Merge pull request #41162 from MrHohn/esipp-ga

Automatic merge from submit-queue (batch tested with PRs 45623, 45241, 45460, 41162)

Promotes Source IP preservation for Virtual IPs from Beta to GA

Fixes #33625. Feature issue: kubernetes/features#27.

Bullet points:
- Declare 2 fields (ExternalTraffic and HealthCheckNodePort) that mirror the ESIPP annotations.
- ESIPP alpha annotations will be ignored.
- Existing ESIPP beta annotations will still be fully supported.
- Allow promoting beta annotations to first class fields or reversely.
- Disallow setting invalid ExternalTraffic and HealthCheckNodePort on services. Default ExternalTraffic field for nodePort or loadBalancer type service to "Global" if not set.

**Release note**:

```release-note
Promotes Source IP preservation for Virtual IPs to GA.

Two api fields are defined correspondingly:
- Service.Spec.ExternalTrafficPolicy <- 'service.beta.kubernetes.io/external-traffic' annotation.
- Service.Spec.HealthCheckNodePort <- 'service.beta.kubernetes.io/healthcheck-nodeport' annotation.
```

api/openapi-spec/swagger.json

@@ -45084,6 +45084,15 @@
       "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName.",
       "type": "string"
      },
+     "externalTrafficPolicy": {
+      "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services.",
+      "type": "string"
+     },
+     "healthCheckNodePort": {
+      "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.",
+      "type": "integer",
+      "format": "int32"
+     },
      "loadBalancerIP": {
       "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.",
       "type": "string"

api/swagger-spec/v1.json

@@ -21041,6 +21041,15 @@
      "externalName": {
       "type": "string",
       "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName."
+     },
+     "externalTrafficPolicy": {
+      "type": "string",
+      "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services."
+     },
+     "healthCheckNodePort": {
+      "type": "integer",
+      "format": "int32",
+      "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local."
      }
     }
    },

docs/api-reference/v1/definitions.html

@@ -9695,6 +9695,20 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">externalTrafficPolicy</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">string</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">healthCheckNodePort</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">integer (int32)</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -9927,7 +9941,7 @@ Examples:<br>
 </div>
 <div id="footer">
 <div id="footer-text">
-Last updated 2017-04-26 21:11:18 UTC
+Last updated 2017-05-07 16:52:23 UTC
 </div>
 </div>
 </body>

federation/apis/openapi-spec/swagger.json

@@ -12228,6 +12228,15 @@
       "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName.",
       "type": "string"
      },
+     "externalTrafficPolicy": {
+      "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services.",
+      "type": "string"
+     },
+     "healthCheckNodePort": {
+      "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.",
+      "type": "integer",
+      "format": "int32"
+     },
      "loadBalancerIP": {
       "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.",
       "type": "string"

pkg/api/service/BUILD

@@ -30,6 +30,8 @@ go_test(
     deps = [
         "//pkg/api:go_default_library",
         "//pkg/util/net/sets:go_default_library",
+        "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
     ],
 )
 

pkg/api/service/annotations.go

@@ -26,25 +26,19 @@ const (
 	// Not all cloud providers support this annotation, though AWS & GCE do.
 	AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"
 
-	// AnnotationValueExternalTrafficLocal Value of annotation to specify local endpoints behaviour
+	// AnnotationValueExternalTrafficLocal Value of annotation to specify local endpoints behavior.
 	AnnotationValueExternalTrafficLocal = "OnlyLocal"
-	// AnnotationValueExternalTrafficGlobal Value of annotation to specify global (legacy) behaviour
+	// AnnotationValueExternalTrafficGlobal Value of annotation to specify global (legacy) behavior.
 	AnnotationValueExternalTrafficGlobal = "Global"
 
-	// TODO: The alpha annotations have been deprecated, remove them when we move this feature to GA.
+	// TODO: The beta annotations have been deprecated, remove them when we release k8s 1.8.
 
-	// AlphaAnnotationHealthCheckNodePort Annotation specifying the healthcheck nodePort for the service
+	// BetaAnnotationHealthCheckNodePort Annotation specifying the healthcheck nodePort for the service.
-	// If not specified, annotation is created by the service api backend with the allocated nodePort
+	// If not specified, annotation is created by the service api backend with the allocated nodePort.
-	// Will use user-specified nodePort value if specified by the client
+	// Will use user-specified nodePort value if specified by the client.
-	AlphaAnnotationHealthCheckNodePort = "service.alpha.kubernetes.io/healthcheck-nodeport"
-
-	// AlphaAnnotationExternalTraffic An annotation that denotes if this Service desires to route external traffic to local
-	// endpoints only. This preserves Source IP and avoids a second hop.
-	AlphaAnnotationExternalTraffic = "service.alpha.kubernetes.io/external-traffic"
-
-	// BetaAnnotationHealthCheckNodePort is the beta version of AlphaAnnotationHealthCheckNodePort.
 	BetaAnnotationHealthCheckNodePort = "service.beta.kubernetes.io/healthcheck-nodeport"
 
-	// BetaAnnotationExternalTraffic is the beta version of AlphaAnnotationExternalTraffic.
+	// BetaAnnotationExternalTraffic An annotation that denotes if this Service desires to route
+	// external traffic to local endpoints only. This preserves Source IP and avoids a second hop.
 	BetaAnnotationExternalTraffic = "service.beta.kubernetes.io/external-traffic"
 )

pkg/api/service/util.go

@@ -76,23 +76,22 @@ func RequestsOnlyLocalTraffic(service *api.Service) bool {
 		service.Spec.Type != api.ServiceTypeNodePort {
 		return false
 	}
-	// First check the alpha annotation and then the beta. This is so existing
+
-	// Services continue to work till the user decides to transition to beta.
+	// First check the beta annotation and then the first class field. This is so that
-	// If they transition to beta, there's no way to go back to alpha without
+	// existing Services continue to work till the user decides to transition to the
-	// rolling back the cluster.
+	// first class field.
-	for _, annotation := range []string{AlphaAnnotationExternalTraffic, BetaAnnotationExternalTraffic} {
+	if l, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
-		if l, ok := service.Annotations[annotation]; ok {
+		switch l {
-			switch l {
+		case AnnotationValueExternalTrafficLocal:
-			case AnnotationValueExternalTrafficLocal:
+			return true
-				return true
+		case AnnotationValueExternalTrafficGlobal:
-			case AnnotationValueExternalTrafficGlobal:
+			return false
-				return false
+		default:
-			default:
+			glog.Errorf("Invalid value for annotation %v: %v", BetaAnnotationExternalTraffic, l)
-				glog.Errorf("Invalid value for annotation %v: %v", annotation, l)
+			return false
-			}
 		}
 	}
-	return false
+	return service.Spec.ExternalTrafficPolicy == api.ServiceExternalTrafficPolicyTypeLocal
 }
 
 // NeedsHealthCheck Check if service needs health check.
@@ -103,21 +102,61 @@ func NeedsHealthCheck(service *api.Service) bool {
 	return RequestsOnlyLocalTraffic(service)
 }
 
-// GetServiceHealthCheckNodePort Return health check node port annotation for service, if one exists
+// GetServiceHealthCheckNodePort Return health check node port for service, if one exists
 func GetServiceHealthCheckNodePort(service *api.Service) int32 {
-	// First check the alpha annotation and then the beta. This is so existing
+	// First check the beta annotation and then the first class field. This is so that
-	// Services continue to work till the user decides to transition to beta.
+	// existing Services continue to work till the user decides to transition to the
-	// If they transition to beta, there's no way to go back to alpha without
+	// first class field.
-	// rolling back the cluster.
+	if l, ok := service.Annotations[BetaAnnotationHealthCheckNodePort]; ok {
-	for _, annotation := range []string{AlphaAnnotationHealthCheckNodePort, BetaAnnotationHealthCheckNodePort} {
+		p, err := strconv.Atoi(l)
-		if l, ok := service.Annotations[annotation]; ok {
+		if err != nil {
-			p, err := strconv.Atoi(l)
+			glog.Errorf("Failed to parse annotation %v: %v", BetaAnnotationHealthCheckNodePort, err)
-			if err != nil {
+			return 0
-				glog.Errorf("Failed to parse annotation %v: %v", annotation, err)
-				continue
-			}
-			return int32(p)
 		}
+		return int32(p)
 	}
-	return 0
+	return service.Spec.HealthCheckNodePort
+}
+
+// SetDefaultExternalTrafficPolicyIfNeeded defaults the ExternalTrafficPolicy field
+// for NodePort / LoadBalancer service to Global for consistency.
+// TODO: Move this default logic to default.go once beta annotation is deprecated.
+func SetDefaultExternalTrafficPolicyIfNeeded(service *api.Service) {
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		// Don't default this field if beta annotation exists.
+		return
+	} else if (service.Spec.Type == api.ServiceTypeNodePort ||
+		service.Spec.Type == api.ServiceTypeLoadBalancer) &&
+		service.Spec.ExternalTrafficPolicy == "" {
+		service.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeGlobal
+	}
+}
+
+// ClearExternalTrafficPolicy resets the ExternalTrafficPolicy field.
+func ClearExternalTrafficPolicy(service *api.Service) {
+	// First check the beta annotation and then the first class field. This is so that
+	// existing Services continue to work till the user decides to transition to the
+	// first class field.
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		delete(service.Annotations, BetaAnnotationExternalTraffic)
+		return
+	}
+	service.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyType("")
+}
+
+// SetServiceHealthCheckNodePort sets the given health check node port on service.
+// It does not check whether this service needs healthCheckNodePort.
+func SetServiceHealthCheckNodePort(service *api.Service, hcNodePort int32) {
+	// First check the beta annotation and then the first class field. This is so that
+	// existing Services continue to work till the user decides to transition to the
+	// first class field.
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		if hcNodePort == 0 {
+			delete(service.Annotations, BetaAnnotationHealthCheckNodePort)
+		} else {
+			service.Annotations[BetaAnnotationHealthCheckNodePort] = fmt.Sprintf("%d", hcNodePort)
+		}
+		return
+	}
+	service.Spec.HealthCheckNodePort = hcNodePort
 }

pkg/api/service/util_test.go

@@ -19,10 +19,15 @@ package service
 import (
 	"testing"
 
+	"fmt"
+	"reflect"
 	"strings"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/kubernetes/pkg/api"
 	netsets "k8s.io/kubernetes/pkg/util/net/sets"
+
+	"github.com/davecgh/go-spew/spew"
 )
 
 func TestGetLoadBalancerSourceRanges(t *testing.T) {
@@ -129,3 +134,385 @@ func TestAllowAll(t *testing.T) {
 	checkAllowAll(true, "192.168.0.0/0")
 	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
 }
+
+func TestRequestsOnlyLocalTraffic(t *testing.T) {
+	checkRequestsOnlyLocalTraffic := func(requestsOnlyLocalTraffic bool, service *api.Service) {
+		res := RequestsOnlyLocalTraffic(service)
+		if res != requestsOnlyLocalTraffic {
+			t.Errorf("Expected requests OnlyLocal traffic = %v, got %v",
+				requestsOnlyLocalTraffic, res)
+		}
+	}
+
+	checkRequestsOnlyLocalTraffic(false, &api.Service{})
+	checkRequestsOnlyLocalTraffic(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeClusterIP,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+}
+
+func TestNeedsHealthCheck(t *testing.T) {
+	checkNeedsHealthCheck := func(needsHealthCheck bool, service *api.Service) {
+		res := NeedsHealthCheck(service)
+		if res != needsHealthCheck {
+			t.Errorf("Expected needs health check = %v, got %v",
+				needsHealthCheck, res)
+		}
+	}
+
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeClusterIP,
+		},
+	})
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkNeedsHealthCheck(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: "invalid",
+			},
+		},
+	})
+	checkNeedsHealthCheck(false, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+			},
+		},
+	})
+	checkNeedsHealthCheck(true, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+			},
+		},
+	})
+}
+
+func TestGetServiceHealthCheckNodePort(t *testing.T) {
+	checkGetServiceHealthCheckNodePort := func(healthCheckNodePort int32, service *api.Service) {
+		res := GetServiceHealthCheckNodePort(service)
+		if res != healthCheckNodePort {
+			t.Errorf("Expected health check node port = %v, got %v",
+				healthCheckNodePort, res)
+		}
+	}
+
+	checkGetServiceHealthCheckNodePort(0, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeClusterIP,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(0, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeNodePort,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(0, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(34567, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+			HealthCheckNodePort:   int32(34567),
+		},
+	})
+	checkGetServiceHealthCheckNodePort(34567, &api.Service{
+		Spec: api.ServiceSpec{
+			Type: api.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic:     AnnotationValueExternalTrafficLocal,
+				BetaAnnotationHealthCheckNodePort: "34567",
+			},
+		},
+	})
+}
+
+func TestSetDefaultExternalTrafficPolicyIfNeeded(t *testing.T) {
+	testCases := []struct {
+		inputService    *api.Service
+		expectedService *api.Service
+	}{
+		// First class fields cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+				},
+			},
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+					ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeNodePort,
+				},
+			},
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeNodePort,
+					ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+				},
+			},
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+				},
+			},
+		},
+		// Beta annotations cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+		},
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		SetDefaultExternalTrafficPolicyIfNeeded(tc.inputService)
+		if !reflect.DeepEqual(tc.inputService, tc.expectedService) {
+			t.Errorf("%v: got unexpected service", i)
+			spew.Dump(tc)
+		}
+	}
+}
+
+func TestClearExternalTrafficPolicy(t *testing.T) {
+	testCases := []struct {
+		inputService *api.Service
+	}{
+		// First class fields cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		// Beta annotations cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		ClearExternalTrafficPolicy(tc.inputService)
+		if _, ok := tc.inputService.Annotations[BetaAnnotationExternalTraffic]; ok ||
+			tc.inputService.Spec.ExternalTrafficPolicy != "" {
+			t.Errorf("%v: failed to clear ExternalTrafficPolicy", i)
+			spew.Dump(tc)
+		}
+	}
+}
+
+func TestSetServiceHealthCheckNodePort(t *testing.T) {
+	testCases := []struct {
+		inputService *api.Service
+		hcNodePort   int32
+		beta         bool
+	}{
+		// First class fields cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+			30012,
+			false,
+		},
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+			0,
+			false,
+		},
+		// Beta annotations cases.
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			30012,
+			true,
+		},
+		{
+			&api.Service{
+				Spec: api.ServiceSpec{
+					Type: api.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			0,
+			true,
+		},
+	}
+
+	for i, tc := range testCases {
+		SetServiceHealthCheckNodePort(tc.inputService, tc.hcNodePort)
+		if !tc.beta {
+			if tc.inputService.Spec.HealthCheckNodePort != tc.hcNodePort {
+				t.Errorf("%v: got HealthCheckNodePort %v, want %v", i, tc.inputService.Spec.HealthCheckNodePort, tc.hcNodePort)
+			}
+		} else {
+			l, ok := tc.inputService.Annotations[BetaAnnotationHealthCheckNodePort]
+			if tc.hcNodePort == 0 {
+				if ok {
+					t.Errorf("%v: HealthCheckNodePort set, want it to be cleared", i)
+				}
+			} else {
+				if !ok {
+					t.Errorf("%v: HealthCheckNodePort unset, want %v", i, tc.hcNodePort)
+				} else if l != fmt.Sprintf("%v", tc.hcNodePort) {
+					t.Errorf("%v: got HealthCheckNodePort %v, want %v", i, l, tc.hcNodePort)
+				}
+			}
+		}
+	}
+}

pkg/api/types.go

@@ -2453,6 +2453,16 @@ const (
 	ServiceTypeExternalName ServiceType = "ExternalName"
 )
 
+// Service External Traffic Policy Type string
+type ServiceExternalTrafficPolicyType string
+
+const (
+	// ServiceExternalTrafficPolicyTypeLocal specifies local endpoints behavior.
+	ServiceExternalTrafficPolicyTypeLocal ServiceExternalTrafficPolicyType = "Local"
+	// ServiceExternalTrafficPolicyTypeGlobal specifies global (legacy) behavior.
+	ServiceExternalTrafficPolicyTypeGlobal ServiceExternalTrafficPolicyType = "Global"
+)
+
 // ServiceStatus represents the current status of a service
 type ServiceStatus struct {
 	// LoadBalancer contains the current status of the load-balancer,
@@ -2552,6 +2562,20 @@ type ServiceSpec struct {
 	// cloud-provider does not support the feature."
 	// +optional
 	LoadBalancerSourceRanges []string
+
+	// externalTrafficPolicy denotes if this Service desires to route external traffic to
+	// local endpoints only. This preserves Source IP and avoids a second hop for
+	// LoadBalancer and Nodeport type services.
+	// +optional
+	ExternalTrafficPolicy ServiceExternalTrafficPolicyType
+
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// If not specified, HealthCheckNodePort is created by the service api
+	// backend with the allocated nodePort. Will use user-specified nodePort value
+	// if specified by the client. Only effects when Type is set to LoadBalancer
+	// and ExternalTrafficPolicy is set to Local.
+	// +optional
+	HealthCheckNodePort int32
 }
 
 type ServicePort struct {

pkg/api/v1/generated.proto

@@ -3697,6 +3697,20 @@ message ServiceSpec {
   // Must be a valid DNS name and requires Type to be ExternalName.
   // +optional
   optional string externalName = 10;
+
+  // externalTrafficPolicy denotes if this Service desires to route external traffic to
+  // local endpoints only. This preserves Source IP and avoids a second hop for
+  // LoadBalancer and Nodeport type services.
+  // +optional
+  optional string externalTrafficPolicy = 11;
+
+  // healthCheckNodePort specifies the healthcheck nodePort for the service.
+  // If not specified, HealthCheckNodePort is created by the service api
+  // backend with the allocated nodePort. Will use user-specified nodePort value
+  // if specified by the client. Only effects when Type is set to LoadBalancer
+  // and ExternalTrafficPolicy is set to Local.
+  // +optional
+  optional int32 healthCheckNodePort = 12;
 }
 
 // ServiceStatus represents the current status of a service.

pkg/api/v1/service/BUILD

@@ -30,6 +30,8 @@ go_test(
     deps = [
         "//pkg/api/v1:go_default_library",
         "//pkg/util/net/sets:go_default_library",
+        "//vendor/github.com/davecgh/go-spew/spew:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
     ],
 )
 

pkg/api/v1/service/annotations.go

@@ -26,25 +26,19 @@ const (
 	// Not all cloud providers support this annotation, though AWS & GCE do.
 	AnnotationLoadBalancerSourceRangesKey = "service.beta.kubernetes.io/load-balancer-source-ranges"
 
-	// AnnotationValueExternalTrafficLocal Value of annotation to specify local endpoints behaviour
+	// AnnotationValueExternalTrafficLocal Value of annotation to specify local endpoints behavior.
 	AnnotationValueExternalTrafficLocal = "OnlyLocal"
-	// AnnotationValueExternalTrafficGlobal Value of annotation to specify global (legacy) behaviour
+	// AnnotationValueExternalTrafficGlobal Value of annotation to specify global (legacy) behavior.
 	AnnotationValueExternalTrafficGlobal = "Global"
 
-	// TODO: The alpha annotations have been deprecated, remove them when we move this feature to GA.
+	// TODO: The beta annotations have been deprecated, remove them when we release k8s 1.8.
 
-	// AlphaAnnotationHealthCheckNodePort Annotation specifying the healthcheck nodePort for the service
+	// BetaAnnotationHealthCheckNodePort Annotation specifying the healthcheck nodePort for the service.
-	// If not specified, annotation is created by the service api backend with the allocated nodePort
+	// If not specified, annotation is created by the service api backend with the allocated nodePort.
-	// Will use user-specified nodePort value if specified by the client
+	// Will use user-specified nodePort value if specified by the client.
-	AlphaAnnotationHealthCheckNodePort = "service.alpha.kubernetes.io/healthcheck-nodeport"
-
-	// AlphaAnnotationExternalTraffic An annotation that denotes if this Service desires to route external traffic to local
-	// endpoints only. This preserves Source IP and avoids a second hop.
-	AlphaAnnotationExternalTraffic = "service.alpha.kubernetes.io/external-traffic"
-
-	// BetaAnnotationHealthCheckNodePort is the beta version of AlphaAnnotationHealthCheckNodePort.
 	BetaAnnotationHealthCheckNodePort = "service.beta.kubernetes.io/healthcheck-nodeport"
 
-	// BetaAnnotationExternalTraffic is the beta version of AlphaAnnotationExternalTraffic.
+	// BetaAnnotationExternalTraffic An annotation that denotes if this Service desires to route
+	// external traffic to local endpoints only. This preserves Source IP and avoids a second hop.
 	BetaAnnotationExternalTraffic = "service.beta.kubernetes.io/external-traffic"
 )

pkg/api/v1/service/util.go

@@ -76,23 +76,22 @@ func RequestsOnlyLocalTraffic(service *v1.Service) bool {
 		service.Spec.Type != v1.ServiceTypeNodePort {
 		return false
 	}
-	// First check the alpha annotation and then the beta. This is so existing
+
-	// Services continue to work till the user decides to transition to beta.
+	// First check the beta annotation and then the first class field. This is so that
-	// If they transition to beta, there's no way to go back to alpha without
+	// existing Services continue to work till the user decides to transition to the
-	// rolling back the cluster.
+	// first class field.
-	for _, annotation := range []string{AlphaAnnotationExternalTraffic, BetaAnnotationExternalTraffic} {
+	if l, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
-		if l, ok := service.Annotations[annotation]; ok {
+		switch l {
-			switch l {
+		case AnnotationValueExternalTrafficLocal:
-			case AnnotationValueExternalTrafficLocal:
+			return true
-				return true
+		case AnnotationValueExternalTrafficGlobal:
-			case AnnotationValueExternalTrafficGlobal:
+			return false
-				return false
+		default:
-			default:
+			glog.Errorf("Invalid value for annotation %v: %v", BetaAnnotationExternalTraffic, l)
-				glog.Errorf("Invalid value for annotation %v: %v", annotation, l)
+			return false
-			}
 		}
 	}
-	return false
+	return service.Spec.ExternalTrafficPolicy == v1.ServiceExternalTrafficPolicyTypeLocal
 }
 
 // NeedsHealthCheck Check if service needs health check.
@@ -103,23 +102,62 @@ func NeedsHealthCheck(service *v1.Service) bool {
 	return RequestsOnlyLocalTraffic(service)
 }
 
-// GetServiceHealthCheckNodePort Return health check node port annotation for service, if one exists
+// GetServiceHealthCheckNodePort Return health check node port for service, if one exists
 func GetServiceHealthCheckNodePort(service *v1.Service) int32 {
-	// First check the alpha annotation and then the beta. This is so existing
+	// First check the beta annotation and then the first class field. This is so that
-	// Services continue to work till the user decides to transition to beta.
+	// existing Services continue to work till the user decides to transition to the
-	// If they transition to beta, there's no way to go back to alpha without
+	// first class field.
-	// rolling back the cluster.
+	if l, ok := service.Annotations[BetaAnnotationHealthCheckNodePort]; ok {
-	for _, annotation := range []string{AlphaAnnotationHealthCheckNodePort, BetaAnnotationHealthCheckNodePort} {
+		p, err := strconv.Atoi(l)
-		if l, ok := service.Annotations[annotation]; ok {
+		if err != nil {
-			p, err := strconv.Atoi(l)
+			glog.Errorf("Failed to parse annotation %v: %v", BetaAnnotationHealthCheckNodePort, err)
-			if err != nil {
+			return 0
-				glog.Errorf("Failed to parse annotation %v: %v", annotation, err)
-				continue
-			}
-			return int32(p)
 		}
+		return int32(p)
 	}
-	return 0
+	return service.Spec.HealthCheckNodePort
+}
+
+// SetDefaultExternalTrafficPolicyIfNeeded defaults the ExternalTrafficPolicy field
+// for NodePort / LoadBalancer service to Global for consistency.
+// TODO: Move this default logic to default.go once beta annotation is deprecated.
+func SetDefaultExternalTrafficPolicyIfNeeded(service *v1.Service) {
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		// Don't default this field if beta annotation exists.
+		return
+	} else if (service.Spec.Type == v1.ServiceTypeNodePort ||
+		service.Spec.Type == v1.ServiceTypeLoadBalancer) &&
+		service.Spec.ExternalTrafficPolicy == "" {
+		service.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeGlobal
+	}
+}
+
+// ClearExternalTrafficPolicy resets the ExternalTrafficPolicy field.
+func ClearExternalTrafficPolicy(service *v1.Service) {
+	// First check the beta annotation and then the first class field. This is so existing
+	// Services continue to work till the user decides to transition to the first class field.
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		delete(service.Annotations, BetaAnnotationExternalTraffic)
+		return
+	}
+	service.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyType("")
+}
+
+// SetServiceHealthCheckNodePort sets the given health check node port on service.
+// It does not check whether this service needs healthCheckNodePort.
+func SetServiceHealthCheckNodePort(service *v1.Service, hcNodePort int32) {
+	// First check the beta annotation and then the first class field. This is so that
+	// existing Services continue to work till the user decides to transition to the
+	// first class field.
+	if _, ok := service.Annotations[BetaAnnotationExternalTraffic]; ok {
+		if hcNodePort == 0 {
+			delete(service.Annotations, BetaAnnotationHealthCheckNodePort)
+		} else {
+			service.Annotations[BetaAnnotationHealthCheckNodePort] = fmt.Sprintf("%d", hcNodePort)
+		}
+		return
+	}
+	service.Spec.HealthCheckNodePort = hcNodePort
 }
 
 // GetServiceHealthCheckPathPort Return the path and nodePort programmed into the Cloud LB Health Check

pkg/api/v1/service/util_test.go

@@ -19,10 +19,15 @@ package service
 import (
 	"testing"
 
+	"fmt"
+	"reflect"
 	"strings"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/kubernetes/pkg/api/v1"
 	netsets "k8s.io/kubernetes/pkg/util/net/sets"
+
+	"github.com/davecgh/go-spew/spew"
 )
 
 func TestGetLoadBalancerSourceRanges(t *testing.T) {
@@ -129,3 +134,385 @@ func TestAllowAll(t *testing.T) {
 	checkAllowAll(true, "192.168.0.0/0")
 	checkAllowAll(true, "192.168.0.1/32", "0.0.0.0/0")
 }
+
+func TestRequestsOnlyLocalTraffic(t *testing.T) {
+	checkRequestsOnlyLocalTraffic := func(requestsOnlyLocalTraffic bool, service *v1.Service) {
+		res := RequestsOnlyLocalTraffic(service)
+		if res != requestsOnlyLocalTraffic {
+			t.Errorf("Expected requests OnlyLocal traffic = %v, got %v",
+				requestsOnlyLocalTraffic, res)
+		}
+	}
+
+	checkRequestsOnlyLocalTraffic(false, &v1.Service{})
+	checkRequestsOnlyLocalTraffic(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeClusterIP,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkRequestsOnlyLocalTraffic(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+}
+
+func TestNeedsHealthCheck(t *testing.T) {
+	checkNeedsHealthCheck := func(needsHealthCheck bool, service *v1.Service) {
+		res := NeedsHealthCheck(service)
+		if res != needsHealthCheck {
+			t.Errorf("Expected needs health check = %v, got %v",
+				needsHealthCheck, res)
+		}
+	}
+
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeClusterIP,
+		},
+	})
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkNeedsHealthCheck(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	})
+
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: "invalid",
+			},
+		},
+	})
+	checkNeedsHealthCheck(false, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+			},
+		},
+	})
+	checkNeedsHealthCheck(true, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+			},
+		},
+	})
+}
+
+func TestGetServiceHealthCheckNodePort(t *testing.T) {
+	checkGetServiceHealthCheckNodePort := func(healthCheckNodePort int32, service *v1.Service) {
+		res := GetServiceHealthCheckNodePort(service)
+		if res != healthCheckNodePort {
+			t.Errorf("Expected health check node port = %v, got %v",
+				healthCheckNodePort, res)
+		}
+	}
+
+	checkGetServiceHealthCheckNodePort(0, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeClusterIP,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(0, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeNodePort,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(0, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	})
+	checkGetServiceHealthCheckNodePort(34567, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+			ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeLocal,
+			HealthCheckNodePort:   int32(34567),
+		},
+	})
+	checkGetServiceHealthCheckNodePort(34567, &v1.Service{
+		Spec: v1.ServiceSpec{
+			Type: v1.ServiceTypeLoadBalancer,
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				BetaAnnotationExternalTraffic:     AnnotationValueExternalTrafficLocal,
+				BetaAnnotationHealthCheckNodePort: "34567",
+			},
+		},
+	})
+}
+
+func TestSetDefaultExternalTrafficPolicyIfNeeded(t *testing.T) {
+	testCases := []struct {
+		inputService    *v1.Service
+		expectedService *v1.Service
+	}{
+		// First class fields cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+				},
+			},
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+					ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeNodePort,
+				},
+			},
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeNodePort,
+					ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+				},
+			},
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+				},
+			},
+		},
+		// Beta annotations cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+		},
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeLoadBalancer,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		SetDefaultExternalTrafficPolicyIfNeeded(tc.inputService)
+		if !reflect.DeepEqual(tc.inputService, tc.expectedService) {
+			t.Errorf("%v: got unexpected service", i)
+			spew.Dump(tc)
+		}
+	}
+}
+
+func TestClearExternalTrafficPolicy(t *testing.T) {
+	testCases := []struct {
+		inputService *v1.Service
+	}{
+		// First class fields cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+		},
+		// Beta annotations cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficLocal,
+					},
+				},
+			},
+		},
+	}
+
+	for i, tc := range testCases {
+		ClearExternalTrafficPolicy(tc.inputService)
+		if _, ok := tc.inputService.Annotations[BetaAnnotationExternalTraffic]; ok ||
+			tc.inputService.Spec.ExternalTrafficPolicy != "" {
+			t.Errorf("%v: failed to clear ExternalTrafficPolicy", i)
+			spew.Dump(tc)
+		}
+	}
+}
+
+func TestSetServiceHealthCheckNodePort(t *testing.T) {
+	testCases := []struct {
+		inputService *v1.Service
+		hcNodePort   int32
+		beta         bool
+	}{
+		// First class fields cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+			30012,
+			false,
+		},
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+					ExternalTrafficPolicy: v1.ServiceExternalTrafficPolicyTypeGlobal,
+				},
+			},
+			0,
+			false,
+		},
+		// Beta annotations cases.
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			30012,
+			true,
+		},
+		{
+			&v1.Service{
+				Spec: v1.ServiceSpec{
+					Type: v1.ServiceTypeClusterIP,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						BetaAnnotationExternalTraffic: AnnotationValueExternalTrafficGlobal,
+					},
+				},
+			},
+			0,
+			true,
+		},
+	}
+
+	for i, tc := range testCases {
+		SetServiceHealthCheckNodePort(tc.inputService, tc.hcNodePort)
+		if !tc.beta {
+			if tc.inputService.Spec.HealthCheckNodePort != tc.hcNodePort {
+				t.Errorf("%v: got HealthCheckNodePort %v, want %v", i, tc.inputService.Spec.HealthCheckNodePort, tc.hcNodePort)
+			}
+		} else {
+			l, ok := tc.inputService.Annotations[BetaAnnotationHealthCheckNodePort]
+			if tc.hcNodePort == 0 {
+				if ok {
+					t.Errorf("%v: HealthCheckNodePort set, want it to be cleared", i)
+				}
+			} else {
+				if !ok {
+					t.Errorf("%v: HealthCheckNodePort unset, want %v", i, tc.hcNodePort)
+				} else if l != fmt.Sprintf("%v", tc.hcNodePort) {
+					t.Errorf("%v: got HealthCheckNodePort %v, want %v", i, l, tc.hcNodePort)
+				}
+			}
+		}
+	}
+}

pkg/api/v1/types.generated.go

@@ -41195,6 +41195,32 @@ func (x *ServiceType) CodecDecodeSelf(d *codec1978.Decoder) {
 	}
 }
 
+func (x ServiceExternalTrafficPolicyType) CodecEncodeSelf(e *codec1978.Encoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperEncoder(e)
+	_, _, _ = h, z, r
+	yym1 := z.EncBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.EncExt(x) {
+	} else {
+		r.EncodeString(codecSelferC_UTF81234, string(x))
+	}
+}
+
+func (x *ServiceExternalTrafficPolicyType) CodecDecodeSelf(d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	yym1 := z.DecBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.DecExt(x) {
+	} else {
+		*((*string)(x)) = r.DecodeString()
+	}
+}
+
 func (x *ServiceStatus) CodecEncodeSelf(e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
@@ -41802,7 +41828,7 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 		} else {
 			yysep2 := !z.EncBinary()
 			yy2arr2 := z.EncBasicHandle().StructToArray
-			var yyq2 [9]bool
+			var yyq2 [11]bool
 			_, _, _ = yysep2, yyq2, yy2arr2
 			const yyr2 bool = false
 			yyq2[0] = len(x.Ports) != 0
@@ -41814,9 +41840,11 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 			yyq2[6] = x.LoadBalancerIP != ""
 			yyq2[7] = len(x.LoadBalancerSourceRanges) != 0
 			yyq2[8] = x.ExternalName != ""
+			yyq2[9] = x.ExternalTrafficPolicy != ""
+			yyq2[10] = x.HealthCheckNodePort != 0
 			var yynn2 int
 			if yyr2 || yy2arr2 {
-				r.EncodeArrayStart(9)
+				r.EncodeArrayStart(11)
 			} else {
 				yynn2 = 0
 				for _, b := range yyq2 {
@@ -42064,6 +42092,46 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 					}
 				}
 			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[9] {
+					x.ExternalTrafficPolicy.CodecEncodeSelf(e)
+				} else {
+					r.EncodeString(codecSelferC_UTF81234, "")
+				}
+			} else {
+				if yyq2[9] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("externalTrafficPolicy"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					x.ExternalTrafficPolicy.CodecEncodeSelf(e)
+				}
+			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[10] {
+					yym34 := z.EncBinary()
+					_ = yym34
+					if false {
+					} else {
+						r.EncodeInt(int64(x.HealthCheckNodePort))
+					}
+				} else {
+					r.EncodeInt(0)
+				}
+			} else {
+				if yyq2[10] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("healthCheckNodePort"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					yym35 := z.EncBinary()
+					_ = yym35
+					if false {
+					} else {
+						r.EncodeInt(int64(x.HealthCheckNodePort))
+					}
+				}
+			}
 			if yyr2 || yy2arr2 {
 				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 			} else {
@@ -42223,6 +42291,25 @@ func (x *ServiceSpec) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
 					*((*string)(yyv18)) = r.DecodeString()
 				}
 			}
+		case "externalTrafficPolicy":
+			if r.TryDecodeAsNil() {
+				x.ExternalTrafficPolicy = ""
+			} else {
+				yyv20 := &x.ExternalTrafficPolicy
+				yyv20.CodecDecodeSelf(d)
+			}
+		case "healthCheckNodePort":
+			if r.TryDecodeAsNil() {
+				x.HealthCheckNodePort = 0
+			} else {
+				yyv21 := &x.HealthCheckNodePort
+				yym22 := z.DecBinary()
+				_ = yym22
+				if false {
+				} else {
+					*((*int32)(yyv21)) = int32(r.DecodeInt(32))
+				}
+			}
 		default:
 			z.DecStructFieldNotFound(-1, yys3)
 		} // end switch yys3
@@ -42234,16 +42321,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
-	var yyj20 int
+	var yyj23 int
-	var yyb20 bool
+	var yyb23 bool
-	var yyhl20 bool = l >= 0
+	var yyhl23 bool = l >= 0
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42251,21 +42338,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Ports = nil
 	} else {
-		yyv21 := &x.Ports
+		yyv24 := &x.Ports
-		yym22 := z.DecBinary()
+		yym25 := z.DecBinary()
-		_ = yym22
+		_ = yym25
 		if false {
 		} else {
-			h.decSliceServicePort((*[]ServicePort)(yyv21), d)
+			h.decSliceServicePort((*[]ServicePort)(yyv24), d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42273,21 +42360,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Selector = nil
 	} else {
-		yyv23 := &x.Selector
+		yyv26 := &x.Selector
-		yym24 := z.DecBinary()
+		yym27 := z.DecBinary()
-		_ = yym24
+		_ = yym27
 		if false {
 		} else {
-			z.F.DecMapStringStringX(yyv23, false, d)
+			z.F.DecMapStringStringX(yyv26, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42295,21 +42382,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ClusterIP = ""
 	} else {
-		yyv25 := &x.ClusterIP
+		yyv28 := &x.ClusterIP
-		yym26 := z.DecBinary()
+		yym29 := z.DecBinary()
-		_ = yym26
+		_ = yym29
 		if false {
 		} else {
-			*((*string)(yyv25)) = r.DecodeString()
+			*((*string)(yyv28)) = r.DecodeString()
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42317,16 +42404,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Type = ""
 	} else {
-		yyv27 := &x.Type
+		yyv30 := &x.Type
-		yyv27.CodecDecodeSelf(d)
+		yyv30.CodecDecodeSelf(d)
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42334,21 +42421,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ExternalIPs = nil
 	} else {
-		yyv28 := &x.ExternalIPs
+		yyv31 := &x.ExternalIPs
-		yym29 := z.DecBinary()
+		yym32 := z.DecBinary()
-		_ = yym29
+		_ = yym32
 		if false {
 		} else {
-			z.F.DecSliceStringX(yyv28, false, d)
+			z.F.DecSliceStringX(yyv31, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42356,16 +42443,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.SessionAffinity = ""
 	} else {
-		yyv30 := &x.SessionAffinity
+		yyv33 := &x.SessionAffinity
-		yyv30.CodecDecodeSelf(d)
+		yyv33.CodecDecodeSelf(d)
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42373,21 +42460,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.LoadBalancerIP = ""
 	} else {
-		yyv31 := &x.LoadBalancerIP
+		yyv34 := &x.LoadBalancerIP
-		yym32 := z.DecBinary()
+		yym35 := z.DecBinary()
-		_ = yym32
+		_ = yym35
 		if false {
 		} else {
-			*((*string)(yyv31)) = r.DecodeString()
+			*((*string)(yyv34)) = r.DecodeString()
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42395,21 +42482,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.LoadBalancerSourceRanges = nil
 	} else {
-		yyv33 := &x.LoadBalancerSourceRanges
+		yyv36 := &x.LoadBalancerSourceRanges
-		yym34 := z.DecBinary()
+		yym37 := z.DecBinary()
-		_ = yym34
+		_ = yym37
 		if false {
 		} else {
-			z.F.DecSliceStringX(yyv33, false, d)
+			z.F.DecSliceStringX(yyv36, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42417,26 +42504,65 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ExternalName = ""
 	} else {
-		yyv35 := &x.ExternalName
+		yyv38 := &x.ExternalName
-		yym36 := z.DecBinary()
+		yym39 := z.DecBinary()
-		_ = yym36
+		_ = yym39
 		if false {
 		} else {
-			*((*string)(yyv35)) = r.DecodeString()
+			*((*string)(yyv38)) = r.DecodeString()
+		}
+	}
+	yyj23++
+	if yyhl23 {
+		yyb23 = yyj23 > l
+	} else {
+		yyb23 = r.CheckBreak()
+	}
+	if yyb23 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.ExternalTrafficPolicy = ""
+	} else {
+		yyv40 := &x.ExternalTrafficPolicy
+		yyv40.CodecDecodeSelf(d)
+	}
+	yyj23++
+	if yyhl23 {
+		yyb23 = yyj23 > l
+	} else {
+		yyb23 = r.CheckBreak()
+	}
+	if yyb23 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.HealthCheckNodePort = 0
+	} else {
+		yyv41 := &x.HealthCheckNodePort
+		yym42 := z.DecBinary()
+		_ = yym42
+		if false {
+		} else {
+			*((*int32)(yyv41)) = int32(r.DecodeInt(32))
 		}
 	}
 	for {
-		yyj20++
+		yyj23++
-		if yyhl20 {
+		if yyhl23 {
-			yyb20 = yyj20 > l
+			yyb23 = yyj23 > l
 		} else {
-			yyb20 = r.CheckBreak()
+			yyb23 = r.CheckBreak()
 		}
-		if yyb20 {
+		if yyb23 {
 			break
 		}
 		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-		z.DecStructFieldNotFound(yyj20-1, "")
+		z.DecStructFieldNotFound(yyj23-1, "")
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 }
@@ -71379,7 +71505,7 @@ func (x codecSelfer1234) decSliceService(v *[]Service, d *codec1978.Decoder) {
 
 			yyrg1 := len(yyv1) > 0
 			yyv21 := yyv1
-			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 440)
+			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 464)
 			if yyrt1 {
 				if yyrl1 <= cap(yyv1) {
 					yyv1 = yyv1[:yyrl1]

pkg/api/v1/types.go

@@ -2792,6 +2792,16 @@ const (
 	ServiceTypeExternalName ServiceType = "ExternalName"
 )
 
+// Service External Traffic Policy Type string
+type ServiceExternalTrafficPolicyType string
+
+const (
+	// ServiceExternalTrafficPolicyTypeLocal specifies local endpoints behavior.
+	ServiceExternalTrafficPolicyTypeLocal ServiceExternalTrafficPolicyType = "Local"
+	// ServiceExternalTrafficPolicyTypeGlobal specifies global (legacy) behavior.
+	ServiceExternalTrafficPolicyTypeGlobal ServiceExternalTrafficPolicyType = "Global"
+)
+
 // ServiceStatus represents the current status of a service.
 type ServiceStatus struct {
 	// LoadBalancer contains the current status of the load-balancer,
@@ -2904,6 +2914,20 @@ type ServiceSpec struct {
 	// Must be a valid DNS name and requires Type to be ExternalName.
 	// +optional
 	ExternalName string `json:"externalName,omitempty" protobuf:"bytes,10,opt,name=externalName"`
+
+	// externalTrafficPolicy denotes if this Service desires to route external traffic to
+	// local endpoints only. This preserves Source IP and avoids a second hop for
+	// LoadBalancer and Nodeport type services.
+	// +optional
+	ExternalTrafficPolicy ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy,omitempty" protobuf:"bytes,11,opt,name=externalTrafficPolicy"`
+
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// If not specified, HealthCheckNodePort is created by the service api
+	// backend with the allocated nodePort. Will use user-specified nodePort value
+	// if specified by the client. Only effects when Type is set to LoadBalancer
+	// and ExternalTrafficPolicy is set to Local.
+	// +optional
+	HealthCheckNodePort int32 `json:"healthCheckNodePort,omitempty" protobuf:"bytes,12,opt,name=healthCheckNodePort"`
 }
 
 // ServicePort contains information on service's port.

pkg/api/v1/types_swagger_doc_generated.go

@@ -1844,6 +1844,8 @@ var map_ServiceSpec = map[string]string{
 	"loadBalancerIP":           "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.",
 	"loadBalancerSourceRanges": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: http://kubernetes.io/docs/user-guide/services-firewalls",
 	"externalName":             "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName.",
+	"externalTrafficPolicy":    "externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services.",
+	"healthCheckNodePort":      "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.",
 }
 
 func (ServiceSpec) SwaggerDoc() map[string]string {

pkg/api/v1/zz_generated.conversion.go

@@ -4721,6 +4721,8 @@ func autoConvert_v1_ServiceSpec_To_api_ServiceSpec(in *ServiceSpec, out *api.Ser
 	out.LoadBalancerIP = in.LoadBalancerIP
 	out.LoadBalancerSourceRanges = *(*[]string)(unsafe.Pointer(&in.LoadBalancerSourceRanges))
 	out.ExternalName = in.ExternalName
+	out.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyType(in.ExternalTrafficPolicy)
+	out.HealthCheckNodePort = in.HealthCheckNodePort
 	return nil
 }
 
@@ -4739,6 +4741,8 @@ func autoConvert_api_ServiceSpec_To_v1_ServiceSpec(in *api.ServiceSpec, out *Ser
 	out.LoadBalancerIP = in.LoadBalancerIP
 	out.SessionAffinity = ServiceAffinity(in.SessionAffinity)
 	out.LoadBalancerSourceRanges = *(*[]string)(unsafe.Pointer(&in.LoadBalancerSourceRanges))
+	out.ExternalTrafficPolicy = ServiceExternalTrafficPolicyType(in.ExternalTrafficPolicy)
+	out.HealthCheckNodePort = in.HealthCheckNodePort
 	return nil
 }
 

pkg/api/validation/validation.go

@@ -2742,7 +2742,8 @@ func ValidateService(service *api.Service) field.ErrorList {
 		}
 	}
 
-	allErrs = append(allErrs, validateServiceExternalTrafficFields(service)...)
+	allErrs = append(allErrs, validateServiceExternalTrafficFieldsValue(service)...)
+	allErrs = append(allErrs, validateServiceExternalTrafficAPIVersion(service)...)
 
 	return allErrs
 }
@@ -2785,61 +2786,68 @@ func validateServicePort(sp *api.ServicePort, requireName, isHeadlessService boo
 	return allErrs
 }
 
-// validateServiceExternalTrafficFields validates ExternalTraffic related annotations
+// validateServiceExternalTrafficFieldsValue validates ExternalTraffic related annotations
 // have legal value.
-func validateServiceExternalTrafficFields(service *api.Service) field.ErrorList {
+func validateServiceExternalTrafficFieldsValue(service *api.Service) field.ErrorList {
 	allErrs := field.ErrorList{}
 
-	for _, annotation := range []string{apiservice.AlphaAnnotationExternalTraffic, apiservice.BetaAnnotationExternalTraffic} {
+	// Check beta annotations.
-		if l, ok := service.Annotations[annotation]; ok {
+	if l, ok := service.Annotations[apiservice.BetaAnnotationExternalTraffic]; ok {
-			if l != apiservice.AnnotationValueExternalTrafficLocal &&
+		if l != apiservice.AnnotationValueExternalTrafficLocal &&
-				l != apiservice.AnnotationValueExternalTrafficGlobal {
+			l != apiservice.AnnotationValueExternalTrafficGlobal {
-				allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(annotation), l,
+			allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationExternalTraffic), l,
-					fmt.Sprintf("ExternalTraffic must be %v or %v", apiservice.AnnotationValueExternalTrafficLocal, apiservice.AnnotationValueExternalTrafficGlobal)))
+				fmt.Sprintf("ExternalTraffic must be %v or %v", apiservice.AnnotationValueExternalTrafficLocal, apiservice.AnnotationValueExternalTrafficGlobal)))
-			}
 		}
 	}
-	for _, annotation := range []string{apiservice.AlphaAnnotationHealthCheckNodePort, apiservice.BetaAnnotationHealthCheckNodePort} {
+	if l, ok := service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]; ok {
-		if l, ok := service.Annotations[annotation]; ok {
+		p, err := strconv.Atoi(l)
-			p, err := strconv.Atoi(l)
+		if err != nil {
-			if err != nil {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationHealthCheckNodePort), l,
-				allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(annotation), l,
+				"HealthCheckNodePort must be a valid port number"))
-					"HealthCheckNodePort must be a valid port number"))
+		} else if p <= 0 {
-			} else if p <= 0 {
+			allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationHealthCheckNodePort), l,
-				allErrs = append(allErrs, field.Invalid(field.NewPath("metadata", "annotations").Key(annotation), l,
+				"HealthCheckNodePort must be greater than 0"))
-					"HealthCheckNodePort must be greater than 0"))
-			}
 		}
 	}
 
-	allErrs = append(allErrs, validateServiceExternalTrafficAPIVersion(service)...)
+	// Check first class fields.
+	if service.Spec.ExternalTrafficPolicy != "" &&
+		service.Spec.ExternalTrafficPolicy != api.ServiceExternalTrafficPolicyTypeGlobal &&
+		service.Spec.ExternalTrafficPolicy != api.ServiceExternalTrafficPolicyTypeLocal {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("externalTrafficPolicy"), service.Spec.ExternalTrafficPolicy,
+			fmt.Sprintf("ExternalTrafficPolicy must be empty, %v or %v", api.ServiceExternalTrafficPolicyTypeGlobal, api.ServiceExternalTrafficPolicyTypeLocal)))
+	}
+	if service.Spec.HealthCheckNodePort < 0 {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec").Child("healthCheckNodePort"), service.Spec.HealthCheckNodePort,
+			"HealthCheckNodePort must be not less than 0"))
+	}
 
 	return allErrs
 }
 
 // serviceExternalTrafficStatus stores flags indicating whether ExternalTraffic
-// related beta annotations and alpha annotations are set on service.
+// related beta annotations and GA fields are set on service.
 type serviceExternalTrafficStatus struct {
-	alphaExternalTrafficIsSet bool
+	betaExternalTrafficIsSet bool
-	alphaHealthCheckIsSet     bool
+	betaHealthCheckIsSet     bool
-	betaExternalTrafficIsSet  bool
+	gaExternalTrafficIsSet   bool
-	betaHealthCheckIsSet      bool
+	gaHealthCheckIsSet       bool
 }
 
-func (s *serviceExternalTrafficStatus) useAlphaExternalTrafficWithBeta() bool {
+func (s *serviceExternalTrafficStatus) useBetaExternalTrafficWithGA() bool {
-	return s.alphaExternalTrafficIsSet && (s.betaExternalTrafficIsSet || s.betaHealthCheckIsSet)
+	return s.betaExternalTrafficIsSet && (s.gaExternalTrafficIsSet || s.gaHealthCheckIsSet)
 }
 
-func (s *serviceExternalTrafficStatus) useAlphaHealthCheckWithBeta() bool {
+func (s *serviceExternalTrafficStatus) useBetaHealthCheckWithGA() bool {
-	return s.alphaHealthCheckIsSet && (s.betaExternalTrafficIsSet || s.betaHealthCheckIsSet)
+	return s.betaHealthCheckIsSet && (s.gaExternalTrafficIsSet || s.gaHealthCheckIsSet)
 }
 
 func getServiceExternalTrafficStatus(service *api.Service) *serviceExternalTrafficStatus {
 	s := serviceExternalTrafficStatus{}
-	_, s.alphaExternalTrafficIsSet = service.Annotations[apiservice.AlphaAnnotationExternalTraffic]
-	_, s.alphaHealthCheckIsSet = service.Annotations[apiservice.AlphaAnnotationHealthCheckNodePort]
 	_, s.betaExternalTrafficIsSet = service.Annotations[apiservice.BetaAnnotationExternalTraffic]
 	_, s.betaHealthCheckIsSet = service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]
+	s.gaExternalTrafficIsSet = service.Spec.ExternalTrafficPolicy != ""
+	s.gaHealthCheckIsSet = service.Spec.HealthCheckNodePort != 0
 	return &s
 }
 
@@ -2850,16 +2858,39 @@ func validateServiceExternalTrafficAPIVersion(service *api.Service) field.ErrorL
 
 	status := getServiceExternalTrafficStatus(service)
 
-	if status.useAlphaExternalTrafficWithBeta() {
+	if status.useBetaExternalTrafficWithGA() {
-		fieldPath := field.NewPath("metadata", "annotations").Key(apiservice.AlphaAnnotationExternalTraffic)
+		fieldPath := field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationExternalTraffic)
-		msg := fmt.Sprintf("please replace the alpha annotation with beta annotation")
+		msg := fmt.Sprintf("please replace the beta annotation with 'ExternalTrafficPolicy' field")
-		allErrs = append(allErrs, field.Invalid(fieldPath, apiservice.AlphaAnnotationExternalTraffic, msg))
+		allErrs = append(allErrs, field.Invalid(fieldPath, apiservice.BetaAnnotationExternalTraffic, msg))
 	}
 
-	if status.useAlphaHealthCheckWithBeta() {
+	if status.useBetaHealthCheckWithGA() {
-		fieldPath := field.NewPath("metadata", "annotations").Key(apiservice.AlphaAnnotationHealthCheckNodePort)
+		fieldPath := field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationHealthCheckNodePort)
-		msg := fmt.Sprintf("please replace the alpha annotation with beta annotation")
+		msg := fmt.Sprintf("please replace the beta annotation with 'HealthCheckNodePort' field")
-		allErrs = append(allErrs, field.Invalid(fieldPath, apiservice.AlphaAnnotationHealthCheckNodePort, msg))
+		allErrs = append(allErrs, field.Invalid(fieldPath, apiservice.BetaAnnotationHealthCheckNodePort, msg))
+	}
+
+	return allErrs
+}
+
+// ValidateServiceExternalTrafficFieldsCombination validates if ExternalTrafficPolicy,
+// HealthCheckNodePort and Type combination are legal. For update, it should be called
+// after clearing externalTraffic related fields for the ease of transitioning between
+// different service types.
+func ValidateServiceExternalTrafficFieldsCombination(service *api.Service) field.ErrorList {
+	allErrs := field.ErrorList{}
+
+	if service.Spec.Type != api.ServiceTypeLoadBalancer &&
+		service.Spec.Type != api.ServiceTypeNodePort &&
+		service.Spec.ExternalTrafficPolicy != "" {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "externalTrafficPolicy"), service.Spec.ExternalTrafficPolicy,
+			"ExternalTrafficPolicy can only be set on NodePort and LoadBalancer service"))
+	}
+
+	if !apiservice.NeedsHealthCheck(service) &&
+		service.Spec.HealthCheckNodePort != 0 {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("spec", "healthCheckNodePort"), service.Spec.HealthCheckNodePort,
+			"HealthCheckNodePort can only be set on LoadBalancer service with ExternalTrafficPolicy=Local"))
 	}
 
 	return allErrs

pkg/api/validation/validation_test.go

@@ -5656,9 +5656,19 @@ func TestValidateService(t *testing.T) {
 			numErrs: 1,
 		},
 		{
-			name: "LoadBalancer allows onlyLocal alpha annotations",
+			name: "invalid node port with clusterIP None",
 			tweakSvc: func(s *api.Service) {
-				s.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				s.Spec.Type = api.ServiceTypeNodePort
+				s.Spec.Ports = append(s.Spec.Ports, api.ServicePort{Name: "q", Port: 1, Protocol: "TCP", NodePort: 1, TargetPort: intstr.FromInt(1)})
+				s.Spec.ClusterIP = "None"
+			},
+			numErrs: 1,
+		},
+		// ESIPP section begins.
+		{
+			name: "LoadBalancer allows onlyLocal beta annotations",
+			tweakSvc: func(s *api.Service) {
+				s.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
 			},
 			numErrs: 0,
 		},
@@ -5689,14 +5699,68 @@ func TestValidateService(t *testing.T) {
 			numErrs: 1,
 		},
 		{
-			name: "invalid node port with clusterIP None",
+			name: "valid healthCheckNodePort beta annotation",
 			tweakSvc: func(s *api.Service) {
-				s.Spec.Type = api.ServiceTypeNodePort
+				s.Spec.Type = api.ServiceTypeLoadBalancer
-				s.Spec.Ports = append(s.Spec.Ports, api.ServicePort{Name: "q", Port: 1, Protocol: "TCP", NodePort: 1, TargetPort: intstr.FromInt(1)})
+				s.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
-				s.Spec.ClusterIP = "None"
+				s.Annotations[service.BetaAnnotationHealthCheckNodePort] = "31100"
+			},
+			numErrs: 0,
+		},
+		{
+			name: "invalid externalTraffic field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = "invalid"
 			},
 			numErrs: 1,
 		},
+		{
+			name: "nagative healthCheckNodePort field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Spec.HealthCheckNodePort = -1
+			},
+			numErrs: 1,
+		},
+		{
+			name: "nagative healthCheckNodePort field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Spec.HealthCheckNodePort = 31100
+			},
+			numErrs: 0,
+		},
+		{
+			name: "disallows use ExternalTraffic beta annotation with first class field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				s.Spec.HealthCheckNodePort = 3001
+			},
+			numErrs: 1,
+		},
+		{
+			name: "disallows duplicated ExternalTraffic beta annotation with first class field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+			},
+			numErrs: 1,
+		},
+		{
+			name: "disallows use HealthCheckNodePort beta annotation with first class field",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Annotations[service.BetaAnnotationHealthCheckNodePort] = "3001"
+			},
+			numErrs: 1,
+		},
+		// ESIPP section ends.
 	}
 
 	for _, tc := range testCases {
@@ -5709,6 +5773,75 @@ func TestValidateService(t *testing.T) {
 	}
 }
 
+func TestValidateServiceExternalTrafficFieldsCombination(t *testing.T) {
+	testCases := []struct {
+		name     string
+		tweakSvc func(svc *api.Service) // Given a basic valid service, each test case can customize it.
+		numErrs  int
+	}{
+		{
+			name: "valid loadBalancer service with externalTrafficPolicy and healthCheckNodePort set",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Spec.HealthCheckNodePort = 34567
+			},
+			numErrs: 0,
+		},
+		{
+			name: "valid nodePort service with externalTrafficPolicy set",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeNodePort
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+			},
+			numErrs: 0,
+		},
+		{
+			name: "valid clusterIP service with none of externalTrafficPolicy and healthCheckNodePort set",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeClusterIP
+			},
+			numErrs: 0,
+		},
+		{
+			name: "cannot set healthCheckNodePort field on loadBalancer service with externalTrafficPolicy!=Local",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeLoadBalancer
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeGlobal
+				s.Spec.HealthCheckNodePort = 34567
+			},
+			numErrs: 1,
+		},
+		{
+			name: "cannot set healthCheckNodePort field on nodePort service",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeNodePort
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Spec.HealthCheckNodePort = 34567
+			},
+			numErrs: 1,
+		},
+		{
+			name: "cannot set externalTrafficPolicy or healthCheckNodePort fields on clusterIP service",
+			tweakSvc: func(s *api.Service) {
+				s.Spec.Type = api.ServiceTypeClusterIP
+				s.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				s.Spec.HealthCheckNodePort = 34567
+			},
+			numErrs: 2,
+		},
+	}
+
+	for _, tc := range testCases {
+		svc := makeValidService()
+		tc.tweakSvc(&svc)
+		errs := ValidateServiceExternalTrafficFieldsCombination(&svc)
+		if len(errs) != tc.numErrs {
+			t.Errorf("Unexpected error list for case %q: %v", tc.name, errs.ToAggregate())
+		}
+	}
+}
+
 func TestValidateReplicationControllerStatus(t *testing.T) {
 	tests := []struct {
 		name string
@@ -7088,40 +7221,46 @@ func TestValidateServiceUpdate(t *testing.T) {
 			numErrs: 1,
 		},
 		{
-			name: "Service allows removing onlyLocal alpha annotations",
+			name: "Service allows removing onlyLocal beta annotations",
 			tweakSvc: func(oldSvc, newSvc *api.Service) {
-				oldSvc.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				oldSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
-				oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = "3001"
+				oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = "3001"
 			},
 			numErrs: 0,
 		},
 		{
-			name: "Service allows modifying onlyLocal alpha annotations",
+			name: "Service allows modifying onlyLocal beta annotations",
 			tweakSvc: func(oldSvc, newSvc *api.Service) {
-				oldSvc.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				oldSvc.Spec.Type = api.ServiceTypeLoadBalancer
-				oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = "3001"
+				oldSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
-				newSvc.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficGlobal
+				oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = "3001"
-				newSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort]
+				newSvc.Spec.Type = api.ServiceTypeLoadBalancer
-			},
-			numErrs: 0,
-		},
-		{
-			name: "Service disallows promoting one of the onlyLocal pair to beta",
-			tweakSvc: func(oldSvc, newSvc *api.Service) {
-				oldSvc.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
-				oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = "3001"
 				newSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficGlobal
-				newSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort]
+				newSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort]
+			},
+			numErrs: 0,
+		},
+		{
+			name: "Service disallows promoting one of the onlyLocal pair to GA",
+			tweakSvc: func(oldSvc, newSvc *api.Service) {
+				oldSvc.Spec.Type = api.ServiceTypeLoadBalancer
+				oldSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = "3001"
+				newSvc.Spec.Type = api.ServiceTypeLoadBalancer
+				newSvc.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				newSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort]
 			},
 			numErrs: 1,
 		},
 		{
-			name: "Service allows changing both onlyLocal annotations from alpha to beta",
+			name: "Service allows changing both onlyLocal annotations from beta to GA",
 			tweakSvc: func(oldSvc, newSvc *api.Service) {
-				oldSvc.Annotations[service.AlphaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				oldSvc.Spec.Type = api.ServiceTypeLoadBalancer
-				oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort] = "3001"
+				oldSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
-				newSvc.Annotations[service.BetaAnnotationExternalTraffic] = service.AnnotationValueExternalTrafficLocal
+				oldSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = "3001"
-				newSvc.Annotations[service.BetaAnnotationHealthCheckNodePort] = oldSvc.Annotations[service.AlphaAnnotationHealthCheckNodePort]
+				newSvc.Spec.Type = api.ServiceTypeLoadBalancer
+				newSvc.Spec.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyTypeLocal
+				newSvc.Spec.HealthCheckNodePort = 3001
 			},
 			numErrs: 0,
 		},

pkg/cloudprovider/providers/azure/azure_test.go

@@ -66,10 +66,8 @@ func TestReconcileLoadBalancerAddPort(t *testing.T) {
 func TestReconcileLoadBalancerNodeHealth(t *testing.T) {
 	az := getTestCloud()
 	svc := getTestService("servicea", v1.ProtocolTCP, 80)
-	svc.Annotations = map[string]string{
+	svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeLocal
-		serviceapi.BetaAnnotationExternalTraffic:     serviceapi.AnnotationValueExternalTrafficLocal,
+	svc.Spec.HealthCheckNodePort = int32(32456)
-		serviceapi.BetaAnnotationHealthCheckNodePort: "32456",
-	}
 	configProperties := getTestPublicFipConfigurationProperties()
 	lb := getTestLoadBalancer()
 

pkg/cloudprovider/providers/gce/gce_loadbalancer.go

@@ -311,9 +311,9 @@ func (gce *GCECloud) EnsureLoadBalancer(clusterName string, apiService *v1.Servi
 	}
 
 	// Ensure health checks are created for this target pool to pass to createTargetPool for health check links
-	// Alternately, if the annotation on the service was removed, we need to recreate the target pool without
+	// Alternately, if the service has ExternalTrafficPolicy field set from Local to Global, we need to recreate
-	// health checks. This needs to be prior to the forwarding rule deletion below otherwise it is not possible
+	// the target pool without health checks. This needs to be prior to the forwarding rule deletion below otherwise
-	// to delete just the target pool or http health checks later.
+	// it is not possible to delete just the target pool or http health checks later.
 	var hcToCreate *compute.HttpHealthCheck
 	hcExisting, err := gce.GetHttpHealthCheck(loadBalancerName)
 	if err != nil && !isHTTPErrorCode(err, http.StatusNotFound) {
@@ -325,7 +325,7 @@ func (gce *GCECloud) EnsureLoadBalancer(clusterName string, apiService *v1.Servi
 			// This logic exists to detect a transition for a pre-existing service and turn on
 			// the tpNeedsUpdate flag to delete/recreate fwdrule/tpool adding the health check
 			// to the target pool.
-			glog.V(2).Infof("Annotation external-traffic=OnlyLocal added to new or pre-existing service")
+			glog.V(2).Infof("ExternalTrafficPolicy field set to Local on new or pre-existing service")
 			tpNeedsUpdate = true
 		}
 		hcToCreate, err = gce.ensureHttpHealthCheck(loadBalancerName, path, healthCheckNodePort)

pkg/features/kube_features.go

@@ -98,7 +98,7 @@ func init() {
 // To add a new feature, define a key for it above and add it here. The features will be
 // available throughout Kubernetes binaries.
 var defaultKubernetesFeatureGates = map[utilfeature.Feature]utilfeature.FeatureSpec{
-	ExternalTrafficLocalOnly:                    {Default: true, PreRelease: utilfeature.Beta},
+	ExternalTrafficLocalOnly:                    {Default: true, PreRelease: utilfeature.GA},
 	AppArmor:                                    {Default: true, PreRelease: utilfeature.Beta},
 	DynamicKubeletConfig:                        {Default: false, PreRelease: utilfeature.Alpha},
 	DynamicVolumeProvisioning:                   {Default: true, PreRelease: utilfeature.Alpha},

pkg/proxy/iptables/proxier.go

@@ -1055,7 +1055,7 @@ func (proxier *Proxier) syncProxyRules() {
 
 		svcXlbChain := serviceLBChainName(svcNameString, protocol)
 		if svcInfo.onlyNodeLocalEndpoints {
-			// Only for services with the externalTraffic annotation set to OnlyLocal
+			// Only for services request OnlyLocal traffic
 			// create the per-service LB chain, retaining counters if possible.
 			if lbChain, ok := existingNATChains[svcXlbChain]; ok {
 				writeLine(natChains, lbChain)
@@ -1371,7 +1371,7 @@ func (proxier *Proxier) syncProxyRules() {
 			continue
 		}
 
-		// Now write ingress loadbalancing & DNAT rules only for services that have a localOnly annotation
+		// Now write ingress loadbalancing & DNAT rules only for services that request OnlyLocal traffic.
 		// TODO - This logic may be combinable with the block above that creates the svc balancer chain
 		localEndpoints := make([]*endpointsInfo, 0)
 		localEndpointChains := make([]utiliptables.Chain, 0)

pkg/registry/core/service/rest.go

@@ -162,32 +162,16 @@ func (rs *REST) Create(ctx genericapirequest.Context, obj runtime.Object) (runti
 		}
 	}
 
-	if shouldCheckOrAssignHealthCheckNodePort(service) {
+	// Handle ExternalTraiffc related fields during service creation.
-		var healthCheckNodePort int
+	if utilfeature.DefaultFeatureGate.Enabled(features.ExternalTrafficLocalOnly) {
-		var err error
+		apiservice.SetDefaultExternalTrafficPolicyIfNeeded(service)
-		if l, ok := service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]; ok {
+		if apiservice.NeedsHealthCheck(service) {
-			healthCheckNodePort, err = strconv.Atoi(l)
+			if err := rs.allocateHealthCheckNodePort(service); err != nil {
-			if err != nil || healthCheckNodePort <= 0 {
+				return nil, errors.NewInternalError(err)
-				return nil, errors.NewInternalError(fmt.Errorf("Failed to parse annotation %v: %v", apiservice.BetaAnnotationHealthCheckNodePort, err))
 			}
 		}
-		if healthCheckNodePort > 0 {
+		if errs := validation.ValidateServiceExternalTrafficFieldsCombination(service); len(errs) > 0 {
-			// If the request has a health check nodePort in mind, attempt to reserve it
+			return nil, errors.NewInvalid(api.Kind("Service"), service.Name, errs)
-			err := nodePortOp.Allocate(int(healthCheckNodePort))
-			if err != nil {
-				return nil, errors.NewInternalError(fmt.Errorf("Failed to allocate requested HealthCheck nodePort %v: %v", healthCheckNodePort, err))
-			}
-		} else {
-			// If the request has no health check nodePort specified, allocate any
-			healthCheckNodePort, err = nodePortOp.AllocateNext()
-			if err != nil {
-				// TODO: what error should be returned here?  It's not a
-				// field-level validation failure (the field is valid), and it's
-				// not really an internal error.
-				return nil, errors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %v", err))
-			}
-			// Insert the newly allocated health check port as an annotation (plan of record for Alpha)
-			service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort] = fmt.Sprintf("%d", healthCheckNodePort)
 		}
 	}
 
@@ -239,13 +223,14 @@ func (rs *REST) Delete(ctx genericapirequest.Context, id string) (runtime.Object
 		}
 	}
 
-	if shouldCheckOrAssignHealthCheckNodePort(service) {
+	if utilfeature.DefaultFeatureGate.Enabled(features.ExternalTrafficLocalOnly) &&
+		apiservice.NeedsHealthCheck(service) {
 		nodePort := apiservice.GetServiceHealthCheckNodePort(service)
 		if nodePort > 0 {
 			err := rs.serviceNodePorts.Release(int(nodePort))
 			if err != nil {
 				// these should be caught by an eventual reconciliation / restart
-				utilruntime.HandleError(fmt.Errorf("Error releasing service health check %s node port %d: %v", service.Name, nodePort, err))
+				utilruntime.HandleError(fmt.Errorf("Error releasing service %s health check node port %d: %v", service.Name, nodePort, err))
 			}
 		}
 	}
@@ -280,92 +265,70 @@ func (*REST) NewList() runtime.Object {
 	return &api.ServiceList{}
 }
 
+// externalTrafficPolicyUpdate adjusts ExternalTrafficPolicy during service update if needed.
+// It is necessary because we default ExternalTrafficPolicy field to different values.
+// (NodePort / LoadBalancer: default is Global; Other types: default is empty.)
+func externalTrafficPolicyUpdate(oldService, service *api.Service) {
+	var neededExternalTraffic, needsExternalTraffic bool
+	if oldService.Spec.Type == api.ServiceTypeNodePort ||
+		oldService.Spec.Type == api.ServiceTypeLoadBalancer {
+		neededExternalTraffic = true
+	}
+	if service.Spec.Type == api.ServiceTypeNodePort ||
+		service.Spec.Type == api.ServiceTypeLoadBalancer {
+		needsExternalTraffic = true
+	}
+	if neededExternalTraffic && !needsExternalTraffic {
+		// Clear ExternalTrafficPolicy to prevent confusion from ineffective field.
+		apiservice.ClearExternalTrafficPolicy(service)
+	}
+}
+
+// healthCheckNodePortUpdate handles HealthCheckNodePort allocation/release
+// and adjusts HealthCheckNodePort during service update if needed.
 func (rs *REST) healthCheckNodePortUpdate(oldService, service *api.Service) (bool, error) {
-	// Health Check Node Port handling during updates
+	neededHealthCheckNodePort := apiservice.NeedsHealthCheck(oldService)
-	//
-	// Case 1. Transition from globalTraffic to OnlyLocal for the ESIPP annotation
-	//
-	//   Allocate a health check node port or attempt to reserve the user-specified one, if provided.
-	//   Insert health check node port as an annotation into the service's annotations
-	//
-	// Case 2. Transition from OnlyLocal to Global for the ESIPP annotation
-	//
-	//   Free the existing healthCheckNodePort and clear the health check nodePort annotation
-	//
-	// Case 3. No change (Global ---stays--> Global) but prevent invalid annotation manipulations
-	//
-	//   Reject insertion of the "service.alpha.kubernetes.io/healthcheck-nodeport" annotation
-	//
-	// Case 4. No change (OnlyLocal ---stays--> OnlyLocal) but prevent invalid annotation manipulations
-	//
-	//   Reject deletion of the "service.alpha.kubernetes.io/healthcheck-nodeport" annotation
-	//   Reject changing the value of the healthCheckNodePort annotation
-	//
-	oldServiceHasHealthCheckNodePort := shouldCheckOrAssignHealthCheckNodePort(oldService)
 	oldHealthCheckNodePort := apiservice.GetServiceHealthCheckNodePort(oldService)
 
-	assignHealthCheckNodePort := shouldCheckOrAssignHealthCheckNodePort(service)
+	needsHealthCheckNodePort := apiservice.NeedsHealthCheck(service)
-	requestedHealthCheckNodePort := apiservice.GetServiceHealthCheckNodePort(service)
+	newHealthCheckNodePort := apiservice.GetServiceHealthCheckNodePort(service)
 
 	switch {
-	case !oldServiceHasHealthCheckNodePort && assignHealthCheckNodePort:
+	// Case 1: Transition from don't need HealthCheckNodePort to needs HealthCheckNodePort.
-		glog.Infof("Transition from Global LB service to OnlyLocal service")
+	// Allocate a health check node port or attempt to reserve the user-specified one if provided.
-		if requestedHealthCheckNodePort > 0 {
+	// Insert health check node port into the service's HealthCheckNodePort field if needed.
-			// If the request has a health check nodePort in mind, attempt to reserve it
+	case !neededHealthCheckNodePort && needsHealthCheckNodePort:
-			err := rs.serviceNodePorts.Allocate(int(requestedHealthCheckNodePort))
+		glog.Infof("Transition to LoadBalancer type service with ExternalTrafficPolicy=Local")
-			if err != nil {
+		if err := rs.allocateHealthCheckNodePort(service); err != nil {
-				errmsg := fmt.Sprintf("Failed to allocate requested HealthCheck nodePort %v:%v",
+			return false, errors.NewInternalError(err)
-					requestedHealthCheckNodePort, err)
-				el := field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"),
-					apiservice.BetaAnnotationHealthCheckNodePort, errmsg)}
-				return false, errors.NewInvalid(api.Kind("Service"), service.Name, el)
-			}
-			glog.Infof("Reserved user requested nodePort: %d", requestedHealthCheckNodePort)
-		} else {
-			// If the request has no health check nodePort specified, allocate any
-			healthCheckNodePort, err := rs.serviceNodePorts.AllocateNext()
-			if err != nil {
-				// TODO: what error should be returned here?  It's not a
-				// field-level validation failure (the field is valid), and it's
-				// not really an internal error.
-				return false, errors.NewInternalError(fmt.Errorf("failed to allocate a nodePort: %v", err))
-			}
-			// Insert the newly allocated health check port as an annotation (plan of record for Alpha)
-			service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort] = fmt.Sprintf("%d", healthCheckNodePort)
-			glog.Infof("Reserved health check nodePort: %d", healthCheckNodePort)
 		}
 
-	case oldServiceHasHealthCheckNodePort && !assignHealthCheckNodePort:
+	// Case 2: Transition from needs HealthCheckNodePort to don't need HealthCheckNodePort.
-		glog.Infof("Transition from OnlyLocal LB service to Global service")
+	// Free the existing healthCheckNodePort and clear the HealthCheckNodePort field.
+	case neededHealthCheckNodePort && !needsHealthCheckNodePort:
+		glog.Infof("Transition to non LoadBalancer type service or LoadBalancer type service with ExternalTrafficPolicy=Global")
 		err := rs.serviceNodePorts.Release(int(oldHealthCheckNodePort))
 		if err != nil {
-			glog.Warningf("Error releasing service health check %s node port %d: %v", service.Name, oldHealthCheckNodePort, err)
+			glog.Warningf("error releasing service health check %s node port %d: %v", service.Name, oldHealthCheckNodePort, err)
 			return false, errors.NewInternalError(fmt.Errorf("failed to free health check nodePort: %v", err))
-		} else {
-			delete(service.Annotations, apiservice.BetaAnnotationHealthCheckNodePort)
-			delete(service.Annotations, apiservice.AlphaAnnotationHealthCheckNodePort)
-			glog.Infof("Freed health check nodePort: %d", oldHealthCheckNodePort)
 		}
+		glog.Infof("Freed health check nodePort: %d", oldHealthCheckNodePort)
+		// Clear the HealthCheckNodePort field.
+		apiservice.SetServiceHealthCheckNodePort(service, 0)
 
-	case !oldServiceHasHealthCheckNodePort && !assignHealthCheckNodePort:
+	// Case 3: Remain in needs HealthCheckNodePort.
-		if _, ok := service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]; ok {
+	// Reject changing the value of the HealthCheckNodePort field.
-			glog.Warningf("Attempt to insert health check node port annotation DENIED")
+	case neededHealthCheckNodePort && needsHealthCheckNodePort:
-			el := field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"),
+		if oldHealthCheckNodePort != newHealthCheckNodePort {
-				apiservice.BetaAnnotationHealthCheckNodePort, "Cannot insert healthcheck nodePort annotation")}
+			glog.Warningf("Attempt to change value of health check node port DENIED")
-			return false, errors.NewInvalid(api.Kind("Service"), service.Name, el)
+			var fldPath *field.Path
-		}
+			if _, ok := service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]; ok {
-
+				fldPath = field.NewPath("metadata", "annotations").Key(apiservice.BetaAnnotationHealthCheckNodePort)
-	case oldServiceHasHealthCheckNodePort && assignHealthCheckNodePort:
+			} else {
-		if _, ok := service.Annotations[apiservice.BetaAnnotationHealthCheckNodePort]; !ok {
+				fldPath = field.NewPath("spec", "healthCheckNodePort")
-			glog.Warningf("Attempt to delete health check node port annotation DENIED")
+			}
-			el := field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"),
+			el := field.ErrorList{field.Invalid(fldPath, newHealthCheckNodePort,
-				apiservice.BetaAnnotationHealthCheckNodePort, "Cannot delete healthcheck nodePort annotation")}
+				"cannot change healthCheckNodePort on loadBalancer service with externalTraffic=Local during update")}
-			return false, errors.NewInvalid(api.Kind("Service"), service.Name, el)
-		}
-		if oldHealthCheckNodePort != requestedHealthCheckNodePort {
-			glog.Warningf("Attempt to change value of health check node port annotation DENIED")
-			el := field.ErrorList{field.Invalid(field.NewPath("metadata", "annotations"),
-				apiservice.BetaAnnotationHealthCheckNodePort, "Cannot change healthcheck nodePort during update")}
 			return false, errors.NewInvalid(api.Kind("Service"), service.Name, el)
 		}
 	}
@@ -449,9 +412,17 @@ func (rs *REST) Update(ctx genericapirequest.Context, name string, objInfo rest.
 		service.Status.LoadBalancer = api.LoadBalancerStatus{}
 	}
 
-	success, err := rs.healthCheckNodePortUpdate(oldService, service)
+	// Handle ExternalTraiffc related updates.
-	if !success {
+	if utilfeature.DefaultFeatureGate.Enabled(features.ExternalTrafficLocalOnly) {
-		return nil, false, err
+		apiservice.SetDefaultExternalTrafficPolicyIfNeeded(service)
+		success, err := rs.healthCheckNodePortUpdate(oldService, service)
+		if !success || err != nil {
+			return nil, false, err
+		}
+		externalTrafficPolicyUpdate(oldService, service)
+		if errs := validation.ValidateServiceExternalTrafficFieldsCombination(service); len(errs) > 0 {
+			return nil, false, errors.NewInvalid(api.Kind("Service"), service.Name, errs)
+		}
 	}
 
 	out, err := rs.registry.UpdateService(ctx, service)
@@ -566,10 +537,6 @@ func shouldAssignNodePorts(service *api.Service) bool {
 	}
 }
 
-func shouldCheckOrAssignHealthCheckNodePort(service *api.Service) bool {
-	return (utilfeature.DefaultFeatureGate.Enabled(features.ExternalTrafficLocalOnly) && apiservice.NeedsHealthCheck(service))
-}
-
 // Loop through the service ports list, find one with the same port number and
 // NodePort specified, return this NodePort otherwise return 0.
 func findRequestedNodePort(port int, servicePorts []api.ServicePort) int {
@@ -581,3 +548,26 @@ func findRequestedNodePort(port int, servicePorts []api.ServicePort) int {
 	}
 	return 0
 }
+
+// allocateHealthCheckNodePort allocates health check node port to service.
+func (rs *REST) allocateHealthCheckNodePort(service *api.Service) error {
+	healthCheckNodePort := apiservice.GetServiceHealthCheckNodePort(service)
+	if healthCheckNodePort != 0 {
+		// If the request has a health check nodePort in mind, attempt to reserve it.
+		err := rs.serviceNodePorts.Allocate(int(healthCheckNodePort))
+		if err != nil {
+			return fmt.Errorf("failed to allocate requested HealthCheck NodePort %v: %v",
+				service.Spec.HealthCheckNodePort, err)
+		}
+		glog.Infof("Reserved user requested nodePort: %d", service.Spec.HealthCheckNodePort)
+	} else {
+		// If the request has no health check nodePort specified, allocate any.
+		healthCheckNodePort, err := rs.serviceNodePorts.AllocateNext()
+		if err != nil {
+			return fmt.Errorf("failed to allocate a HealthCheck NodePort %v: %v", healthCheckNodePort, err)
+		}
+		apiservice.SetServiceHealthCheckNodePort(service, int32(healthCheckNodePort))
+		glog.Infof("Reserved allocated nodePort: %d", healthCheckNodePort)
+	}
+	return nil
+}

pkg/registry/core/service/rest_test.go

@@ -959,13 +959,48 @@ func TestUpdateServiceWithConflictingNamespace(t *testing.T) {
 	}
 }
 
-// Validate allocation of a nodePort when the externalTraffic=OnlyLocal annotation is set
+// Validate allocation of a nodePort when ExternalTrafficPolicy is set to Local
-// and type is LoadBalancer
+// and type is LoadBalancer.
-func TestServiceRegistryExternalTrafficAnnotationHealthCheckNodePortAllocation(t *testing.T) {
+func TestServiceRegistryExternalTrafficHealthCheckNodePortAllocation(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
 	storage, _ := NewTestREST(t, nil)
 	svc := &api.Service{
-		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp",
+		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp"},
+		Spec: api.ServiceSpec{
+			Selector:        map[string]string{"bar": "baz"},
+			SessionAffinity: api.ServiceAffinityNone,
+			Type:            api.ServiceTypeLoadBalancer,
+			Ports: []api.ServicePort{{
+				Port:       6502,
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(6502),
+			}},
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+		},
+	}
+	created_svc, err := storage.Create(ctx, svc)
+	if created_svc == nil || err != nil {
+		t.Errorf("Unexpected failure creating service %v", err)
+	}
+	created_service := created_svc.(*api.Service)
+	if !service.NeedsHealthCheck(created_service) {
+		t.Errorf("Expecting health check needed, returned health check not needed instead")
+	}
+	port := service.GetServiceHealthCheckNodePort(created_service)
+	if port == 0 {
+		t.Errorf("Failed to allocate health check node port and set the HealthCheckNodePort")
+	}
+
+}
+
+// Validate allocation of a nodePort when ExternalTraffic beta annotation is set to OnlyLocal
+// and type is LoadBalancer.
+func TestServiceRegistryExternalTrafficHealthCheckNodePortAllocationBeta(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	storage, _ := NewTestREST(t, nil)
+	svc := &api.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "external-lb-esipp",
 			Annotations: map[string]string{
 				service.BetaAnnotationExternalTraffic: service.AnnotationValueExternalTrafficLocal,
 			},
@@ -987,22 +1022,60 @@ func TestServiceRegistryExternalTrafficAnnotationHealthCheckNodePortAllocation(t
 	}
 	created_service := created_svc.(*api.Service)
 	if !service.NeedsHealthCheck(created_service) {
-		t.Errorf("Unexpected missing annotation %s", service.BetaAnnotationExternalTraffic)
+		t.Errorf("Expecting health check needed, returned health check not needed instead")
 	}
 	port := service.GetServiceHealthCheckNodePort(created_service)
 	if port == 0 {
-		t.Errorf("Failed to allocate and create the health check node port annotation %s", service.BetaAnnotationHealthCheckNodePort)
+		t.Errorf("Failed to allocate health check node port and set the HealthCheckNodePort")
 	}
 
 }
 
-// Validate using the user specified nodePort when the externalTraffic=OnlyLocal annotation is set
+// Validate using the user specified nodePort when ExternalTrafficPolicy is set to Local
-// and type is LoadBalancer
+// and type is LoadBalancer.
-func TestServiceRegistryExternalTrafficBetaAnnotationHealthCheckNodePortUserAllocation(t *testing.T) {
+func TestServiceRegistryExternalTrafficHealthCheckNodePortUserAllocation(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
 	storage, _ := NewTestREST(t, nil)
 	svc := &api.Service{
-		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp",
+		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp"},
+		Spec: api.ServiceSpec{
+			Selector:        map[string]string{"bar": "baz"},
+			SessionAffinity: api.ServiceAffinityNone,
+			Type:            api.ServiceTypeLoadBalancer,
+			Ports: []api.ServicePort{{
+				Port:       6502,
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(6502),
+			}},
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+			HealthCheckNodePort:   int32(30200),
+		},
+	}
+	created_svc, err := storage.Create(ctx, svc)
+	if created_svc == nil || err != nil {
+		t.Fatalf("Unexpected failure creating service :%v", err)
+	}
+	created_service := created_svc.(*api.Service)
+	if !service.NeedsHealthCheck(created_service) {
+		t.Errorf("Expecting health check needed, returned health check not needed instead")
+	}
+	port := service.GetServiceHealthCheckNodePort(created_service)
+	if port == 0 {
+		t.Errorf("Failed to allocate health check node port and set the HealthCheckNodePort")
+	}
+	if port != 30200 {
+		t.Errorf("Failed to allocate requested nodePort expected 30200, got %d", port)
+	}
+}
+
+// Validate using the user specified nodePort when ExternalTraffic beta annotation is set to OnlyLocal
+// and type is LoadBalancer.
+func TestServiceRegistryExternalTrafficHealthCheckNodePortUserAllocationBeta(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	storage, _ := NewTestREST(t, nil)
+	svc := &api.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "external-lb-esipp",
 			Annotations: map[string]string{
 				service.BetaAnnotationExternalTraffic:     service.AnnotationValueExternalTrafficLocal,
 				service.BetaAnnotationHealthCheckNodePort: "30200",
@@ -1021,27 +1094,54 @@ func TestServiceRegistryExternalTrafficBetaAnnotationHealthCheckNodePortUserAllo
 	}
 	created_svc, err := storage.Create(ctx, svc)
 	if created_svc == nil || err != nil {
-		t.Fatalf("Unexpected failure creating service: %v", err)
+		t.Fatalf("Unexpected failure creating service :%v", err)
 	}
 	created_service := created_svc.(*api.Service)
 	if !service.NeedsHealthCheck(created_service) {
-		t.Errorf("Unexpected missing annotation %s", service.BetaAnnotationExternalTraffic)
+		t.Errorf("Expecting health check needed, returned health check not needed instead")
 	}
 	port := service.GetServiceHealthCheckNodePort(created_service)
 	if port == 0 {
-		t.Errorf("Failed to allocate and create the health check node port annotation %s", service.BetaAnnotationHealthCheckNodePort)
+		t.Errorf("Failed to allocate health check node port and set the HealthCheckNodePort")
 	}
 	if port != 30200 {
 		t.Errorf("Failed to allocate requested nodePort expected 30200, got %d", port)
 	}
 }
 
-// Validate that the service creation fails when the requested port number is -1
+// Validate that the service creation fails when the requested port number is -1.
-func TestServiceRegistryExternalTrafficAnnotationNegative(t *testing.T) {
+func TestServiceRegistryExternalTrafficHealthCheckNodePortNegative(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
 	storage, _ := NewTestREST(t, nil)
 	svc := &api.Service{
-		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp",
+		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp"},
+		Spec: api.ServiceSpec{
+			Selector:        map[string]string{"bar": "baz"},
+			SessionAffinity: api.ServiceAffinityNone,
+			Type:            api.ServiceTypeLoadBalancer,
+			Ports: []api.ServicePort{{
+				Port:       6502,
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(6502),
+			}},
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeLocal,
+			HealthCheckNodePort:   int32(-1),
+		},
+	}
+	created_svc, err := storage.Create(ctx, svc)
+	if created_svc == nil || err != nil {
+		return
+	}
+	t.Errorf("Unexpected creation of service with invalid HealthCheckNodePort specified")
+}
+
+// Validate that the service creation fails when the requested port number in beta annotation is -1.
+func TestServiceRegistryExternalTrafficHealthCheckNodePortNegativeBeta(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	storage, _ := NewTestREST(t, nil)
+	svc := &api.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "external-lb-esipp",
 			Annotations: map[string]string{
 				service.BetaAnnotationExternalTraffic:     service.AnnotationValueExternalTrafficLocal,
 				service.BetaAnnotationHealthCheckNodePort: "-1",
@@ -1062,15 +1162,49 @@ func TestServiceRegistryExternalTrafficAnnotationNegative(t *testing.T) {
 	if created_svc == nil || err != nil {
 		return
 	}
-	t.Errorf("Unexpected creation of service with invalid healthCheckNodePort specified")
+	t.Errorf("Unexpected creation of service with invalid HealthCheckNodePort specified")
 }
 
-// Validate that the health check nodePort is not allocated when the externalTraffic annotation is !"OnlyLocal"
+// Validate that the health check nodePort is not allocated when ExternalTrafficPolicy is set to Global.
-func TestServiceRegistryExternalTrafficAnnotationGlobal(t *testing.T) {
+func TestServiceRegistryExternalTrafficGlobal(t *testing.T) {
 	ctx := genericapirequest.NewDefaultContext()
 	storage, _ := NewTestREST(t, nil)
 	svc := &api.Service{
-		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp",
+		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp"},
+		Spec: api.ServiceSpec{
+			Selector:        map[string]string{"bar": "baz"},
+			SessionAffinity: api.ServiceAffinityNone,
+			Type:            api.ServiceTypeLoadBalancer,
+			Ports: []api.ServicePort{{
+				Port:       6502,
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(6502),
+			}},
+			ExternalTrafficPolicy: api.ServiceExternalTrafficPolicyTypeGlobal,
+		},
+	}
+	created_svc, err := storage.Create(ctx, svc)
+	if created_svc == nil || err != nil {
+		t.Errorf("Unexpected failure creating service %v", err)
+	}
+	created_service := created_svc.(*api.Service)
+	if service.NeedsHealthCheck(created_service) {
+		t.Errorf("Expecting health check not needed, returned health check needed instead")
+	}
+	// Make sure the service does not have the health check node port allocated
+	port := service.GetServiceHealthCheckNodePort(created_service)
+	if port != 0 {
+		t.Errorf("Unexpected allocation of health check node port: %v", port)
+	}
+}
+
+// Validate that the health check nodePort is not allocated when ExternalTraffic beta annotation is set to Global.
+func TestServiceRegistryExternalTrafficGlobalBeta(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	storage, _ := NewTestREST(t, nil)
+	svc := &api.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "external-lb-esipp",
 			Annotations: map[string]string{
 				service.BetaAnnotationExternalTraffic: service.AnnotationValueExternalTrafficGlobal,
 			},
@@ -1091,14 +1225,47 @@ func TestServiceRegistryExternalTrafficAnnotationGlobal(t *testing.T) {
 		t.Errorf("Unexpected failure creating service %v", err)
 	}
 	created_service := created_svc.(*api.Service)
-	// Make sure the service does not have the annotation
 	if service.NeedsHealthCheck(created_service) {
-		t.Errorf("Unexpected value for annotation %s", service.BetaAnnotationExternalTraffic)
+		t.Errorf("Expecting health check not needed, returned health check needed instead")
 	}
 	// Make sure the service does not have the health check node port allocated
 	port := service.GetServiceHealthCheckNodePort(created_service)
 	if port != 0 {
-		t.Errorf("Unexpected allocation of health check node port annotation %s", service.BetaAnnotationHealthCheckNodePort)
+		t.Errorf("Unexpected allocation of health check node port: %v", port)
+	}
+}
+
+// Validate that ExternalTraffic is default to Global for loadBalancer service.
+func TestServiceRegistryExternalTrafficDefaultGlobal(t *testing.T) {
+	ctx := genericapirequest.NewDefaultContext()
+	storage, _ := NewTestREST(t, nil)
+	svc := &api.Service{
+		ObjectMeta: metav1.ObjectMeta{Name: "external-lb-esipp"},
+		Spec: api.ServiceSpec{
+			Selector:        map[string]string{"bar": "baz"},
+			SessionAffinity: api.ServiceAffinityNone,
+			Type:            api.ServiceTypeLoadBalancer,
+			Ports: []api.ServicePort{{
+				Port:       6502,
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(6502),
+			}},
+		},
+	}
+	created_svc, err := storage.Create(ctx, svc)
+	if created_svc == nil || err != nil {
+		t.Errorf("Unexpected failure creating service %v", err)
+	}
+	created_service := created_svc.(*api.Service)
+	if service.NeedsHealthCheck(created_service) {
+		t.Errorf("Expecting health check not needed, returned health check needed instead")
+	}
+	// Make sure the service does not have the health check node port allocated
+	if port := service.GetServiceHealthCheckNodePort(created_service); port != 0 {
+		t.Errorf("Unexpected allocation of health check node port: %v", port)
+	}
+	if created_service.Spec.ExternalTrafficPolicy != api.ServiceExternalTrafficPolicyTypeGlobal {
+		t.Errorf("Expecting externalTraffic to be %v, got:%v", api.ServiceExternalTrafficPolicyTypeGlobal, created_service.Spec.ExternalTrafficPolicy)
 	}
 }
 

staging/src/k8s.io/client-go/pkg/api/types.go

@@ -2453,6 +2453,16 @@ const (
 	ServiceTypeExternalName ServiceType = "ExternalName"
 )
 
+// Service External Traffic Policy Type string
+type ServiceExternalTrafficPolicyType string
+
+const (
+	// ServiceExternalTrafficPolicyTypeLocal specifies local endpoints behavior.
+	ServiceExternalTrafficPolicyTypeLocal ServiceExternalTrafficPolicyType = "Local"
+	// ServiceExternalTrafficPolicyTypeGlobal specifies global (legacy) behavior.
+	ServiceExternalTrafficPolicyTypeGlobal ServiceExternalTrafficPolicyType = "Global"
+)
+
 // ServiceStatus represents the current status of a service
 type ServiceStatus struct {
 	// LoadBalancer contains the current status of the load-balancer,
@@ -2552,6 +2562,20 @@ type ServiceSpec struct {
 	// cloud-provider does not support the feature."
 	// +optional
 	LoadBalancerSourceRanges []string
+
+	// externalTrafficPolicy denotes if this Service desires to route external traffic to
+	// local endpoints only. This preserves Source IP and avoids a second hop for
+	// LoadBalancer and Nodeport type services.
+	// +optional
+	ExternalTrafficPolicy ServiceExternalTrafficPolicyType
+
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// If not specified, HealthCheckNodePort is created by the service api
+	// backend with the allocated nodePort. Will use user-specified nodePort value
+	// if specified by the client. Only effects when Type is set to LoadBalancer
+	// and ExternalTrafficPolicy is set to Local.
+	// +optional
+	HealthCheckNodePort int32
 }
 
 type ServicePort struct {

staging/src/k8s.io/client-go/pkg/api/v1/generated.proto

@@ -3697,6 +3697,20 @@ message ServiceSpec {
   // Must be a valid DNS name and requires Type to be ExternalName.
   // +optional
   optional string externalName = 10;
+
+  // externalTrafficPolicy denotes if this Service desires to route external traffic to
+  // local endpoints only. This preserves Source IP and avoids a second hop for
+  // LoadBalancer and Nodeport type services.
+  // +optional
+  optional string externalTrafficPolicy = 11;
+
+  // healthCheckNodePort specifies the healthcheck nodePort for the service.
+  // If not specified, HealthCheckNodePort is created by the service api
+  // backend with the allocated nodePort. Will use user-specified nodePort value
+  // if specified by the client. Only effects when Type is set to LoadBalancer
+  // and ExternalTrafficPolicy is set to Local.
+  // +optional
+  optional int32 healthCheckNodePort = 12;
 }
 
 // ServiceStatus represents the current status of a service.

staging/src/k8s.io/client-go/pkg/api/v1/types.generated.go

@@ -41195,6 +41195,32 @@ func (x *ServiceType) CodecDecodeSelf(d *codec1978.Decoder) {
 	}
 }
 
+func (x ServiceExternalTrafficPolicyType) CodecEncodeSelf(e *codec1978.Encoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperEncoder(e)
+	_, _, _ = h, z, r
+	yym1 := z.EncBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.EncExt(x) {
+	} else {
+		r.EncodeString(codecSelferC_UTF81234, string(x))
+	}
+}
+
+func (x *ServiceExternalTrafficPolicyType) CodecDecodeSelf(d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	yym1 := z.DecBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.DecExt(x) {
+	} else {
+		*((*string)(x)) = r.DecodeString()
+	}
+}
+
 func (x *ServiceStatus) CodecEncodeSelf(e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
@@ -41802,7 +41828,7 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 		} else {
 			yysep2 := !z.EncBinary()
 			yy2arr2 := z.EncBasicHandle().StructToArray
-			var yyq2 [9]bool
+			var yyq2 [11]bool
 			_, _, _ = yysep2, yyq2, yy2arr2
 			const yyr2 bool = false
 			yyq2[0] = len(x.Ports) != 0
@@ -41814,9 +41840,11 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 			yyq2[6] = x.LoadBalancerIP != ""
 			yyq2[7] = len(x.LoadBalancerSourceRanges) != 0
 			yyq2[8] = x.ExternalName != ""
+			yyq2[9] = x.ExternalTrafficPolicy != ""
+			yyq2[10] = x.HealthCheckNodePort != 0
 			var yynn2 int
 			if yyr2 || yy2arr2 {
-				r.EncodeArrayStart(9)
+				r.EncodeArrayStart(11)
 			} else {
 				yynn2 = 0
 				for _, b := range yyq2 {
@@ -42064,6 +42092,46 @@ func (x *ServiceSpec) CodecEncodeSelf(e *codec1978.Encoder) {
 					}
 				}
 			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[9] {
+					x.ExternalTrafficPolicy.CodecEncodeSelf(e)
+				} else {
+					r.EncodeString(codecSelferC_UTF81234, "")
+				}
+			} else {
+				if yyq2[9] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("externalTrafficPolicy"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					x.ExternalTrafficPolicy.CodecEncodeSelf(e)
+				}
+			}
+			if yyr2 || yy2arr2 {
+				z.EncSendContainerState(codecSelfer_containerArrayElem1234)
+				if yyq2[10] {
+					yym34 := z.EncBinary()
+					_ = yym34
+					if false {
+					} else {
+						r.EncodeInt(int64(x.HealthCheckNodePort))
+					}
+				} else {
+					r.EncodeInt(0)
+				}
+			} else {
+				if yyq2[10] {
+					z.EncSendContainerState(codecSelfer_containerMapKey1234)
+					r.EncodeString(codecSelferC_UTF81234, string("healthCheckNodePort"))
+					z.EncSendContainerState(codecSelfer_containerMapValue1234)
+					yym35 := z.EncBinary()
+					_ = yym35
+					if false {
+					} else {
+						r.EncodeInt(int64(x.HealthCheckNodePort))
+					}
+				}
+			}
 			if yyr2 || yy2arr2 {
 				z.EncSendContainerState(codecSelfer_containerArrayEnd1234)
 			} else {
@@ -42223,6 +42291,25 @@ func (x *ServiceSpec) codecDecodeSelfFromMap(l int, d *codec1978.Decoder) {
 					*((*string)(yyv18)) = r.DecodeString()
 				}
 			}
+		case "externalTrafficPolicy":
+			if r.TryDecodeAsNil() {
+				x.ExternalTrafficPolicy = ""
+			} else {
+				yyv20 := &x.ExternalTrafficPolicy
+				yyv20.CodecDecodeSelf(d)
+			}
+		case "healthCheckNodePort":
+			if r.TryDecodeAsNil() {
+				x.HealthCheckNodePort = 0
+			} else {
+				yyv21 := &x.HealthCheckNodePort
+				yym22 := z.DecBinary()
+				_ = yym22
+				if false {
+				} else {
+					*((*int32)(yyv21)) = int32(r.DecodeInt(32))
+				}
+			}
 		default:
 			z.DecStructFieldNotFound(-1, yys3)
 		} // end switch yys3
@@ -42234,16 +42321,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperDecoder(d)
 	_, _, _ = h, z, r
-	var yyj20 int
+	var yyj23 int
-	var yyb20 bool
+	var yyb23 bool
-	var yyhl20 bool = l >= 0
+	var yyhl23 bool = l >= 0
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42251,21 +42338,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Ports = nil
 	} else {
-		yyv21 := &x.Ports
+		yyv24 := &x.Ports
-		yym22 := z.DecBinary()
+		yym25 := z.DecBinary()
-		_ = yym22
+		_ = yym25
 		if false {
 		} else {
-			h.decSliceServicePort((*[]ServicePort)(yyv21), d)
+			h.decSliceServicePort((*[]ServicePort)(yyv24), d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42273,21 +42360,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Selector = nil
 	} else {
-		yyv23 := &x.Selector
+		yyv26 := &x.Selector
-		yym24 := z.DecBinary()
+		yym27 := z.DecBinary()
-		_ = yym24
+		_ = yym27
 		if false {
 		} else {
-			z.F.DecMapStringStringX(yyv23, false, d)
+			z.F.DecMapStringStringX(yyv26, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42295,21 +42382,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ClusterIP = ""
 	} else {
-		yyv25 := &x.ClusterIP
+		yyv28 := &x.ClusterIP
-		yym26 := z.DecBinary()
+		yym29 := z.DecBinary()
-		_ = yym26
+		_ = yym29
 		if false {
 		} else {
-			*((*string)(yyv25)) = r.DecodeString()
+			*((*string)(yyv28)) = r.DecodeString()
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42317,16 +42404,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.Type = ""
 	} else {
-		yyv27 := &x.Type
+		yyv30 := &x.Type
-		yyv27.CodecDecodeSelf(d)
+		yyv30.CodecDecodeSelf(d)
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42334,21 +42421,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ExternalIPs = nil
 	} else {
-		yyv28 := &x.ExternalIPs
+		yyv31 := &x.ExternalIPs
-		yym29 := z.DecBinary()
+		yym32 := z.DecBinary()
-		_ = yym29
+		_ = yym32
 		if false {
 		} else {
-			z.F.DecSliceStringX(yyv28, false, d)
+			z.F.DecSliceStringX(yyv31, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42356,16 +42443,16 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.SessionAffinity = ""
 	} else {
-		yyv30 := &x.SessionAffinity
+		yyv33 := &x.SessionAffinity
-		yyv30.CodecDecodeSelf(d)
+		yyv33.CodecDecodeSelf(d)
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42373,21 +42460,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.LoadBalancerIP = ""
 	} else {
-		yyv31 := &x.LoadBalancerIP
+		yyv34 := &x.LoadBalancerIP
-		yym32 := z.DecBinary()
+		yym35 := z.DecBinary()
-		_ = yym32
+		_ = yym35
 		if false {
 		} else {
-			*((*string)(yyv31)) = r.DecodeString()
+			*((*string)(yyv34)) = r.DecodeString()
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42395,21 +42482,21 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.LoadBalancerSourceRanges = nil
 	} else {
-		yyv33 := &x.LoadBalancerSourceRanges
+		yyv36 := &x.LoadBalancerSourceRanges
-		yym34 := z.DecBinary()
+		yym37 := z.DecBinary()
-		_ = yym34
+		_ = yym37
 		if false {
 		} else {
-			z.F.DecSliceStringX(yyv33, false, d)
+			z.F.DecSliceStringX(yyv36, false, d)
 		}
 	}
-	yyj20++
+	yyj23++
-	if yyhl20 {
+	if yyhl23 {
-		yyb20 = yyj20 > l
+		yyb23 = yyj23 > l
 	} else {
-		yyb20 = r.CheckBreak()
+		yyb23 = r.CheckBreak()
 	}
-	if yyb20 {
+	if yyb23 {
 		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 		return
 	}
@@ -42417,26 +42504,65 @@ func (x *ServiceSpec) codecDecodeSelfFromArray(l int, d *codec1978.Decoder) {
 	if r.TryDecodeAsNil() {
 		x.ExternalName = ""
 	} else {
-		yyv35 := &x.ExternalName
+		yyv38 := &x.ExternalName
-		yym36 := z.DecBinary()
+		yym39 := z.DecBinary()
-		_ = yym36
+		_ = yym39
 		if false {
 		} else {
-			*((*string)(yyv35)) = r.DecodeString()
+			*((*string)(yyv38)) = r.DecodeString()
+		}
+	}
+	yyj23++
+	if yyhl23 {
+		yyb23 = yyj23 > l
+	} else {
+		yyb23 = r.CheckBreak()
+	}
+	if yyb23 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.ExternalTrafficPolicy = ""
+	} else {
+		yyv40 := &x.ExternalTrafficPolicy
+		yyv40.CodecDecodeSelf(d)
+	}
+	yyj23++
+	if yyhl23 {
+		yyb23 = yyj23 > l
+	} else {
+		yyb23 = r.CheckBreak()
+	}
+	if yyb23 {
+		z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
+		return
+	}
+	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
+	if r.TryDecodeAsNil() {
+		x.HealthCheckNodePort = 0
+	} else {
+		yyv41 := &x.HealthCheckNodePort
+		yym42 := z.DecBinary()
+		_ = yym42
+		if false {
+		} else {
+			*((*int32)(yyv41)) = int32(r.DecodeInt(32))
 		}
 	}
 	for {
-		yyj20++
+		yyj23++
-		if yyhl20 {
+		if yyhl23 {
-			yyb20 = yyj20 > l
+			yyb23 = yyj23 > l
 		} else {
-			yyb20 = r.CheckBreak()
+			yyb23 = r.CheckBreak()
 		}
-		if yyb20 {
+		if yyb23 {
 			break
 		}
 		z.DecSendContainerState(codecSelfer_containerArrayElem1234)
-		z.DecStructFieldNotFound(yyj20-1, "")
+		z.DecStructFieldNotFound(yyj23-1, "")
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayEnd1234)
 }
@@ -71379,7 +71505,7 @@ func (x codecSelfer1234) decSliceService(v *[]Service, d *codec1978.Decoder) {
 
 			yyrg1 := len(yyv1) > 0
 			yyv21 := yyv1
-			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 440)
+			yyrl1, yyrt1 = z.DecInferLen(yyl1, z.DecBasicHandle().MaxInitLen, 464)
 			if yyrt1 {
 				if yyrl1 <= cap(yyv1) {
 					yyv1 = yyv1[:yyrl1]

staging/src/k8s.io/client-go/pkg/api/v1/types.go

@@ -2792,6 +2792,16 @@ const (
 	ServiceTypeExternalName ServiceType = "ExternalName"
 )
 
+// Service External Traffic Policy Type string
+type ServiceExternalTrafficPolicyType string
+
+const (
+	// ServiceExternalTrafficPolicyTypeLocal specifies local endpoints behavior.
+	ServiceExternalTrafficPolicyTypeLocal ServiceExternalTrafficPolicyType = "Local"
+	// ServiceExternalTrafficPolicyTypeGlobal specifies global (legacy) behavior.
+	ServiceExternalTrafficPolicyTypeGlobal ServiceExternalTrafficPolicyType = "Global"
+)
+
 // ServiceStatus represents the current status of a service.
 type ServiceStatus struct {
 	// LoadBalancer contains the current status of the load-balancer,
@@ -2904,6 +2914,20 @@ type ServiceSpec struct {
 	// Must be a valid DNS name and requires Type to be ExternalName.
 	// +optional
 	ExternalName string `json:"externalName,omitempty" protobuf:"bytes,10,opt,name=externalName"`
+
+	// externalTrafficPolicy denotes if this Service desires to route external traffic to
+	// local endpoints only. This preserves Source IP and avoids a second hop for
+	// LoadBalancer and Nodeport type services.
+	// +optional
+	ExternalTrafficPolicy ServiceExternalTrafficPolicyType `json:"externalTrafficPolicy,omitempty" protobuf:"bytes,11,opt,name=externalTrafficPolicy"`
+
+	// healthCheckNodePort specifies the healthcheck nodePort for the service.
+	// If not specified, HealthCheckNodePort is created by the service api
+	// backend with the allocated nodePort. Will use user-specified nodePort value
+	// if specified by the client. Only effects when Type is set to LoadBalancer
+	// and ExternalTrafficPolicy is set to Local.
+	// +optional
+	HealthCheckNodePort int32 `json:"healthCheckNodePort,omitempty" protobuf:"bytes,12,opt,name=healthCheckNodePort"`
 }
 
 // ServicePort contains information on service's port.

staging/src/k8s.io/client-go/pkg/api/v1/types_swagger_doc_generated.go

@@ -1844,6 +1844,8 @@ var map_ServiceSpec = map[string]string{
 	"loadBalancerIP":           "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.",
 	"loadBalancerSourceRanges": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: http://kubernetes.io/docs/user-guide/services-firewalls",
 	"externalName":             "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid DNS name and requires Type to be ExternalName.",
+	"externalTrafficPolicy":    "externalTrafficPolicy denotes if this Service desires to route external traffic to local endpoints only. This preserves Source IP and avoids a second hop for LoadBalancer and Nodeport type services.",
+	"healthCheckNodePort":      "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.",
 }
 
 func (ServiceSpec) SwaggerDoc() map[string]string {

staging/src/k8s.io/client-go/pkg/api/v1/zz_generated.conversion.go

@@ -4721,6 +4721,8 @@ func autoConvert_v1_ServiceSpec_To_api_ServiceSpec(in *ServiceSpec, out *api.Ser
 	out.LoadBalancerIP = in.LoadBalancerIP
 	out.LoadBalancerSourceRanges = *(*[]string)(unsafe.Pointer(&in.LoadBalancerSourceRanges))
 	out.ExternalName = in.ExternalName
+	out.ExternalTrafficPolicy = api.ServiceExternalTrafficPolicyType(in.ExternalTrafficPolicy)
+	out.HealthCheckNodePort = in.HealthCheckNodePort
 	return nil
 }
 
@@ -4739,6 +4741,8 @@ func autoConvert_api_ServiceSpec_To_v1_ServiceSpec(in *api.ServiceSpec, out *Ser
 	out.LoadBalancerIP = in.LoadBalancerIP
 	out.SessionAffinity = ServiceAffinity(in.SessionAffinity)
 	out.LoadBalancerSourceRanges = *(*[]string)(unsafe.Pointer(&in.LoadBalancerSourceRanges))
+	out.ExternalTrafficPolicy = ServiceExternalTrafficPolicyType(in.ExternalTrafficPolicy)
+	out.HealthCheckNodePort = in.HealthCheckNodePort
 	return nil
 }
 

test/e2e/firewall.go

@@ -60,7 +60,7 @@ var _ = framework.KubeDescribe("Firewall rule", func() {
 		nodesSet := sets.NewString(nodesNames...)
 
 		// OnlyLocal service is needed to examine which exact nodes the requests are being forwarded to by the Load Balancer on GCE
-		By("Creating a LoadBalancer type service with onlyLocal annotation")
+		By("Creating a LoadBalancer type service with ExternalTrafficPolicy=Local")
 		svc := jig.CreateOnlyLocalLoadBalancerService(ns, serviceName,
 			framework.LoadBalancerCreateTimeoutDefault, false, func(svc *v1.Service) {
 				svc.Spec.Ports = []v1.ServicePort{{Protocol: "TCP", Port: framework.FirewallTestHttpPort}}

test/e2e/framework/BUILD

@@ -45,7 +45,6 @@ go_library(
         "//pkg/api/v1/helper:go_default_library",
         "//pkg/api/v1/node:go_default_library",
         "//pkg/api/v1/pod:go_default_library",
-        "//pkg/api/v1/service:go_default_library",
         "//pkg/apis/apps/v1beta1:go_default_library",
         "//pkg/apis/authorization/v1beta1:go_default_library",
         "//pkg/apis/batch:go_default_library",

test/e2e/framework/service_util.go

@@ -34,7 +34,6 @@ import (
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/kubernetes/pkg/api/v1"
-	"k8s.io/kubernetes/pkg/api/v1/service"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/client/retry"
@@ -189,15 +188,15 @@ func (j *ServiceTestJig) ChangeServiceType(namespace, name string, newType v1.Se
 	}
 }
 
-// CreateOnlyLocalNodePortService creates a loadbalancer service and sanity checks its
+// CreateOnlyLocalNodePortService creates a NodePort service with
-// nodePort. If createPod is true, it also creates an RC with 1 replica of
+// ExternalTrafficPolicy set to Local and sanity checks its nodePort.
+// If createPod is true, it also creates an RC with 1 replica of
 // the standard netexec container used everywhere in this test.
 func (j *ServiceTestJig) CreateOnlyLocalNodePortService(namespace, serviceName string, createPod bool) *v1.Service {
-	By("creating a service " + namespace + "/" + serviceName + " with type=NodePort and annotation for local-traffic-only")
+	By("creating a service " + namespace + "/" + serviceName + " with type=NodePort and ExternalTrafficPolicy=Local")
 	svc := j.CreateTCPServiceOrFail(namespace, func(svc *v1.Service) {
 		svc.Spec.Type = v1.ServiceTypeNodePort
-		svc.ObjectMeta.Annotations = map[string]string{
+		svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeLocal
-			service.BetaAnnotationExternalTraffic: service.AnnotationValueExternalTrafficLocal}
 		svc.Spec.Ports = []v1.ServicePort{{Protocol: "TCP", Port: 80}}
 	})
 
@@ -209,18 +208,18 @@ func (j *ServiceTestJig) CreateOnlyLocalNodePortService(namespace, serviceName s
 	return svc
 }
 
-// CreateOnlyLocalLoadBalancerService creates a loadbalancer service and waits for it to
+// CreateOnlyLocalLoadBalancerService creates a loadbalancer service with
-// acquire an ingress IP. If createPod is true, it also creates an RC with 1
+// ExternalTrafficPolicy set to Local and waits for it to acquire an ingress IP.
-// replica of the standard netexec container used everywhere in this test.
+// If createPod is true, it also creates an RC with 1 replica of
+// the standard netexec container used everywhere in this test.
 func (j *ServiceTestJig) CreateOnlyLocalLoadBalancerService(namespace, serviceName string, timeout time.Duration, createPod bool,
 	tweak func(svc *v1.Service)) *v1.Service {
-	By("creating a service " + namespace + "/" + serviceName + " with type=LoadBalancer and annotation for local-traffic-only")
+	By("creating a service " + namespace + "/" + serviceName + " with type=LoadBalancer and ExternalTrafficPolicy=Local")
 	svc := j.CreateTCPServiceOrFail(namespace, func(svc *v1.Service) {
 		svc.Spec.Type = v1.ServiceTypeLoadBalancer
 		// We need to turn affinity off for our LB distribution tests
 		svc.Spec.SessionAffinity = v1.ServiceAffinityNone
-		svc.ObjectMeta.Annotations = map[string]string{
+		svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeLocal
-			service.BetaAnnotationExternalTraffic: service.AnnotationValueExternalTrafficLocal}
 		if tweak != nil {
 			tweak(svc)
 		}

test/e2e/service.go

@@ -1441,7 +1441,7 @@ var _ = framework.KubeDescribe("ESIPP [Slow]", func() {
 		}
 	})
 
-	It("should handle updates to source ip annotation", func() {
+	It("should handle updates to ExternalTrafficPolicy field", func() {
 		namespace := f.Namespace.Name
 		serviceName := "external-local"
 		jig := framework.NewServiceTestJig(cs, serviceName)
@@ -1458,16 +1458,15 @@ var _ = framework.KubeDescribe("ESIPP [Slow]", func() {
 			Expect(cs.Core().Services(svc.Namespace).Delete(svc.Name, nil)).NotTo(HaveOccurred())
 		}()
 
-		// save the health check node port because it disappears when lift the annotation.
+		// save the health check node port because it disappears when ESIPP is turned off.
 		healthCheckNodePort := int(service.GetServiceHealthCheckNodePort(svc))
 
 		By("turning ESIPP off")
 		svc = jig.UpdateServiceOrFail(svc.Namespace, svc.Name, func(svc *v1.Service) {
-			svc.ObjectMeta.Annotations[service.BetaAnnotationExternalTraffic] =
+			svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeGlobal
-				service.AnnotationValueExternalTrafficGlobal
 		})
 		if service.GetServiceHealthCheckNodePort(svc) > 0 {
-			framework.Failf("Service HealthCheck NodePort annotation still present")
+			framework.Failf("Service HealthCheck NodePort still present")
 		}
 
 		endpointNodeMap := jig.GetEndpointNodes(svc)
@@ -1525,13 +1524,11 @@ var _ = framework.KubeDescribe("ESIPP [Slow]", func() {
 		// If the health check nodePort has NOT been freed, the new service
 		// creation will fail.
 
-		By("turning ESIPP annotation back on")
+		By("setting ExternalTraffic field back to OnlyLocal")
 		svc = jig.UpdateServiceOrFail(svc.Namespace, svc.Name, func(svc *v1.Service) {
-			svc.ObjectMeta.Annotations[service.BetaAnnotationExternalTraffic] =
+			svc.Spec.ExternalTrafficPolicy = v1.ServiceExternalTrafficPolicyTypeLocal
-				service.AnnotationValueExternalTrafficLocal
 			// Request the same healthCheckNodePort as before, to test the user-requested allocation path
-			svc.ObjectMeta.Annotations[service.BetaAnnotationHealthCheckNodePort] =
+			svc.Spec.HealthCheckNodePort = int32(healthCheckNodePort)
-				fmt.Sprintf("%d", healthCheckNodePort)
 		})
 		pollErr = wait.PollImmediate(framework.Poll, framework.KubeProxyLagTimeout, func() (bool, error) {
 			content := jig.GetHTTPContent(ingressIP, svcTCPPort, framework.KubeProxyLagTimeout, path)