github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #124383 from danwinship/nftables-proxy-to-beta

Browse Source 
KEP-3866 kube-proxy nftables to beta
This commit is contained in:
Kubernetes Prow Robot
2024-04-18 17:42:20 -07:00
committed by GitHub
parent fd40d68a39 9f580afa66
commit bf07ef3950
4 changed files with 32 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cluster/gce/config-test.sh
View File

@@ -532,7 +532,7 @@ KUBE_PROXY_DAEMONSET=${KUBE_PROXY_DAEMONSET:-false} # true, false
# as an addon daemonset. # as an addon daemonset.
KUBE_PROXY_DISABLE="${KUBE_PROXY_DISABLE:-false}" # true, false KUBE_PROXY_DISABLE="${KUBE_PROXY_DISABLE:-false}" # true, false
# Optional: Change the kube-proxy implementation. Choices are [iptables, ipvs]. # Optional: Change the kube-proxy implementation. Choices are [iptables, ipvs, nftables].
KUBE_PROXY_MODE=${KUBE_PROXY_MODE:-iptables} KUBE_PROXY_MODE=${KUBE_PROXY_MODE:-iptables}
# Will be passed into the kube-proxy via `--detect-local-mode` # Will be passed into the kube-proxy via `--detect-local-mode`

45
cluster/gce/gci/configure-helper.sh Normal file → Executable file
View File

@@ -1753,24 +1753,35 @@ function prepare-kube-proxy-manifest-variables {
if [[ -n "${FEATURE_GATES:-}" ]]; then if [[ -n "${FEATURE_GATES:-}" ]]; then
params+=" --feature-gates=${FEATURE_GATES}" params+=" --feature-gates=${FEATURE_GATES}"
fi fi
if [[ "${KUBE_PROXY_MODE:-}" == "ipvs" ]];then
# use 'nf_conntrack' instead of 'nf_conntrack_ipv4' for linux kernel >= 4.19
# https://github.com/kubernetes/kubernetes/pull/70398
local -r kernel_version=$(uname -r | cut -d\. -f1,2)
local conntrack_module="nf_conntrack"
if [[ $(printf '%s\n4.18\n' "${kernel_version}" | sort -V | tail -1) == "4.18" ]]; then
conntrack_module="nf_conntrack_ipv4"
fi
if sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module}; then case "${KUBE_PROXY_MODE:-iptables}" in
params+=" --proxy-mode=ipvs" iptables)
else params+=" --proxy-mode=iptables --iptables-sync-period=1m --iptables-min-sync-period=10s"
# If IPVS modules are not present, make sure the node does not come up as ;;
# healthy. ipvs)
exit 1 # use 'nf_conntrack' instead of 'nf_conntrack_ipv4' for linux kernel >= 4.19
fi # https://github.com/kubernetes/kubernetes/pull/70398
fi local -r kernel_version=$(uname -r | cut -d\. -f1,2)
params+=" --iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m --ipvs-min-sync-period=10s" local conntrack_module="nf_conntrack"
if [[ $(printf '%s\n4.18\n' "${kernel_version}" | sort -V | tail -1) == "4.18" ]]; then
conntrack_module="nf_conntrack_ipv4"
fi
if ! sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module}; then
# If IPVS modules are not present, make sure the node does not come up as
# healthy.
exit 1
fi
params+=" --proxy-mode=ipvs --ipvs-sync-period=1m --ipvs-min-sync-period=10s"
;;
nftables)
# Pass --conntrack-tcp-be-liberal so we can test that this makes the
# "proxy implementation should not be vulnerable to the invalid conntrack state bug"
# test pass. https://issues.k8s.io/122663#issuecomment-1885024015
params+=" --proxy-mode=nftables --conntrack-tcp-be-liberal"
;;
esac
if [[ -n "${KUBEPROXY_TEST_ARGS:-}" ]]; then if [[ -n "${KUBEPROXY_TEST_ARGS:-}" ]]; then
params+=" ${KUBEPROXY_TEST_ARGS}" params+=" ${KUBEPROXY_TEST_ARGS}"
fi fi

3
pkg/features/kube_features.go
View File

@@ -525,6 +525,7 @@ const (
// owner: @danwinship // owner: @danwinship
// kep: https://kep.k8s.io/3866 // kep: https://kep.k8s.io/3866
// alpha: v1.29 // alpha: v1.29
// beta: v1.31
// //
// Allows running kube-proxy with `--mode nftables`. // Allows running kube-proxy with `--mode nftables`.
NFTablesProxyMode featuregate.Feature = "NFTablesProxyMode" NFTablesProxyMode featuregate.Feature = "NFTablesProxyMode"
@@ -1131,7 +1132,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
NewVolumeManagerReconstruction: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32 NewVolumeManagerReconstruction: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.32
NFTablesProxyMode: {Default: false, PreRelease: featuregate.Alpha}, NFTablesProxyMode: {Default: true, PreRelease: featuregate.Beta},
NodeLogQuery: {Default: false, PreRelease: featuregate.Beta}, NodeLogQuery: {Default: false, PreRelease: featuregate.Beta},

2
pkg/proxy/apis/config/validation/validation_test.go
View File

@@ -827,7 +827,7 @@ func TestValidateKubeProxyConntrackConfiguration(t *testing.T) {
func TestValidateProxyMode(t *testing.T) { func TestValidateProxyMode(t *testing.T) {
newPath := field.NewPath("KubeProxyConfiguration") newPath := field.NewPath("KubeProxyConfiguration")
successCases := []kubeproxyconfig.ProxyMode{""} successCases := []kubeproxyconfig.ProxyMode{""}
expectedNonExistentErrorMsg := "must be iptables, ipvs or blank (blank means the best-available proxy [currently iptables])" expectedNonExistentErrorMsg := "must be iptables, ipvs, nftables or blank (blank means the best-available proxy [currently iptables])"
if runtime.GOOS == "windows" { if runtime.GOOS == "windows" {
successCases = append(successCases, kubeproxyconfig.ProxyModeKernelspace) successCases = append(successCases, kubeproxyconfig.ProxyModeKernelspace)