AKO Optimisation Recommendations
Overview
AKO watches create, update and delete (CUD) events on Kubernetes/OpenShift cluster objects to realise the corresponding objects on the NSX Advanced Load Balancer Controller. AKO provides configuration-level knobs that filter Kubernetes/OpenShift objects and so improve AKO performance.
This article discusses the AKO values.yaml (configmap) settings that help optimise AKO performance.
AKOSettings.namespaceSelector.labelKey and AKOSettings.namespaceSelector.labelValue
These two parameters act as a namespace filter. AKO syncs Ingresses/Routes and L4 services from namespaces that carry the label given by this namespace selector.
Parameter | Description | Default |
---|---|---|
AKOSettings.namespaceSelector.labelKey | Key used as a label based selection for the namespaces | empty |
AKOSettings.namespaceSelector.labelValue | Value used as a label based selection for the namespaces | empty |
If either of the above values is left empty, AKO syncs objects from all namespaces with the Avi controller.
For example, if the user specifies labelKey: app and labelValue: migrate in values.yaml, then the user has to label the namespace with app: migrate.
apiVersion: v1
kind: Namespace
metadata:
  creationTimestamp: "2020-12-04T13:20:42Z"
  labels:
    app: migrate
  name: red
  resourceVersion: "14055620"
  selfLink: /api/v1/namespaces/red
  uid: a424bf13-2f4a-4005-a84d-f2fb65acfda0
spec:
  finalizers:
  - kubernetes
status:
  phase: Active
AKO syncs all objects from correctly labelled namespaces.
If the label of the ‘red’ namespace is changed from app: migrate (valid) to app: migrate1 (invalid), then the following objects of the red namespace will be deleted from the NSX Advanced Load Balancer Controller:
- Pools associated with insecure ingresses/routes
- SNI VSes associated with secure ingresses/routes
- Virtual services associated with L4 objects
- EVH virtual services associated with secure and insecure ingresses/routes

AKO will sync the objects of a namespace back to the Avi controller if the namespace label is changed from an invalid label to a valid label.
Note: An AKO reboot is required if the value of this knob is changed in the AKO configmap.
AKOSettings.blockedNamespaceList
The blockedNamespaceList lists the Kubernetes/OpenShift namespaces blocked by AKO. AKO will not process any Kubernetes/OpenShift object update from these namespaces. The default value is an empty list.
Parameter | Description | Default |
---|---|---|
AKOSettings.blockedNamespaceList | List of Kubernetes/OpenShift namespaces blocked by AKO | Empty List |
For example, to block syncing objects from the kube-system and kube-public namespaces, you can specify those namespaces as follows:
AKOSettings:
  .
  .
  blockedNamespaceList:
    - kube-system
    - kube-public
Note: AKO reboot is required if the value of this knob is changed in AKO configmap.
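The namespaceSelector and blockedNamespaceList rules above can be checked before a label or configmap change is rolled out. The following is an added example, not code from AKO or from this article; the settings dictionary layout, the function names and the sample namespaces are constructed for illustration, and it assumes a blocked namespace is skipped even when its labels match the selector.

```python
# Added example (not AKO source code): models the namespace filters on this page.
# Assumption: a blocked namespace is skipped even when its labels match the
# selector; the page does not say how the two settings interact.

def namespace_synced(name, labels, settings):
    """Return True if AKO would sync objects from this namespace."""
    if name in settings.get("blockedNamespaceList", []):
        return False
    selector = settings.get("namespaceSelector", {})
    key = selector.get("labelKey", "")
    value = selector.get("labelValue", "")
    if not key or not value:
        return True  # either value empty: objects from all namespaces are synced
    return labels.get(key) == value


def synced_namespaces(namespaces, settings):
    """namespaces maps namespace name -> dict of its labels."""
    return {n for n, labels in namespaces.items() if namespace_synced(n, labels, settings)}


def change_impact(ns_before, ns_after, settings_before, settings_after):
    """Compare two states; return (dropped, restored) namespace names.

    dropped:  synced before but not after, so their pools and virtual
              services are deleted from the Controller.
    restored: not synced before but synced after, so they are synced back.
    """
    before = synced_namespaces(ns_before, settings_before)
    after = synced_namespaces(ns_after, settings_after)
    return sorted(before - after), sorted(after - before)


# Constructed sample data mirroring the page's examples.
SETTINGS = {
    "namespaceSelector": {"labelKey": "app", "labelValue": "migrate"},
    "blockedNamespaceList": ["kube-system", "kube-public"],
}
NAMESPACES = {
    "red": {"app": "migrate"},
    "blue": {"app": "migrate"},
    "green": {},
    "kube-system": {"app": "migrate"},
}

if __name__ == "__main__":
    relabelled = dict(NAMESPACES, red={"app": "migrate1"})
    print(change_impact(NAMESPACES, relabelled, SETTINGS, SETTINGS))
```

Running the check against the current and the proposed labels shows which namespaces would have their objects removed from the Controller before the change is applied.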
nodeSelectorLabels.key and nodeSelectorLabels.value
It might not be desirable for all the nodes of a Kubernetes/OpenShift cluster to become server pool members. Hence, key/value pairs are used for label-based selection of the nodes in Kubernetes/OpenShift to filter out nodes. If key/value pairs are not specified, all nodes are selected. This setting is applicable in NodePort deployment only.
Parameter | Description | Default |
---|---|---|
nodeSelectorLabels.key | Key used as a label based selection for the nodes. | Empty |
nodeSelectorLabels.value | Value used as a label based selection for the nodes. | Empty |
For example, if you have specified nodeSelectorLabels.key as nodeselected and nodeSelectorLabels.value as yes, then nodes which have this label will be selected during pool server population.
apiVersion: v1
kind: Node
metadata:
  annotations:
    node.alpha.kubernetes.io/ttl: "0"
    volumes.kubernetes.io/controller-managed-attach-detach: "true"
  labels:
    kubernetes.io/hostname: node2
    kubernetes.io/os: linux
    # quoted: a bare yes is parsed as a YAML boolean, and label values must be strings
    nodeselected: "yes"
  name: node2
spec:
  .
  .
  .
AKO selects node2 while populating pool servers.
Note: Rebooting of AKO will be required if the value of this knob is changed in the AKO configmap.