Merge pull request #120274 from danwinship/kube-proxy-config-docs

kube-proxy config/CLI doc fixups
2023-10-15 02:56:24 +02:00
parent 4a94a570bd 6c9ddf300c
commit cf54acce5c
7 changed files with 354 additions and 309 deletions
--- a/pkg/proxy/apis/config/types.go
+++ b/pkg/proxy/apis/config/types.go
@@ -30,36 +30,44 @@ import (
 // details for the Kubernetes proxy server.
 type KubeProxyIPTablesConfiguration struct {
 	// masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
-	// the pure iptables proxy mode. Values must be within the range [0, 31].
+	// the iptables or ipvs proxy mode. Values must be within the range [0, 31].
 	MasqueradeBit *int32
-	// masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
+	// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
+	// when using the iptables or ipvs proxy mode. This may be required with some CNI
+	// plugins.
 	MasqueradeAll bool
-	// LocalhostNodePorts tells kube-proxy to allow service NodePorts to be accessed via
-	// localhost (iptables mode only)
+	// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
+	// of allowing NodePort services to be accessed via localhost. (Applies only to
+	// iptables mode and IPv4; localhost NodePorts are never allowed with other proxy
+	// modes or with IPv6.)
 	LocalhostNodePorts *bool
-	// syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').  Must be greater than 0.
+	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+	// various re-synchronizing and cleanup operations are performed. Must be greater
+	// than 0.
 	SyncPeriod metav1.Duration
-	// minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').
+	// minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
+	// '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
+	// result in an immediate iptables resync.
 	MinSyncPeriod metav1.Duration
 }

 // KubeProxyIPVSConfiguration contains ipvs-related configuration
 // details for the Kubernetes proxy server.
 type KubeProxyIPVSConfiguration struct {
-	// syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').  Must be greater than 0.
+	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+	// various re-synchronizing and cleanup operations are performed. Must be greater
+	// than 0.
 	SyncPeriod metav1.Duration
-	// minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').
+	// minSyncPeriod is the minimum period between IPVS rule resyncs (e.g. '5s', '1m',
+	// '2h22m'). A value of 0 means every Service or EndpointSlice change will result
+	// in an immediate IPVS resync.
 	MinSyncPeriod metav1.Duration
-	// ipvs scheduler
+	// scheduler is the IPVS scheduler to use
 	Scheduler string
-	// excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
+	// excludeCIDRs is a list of CIDRs which the ipvs proxier should not touch
 	// when cleaning up ipvs services.
 	ExcludeCIDRs []string
-	// strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries
+	// strictARP configures arp_ignore and arp_announce to avoid answering ARP queries
 	// from kube-ipvs0 interface
 	StrictARP bool
 	// tcpTimeout is the timeout value used for idle IPVS TCP sessions.
@@ -111,23 +119,23 @@ type KubeProxyWinkernelConfiguration struct {
 	// enableDSR tells kube-proxy whether HNS policies should be created
 	// with DSR
 	EnableDSR bool
-	// RootHnsEndpointName is the name of hnsendpoint that is attached to
+	// rootHnsEndpointName is the name of hnsendpoint that is attached to
 	// l2bridge for root network namespace
 	RootHnsEndpointName string
-	// ForwardHealthCheckVip forwards service VIP for health check port on
+	// forwardHealthCheckVip forwards service VIP for health check port on
 	// Windows
 	ForwardHealthCheckVip bool
 }

 // DetectLocalConfiguration contains optional settings related to DetectLocalMode option
 type DetectLocalConfiguration struct {
-	// BridgeInterface is a string argument which represents a single bridge interface name.
-	// Kube-proxy considers traffic as local if originating from this given bridge.
-	// This argument should be set if DetectLocalMode is set to BridgeInterface.
+	// bridgeInterface is a bridge interface name. When DetectLocalMode is set to
+	// LocalModeBridgeInterface, kube-proxy will consider traffic to be local if
+	// it originates from this bridge.
 	BridgeInterface string
-	// InterfaceNamePrefix is a string argument which represents a single interface prefix name.
-	// Kube-proxy considers traffic as local if originating from one or more interfaces which match
-	// the given prefix. This argument should be set if DetectLocalMode is set to InterfaceNamePrefix.
+	// interfaceNamePrefix is an interface name prefix. When DetectLocalMode is set to
+	// LocalModeInterfaceNamePrefix, kube-proxy will consider traffic to be local if
+	// it originates from any interface whose name begins with this prefix.
 	InterfaceNamePrefix string
 }

@@ -141,65 +149,77 @@ type KubeProxyConfiguration struct {
 	// featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
 	FeatureGates map[string]bool

-	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
-	// for all interfaces)
+	// clientConnection specifies the kubeconfig file and client connection settings for the proxy
+	// server to use when communicating with the apiserver.
+	ClientConnection componentbaseconfig.ClientConnectionConfiguration
+	// logging specifies the options of logging.
+	// Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go)
+	// for more information.
+	Logging logsapi.LoggingConfiguration
+
+	// hostnameOverride, if non-empty, will be used as the name of the Node that
+	// kube-proxy is running on. If unset, the node name is assumed to be the same as
+	// the node's hostname.
+	HostnameOverride string
+	// bindAddress can be used to override kube-proxy's idea of what its node's
+	// primary IP is. Note that the name is a historical artifact, and kube-proxy does
+	// not actually bind any sockets to this IP.
 	BindAddress string
-	// healthzBindAddress is the IP address and port for the health check server to serve on,
-	// defaulting to 0.0.0.0:10256
+	// healthzBindAddress is the IP address and port for the health check server to
+	// serve on, defaulting to "0.0.0.0:10256" (if bindAddress is unset or IPv4), or
+	// "[::]:10256" (if bindAddress is IPv6).
 	HealthzBindAddress string
-	// metricsBindAddress is the IP address and port for the metrics server to serve on,
-	// defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
+	// metricsBindAddress is the IP address and port for the metrics server to serve
+	// on, defaulting to "127.0.0.1:10249" (if bindAddress is unset or IPv4), or
+	// "[::1]:10249" (if bindAddress is IPv6). (Set to "0.0.0.0:10249" / "[::]:10249"
+	// to bind on all interfaces.)
 	MetricsBindAddress string
-	// BindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit
+	// bindAddressHardFail, if true, tells kube-proxy to treat failure to bind to a
+	// port as fatal and exit
 	BindAddressHardFail bool
 	// enableProfiling enables profiling via web interface on /debug/pprof handler.
 	// Profiling handlers will be handled by metrics server.
 	EnableProfiling bool
-	// clusterCIDR is the CIDR range of the pods in the cluster. It is used to
-	// bridge traffic coming from outside of the cluster. If not provided,
-	// no off-cluster bridging will be performed.
-	ClusterCIDR string
-	// hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
-	HostnameOverride string
-	// clientConnection specifies the kubeconfig file and client connection settings for the proxy
-	// server to use when communicating with the apiserver.
-	ClientConnection componentbaseconfig.ClientConnectionConfiguration
+	// showHiddenMetricsForVersion is the version for which you want to show hidden metrics.
+	ShowHiddenMetricsForVersion string
+
+	// mode specifies which proxy mode to use.
+	Mode ProxyMode
 	// iptables contains iptables-related configuration options.
 	IPTables KubeProxyIPTablesConfiguration
 	// ipvs contains ipvs-related configuration options.
 	IPVS KubeProxyIPVSConfiguration
+	// winkernel contains winkernel-related configuration options.
+	Winkernel KubeProxyWinkernelConfiguration
+
+	// detectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
+	DetectLocalMode LocalMode
+	// detectLocal contains optional configuration settings related to DetectLocalMode.
+	DetectLocal DetectLocalConfiguration
+	// clusterCIDR is the CIDR range of the pods in the cluster. (For dual-stack
+	// clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When
+	// DetectLocalMode is set to LocalModeClusterCIDR, kube-proxy will consider
+	// traffic to be local if its source IP is in this range. (Otherwise it is not
+	// used.)
+	ClusterCIDR string
+
+	// nodePortAddresses is a list of CIDR ranges that contain valid node IPs. If set,
+	// connections to NodePort services will only be accepted on node IPs in one of
+	// the indicated ranges. If unset, NodePort connections will be accepted on all
+	// local IPs.
+	NodePortAddresses []string
+
 	// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
 	// the range [-1000, 1000]
 	OOMScoreAdj *int32
-	// mode specifies which proxy mode to use.
-	Mode ProxyMode
-	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
-	// in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
-	PortRange string
 	// conntrack contains conntrack-related configuration options.
 	Conntrack KubeProxyConntrackConfiguration
 	// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 	// than 0.
 	ConfigSyncPeriod metav1.Duration
-	// nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
-	// IP blocks. These values are as a parameter to select the interfaces where nodeport works.
-	// In case someone would like to expose a service on localhost for local visit and some other interfaces for
-	// particular purpose, a list of IP blocks would do that.
-	// If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
-	// If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
-	// An empty string slice is meant to select all network interfaces.
-	NodePortAddresses []string
-	// winkernel contains winkernel-related configuration options.
-	Winkernel KubeProxyWinkernelConfiguration
-	// ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
-	ShowHiddenMetricsForVersion string
-	// DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
-	DetectLocalMode LocalMode
-	// DetectLocal contains optional configuration settings related to DetectLocalMode.
-	DetectLocal DetectLocalConfiguration
-	// Logging specifies the options of logging.
-	// Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) for more information.
-	Logging logsapi.LoggingConfiguration
+
+	// portRange was previously used to configure the userspace proxy, but is now unused.
+	PortRange string
 }

 // ProxyMode represents modes used by the Kubernetes proxy server.
--- a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
@@ -126,39 +126,39 @@ func Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguratio

 func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, s conversion.Scope) error {
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
+	if err := configv1alpha1.Convert_v1alpha1_ClientConnectionConfiguration_To_config_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
+		return err
+	}
+	out.Logging = in.Logging
+	out.HostnameOverride = in.HostnameOverride
 	out.BindAddress = in.BindAddress
 	out.HealthzBindAddress = in.HealthzBindAddress
 	out.MetricsBindAddress = in.MetricsBindAddress
 	out.BindAddressHardFail = in.BindAddressHardFail
 	out.EnableProfiling = in.EnableProfiling
-	out.ClusterCIDR = in.ClusterCIDR
-	out.HostnameOverride = in.HostnameOverride
-	if err := configv1alpha1.Convert_v1alpha1_ClientConnectionConfiguration_To_config_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
-		return err
-	}
+	out.ShowHiddenMetricsForVersion = in.ShowHiddenMetricsForVersion
+	out.Mode = config.ProxyMode(in.Mode)
 	if err := Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(&in.IPTables, &out.IPTables, s); err != nil {
 		return err
 	}
 	if err := Convert_v1alpha1_KubeProxyIPVSConfiguration_To_config_KubeProxyIPVSConfiguration(&in.IPVS, &out.IPVS, s); err != nil {
 		return err
 	}
-	out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj))
-	out.Mode = config.ProxyMode(in.Mode)
-	out.PortRange = in.PortRange
-	if err := Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil {
-		return err
-	}
-	out.ConfigSyncPeriod = in.ConfigSyncPeriod
-	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
 	if err := Convert_v1alpha1_KubeProxyWinkernelConfiguration_To_config_KubeProxyWinkernelConfiguration(&in.Winkernel, &out.Winkernel, s); err != nil {
 		return err
 	}
-	out.ShowHiddenMetricsForVersion = in.ShowHiddenMetricsForVersion
 	out.DetectLocalMode = config.LocalMode(in.DetectLocalMode)
 	if err := Convert_v1alpha1_DetectLocalConfiguration_To_config_DetectLocalConfiguration(&in.DetectLocal, &out.DetectLocal, s); err != nil {
 		return err
 	}
-	out.Logging = in.Logging
+	out.ClusterCIDR = in.ClusterCIDR
+	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
+	out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj))
+	if err := Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil {
+		return err
+	}
+	out.ConfigSyncPeriod = in.ConfigSyncPeriod
+	out.PortRange = in.PortRange
 	return nil
 }

@@ -169,39 +169,39 @@ func Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in

 func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, s conversion.Scope) error {
 	out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
+	if err := configv1alpha1.Convert_config_ClientConnectionConfiguration_To_v1alpha1_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
+		return err
+	}
+	out.Logging = in.Logging
+	out.HostnameOverride = in.HostnameOverride
 	out.BindAddress = in.BindAddress
 	out.HealthzBindAddress = in.HealthzBindAddress
 	out.MetricsBindAddress = in.MetricsBindAddress
 	out.BindAddressHardFail = in.BindAddressHardFail
 	out.EnableProfiling = in.EnableProfiling
-	out.ClusterCIDR = in.ClusterCIDR
-	out.HostnameOverride = in.HostnameOverride
-	if err := configv1alpha1.Convert_config_ClientConnectionConfiguration_To_v1alpha1_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
-		return err
-	}
+	out.ShowHiddenMetricsForVersion = in.ShowHiddenMetricsForVersion
+	out.Mode = v1alpha1.ProxyMode(in.Mode)
 	if err := Convert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(&in.IPTables, &out.IPTables, s); err != nil {
 		return err
 	}
 	if err := Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfiguration(&in.IPVS, &out.IPVS, s); err != nil {
 		return err
 	}
-	out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj))
-	out.Mode = v1alpha1.ProxyMode(in.Mode)
-	out.PortRange = in.PortRange
-	if err := Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil {
-		return err
-	}
-	out.ConfigSyncPeriod = in.ConfigSyncPeriod
-	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
 	if err := Convert_config_KubeProxyWinkernelConfiguration_To_v1alpha1_KubeProxyWinkernelConfiguration(&in.Winkernel, &out.Winkernel, s); err != nil {
 		return err
 	}
-	out.ShowHiddenMetricsForVersion = in.ShowHiddenMetricsForVersion
 	out.DetectLocalMode = v1alpha1.LocalMode(in.DetectLocalMode)
 	if err := Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguration(&in.DetectLocal, &out.DetectLocal, s); err != nil {
 		return err
 	}
-	out.Logging = in.Logging
+	out.ClusterCIDR = in.ClusterCIDR
+	out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
+	out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj))
+	if err := Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil {
+		return err
+	}
+	out.ConfigSyncPeriod = in.ConfigSyncPeriod
+	out.PortRange = in.PortRange
 	return nil
 }

--- a/pkg/proxy/apis/config/zz_generated.deepcopy.go
+++ b/pkg/proxy/apis/config/zz_generated.deepcopy.go
@@ -76,8 +76,16 @@ func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) {
 		}
 	}
 	out.ClientConnection = in.ClientConnection
+	in.Logging.DeepCopyInto(&out.Logging)
 	in.IPTables.DeepCopyInto(&out.IPTables)
 	in.IPVS.DeepCopyInto(&out.IPVS)
+	out.Winkernel = in.Winkernel
+	out.DetectLocal = in.DetectLocal
+	if in.NodePortAddresses != nil {
+		in, out := &in.NodePortAddresses, &out.NodePortAddresses
+		*out = make([]string, len(*in))
+		copy(*out, *in)
+	}
 	if in.OOMScoreAdj != nil {
 		in, out := &in.OOMScoreAdj, &out.OOMScoreAdj
 		*out = new(int32)
@@ -85,14 +93,6 @@ func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) {
 	}
 	in.Conntrack.DeepCopyInto(&out.Conntrack)
 	out.ConfigSyncPeriod = in.ConfigSyncPeriod
-	if in.NodePortAddresses != nil {
-		in, out := &in.NodePortAddresses, &out.NodePortAddresses
-		*out = make([]string, len(*in))
-		copy(*out, *in)
-	}
-	out.Winkernel = in.Winkernel
-	out.DetectLocal = in.DetectLocal
-	in.Logging.DeepCopyInto(&out.Logging)
 	return
 }