Merge pull request #18600 from mikedanese/kube-proxy-file

Auto commit by PR queue bot
2016-01-28 23:01:42 -08:00 · 2016-01-28 23:01:42 -08:00 · 6e6974a38f
commit 6e6974a38f
parent 992a85950f 3ebbeb3c8c
14 changed files with 2101 additions and 1903 deletions
--- a/cmd/kube-proxy/app/options/options.go
+++ b/cmd/kube-proxy/app/options/options.go
@ -18,13 +18,14 @@ limitations under the License.
 package options

 import (
-	"net"
 	_ "net/http/pprof"
 	"time"

 	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/unversioned"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/kubelet/qos"
-	utilnet "k8s.io/kubernetes/pkg/util/net"
+	"k8s.io/kubernetes/pkg/util"

 	"github.com/spf13/pflag"
 )
@ -33,67 +34,59 @@ const (
 	ExperimentalProxyModeAnnotation = "net.experimental.kubernetes.io/proxy-mode"
 )

-// ProxyServerConfig contains configurations for a Kubernetes proxy server
+// ProxyServerConfig configures and runs a Kubernetes proxy server
 type ProxyServerConfig struct {
-	BindAddress                    net.IP
-	HealthzPort                    int
-	HealthzBindAddress             net.IP
-	OOMScoreAdj                    int
-	ResourceContainer              string
-	Master                         string
-	Kubeconfig                     string
-	PortRange                      utilnet.PortRange
-	HostnameOverride               string
-	ProxyMode                      string
-	IptablesSyncPeriod             time.Duration
-	ConfigSyncPeriod               time.Duration
-	NodeRef                        *api.ObjectReference // Reference to this node.
-	MasqueradeAll                  bool
-	CleanupAndExit                 bool
-	KubeAPIQPS                     float32
-	KubeAPIBurst                   int
-	UDPIdleTimeout                 time.Duration
-	ConntrackMax                   int
-	ConntrackTCPTimeoutEstablished int // seconds
+	componentconfig.KubeProxyConfiguration
+	ResourceContainer string
+	KubeAPIQPS        float32
+	KubeAPIBurst      int
+	ConfigSyncPeriod  time.Duration
+	CleanupAndExit    bool
+	NodeRef           *api.ObjectReference
+	Master            string
+	Kubeconfig        string
 }

 func NewProxyConfig() *ProxyServerConfig {
 	return &ProxyServerConfig{
-		BindAddress:                    net.ParseIP("0.0.0.0"),
-		HealthzPort:                    10249,
-		HealthzBindAddress:             net.ParseIP("127.0.0.1"),
-		OOMScoreAdj:                    qos.KubeProxyOOMScoreAdj,
-		ResourceContainer:              "/kube-proxy",
-		IptablesSyncPeriod:             30 * time.Second,
-		ConfigSyncPeriod:               15 * time.Minute,
-		KubeAPIQPS:                     5.0,
-		KubeAPIBurst:                   10,
-		UDPIdleTimeout:                 250 * time.Millisecond,
-		ConntrackMax:                   256 * 1024, // 4x default (64k)
-		ConntrackTCPTimeoutEstablished: 86400,      // 1 day (1/5 default)
+		KubeProxyConfiguration: componentconfig.KubeProxyConfiguration{
+			BindAddress:                    "0.0.0.0",
+			HealthzPort:                    10249,
+			HealthzBindAddress:             "127.0.0.1",
+			OOMScoreAdj:                    util.IntPtr(qos.KubeProxyOOMScoreAdj),
+			ResourceContainer:              "/kube-proxy",
+			IPTablesSyncPeriod:             unversioned.Duration{30 * time.Second},
+			UDPIdleTimeout:                 unversioned.Duration{250 * time.Millisecond},
+			Mode:                           componentconfig.ProxyModeUserspace,
+			ConntrackMax:                   256 * 1024,                                     // 4x default (64k)
+			ConntrackTCPEstablishedTimeout: unversioned.Duration{Duration: 24 * time.Hour}, // 1 day (1/5 default)
+		},
+		KubeAPIQPS:       5.0,
+		KubeAPIBurst:     10,
+		ConfigSyncPeriod: 15 * time.Minute,
 	}
 }

 // AddFlags adds flags for a specific ProxyServer to the specified FlagSet
 func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, "The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)")
+	fs.Var(componentconfig.IPVar{&s.BindAddress}, "bind-address", "The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)")
 	fs.StringVar(&s.Master, "master", s.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
 	fs.IntVar(&s.HealthzPort, "healthz-port", s.HealthzPort, "The port to bind the health check server. Use 0 to disable.")
-	fs.IPVar(&s.HealthzBindAddress, "healthz-bind-address", s.HealthzBindAddress, "The IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)")
-	fs.IntVar(&s.OOMScoreAdj, "oom-score-adj", s.OOMScoreAdj, "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]")
+	fs.Var(componentconfig.IPVar{&s.HealthzBindAddress}, "healthz-bind-address", "The IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)")
+	fs.IntVar(s.OOMScoreAdj, "oom-score-adj", util.IntPtrDerefOr(s.OOMScoreAdj, qos.KubeProxyOOMScoreAdj), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]")
 	fs.StringVar(&s.ResourceContainer, "resource-container", s.ResourceContainer, "Absolute name of the resource-only container to create and run the Kube-proxy in (Default: /kube-proxy).")
 	fs.MarkDeprecated("resource-container", "This feature will be removed in a later release.")
 	fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig, "Path to kubeconfig file with authorization information (the master location is set by the master flag).")
-	fs.Var(&s.PortRange, "proxy-port-range", "Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.")
+	fs.Var(componentconfig.PortRangeVar{&s.PortRange}, "proxy-port-range", "Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.")
 	fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
-	fs.StringVar(&s.ProxyMode, "proxy-mode", "", "Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the '"+ExperimentalProxyModeAnnotation+"' annotation if provided.  Otherwise use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.")
-	fs.DurationVar(&s.IptablesSyncPeriod, "iptables-sync-period", s.IptablesSyncPeriod, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.")
+	fs.Var(&s.Mode, "proxy-mode", "Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the '"+ExperimentalProxyModeAnnotation+"' annotation if provided.  Otherwise use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.")
+	fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.")
 	fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed.  Must be greater than 0.")
 	fs.BoolVar(&s.MasqueradeAll, "masquerade-all", false, "If using the pure iptables proxy, SNAT everything")
 	fs.BoolVar(&s.CleanupAndExit, "cleanup-iptables", false, "If true cleanup iptables rules and exit.")
 	fs.Float32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver")
 	fs.IntVar(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver")
-	fs.DurationVar(&s.UDPIdleTimeout, "udp-timeout", s.UDPIdleTimeout, "How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxy-mode=userspace")
+	fs.DurationVar(&s.UDPIdleTimeout.Duration, "udp-timeout", s.UDPIdleTimeout.Duration, "How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxy-mode=userspace")
 	fs.IntVar(&s.ConntrackMax, "conntrack-max", s.ConntrackMax, "Maximum number of NAT connections to track (0 to leave as-is)")
-	fs.IntVar(&s.ConntrackTCPTimeoutEstablished, "conntrack-tcp-timeout-established", s.ConntrackTCPTimeoutEstablished, "Idle timeout for established TCP connections (0 to leave as-is)")
+	fs.DurationVar(&s.ConntrackTCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", s.ConntrackTCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)")
 }
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@ -20,6 +20,7 @@ package app

 import (
 	"errors"
+	"net"
 	"net/http"
 	_ "net/http/pprof"
 	"strconv"
@ -40,6 +41,7 @@ import (
 	utildbus "k8s.io/kubernetes/pkg/util/dbus"
 	"k8s.io/kubernetes/pkg/util/exec"
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
+	utilnet "k8s.io/kubernetes/pkg/util/net"
 	nodeutil "k8s.io/kubernetes/pkg/util/node"
 	"k8s.io/kubernetes/pkg/util/oom"

@ -116,7 +118,7 @@ with the apiserver API to configure the proxy.`,
 // NewProxyServerDefault creates a new ProxyServer object with default parameters.
 func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, error) {
 	protocol := utiliptables.ProtocolIpv4
-	if config.BindAddress.To4() == nil {
+	if net.ParseIP(config.BindAddress).To4() == nil {
 		protocol = utiliptables.ProtocolIpv6
 	}

@ -135,9 +137,9 @@ func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, err

 	// TODO(vmarmol): Use container config for this.
 	var oomAdjuster *oom.OOMAdjuster
-	if config.OOMScoreAdj != 0 {
+	if config.OOMScoreAdj != nil {
 		oomAdjuster = oom.NewOOMAdjuster()
-		if err := oomAdjuster.ApplyOOMScoreAdj(0, config.OOMScoreAdj); err != nil {
+		if err := oomAdjuster.ApplyOOMScoreAdj(0, *config.OOMScoreAdj); err != nil {
 			glog.V(2).Info(err)
 		}
 	}
@ -182,10 +184,10 @@ func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, err
 	var proxier proxy.ProxyProvider
 	var endpointsHandler proxyconfig.EndpointsConfigHandler

-	proxyMode := getProxyMode(config.ProxyMode, client.Nodes(), hostname, iptInterface)
+	proxyMode := getProxyMode(string(config.Mode), client.Nodes(), hostname, iptInterface)
 	if proxyMode == proxyModeIptables {
 		glog.V(2).Info("Using iptables Proxier.")
-		proxierIptables, err := iptables.NewProxier(iptInterface, execer, config.IptablesSyncPeriod, config.MasqueradeAll)
+		proxierIptables, err := iptables.NewProxier(iptInterface, execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll)
 		if err != nil {
 			glog.Fatalf("Unable to create proxier: %v", err)
 		}
@ -202,7 +204,14 @@ func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, err
 		// set EndpointsConfigHandler to our loadBalancer
 		endpointsHandler = loadBalancer

-		proxierUserspace, err := userspace.NewProxier(loadBalancer, config.BindAddress, iptInterface, config.PortRange, config.IptablesSyncPeriod, config.UDPIdleTimeout)
+		proxierUserspace, err := userspace.NewProxier(
+			loadBalancer,
+			net.ParseIP(config.BindAddress),
+			iptInterface,
+			*utilnet.ParsePortRangeOrDie(config.PortRange),
+			config.IPTablesSyncPeriod.Duration,
+			config.UDPIdleTimeout.Duration,
+		)
 		if err != nil {
 			glog.Fatalf("Unable to create proxier: %v", err)
 		}
@ -259,7 +268,7 @@ func (s *ProxyServer) Run() error {
 	// Start up Healthz service if requested
 	if s.Config.HealthzPort > 0 {
 		go util.Until(func() {
-			err := http.ListenAndServe(s.Config.HealthzBindAddress.String()+":"+strconv.Itoa(s.Config.HealthzPort), nil)
+			err := http.ListenAndServe(s.Config.HealthzBindAddress+":"+strconv.Itoa(s.Config.HealthzPort), nil)
 			if err != nil {
 				glog.Errorf("Starting health server failed: %v", err)
 			}
@ -273,8 +282,8 @@ func (s *ProxyServer) Run() error {
 				return err
 			}
 		}
-		if s.Config.ConntrackTCPTimeoutEstablished > 0 {
-			if err := s.Conntracker.SetTCPEstablishedTimeout(s.Config.ConntrackTCPTimeoutEstablished); err != nil {
+		if s.Config.ConntrackTCPEstablishedTimeout.Duration > 0 {
+			if err := s.Conntracker.SetTCPEstablishedTimeout(int(s.Config.ConntrackTCPEstablishedTimeout.Duration / time.Second)); err != nil {
 				return err
 			}
 		}
--- a/docs/admin/kube-proxy.md
+++ b/docs/admin/kube-proxy.md
@ -58,7 +58,7 @@ kube-proxy
      --cleanup-iptables[=false]: If true cleanup iptables rules and exit.
      --config-sync-period=15m0s: How often configuration from the apiserver is refreshed.  Must be greater than 0.
      --conntrack-max=262144: Maximum number of NAT connections to track (0 to leave as-is)
-      --conntrack-tcp-timeout-established=86400: Idle timeout for established TCP connections (0 to leave as-is)
+      --conntrack-tcp-timeout-established=24h0m0s: Idle timeout for established TCP connections (0 to leave as-is)
      --google-json-key="": The Google Cloud Platform Service Account JSON Key to use for authentication.
      --healthz-bind-address=127.0.0.1: The IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
      --healthz-port=10249: The port to bind the health check server. Use 0 to disable.
@ -71,12 +71,12 @@ kube-proxy
      --masquerade-all[=false]: If using the pure iptables proxy, SNAT everything
      --master="": The address of the Kubernetes API server (overrides any value in kubeconfig)
      --oom-score-adj=-999: The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
-      --proxy-mode="": Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
+      --proxy-mode=userspace: Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
      --proxy-port-range=: Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
      --udp-timeout=250ms: How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxy-mode=userspace
 ```

-###### Auto generated by spf13/cobra on 30-Dec-2015
+###### Auto generated by spf13/cobra on 27-Jan-2016


 <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
--- a/pkg/apis/componentconfig/helpers.go
+++ b/pkg/apis/componentconfig/helpers.go
@ -19,9 +19,13 @@ package componentconfig
 import (
 	"fmt"
 	"net"
+
+	utilnet "k8s.io/kubernetes/pkg/util/net"
 )

-// used for validating command line ip addresses.
+// used for validating command line opts
+// TODO(mikedanese): remove these when we remove command line flags
+
 type IPVar struct {
 	Val *string
 }
@ -48,3 +52,47 @@ func (v IPVar) String() string {
 func (v IPVar) Type() string {
 	return "ip"
 }
+
+func (m *ProxyMode) Set(s string) error {
+	nm := ProxyMode(s)
+	m = &nm
+	return nil
+}
+
+func (m *ProxyMode) String() string {
+	if m != nil {
+		return string(*m)
+	}
+	return ""
+}
+
+func (m *ProxyMode) Type() string {
+	return "ProxyMode"
+}
+
+type PortRangeVar struct {
+	Val *string
+}
+
+func (v PortRangeVar) Set(s string) error {
+	if _, err := utilnet.ParsePortRange(s); err != nil {
+		return fmt.Errorf("%q is not a valid port range: %v", s, err)
+	}
+	if v.Val == nil {
+		// it's okay to panic here since this is programmer error
+		panic("the string pointer passed into PortRangeVar should not be nil")
+	}
+	*v.Val = s
+	return nil
+}
+
+func (v PortRangeVar) String() string {
+	if v.Val == nil {
+		return ""
+	}
+	return *v.Val
+}
+
+func (v PortRangeVar) Type() string {
+	return "port-range"
+}
--- a/pkg/apis/componentconfig/types.generated.go
+++ b/pkg/apis/componentconfig/types.generated.go
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@ -21,41 +21,53 @@ import "k8s.io/kubernetes/pkg/api/unversioned"
 type KubeProxyConfiguration struct {
 	unversioned.TypeMeta

-	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)
+	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
+	// for all interfaces)
 	BindAddress string `json:"bindAddress"`
-	// cleanupIPTables
-	CleanupIPTables bool `json:"cleanupIPTables"`
-	// healthzBindAddress is the IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
+	// healthzBindAddress is the IP address for the health check server to serve on,
+	// defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
 	HealthzBindAddress string `json:"healthzBindAddress"`
 	// healthzPort is the port to bind the health check server. Use 0 to disable.
 	HealthzPort int `json:"healthzPort"`
 	// hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
 	HostnameOverride string `json:"hostnameOverride"`
-	// iptablesSyncPeriodSeconds is the period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.
-	IPTablesSyncePeriodSeconds int `json:"iptablesSyncPeriodSeconds"`
-	// kubeAPIBurst is the burst to use while talking with kubernetes apiserver
-	KubeAPIBurst int `json:"kubeAPIBurst"`
-	// kubeAPIQPS is the max QPS to use while talking with kubernetes apiserver
-	KubeAPIQPS int `json:"kubeAPIQPS"`
-	// kubeconfigPath is the path to the kubeconfig file with authorization information (the master location is set by the master flag).
+	// iptablesSyncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
+	// '2h22m').  Must be greater than 0.
+	IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
+	// kubeconfigPath is the path to the kubeconfig file with authorization information (the
+	// master location is set by the master flag).
 	KubeconfigPath string `json:"kubeconfigPath"`
 	// masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
 	MasqueradeAll bool `json:"masqueradeAll"`
 	// master is the address of the Kubernetes API server (overrides any value in kubeconfig)
 	Master string `json:"master"`
-	// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
+	// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
+	// the range [-1000, 1000]
 	OOMScoreAdj *int `json:"oomScoreAdj"`
 	// mode specifies which proxy mode to use.
 	Mode ProxyMode `json:"mode"`
-	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
+	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
+	// in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
 	PortRange string `json:"portRange"`
-	// resourceContainer is the bsolute name of the resource-only container to create and run the Kube-proxy in (Default: /kube-proxy).
+	// resourceContainer is the bsolute name of the resource-only container to create and run
+	// the Kube-proxy in (Default: /kube-proxy).
 	ResourceContainer string `json:"resourceContainer"`
-	// udpTimeoutMilliseconds is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxyMode=userspace.
-	UDPTimeoutMilliseconds int `json:"udpTimeoutMilliseconds"`
+	// udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
+	// Must be greater than 0. Only applicable for proxyMode=userspace.
+	UDPIdleTimeout unversioned.Duration `json:"udpTimeoutMilliseconds"`
+	// conntrackMax is the maximum number of NAT connections to track (0 to leave as-is)")
+	ConntrackMax int `json:"conntrackMax"`
+	// conntrackTCPEstablishedTimeout is how long an idle UDP connection will be kept open
+	// (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxyMode is Userspace
+	ConntrackTCPEstablishedTimeout unversioned.Duration `json:"conntrackTCPEstablishedTimeout"`
 }

-// Currently two modes of proxying are available: 'userspace' (older, stable) or 'iptables' (experimental). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently userspace, but may change in future versions).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
+// Currently two modes of proxying are available: 'userspace' (older, stable) or 'iptables'
+// (experimental). If blank, look at the Node object on the Kubernetes API and respect the
+// 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the
+// best-available proxy (currently userspace, but may change in future versions).  If the
+// iptables proxy is selected, regardless of how, but the system's kernel or iptables
+// versions are insufficient, this always falls back to the userspace proxy.
 type ProxyMode string

 const (
--- a/pkg/apis/componentconfig/v1alpha1/conversion_generated.go
+++ b/pkg/apis/componentconfig/v1alpha1/conversion_generated.go
@ -34,13 +34,12 @@ func autoConvert_componentconfig_KubeProxyConfiguration_To_v1alpha1_KubeProxyCon
 		return err
 	}
 	out.BindAddress = in.BindAddress
-	out.CleanupIPTables = in.CleanupIPTables
 	out.HealthzBindAddress = in.HealthzBindAddress
 	out.HealthzPort = int32(in.HealthzPort)
 	out.HostnameOverride = in.HostnameOverride
-	out.IPTablesSyncePeriodSeconds = int32(in.IPTablesSyncePeriodSeconds)
-	out.KubeAPIBurst = int32(in.KubeAPIBurst)
-	out.KubeAPIQPS = int32(in.KubeAPIQPS)
+	if err := s.Convert(&in.IPTablesSyncPeriod, &out.IPTablesSyncPeriod, 0); err != nil {
+		return err
+	}
 	out.KubeconfigPath = in.KubeconfigPath
 	out.MasqueradeAll = in.MasqueradeAll
 	out.Master = in.Master
@ -53,7 +52,13 @@ func autoConvert_componentconfig_KubeProxyConfiguration_To_v1alpha1_KubeProxyCon
 	out.Mode = ProxyMode(in.Mode)
 	out.PortRange = in.PortRange
 	out.ResourceContainer = in.ResourceContainer
-	out.UDPTimeoutMilliseconds = int32(in.UDPTimeoutMilliseconds)
+	if err := s.Convert(&in.UDPIdleTimeout, &out.UDPIdleTimeout, 0); err != nil {
+		return err
+	}
+	out.ConntrackMax = int32(in.ConntrackMax)
+	if err := s.Convert(&in.ConntrackTCPEstablishedTimeout, &out.ConntrackTCPEstablishedTimeout, 0); err != nil {
+		return err
+	}
 	return nil
 }

@ -69,13 +74,12 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_componentconfig_KubeProxyCon
 		return err
 	}
 	out.BindAddress = in.BindAddress
-	out.CleanupIPTables = in.CleanupIPTables
 	out.HealthzBindAddress = in.HealthzBindAddress
 	out.HealthzPort = int(in.HealthzPort)
 	out.HostnameOverride = in.HostnameOverride
-	out.IPTablesSyncePeriodSeconds = int(in.IPTablesSyncePeriodSeconds)
-	out.KubeAPIBurst = int(in.KubeAPIBurst)
-	out.KubeAPIQPS = int(in.KubeAPIQPS)
+	if err := s.Convert(&in.IPTablesSyncPeriod, &out.IPTablesSyncPeriod, 0); err != nil {
+		return err
+	}
 	out.KubeconfigPath = in.KubeconfigPath
 	out.MasqueradeAll = in.MasqueradeAll
 	out.Master = in.Master
@ -88,7 +92,13 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_componentconfig_KubeProxyCon
 	out.Mode = componentconfig.ProxyMode(in.Mode)
 	out.PortRange = in.PortRange
 	out.ResourceContainer = in.ResourceContainer
-	out.UDPTimeoutMilliseconds = int(in.UDPTimeoutMilliseconds)
+	if err := s.Convert(&in.UDPIdleTimeout, &out.UDPIdleTimeout, 0); err != nil {
+		return err
+	}
+	out.ConntrackMax = int(in.ConntrackMax)
+	if err := s.Convert(&in.ConntrackTCPEstablishedTimeout, &out.ConntrackTCPEstablishedTimeout, 0); err != nil {
+		return err
+	}
 	return nil
 }

--- a/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go
+++ b/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go
@ -24,6 +24,11 @@ import (
 	conversion "k8s.io/kubernetes/pkg/conversion"
 )

+func deepCopy_unversioned_Duration(in unversioned.Duration, out *unversioned.Duration, c *conversion.Cloner) error {
+	out.Duration = in.Duration
+	return nil
+}
+
 func deepCopy_unversioned_TypeMeta(in unversioned.TypeMeta, out *unversioned.TypeMeta, c *conversion.Cloner) error {
 	out.Kind = in.Kind
 	out.APIVersion = in.APIVersion
@ -35,13 +40,12 @@ func deepCopy_v1alpha1_KubeProxyConfiguration(in KubeProxyConfiguration, out *Ku
 		return err
 	}
 	out.BindAddress = in.BindAddress
-	out.CleanupIPTables = in.CleanupIPTables
 	out.HealthzBindAddress = in.HealthzBindAddress
 	out.HealthzPort = in.HealthzPort
 	out.HostnameOverride = in.HostnameOverride
-	out.IPTablesSyncePeriodSeconds = in.IPTablesSyncePeriodSeconds
-	out.KubeAPIBurst = in.KubeAPIBurst
-	out.KubeAPIQPS = in.KubeAPIQPS
+	if err := deepCopy_unversioned_Duration(in.IPTablesSyncPeriod, &out.IPTablesSyncPeriod, c); err != nil {
+		return err
+	}
 	out.KubeconfigPath = in.KubeconfigPath
 	out.MasqueradeAll = in.MasqueradeAll
 	out.Master = in.Master
@ -54,12 +58,19 @@ func deepCopy_v1alpha1_KubeProxyConfiguration(in KubeProxyConfiguration, out *Ku
 	out.Mode = in.Mode
 	out.PortRange = in.PortRange
 	out.ResourceContainer = in.ResourceContainer
-	out.UDPTimeoutMilliseconds = in.UDPTimeoutMilliseconds
+	if err := deepCopy_unversioned_Duration(in.UDPIdleTimeout, &out.UDPIdleTimeout, c); err != nil {
+		return err
+	}
+	out.ConntrackMax = in.ConntrackMax
+	if err := deepCopy_unversioned_Duration(in.ConntrackTCPEstablishedTimeout, &out.ConntrackTCPEstablishedTimeout, c); err != nil {
+		return err
+	}
 	return nil
 }

 func init() {
 	err := api.Scheme.AddGeneratedDeepCopyFuncs(
+		deepCopy_unversioned_Duration,
 		deepCopy_unversioned_TypeMeta,
 		deepCopy_v1alpha1_KubeProxyConfiguration,
 	)
--- a/pkg/apis/componentconfig/v1alpha1/defaults.go
+++ b/pkg/apis/componentconfig/v1alpha1/defaults.go
@ -17,6 +17,9 @@ limitations under the License.
 package v1alpha1

 import (
+	"time"
+
+	"k8s.io/kubernetes/pkg/api/unversioned"
 	"k8s.io/kubernetes/pkg/kubelet/qos"
 	"k8s.io/kubernetes/pkg/runtime"
 )
@ -37,8 +40,8 @@ func addDefaultingFuncs(scheme *runtime.Scheme) {
 				temp := int32(qos.KubeProxyOOMScoreAdj)
 				obj.OOMScoreAdj = &temp
 			}
-			if obj.IPTablesSyncePeriodSeconds == 0 {
-				obj.IPTablesSyncePeriodSeconds = 5
+			if obj.IPTablesSyncPeriod.Duration == 0 {
+				obj.IPTablesSyncPeriod = unversioned.Duration{5 * time.Second}
 			}
 		},
 	)
--- a/pkg/apis/componentconfig/v1alpha1/types.generated.go
+++ b/pkg/apis/componentconfig/v1alpha1/types.generated.go
--- a/pkg/apis/componentconfig/v1alpha1/types.go
+++ b/pkg/apis/componentconfig/v1alpha1/types.go
@ -21,41 +21,53 @@ import "k8s.io/kubernetes/pkg/api/unversioned"
 type KubeProxyConfiguration struct {
 	unversioned.TypeMeta

-	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 for all int32erfaces)
+	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
+	// for all interfaces)
 	BindAddress string `json:"bindAddress"`
-	// cleanupIPTables
-	CleanupIPTables bool `json:"cleanupIPTables"`
-	// healthzBindAddress is the IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all int32erfaces)
+	// healthzBindAddress is the IP address for the health check server to serve on,
+	// defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)
 	HealthzBindAddress string `json:"healthzBindAddress"`
 	// healthzPort is the port to bind the health check server. Use 0 to disable.
 	HealthzPort int32 `json:"healthzPort"`
 	// hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
 	HostnameOverride string `json:"hostnameOverride"`
-	// iptablesSyncPeriodSeconds is the period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.
-	IPTablesSyncePeriodSeconds int32 `json:"iptablesSyncPeriodSeconds"`
-	// kubeAPIBurst is the burst to use while talking with kubernetes apiserver
-	KubeAPIBurst int32 `json:"kubeAPIBurst"`
-	// kubeAPIQPS is the max QPS to use while talking with kubernetes apiserver
-	KubeAPIQPS int32 `json:"kubeAPIQPS"`
-	// kubeconfigPath is the path to the kubeconfig file with authorization information (the master location is set by the master flag).
+	// iptablesSyncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
+	// '2h22m').  Must be greater than 0.
+	IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
+	// kubeconfigPath is the path to the kubeconfig file with authorization information (the
+	// master location is set by the master flag).
 	KubeconfigPath string `json:"kubeconfigPath"`
 	// masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
 	MasqueradeAll bool `json:"masqueradeAll"`
 	// master is the address of the Kubernetes API server (overrides any value in kubeconfig)
 	Master string `json:"master"`
-	// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]
+	// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
+	// the range [-1000, 1000]
 	OOMScoreAdj *int32 `json:"oomScoreAdj"`
 	// mode specifies which proxy mode to use.
 	Mode ProxyMode `json:"mode"`
-	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
+	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
+	// in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
 	PortRange string `json:"portRange"`
-	// resourceContainer is the bsolute name of the resource-only container to create and run the Kube-proxy in (Default: /kube-proxy).
+	// resourceContainer is the bsolute name of the resource-only container to create and run
+	// the Kube-proxy in (Default: /kube-proxy).
 	ResourceContainer string `json:"resourceContainer"`
-	// udpTimeoutMilliseconds is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxyMode=userspace.
-	UDPTimeoutMilliseconds int32 `json:"udpTimeoutMilliseconds"`
+	// udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
+	// Must be greater than 0. Only applicable for proxyMode=userspace.
+	UDPIdleTimeout unversioned.Duration `json:"udpTimeoutMilliseconds"`
+	// conntrackMax is the maximum number of NAT connections to track (0 to leave as-is)")
+	ConntrackMax int32 `json:"conntrackMax"`
+	// conntrackTCPEstablishedTimeout is how long an idle UDP connection will be kept open
+	// (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxyMode is Userspace
+	ConntrackTCPEstablishedTimeout unversioned.Duration `json:"conntrackTCPEstablishedTimeout"`
 }

-// Currently two modes of proxying are available: 'userspace' (older, stable) or 'iptables' (experimental). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently userspace, but may change in future versions).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
+// Currently two modes of proxying are available: 'userspace' (older, stable) or 'iptables'
+// (experimental). If blank, look at the Node object on the Kubernetes API and respect the
+// 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the
+// best-available proxy (currently userspace, but may change in future versions).  If the
+// iptables proxy is selected, regardless of how, but the system's kernel or iptables
+// versions are insufficient, this always falls back to the userspace proxy.
 type ProxyMode string

 const (
--- a/pkg/kubemark/hollow_proxy.go
+++ b/pkg/kubemark/hollow_proxy.go
@ -26,6 +26,7 @@ import (
 	client "k8s.io/kubernetes/pkg/client/unversioned"
 	proxyconfig "k8s.io/kubernetes/pkg/proxy/config"
 	"k8s.io/kubernetes/pkg/types"
+	"k8s.io/kubernetes/pkg/util"
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"

 	"github.com/golang/glog"
@ -59,7 +60,7 @@ func NewHollowProxyOrDie(
 ) *HollowProxy {
 	// Create and start Hollow Proxy
 	config := options.NewProxyConfig()
-	config.OOMScoreAdj = 0
+	config.OOMScoreAdj = util.IntPtr(0)
 	config.ResourceContainer = ""
 	config.NodeRef = &api.ObjectReference{
 		Kind:      "Node",
--- a/pkg/util/net/port_range.go
+++ b/pkg/util/net/port_range.go
@ -98,3 +98,11 @@ func ParsePortRange(value string) (*PortRange, error) {
 	}
 	return pr, nil
 }
+
+func ParsePortRangeOrDie(value string) *PortRange {
+	pr, err := ParsePortRange(value)
+	if err != nil {
+		panic(fmt.Sprintf("couldn't parse port range: %v"))
+	}
+	return pr
+}
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@ -238,3 +238,18 @@ func ReadDirNoExit(dirname string) ([]os.FileInfo, []error, error) {

 	return list, errs, nil
 }
+
+// IntPtr returns a pointer to an int
+func IntPtr(i int) *int {
+	o := i
+	return &o
+}
+
+// IntPtrDerefOr derefrence the int ptr and returns it i not nil,
+// else returns def.
+func IntPtrDerefOr(ptr *int, def int) int {
+	if ptr != nil {
+		return *ptr
+	}
+	return def
+}