Merge pull request #126293 from aroradaman/kube-proxy-refactor-internal-config

Kube proxy refactor internal config
2024-07-23 11:02:46 -07:00
parent 9c2302dd3e 3d589bd18a
commit 6834a1ef3d
17 changed files with 563 additions and 430 deletions
--- a/cmd/kube-proxy/app/options.go
+++ b/cmd/kube-proxy/app/options.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"

 	"github.com/fsnotify/fsnotify"
 	"github.com/spf13/pflag"
@@ -79,6 +80,14 @@ type Options struct {
 	hostnameOverride string

 	logger klog.Logger
+
+	// The fields below here are placeholders for flags that can't be directly mapped into
+	// config.KubeProxyConfiguration.
+	iptablesSyncPeriod    time.Duration
+	iptablesMinSyncPeriod time.Duration
+	ipvsSyncPeriod        time.Duration
+	ipvsMinSyncPeriod     time.Duration
+	clusterCIDRs          string
 }

 // AddFlags adds flags to fs and binds them to options.
@@ -120,11 +129,11 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.Int32Var(o.config.IPTables.MasqueradeBit, "iptables-masquerade-bit", ptr.Deref(o.config.IPTables.MasqueradeBit, 14), "If using the iptables or ipvs proxy mode, the bit of the fwmark space to mark packets requiring SNAT with.  Must be within the range [0, 31].")
 	fs.BoolVar(&o.config.Linux.MasqueradeAll, "masquerade-all", o.config.Linux.MasqueradeAll, "SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins. Only supported on Linux.")
 	fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", ptr.Deref(o.config.IPTables.LocalhostNodePorts, true), "If false, kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost. (Applies only to iptables mode and IPv4; localhost NodePorts are never allowed with other proxy modes or with IPv6.)")
-	fs.DurationVar(&o.config.IPTables.SyncPeriod.Duration, "iptables-sync-period", o.config.IPTables.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
-	fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.")
+	fs.DurationVar(&o.iptablesSyncPeriod, "iptables-sync-period", o.config.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
+	fs.DurationVar(&o.iptablesMinSyncPeriod, "iptables-min-sync-period", o.config.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.")

-	fs.DurationVar(&o.config.IPVS.SyncPeriod.Duration, "ipvs-sync-period", o.config.IPVS.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
-	fs.DurationVar(&o.config.IPVS.MinSyncPeriod.Duration, "ipvs-min-sync-period", o.config.IPVS.MinSyncPeriod.Duration, "The minimum period between IPVS rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate IPVS resync.")
+	fs.DurationVar(&o.ipvsSyncPeriod, "ipvs-sync-period", o.config.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
+	fs.DurationVar(&o.ipvsMinSyncPeriod, "ipvs-min-sync-period", o.config.MinSyncPeriod.Duration, "The minimum period between IPVS rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate IPVS resync.")
 	fs.StringVar(&o.config.IPVS.Scheduler, "ipvs-scheduler", o.config.IPVS.Scheduler, "The ipvs scheduler type when proxy mode is ipvs")
 	fs.StringSliceVar(&o.config.IPVS.ExcludeCIDRs, "ipvs-exclude-cidrs", o.config.IPVS.ExcludeCIDRs, "A comma-separated list of CIDRs which the ipvs proxier should not touch when cleaning up IPVS rules.")
 	fs.BoolVar(&o.config.IPVS.StrictARP, "ipvs-strict-arp", o.config.IPVS.StrictARP, "Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2")
@@ -135,7 +144,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.Var(&o.config.DetectLocalMode, "detect-local-mode", "Mode to use to detect local traffic. This parameter is ignored if a config file is specified by --config.")
 	fs.StringVar(&o.config.DetectLocal.BridgeInterface, "pod-bridge-interface", o.config.DetectLocal.BridgeInterface, "A bridge interface name. When --detect-local-mode is set to BridgeInterface, kube-proxy will consider traffic to be local if it originates from this bridge.")
 	fs.StringVar(&o.config.DetectLocal.InterfaceNamePrefix, "pod-interface-name-prefix", o.config.DetectLocal.InterfaceNamePrefix, "An interface name prefix. When --detect-local-mode is set to InterfaceNamePrefix, kube-proxy will consider traffic to be local if it originates from any interface whose name begins with this prefix.")
-	fs.StringVar(&o.config.ClusterCIDR, "cluster-cidr", o.config.ClusterCIDR, "The CIDR range of the pods in the cluster. (For dual-stack clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When --detect-local-mode is set to ClusterCIDR, kube-proxy will consider traffic to be local if its source IP is in this range. (Otherwise it is not used.) "+
+	fs.StringVar(&o.clusterCIDRs, "cluster-cidr", strings.Join(o.config.DetectLocal.ClusterCIDRs, ","), "The CIDR range of the pods in the cluster. (For dual-stack clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When --detect-local-mode is set to ClusterCIDR, kube-proxy will consider traffic to be local if its source IP is in this range. (Otherwise it is not used.) "+
 		"This parameter is ignored if a config file is specified by --config.")

 	fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses,
@@ -161,8 +170,6 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	_ = fs.MarkDeprecated("healthz-port", "This flag is deprecated and will be removed in a future release. Please use --healthz-bind-address instead.")
 	fs.Int32Var(&o.metricsPort, "metrics-port", o.metricsPort, "The port to bind the metrics server. Use 0 to disable.")
 	_ = fs.MarkDeprecated("metrics-port", "This flag is deprecated and will be removed in a future release. Please use --metrics-bind-address instead.")
-	fs.Var(utilflag.PortRangeVar{Val: &o.config.PortRange}, "proxy-port-range", "This was previously used to configure the userspace proxy, but is now unused.")
-	_ = fs.MarkDeprecated("proxy-port-range", "This flag has no effect and will be removed in a future release.")

 	logsapi.AddFlags(&o.config.Logging, fs)
 }
@@ -216,6 +223,8 @@ func (o *Options) Complete(fs *pflag.FlagSet) error {
 		if err := o.initWatcher(); err != nil {
 			return err
 		}
+	} else {
+		o.processV1Alpha1Flags(fs)
 	}

 	o.platformApplyDefaults(o.config)
@@ -302,6 +311,25 @@ func (o *Options) processHostnameOverrideFlag() error {
 	return nil
 }

+// processV1Alpha1Flags processes v1alpha1 flags which can't be directly mapped to internal config.
+func (o *Options) processV1Alpha1Flags(fs *pflag.FlagSet) {
+	if fs.Changed("iptables-sync-period") && o.config.Mode != kubeproxyconfig.ProxyModeIPVS {
+		o.config.SyncPeriod.Duration = o.iptablesSyncPeriod
+	}
+	if fs.Changed("iptables-min-sync-period") && o.config.Mode != kubeproxyconfig.ProxyModeIPVS {
+		o.config.MinSyncPeriod.Duration = o.iptablesMinSyncPeriod
+	}
+	if fs.Changed("ipvs-sync-period") && o.config.Mode == kubeproxyconfig.ProxyModeIPVS {
+		o.config.SyncPeriod.Duration = o.ipvsSyncPeriod
+	}
+	if fs.Changed("ipvs-min-sync-period") && o.config.Mode == kubeproxyconfig.ProxyModeIPVS {
+		o.config.MinSyncPeriod.Duration = o.ipvsMinSyncPeriod
+	}
+	if fs.Changed("cluster-cidr") {
+		o.config.DetectLocal.ClusterCIDRs = strings.Split(o.clusterCIDRs, ",")
+	}
+}
+
 // Validate validates all the required options.
 func (o *Options) Validate() error {
 	if errs := validation.Validate(o.config); len(errs) != 0 {
--- a/cmd/kube-proxy/app/options_test.go
+++ b/cmd/kube-proxy/app/options_test.go
@@ -20,6 +20,8 @@ import (
 	"fmt"
 	"os"
 	"path"
+	"reflect"
+	"strings"
 	"testing"
 	"time"

@@ -194,7 +196,8 @@ nodePortAddresses:
 					Kubeconfig:         "/path/to/kubeconfig",
 					QPS:                7,
 				},
-				ClusterCIDR:      tc.clusterCIDR,
+				MinSyncPeriod:    metav1.Duration{Duration: 10 * time.Second},
+				SyncPeriod:       metav1.Duration{Duration: 60 * time.Second},
 				ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second},
 				Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{
 					Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
@@ -212,26 +215,20 @@ nodePortAddresses:
 				IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{
 					MasqueradeBit:      ptr.To[int32](17),
 					LocalhostNodePorts: ptr.To(true),
-					MinSyncPeriod:      metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:         metav1.Duration{Duration: 60 * time.Second},
 				},
 				IPVS: kubeproxyconfig.KubeProxyIPVSConfiguration{
-					MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
-					ExcludeCIDRs:  []string{"10.20.30.40/16", "fd00:1::0/64"},
+					ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"},
 				},
 				NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
 					MasqueradeBit: ptr.To[int32](18),
-					MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
 				},
 				MetricsBindAddress: tc.metricsBindAddress,
 				Mode:               kubeproxyconfig.ProxyMode(tc.mode),
-				PortRange:          "2-7",
 				NodePortAddresses:  []string{"10.20.30.40/16", "fd00:1::0/64"},
 				DetectLocalMode:    kubeproxyconfig.LocalModeClusterCIDR,
 				DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
 					BridgeInterface:     "cbr0",
+					ClusterCIDRs:        strings.Split(tc.clusterCIDR, ","),
 					InterfaceNamePrefix: "veth",
 				},
 				Logging: logsapi.LoggingConfiguration{
@@ -377,6 +374,99 @@ func TestProcessHostnameOverrideFlag(t *testing.T) {
 	}
 }

+// TestProcessV1Alpha1Flags tests processing v1alpha1 flags.
+func TestProcessV1Alpha1Flags(t *testing.T) {
+	testCases := []struct {
+		name     string
+		flags    []string
+		validate func(*kubeproxyconfig.KubeProxyConfiguration) bool
+	}{
+		{
+			name: "iptables configuration",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--proxy-mode=iptables",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "iptables + ipvs configuration with iptables mode",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=iptables",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "winkernel configuration",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--proxy-mode=kernelspace",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "ipvs + iptables configuration with ipvs mode",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=ipvs",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 16 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 7 * time.Second}
+			},
+		},
+		{
+			name: "ipvs configuration",
+			flags: []string{
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=ipvs",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 16 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 7 * time.Second}
+			},
+		},
+		{
+			name: "cluster cidr",
+			flags: []string{
+				"--cluster-cidr=2002:0:0:1234::/64,10.0.0.0/14",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return reflect.DeepEqual(config.DetectLocal.ClusterCIDRs, []string{"2002:0:0:1234::/64", "10.0.0.0/14"})
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			options := NewOptions()
+			fs := new(pflag.FlagSet)
+			options.AddFlags(fs)
+			require.NoError(t, fs.Parse(tc.flags))
+			options.processV1Alpha1Flags(fs)
+			require.True(t, tc.validate(options.config))
+		})
+	}
+}
+
 // TestOptionsComplete checks that command line flags are combined with a
 // config properly.
 func TestOptionsComplete(t *testing.T) {
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -25,7 +25,6 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"strings"
 	"time"

 	"github.com/spf13/cobra"
@@ -222,7 +221,7 @@ func newProxyServer(ctx context.Context, config *kubeproxyconfig.KubeProxyConfig
 	}

 	if len(config.HealthzBindAddress) > 0 {
-		s.HealthzServer = healthcheck.NewProxierHealthServer(config.HealthzBindAddress, 2*config.IPTables.SyncPeriod.Duration)
+		s.HealthzServer = healthcheck.NewProxierHealthServer(config.HealthzBindAddress, 2*config.SyncPeriod.Duration)
 	}

 	err = s.platformSetup(ctx)
@@ -271,8 +270,7 @@ func checkBadConfig(s *ProxyServer) error {
 	// we can at least take note of whether there is any explicitly-dual-stack
 	// configuration.
 	anyDualStackConfig := false
-	clusterCIDRs := strings.Split(s.Config.ClusterCIDR, ",")
-	for _, config := range [][]string{clusterCIDRs, s.Config.NodePortAddresses, s.Config.IPVS.ExcludeCIDRs, s.podCIDRs} {
+	for _, config := range [][]string{s.Config.DetectLocal.ClusterCIDRs, s.Config.NodePortAddresses, s.Config.IPVS.ExcludeCIDRs, s.podCIDRs} {
 		if dual, _ := netutils.IsDualStackCIDRStrings(config); dual {
 			anyDualStackConfig = true
 			break
@@ -314,14 +312,11 @@ func checkBadIPConfig(s *ProxyServer, dualStackSupported bool) (err error, fatal
 		clusterType = fmt.Sprintf("%s-only", s.PrimaryIPFamily)
 	}

-	if s.Config.ClusterCIDR != "" {
-		clusterCIDRs := strings.Split(s.Config.ClusterCIDR, ",")
-		if badCIDRs(clusterCIDRs, badFamily) {
-			errors = append(errors, fmt.Errorf("cluster is %s but clusterCIDRs contains only IPv%s addresses", clusterType, badFamily))
-			if s.Config.DetectLocalMode == kubeproxyconfig.LocalModeClusterCIDR && !dualStackSupported {
-				// This has always been a fatal error
-				fatal = true
-			}
+	if badCIDRs(s.Config.DetectLocal.ClusterCIDRs, badFamily) {
+		errors = append(errors, fmt.Errorf("cluster is %s but clusterCIDRs contains only IPv%s addresses", clusterType, badFamily))
+		if s.Config.DetectLocalMode == kubeproxyconfig.LocalModeClusterCIDR && !dualStackSupported {
+			// This has always been a fatal error
+			fatal = true
 		}
 	}

--- a/cmd/kube-proxy/app/server_linux.go
+++ b/cmd/kube-proxy/app/server_linux.go
@@ -26,7 +26,6 @@ import (
 	"errors"
 	"fmt"
 	goruntime "runtime"
-	"strings"
 	"time"

 	"github.com/google/cadvisor/machine"
@@ -178,8 +177,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipt,
 				utilsysctl.New(),
 				exec.New(),
-				config.IPTables.SyncPeriod.Duration,
-				config.IPTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
@@ -202,8 +201,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				iptInterface,
 				utilsysctl.New(),
 				exec.New(),
-				config.IPTables.SyncPeriod.Duration,
-				config.IPTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
@@ -238,8 +237,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipsetInterface,
 				utilsysctl.New(),
 				execer,
-				config.IPVS.SyncPeriod.Duration,
-				config.IPVS.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.IPVS.ExcludeCIDRs,
 				config.IPVS.StrictARP,
 				config.IPVS.TCPTimeout.Duration,
@@ -266,8 +265,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipsetInterface,
 				utilsysctl.New(),
 				execer,
-				config.IPVS.SyncPeriod.Duration,
-				config.IPVS.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.IPVS.ExcludeCIDRs,
 				config.IPVS.StrictARP,
 				config.IPVS.TCPTimeout.Duration,
@@ -295,8 +294,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 			// TODO this has side effects that should only happen when Run() is invoked.
 			proxier, err = nftables.NewDualStackProxier(
 				ctx,
-				config.NFTables.SyncPeriod.Duration,
-				config.NFTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				int(*config.NFTables.MasqueradeBit),
 				localDetectors,
@@ -313,8 +312,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 			proxier, err = nftables.NewProxier(
 				ctx,
 				s.PrimaryIPFamily,
-				config.NFTables.SyncPeriod.Duration,
-				config.NFTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				int(*config.NFTables.MasqueradeBit),
 				localDetectors[s.PrimaryIPFamily],
@@ -477,12 +476,11 @@ func getLocalDetectors(logger klog.Logger, primaryIPFamily v1.IPFamily, config *

 	switch config.DetectLocalMode {
 	case proxyconfigapi.LocalModeClusterCIDR:
-		clusterCIDRs := strings.Split(strings.TrimSpace(config.ClusterCIDR), ",")
-		for family, cidrs := range proxyutil.MapCIDRsByIPFamily(clusterCIDRs) {
+		for family, cidrs := range proxyutil.MapCIDRsByIPFamily(config.DetectLocal.ClusterCIDRs) {
 			localDetectors[family] = proxyutil.NewDetectLocalByCIDR(cidrs[0].String())
 		}
 		if !localDetectors[primaryIPFamily].IsImplemented() {
-			logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR specified for primary IP family", "ipFamily", primaryIPFamily, "clusterCIDR", config.ClusterCIDR)
+			logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR specified for primary IP family", "ipFamily", primaryIPFamily, "clusterCIDRs", config.DetectLocal.ClusterCIDRs)
 		}

 	case proxyconfigapi.LocalModeNodeCIDR:
--- a/cmd/kube-proxy/app/server_linux_test.go
+++ b/cmd/kube-proxy/app/server_linux_test.go
@@ -121,7 +121,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv4 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -133,7 +135,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv6 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -145,7 +149,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv6 cluster with single-stack IPv4 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			// This will output a warning that there is no IPv6 CIDR but it
@@ -159,7 +165,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, single-stack IPv4 cluster with single-stack IPv6 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			// This will output a warning that there is no IPv4 CIDR but it
@@ -173,7 +181,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, dual-stack IPv4-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -185,7 +195,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, dual-stack IPv6-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -197,7 +209,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, IPv4-primary kube-proxy / IPv6-primary config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -209,7 +223,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeClusterCIDR, no ClusterCIDR",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeClusterCIDR,
-				ClusterCIDR:     "",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{""},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -222,7 +238,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv4 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24"},
@@ -235,7 +253,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv6 cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96"},
@@ -248,7 +268,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv6 cluster with single-stack IPv4 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24"},
@@ -263,7 +285,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, single-stack IPv4 cluster with single-stack IPv6 config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96"},
@@ -278,7 +302,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, dual-stack IPv4-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
@@ -291,7 +317,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, dual-stack IPv6-primary cluster",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "2002:0:0:1234::/64,10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"2002:0:0:1234::/64", "10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"2002::1234:abcd:ffff:0:0/96", "10.0.0.0/24"},
@@ -304,7 +332,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, IPv6-primary kube-proxy / IPv4-primary config",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "10.0.0.0/14,2002:0:0:1234::/64",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14", "2002:0:0:1234::/64"},
+				},
 			},
 			primaryIPFamily: v1.IPv6Protocol,
 			nodePodCIDRs:    []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
@@ -317,7 +347,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeNodeCIDR, no PodCIDRs",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeNodeCIDR,
-				ClusterCIDR:     "",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{""},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			nodePodCIDRs:    []string{},
@@ -331,7 +363,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "unknown LocalMode",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalMode("abcd"),
-				ClusterCIDR:     "10.0.0.0/14",
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					ClusterCIDRs: []string{"10.0.0.0/14"},
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -344,7 +378,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeBridgeInterface",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeBridgeInterface,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					BridgeInterface: "eth",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -356,7 +392,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeBridgeInterface, strange bridge name",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeBridgeInterface,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "1234567890123456789"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					BridgeInterface: "1234567890123456789",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -369,7 +407,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeInterfaceNamePrefix",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeInterfaceNamePrefix,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "eth"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					InterfaceNamePrefix: "eth",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
@@ -381,7 +421,9 @@ func Test_getLocalDetectors(t *testing.T) {
 			name: "LocalModeInterfaceNamePrefix, strange interface name",
 			config: &proxyconfigapi.KubeProxyConfiguration{
 				DetectLocalMode: proxyconfigapi.LocalModeInterfaceNamePrefix,
-				DetectLocal:     proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "1234567890123456789"},
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{
+					InterfaceNamePrefix: "1234567890123456789",
+				},
 			},
 			primaryIPFamily: v1.IPv4Protocol,
 			expected: map[v1.IPFamily]proxyutil.LocalTrafficDetector{
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -305,7 +305,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "single-stack NodePortAddresses with single-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -316,7 +318,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "dual-stack NodePortAddresses with dual-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8,fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24", "fd03::/64"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -337,7 +341,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "single-stack NodePortAddresses with dual-stack config",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "10.0.0.0/8,fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
@@ -348,7 +354,9 @@ func Test_checkBadConfig(t *testing.T) {
 			name: "wrong-single-stack NodePortAddresses",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:       "fd09::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd09::/64"},
+					},
 					NodePortAddresses: []string{"192.168.0.0/24"},
 				},
 				PrimaryIPFamily: v1.IPv6Protocol,
@@ -392,7 +400,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok single-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -403,7 +413,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok dual-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "10.0.0.0/8,fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"10.0.0.0/8", "fd01:2345::/64"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -414,7 +426,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "ok reversed dual-stack clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "fd01:2345::/64,10.0.0.0/8",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64", "10.0.0.0/8"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -425,7 +439,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "wrong-family clusterCIDR",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR: "fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64"},
+					},
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
 			},
@@ -438,7 +454,9 @@ func Test_checkBadIPConfig(t *testing.T) {
 			name: "wrong-family clusterCIDR when using ClusterCIDR LocalDetector",
 			proxy: &ProxyServer{
 				Config: &kubeproxyconfig.KubeProxyConfiguration{
-					ClusterCIDR:     "fd01:2345::/64",
+					DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+						ClusterCIDRs: []string{"fd01:2345::/64"},
+					},
 					DetectLocalMode: kubeproxyconfig.LocalModeClusterCIDR,
 				},
 				PrimaryIPFamily: v1.IPv4Protocol,
--- a/cmd/kube-proxy/app/server_windows.go
+++ b/cmd/kube-proxy/app/server_windows.go
@@ -91,8 +91,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.

 	if dualStackMode {
 		proxier, err = winkernel.NewDualStackProxier(
-			config.IPTables.SyncPeriod.Duration,
-			config.IPTables.MinSyncPeriod.Duration,
+			config.SyncPeriod.Duration,
+			config.MinSyncPeriod.Duration,
 			s.Hostname,
 			s.NodeIPs,
 			s.Recorder,
@@ -103,8 +103,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 	} else {
 		proxier, err = winkernel.NewProxier(
 			s.PrimaryIPFamily,
-			config.IPTables.SyncPeriod.Duration,
-			config.IPTables.MinSyncPeriod.Duration,
+			config.SyncPeriod.Duration,
+			config.MinSyncPeriod.Duration,
 			s.Hostname,
 			s.NodeIPs[s.PrimaryIPFamily],
 			s.Recorder,