refine docs about NLB (#2780)

M00nF1sh · web-flow · commit 65b18098d569 · 2022-08-25T16:51:58.000-07:00
* refine NLB docs

* address comment
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -80,7 +80,7 @@ Traffic Routing can be controlled with following annotations:
 
 - <a name="nlb-target-type">`service.beta.kubernetes.io/aws-load-balancer-nlb-target-type`</a> specifies the target type to configure for NLB. You can choose between
 `instance` and `ip`.
-    - `instance` mode will route traffic to all EC2 instances within cluster on the [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) opened for your service.
+    - `instance` mode will route traffic to all EC2 instances within cluster on the [NodePort](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport) opened for your service. The kube-proxy on the individual worker nodes sets up the forwarding of the traffic from the NodePort to the pods behind the service.
 
         !!!note ""
             - service must be of type `NodePort` or `LoadBalancer` for `instance` targets
@@ -89,10 +89,14 @@ Traffic Routing can be controlled with following annotations:
         !!!note "default value"
             If you configure `spec.loadBalancerClass`, the controller defaults to `instance` target type
 
-      - `ip` mode will route traffic directly to the pod IP.
+        !!!warning "NodePort allocation"
+            k8s version 1.22 and later support disabling NodePort allocation by setting the service field `spec.allocateLoadBalancerNodePorts` to `false`. If the NodePort is not allocated for a service port, the controller will fail to reconcile instance mode NLB.
+
+      - `ip` mode will route traffic directly to the pod IP. In this mode, AWS NLB sends traffic directly to the Kubernetes pods behind the service, eliminating the need for an extra network hop through the worker nodes in the Kubernetes cluster.
 
         !!!note ""
-            network plugin must use native AWS VPC networking configuration for pod IP, for example [Amazon VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s).
+            - `ip` target mode supports pods running on AWS EC2 instances and AWS Fargate
+            - network plugin must use native AWS VPC networking configuration for pod IP, for example [Amazon VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s).
 
     !!!example
         ```
@@ -282,8 +286,8 @@ Health check on target groups can be configured with following annotations:
 
 - <a name="healthcheck-port">`service.beta.kubernetes.io/aws-load-balancer-healthcheck-port`</a> specifies the TCP port to use for target group health check.
 
-    !!!note ""
-        - if you do not specify the health check port, controller uses `traffic-port` as default value
+    !!!note "default value"
+        - if you do not specify the health check port, the default value will be `spec.healthCheckNodePort` when `externalTrafficPolicy=local` or `traffic-port` otherwise.
 
     !!!example
         - set the health check port to `traffic-port`
diff --git a/docs/guide/service/nlb.md b/docs/guide/service/nlb.md
@@ -1,74 +1,147 @@
 # Network Load Balancer
-AWS Load Balancer Controller supports Network Load Balancer (NLB) with instance or IP targets through Kubernetes service of type `LoadBalancer` with proper annotations.
 
-### Instance mode
-Instance target mode supports pods running on AWS EC2 instances. In this mode, AWS NLB sends traffic to the instances and the `kube-proxy` on the individual worker nodes forward it to the pods through one or more worker nodes in the Kubernetes cluster.
-### IP mode
-IP target mode supports pods running on AWS EC2 instances and AWS Fargate. In this mode, the AWS NLB targets traffic directly to the Kubernetes pods behind the service, eliminating the need for an extra network hop through the worker nodes in the Kubernetes cluster.
+AWS Load Balancer Controller supports reconciliation for Kubernetes Services resources of type `LoadBalancer` by Network Load Balancer (NLB) with `instance` or `ip` target type.
 
-## Prerequisites
-* AWS LoadBalancer Controller >= v2.2.0
-* Kubernetes >= v1.16 for Service type `NodePort`
-* Kubernetes >= v1.20 or EKS >= 1.16 or the following patch releases for Service type `LoadBalancer`
-    - 1.18.18+ for 1.18
-    - 1.19.10+ for 1.19
-* Pods have native AWS VPC networking configured, see [Amazon VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s)
-
-!!!note "secure by default"
-    Starting v2.2.0 release, the AWS Load balancer controller provisions an internal NLB by default. To create an internet-facing load balancer, apply the following annotation to your service:
+!!! info "secure by default"
+    Since [:octicons-tag-24: v2.2.0](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.2.0) release, the AWS Load balancer controller provisions an `internal` NLB by default. 
+    
+    To create an `internet-facing` NLB, following annotation is required on your service:
 
-    ```
+    ```yaml
     service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
     ```
 
-    For backwards compatibility, if this annotation is not specified, existing NLB will continue to use the scheme configured on the AWS resource.
-
-## Configuration
-The service resources of type `LoadBalancer` also get reconciled by the kubernetes controller built into the cloudprovider component of the `kube-controller-manager` or the `cloud-controller-manager` aka the `in-tree` controller. The AWS in-tree controller
-ignores those services resources that have the `service.beta.kubernetes.io/aws-load-balancer-type` annotation as `external`. The AWS Load balancer controller support for NLB is based on the in-tree cloud controller ignoring the service resources, so it is very important
-to apply the following annotation on the service resource during creation:
-
-```yaml
-service.beta.kubernetes.io/aws-load-balancer-type: "external"
-```
-This `external` value to the above annotation causes the in-tree controller to not process the service resource and thus pass it on to the external controller.
+    !!! tip ""
+        For backwards compatibility, if the [`service.beta.kubernetes.io/aws-load-balancer-scheme`](./annotations.md#lb-scheme) annotation is absent, existing NLB's scheme will remain unchanged.
 
-!!!warning "annotation modification"
-    Do not modify or add the `service.beta.kubernetes.io/aws-load-balancer-type` annotation on an existing service object. If you need to make changes, for example from classic to NLB or NLB managed
-    by the in-tree controller to the one managed by the AWS Load balancer controller, delete the kubernetes service first and then create again with the correct annotation. If you modify the annotation after service creation
-    you will end up with leaked AWS load balancer resources.
-
-### IP mode
-NLB IP mode is determined based on the `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type` annotation. If the annotation value is `ip`, then NLB will be provisioned in IP mode. Here is the manifest snippet:
-```yaml
-    metadata:
-      name: my-service
-      annotations:
-        service.beta.kubernetes.io/aws-load-balancer-type: "external"
-        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
-```
-
-!!!note "backwards compatibility"
-    For backwards compatibility, controller still supports the `nlb-ip` as the type annotation. For example, if you specify
-
-    ```
-    service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
-    ```
+## Prerequisites
+* AWS Load Balancer Controller >= v2.2.0
+* For Kubernetes Services resources of type `LoadBalancer`:
+    * Kubernetes >= v1.20 or
+    * Kubernetes >= v1.19.10 for 1.19 or
+    * Kubernetes >= v1.18.18 for 1.18 or
+    * EKS >= v1.16
+* For Kubernetes Services resources of type `NodePort`:
+    * Kubernetes >= v1.16
+* For `ip` target type:
+    * Pods have native AWS VPC networking configured, see [Amazon VPC CNI plugin](https://github.com/aws/amazon-vpc-cni-k8s)
 
-    the controller will provision NLB in IP mode. With this, the `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type` annotation gets ignored.
+## Configuration
 
-### Instance mode
-Similar to the IP mode, the instance mode is based on the annotation `service.beta.kubernetes.io/aws-load-balancer-nlb-target-type` value `instance`. Here is a sample manifest snippet:
-!!!warning "NodePort allocation"
-    k8s version 1.22 and later support disabling NodePort allocation by setting the service field `spec.allocateLoadBalancerNodePorts` to `false`. If the NodePort is not allocated for a service port, the controller will fail to reconcile instance mode NLB.
-
-```yaml
-    metadata:
-      name: my-service
-      annotations:
-        service.beta.kubernetes.io/aws-load-balancer-type: "external"
-        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
-```
+By default, Kubernetes Service resources of type `LoadBalancer` gets reconciled by the Kubernetes controller built into the CloudProvider component of the kube-controller-manager or the cloud-controller-manager(a.k.a. the in-tree controller). 
+
+In order to let AWS Load Balancer Controller manage the reconciliation for Kubernetes Services resources of type `LoadBalancer`, you need to offload the reconciliation from in-tree controller to AWS Load Balancer Controller explicitly.
+
+
+=== "With LoadBalancerClass"
+    AWS Load Balancer Controller supports `LoadBalancerClass` feature since [:octicons-tag-24: v2.4.0](https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.4.0) release for Kubernetes v1.22+ clusters. 
+     
+    `LoadBalancerClass` feature provides a CloudProvider agnostic way of offloading the reconciliation for Kubernetes Services resources of type `LoadBalancer` to an external controller.
+    
+    When you specify the `spec.loadBalancerClass` to be `service.k8s.aws/nlb` on a Kubernetes Service resource of type `LoadBalancer`, the AWS Load Balancer Controller takes charge of reconciliation by provision an NLB.
+
+    !!! warning
+        - If you modify a Service resource with matching `spec.loadBalancerClass` by changing its `type` from `LoadBalancer` to anything else, the controller will cleanup provioned NLB for that Service.
+
+        - If the `spec.loadBalancerClass` is set to a loadBalancerClass that is not recognized by this controller, it will ignore the Service resource regardless of the `service.beta.kubernetes.io/aws-load-balancer-type` annotation.
+
+    !!! tip
+        - By default, the NLB will use `instance` target-type, you can customize it via the [`service.beta.kubernetes.io/aws-load-balancer-nlb-target-type` annotation](./annotations.md#nlb-target-type)
+
+        - This controller uses `service.k8s.aws/nlb` as the default `LoadBalancerClass`, you can customize it to a different value via the controller flag `--load-balancer-class`.
+
+    !!! example "Example: instance mode"
+        ```yaml hl_lines="6 15"
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: echoserver
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+        spec:
+          selector:
+            app: echoserver
+          ports:
+            - port: 80
+              targetPort: 8080
+              protocol: TCP
+          type: LoadBalancer
+          loadBalancerClass: service.k8s.aws/nlb
+        ```
+
+    !!! example "Example: ip mode"
+        ```yaml hl_lines="6 15"
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: echoserver
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        spec:
+          selector:
+            app: echoserver
+          ports:
+            - port: 80
+              targetPort: 8080
+              protocol: TCP
+          type: LoadBalancer
+          loadBalancerClass: service.k8s.aws/nlb
+        ```
+
+=== "With `service.beta.kubernetes.io/aws-load-balancer-type` annotation"
+    The AWS in-tree controller supports an AWS specific way of offloading the reconciliation for Kubernetes Services resources of type `LoadBalancer` to an external controller. 
+
+    When you specify the [`service.beta.kubernetes.io/aws-load-balancer-type` annotation](./annotations.md#lb-type) to be `external` on a Kubernetes Service resource of type `LoadBalancer`, the in-tree controller will ignore the Service resource. In addition, If you specify the [`service.beta.kubernetes.io/aws-load-balancer-nlb-target-type` annotation](./annotations.md#nlb-target-type) on the Service resource, the AWS Load Balancer Controller takes charge of reconciliation by provision an NLB.
+
+    !!! warning
+        - It's not recommended to modify or add the `service.beta.kubernetes.io/aws-load-balancer-type` annotation on an existing Service resource. Instead, delete the existing Service resource and recreate a new one if a change is desired.
+
+        - If you modify this annotation on a existing Service resource, you might end up with leaked AWS Load Balancer resources. 
+
+    !!! note "backwards compatibility for `nlb-ip` type"
+        For backwards compatibility, both in-tree and AWS Load Balancer controller supports `nlb-ip` as value of `service.beta.kubernetes.io/aws-load-balancer-type` annotation. The controllers treats it as if you specified both annotation below:
+        ```
+        service.beta.kubernetes.io/aws-load-balancer-type: external
+        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        ```
+    
+    !!! example "Example: instance mode"
+        ```yaml hl_lines="6 7"
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: echoserver
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-type: external
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: instance
+        spec:
+          selector:
+            app: echoserver
+          ports:
+            - port: 80
+              targetPort: 8080
+              protocol: TCP
+          type: LoadBalancer
+        ```
+
+    !!! example "Example: ip mode"
+        ```yaml hl_lines="6 7"
+        apiVersion: v1
+        kind: Service
+        metadata:
+          name: echoserver
+          annotations:
+            service.beta.kubernetes.io/aws-load-balancer-type: external
+            service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
+        spec:
+          selector:
+            app: echoserver
+          ports:
+            - port: 80
+              targetPort: 8080
+              protocol: TCP
+          type: LoadBalancer
+        ```
 
 ## Protocols
 Controller supports both TCP and UDP protocols. Controller also configures TLS termination on NLB if you configure service with certificate annotation. 
@@ -87,20 +160,40 @@ service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
 ## Subnet tagging requirements
 See [Subnet Discovery](../../deploy/subnet_discovery.md) for details on configuring ELB for public or private placement.
 
-
 ## Security group
-NLB does not currently support managed security groups. For ingress access, the controller adds inbound rules to the node security group for the instance mode, or the ENI security group for the IP mode. In case of multiple
-security groups, the controller expects only one security group tagged with the cluster name as follows:
+AWS currently does not support attaching security groups to NLB. To allow inbound traffic from NLB, the controller automatically adds inbound rules to the worker node security groups by default.
+
+!!! tip "disable worker node security group rule management"
+    You can disable the worker node security group rule management via [annotation](./annotations.md#manage-backend-sg-rules).
+
+### Worker node security groups selection
+The controller automatically selects the worker node security groups that will be modified to allow inbound traffic with following rules:
+
+* for `instance` mode, the security group of the each backend worker node's primary ENI will be selected.
+* for `ip` mode, the security group of each backend pod's ENI will be selected.
+
+!!! important "multiple security groups on an ENI"
+
+    if there are multiple security groups attached on an ENI, the controller expects only one security group tagged with following tags:
+
+    | Key                                     | Value               |
+    | --------------------------------------- | ------------------- |
+    | `kubernetes.io/cluster/${cluster-name}` | `owned` or `shared` |
+
+    `${cluster-name}` is the name of the kubernetes cluster
+
+### Worker node security groups rules
 
-| Key                                     | Value                 |
-| --------------------------------------- | --------------------- |
-| `kubernetes.io/cluster/${cluster-name}` | `owned` or `shared`   |
+=== "when Client IP preservation enabled"
 
-`${cluster-name}` is the name of the kubernetes cluster
+    | Rule                 | Protocol                 | Port(s)                                                 | IpRanges(s)                                         |
+    | -------------------- | ------------------------ | ------------------------------------------------------- | --------------------------------------------------- |
+    | Client Traffic       | `spec.ports[*].protocol` | `spec.ports[*].port`                                    | [Traffic Source CIDRs](./annotations.md#lb-source-ranges) |
+    | Health Check Traffic | TCP                      | [Health Check Ports](./annotations.md#healthcheck-port) | NLB Subnet CIDRs                                        |
 
-## Load Balancer Class
-The AWS Load Balancer Controller supports `LoadBalancerClass` starting v2.4.0 release on k8s 1.22 or later clusters. The LoadBalancerClass provides a cloudprovider agnostic way of offloading the load balancer reconciliation to an external controller. This controller uses the `service.k8s.aws/nlb` as the default class,
-you can configure it to a different value via the controller flag `--load-balancer-class`.
+=== "when Client IP preservation disabled"
 
-When you specify the `spec.loadBalancerClass` on a service of type `LoadBalancer` during service creation, this controller creates an internal NLB with instance targets by default. If the LoadBalancerClass is not the configured for this controller, this controller ignores the service resource completely regardless of the annotation
-`service.beta.kubernetes.io/aws-load-balancer-type`. If you modify the service, with `spec.loadBalancerClass`, type from `LoadBalancer` to anything else, the controller will cleanup the NLB.
+    | Rule                 | Protocol                 | Port(s)                                                 | IpRange(s)   |
+    | -------------------- | ------------------------ | ------------------------------------------------------- | ------------ |
+    | Client Traffic       | `spec.ports[*].protocol` | `spec.ports[*].port`                                    | NLB Subnet CIDRs |
+    | Health Check Traffic | TCP                      | [Health Check Ports](./annotations.md#healthcheck-port) | NLB Subnet CIDRs |
diff --git a/mkdocs.yml b/mkdocs.yml
@@ -22,7 +22,7 @@ nav:
           - IngressClass: guide/ingress/ingress_class.md
           - Certificate Discovery: guide/ingress/cert_discovery.md
       - Service:
-          - NLB: guide/service/nlb.md
+          - Network Load Balancer: guide/service/nlb.md
           - Annotations: guide/service/annotations.md
       - TargetGroupBinding:
           - TargetGroupBinding: guide/targetgroupbinding/targetgroupbinding.md
@@ -57,12 +57,16 @@ theme:
 # Extensions
 markdown_extensions:
   - admonition
+  - attr_list
   - codehilite
   - pymdownx.inlinehilite
   - pymdownx.tasklist:
       custom_checkbox: true
   - pymdownx.superfences
   - pymdownx.tabbed
+  - pymdownx.emoji:
+      emoji_index: !!python/name:materialx.emoji.twemoji
+      emoji_generator: !!python/name:materialx.emoji.to_svg
   - toc:
       permalink: true
 extra_css:
