Commit Graph

163 Commits

Author SHA1 Message Date
Khaled Henidak (Kal)
a53e2eaeab
move IPv6DualStack feature to stable. (#104691)
* kube-proxy

* endpoints controller

* app: kube-controller-manager

* app: cloud-controller-manager

* kubelet

* app: api-server

* node utils + registry/strategy

* api: validation (comment removal)

* api:pod strategy (util pkg)

* api: docs

* core: integration testing

* kubeadm: change feature gate to GA

* service registry and rest stack

* move feature to GA

* generated
2021-09-24 16:30:22 -07:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Davanum Srinivas
26cc8e40a8
fix deadcode issues
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-14 08:41:21 -04:00
Masashi Honma
39538463de test: Use bytes.Buffer.String
Fix some warnings from go-staticcheck.

"should use buffer.String() instead of string(buffer.Bytes()) (S1030)"

This warning is explained at this link.
https://staticcheck.io/docs/checks#S1030
2021-03-22 17:48:21 +09:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Dan Winship
95c6a488d8 Make kube-proxy check if IPv6 is really supported before assuming dual-stack 2021-02-17 09:11:15 -05:00
Antonio Ojea
7223f12f39 don't leak files on iptables tests
the iptables restore function, if it considers that the --wait flag
is not supported, creates a lock file to mimic the iptables behaviour.

The test should take this into account and remove the file.
2021-02-11 00:20:38 +01:00
Hanlin Shi
4cd1eacbc1 Add rule to allow healthcheck nodeport traffic in filter table
1. For iptables mode, add KUBE-NODEPORTS chain in filter table. Add
   rules to allow healthcheck node port traffic.
2. For ipvs mode, add KUBE-NODE-PORT chain in filter table. Add
   KUBE-HEALTH-CHECK-NODE-PORT ipset to allow traffic to healthcheck
   node port.
2021-02-03 15:20:10 +00:00
knight42
ce0a423ef7
test(iptables): deflake TestRestoreAllWaitOldIptablesRestore
Signed-off-by: knight42 <anonymousknight96@gmail.com>
2020-09-12 22:43:44 +08:00
knight42
b25af8e3c9
feat(iptables): be able to override iptables-1.4-compatible lock path 2020-09-12 22:43:43 +08:00
knight42
f6f0f7922a
test(iptables): deflake TestRestoreAllGrabOldLock
Signed-off-by: knight42 <anonymousknight96@gmail.com>
2020-09-05 01:07:46 +08:00
Antonio Ojea
924553b7ee iptables don't do reverse DNS lookups
the iptables monitor was using iptables -L to list the chains,
without the -n option, so it was trying to do reverse DNS lookups.
A side effect is that it was holding the lock, so other components
could not use it.
We can use -S instead of -L -n to avoid this, since we only want
to check the chain exists.
2020-07-08 18:39:22 +02:00
Benjamin Elder
2abc8afece eparis to emeritus 2020-06-30 09:50:44 -07:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Tim Hockin
9551ecb7c3 Cleanup: Change "Ip" to "IP" in func and var names 2020-04-10 15:29:50 -07:00
Tim Hockin
efb24d44c6 Rename iptables IsIpv6 to IsIPv6 2020-04-10 15:29:50 -07:00
Tim Hockin
ef934a2c5e Add Protocol() method to iptables
Enables simpler printing of which IP family the iptables interface is
managing.
2020-04-10 15:29:49 -07:00
Satyadeep Musuvathy
8c6956e5bb Refactor handling of local traffic detection. 2020-02-21 17:57:34 -08:00
SataQiu
51c742c1dd fix staticcheck failures of pkg/util/ipconfig pkg/util/iptables pkg/util/ipvs/testing 2020-01-09 16:05:11 +08:00
SataQiu
2497a1209b bump k8s.io/utils version 2019-12-21 14:54:44 +08:00
Antonio Ojea
51814ae189
Be more aggressive acquiring the iptables lock
iptables has two options to modify the behaviour trying to
acquire the lock.

--wait  -w [seconds]    maximum wait to acquire xtables lock
                        before give up
--wait-interval -W [usecs]  wait time to try to acquire xtables
                            lock
                            interval to wait for xtables lock
                            default is 1 second

Kubernetes uses -w 5, which means it waits 5 seconds to try to
acquire the lock. If we are not able to acquire it, kube-proxy
fails and retries in 30 seconds, which is an important penalty
on sensitive applications.
We can be a bit more aggressive and try to acquire the lock every
100 msec, which means that we have to fail 50 times before giving up.
2019-12-03 17:38:13 +01:00
gkarthiks
c38e79e76d refactor: incorporated the review comments
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-24 11:46:57 -08:00
gkarthiks
a4abc1dd4d refactor(golint): lint fixes for iptables test file
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-22 19:58:56 -08:00
gkarthiks
b05749c619 chore(gofmt): go format fix
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-19 08:30:16 -08:00
Karthikeyan Govindaraj
a4631c845e
chore(lint): lint fix in /pkg/util/iptables 2019-11-18 23:44:49 -08:00
Karthikeyan Govindaraj
bdc11c2806
chore(lint): fix iptable.go file lint 2019-11-18 23:43:51 -08:00
Kubernetes Prow Robot
e434d2dbab
Merge pull request #84295 from aojea/iptableslogs
Improve iptables logging
2019-11-14 17:49:51 -08:00
Kubernetes Prow Robot
6c5fb3ee60
Merge pull request #83491 from dcbw/winship-iptables-owner
pkg/util/iptables: add Dan Winship to approvers
2019-11-14 16:37:26 -08:00
Jordan Liggitt
297570e06a hack/update-vendor.sh 2019-11-06 17:42:34 -05:00
Antonio Ojea
1268d1a8ff Improve iptables logging 2019-10-24 15:52:05 +02:00
Dan Williams
765bb2707d pkg/util/iptables: add Dan Winship to OWNERS 2019-10-03 22:21:48 -05:00
Dan Winship
2f89c03c63 iptables.Monitor: don't be fooled by "could not get lock" errors 2019-10-02 11:35:12 -04:00
chenyaqi01
3175c9e226 simplify regexp with raw string 2019-09-20 16:53:56 +08:00
Dan Winship
3948f16ff4 Add iptables.Monitor, use it from kubelet and kube-proxy
Kubelet and kube-proxy both had loops to ensure that their iptables
rules didn't get deleted, by repeatedly recreating them. But on
systems with lots of iptables rules (ie, thousands of services), this
can be very slow (and thus might end up holding the iptables lock for
several seconds, blocking other operations, etc).

The specific threat that they need to worry about is
firewall-management commands that flush *all* dynamic iptables rules.
So add a new iptables.Monitor() function that handles this by creating
iptables-flush canaries and only triggering a full rule reload after
noticing that someone has deleted those chains.
2019-09-17 10:19:26 -04:00
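The canary scheme described in this commit, as an added example in Go; this is not the project's own iptables.Monitor code. The `Runner` interface, the in-memory `fakeIptables` and the chain name `KUBE-CANARY` are assumptions made for the example, and the real Monitor's interface and wait-for-all-canaries logic differ. The example also reflects two commits listed earlier on this page: the existence probe is meant to be backed by `iptables -S` rather than `-L` (no reverse DNS lookups), and a probe error such as "could not get lock" is surfaced to the caller instead of being treated as a flush.

```go
package main

import (
	"fmt"
	"log"
)

type Table string
type Chain string

// Runner is the slice of an iptables interface the monitor needs; it is an
// assumption of this example, not the project's own interface. ChainExists is
// meant to be backed by `iptables -t <table> -S <chain>`: -S prints rules as
// commands and never does the reverse DNS lookups that a plain -L triggers.
type Runner interface {
	EnsureChain(table Table, chain Chain) error
	ChainExists(table Table, chain Chain) (bool, error)
}

// Monitor keeps one empty canary chain per table. Probing those is cheap, so it
// can run often; the expensive full reload happens only when a canary is gone.
type Monitor struct {
	ipt     Runner
	tables  []Table
	canary  Chain
	reload  func()
	reloads int
}

func NewMonitor(ipt Runner, tables []Table, canary Chain, reload func()) (*Monitor, error) {
	m := &Monitor{ipt: ipt, tables: tables, canary: canary, reload: reload}
	if err := m.ensureCanaries(); err != nil {
		return nil, err
	}
	return m, nil
}

func (m *Monitor) ensureCanaries() error {
	for _, t := range m.tables {
		if err := m.ipt.EnsureChain(t, m.canary); err != nil {
			return fmt.Errorf("create canary %s/%s: %w", t, m.canary, err)
		}
	}
	return nil
}

// Check is one monitor tick. A probe error (for example "could not get lock"
// while another process holds the xtables lock) is returned, not mistaken for
// a flush, so a busy system does not trigger spurious reloads.
func (m *Monitor) Check() (bool, error) {
	flushed := false
	for _, t := range m.tables {
		exists, err := m.ipt.ChainExists(t, m.canary)
		if err != nil {
			return false, err
		}
		if !exists {
			flushed = true
			break
		}
	}
	if !flushed {
		return false, nil
	}
	m.reloads++
	m.reload()
	return true, m.ensureCanaries() // re-arm the canaries after the reload
}

func (m *Monitor) Reloads() int { return m.reloads }

// fakeIptables is an in-memory stand-in so the example runs without root.
type fakeIptables struct{ chains map[string]bool }

func newFake() *fakeIptables { return &fakeIptables{chains: map[string]bool{}} }

func (f *fakeIptables) EnsureChain(t Table, c Chain) error {
	f.chains[string(t)+"/"+string(c)] = true
	return nil
}

func (f *fakeIptables) ChainExists(t Table, c Chain) (bool, error) {
	return f.chains[string(t)+"/"+string(c)], nil
}

// FlushAll mimics a firewall manager wiping every dynamic chain in every table.
func (f *fakeIptables) FlushAll() { f.chains = map[string]bool{} }

func main() {
	f := newFake()
	m, err := NewMonitor(f, []Table{"nat", "filter"}, "KUBE-CANARY",
		func() { fmt.Println("canary gone: reloading all rules") })
	if err != nil {
		log.Fatal(err)
	}
	f.FlushAll() // pretend something like `firewall-cmd --reload` just ran
	flushed, err := m.Check()
	fmt.Println("flushed =", flushed, "err =", err, "reloads =", m.Reloads())
}
```

In a real daemon `Check` would be called from a ticker loop; it is kept as a single step here so the flush-then-reload sequence can be driven deterministically and the reload callback can be counted.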
Dan Winship
b6c3d5416a Drop iptables firewalld monitoring support
The firewalld monitoring code was not well tested (and not easily
testable), would never be triggered on most platforms, and was only
being taken advantage of from one place (kube-proxy), which didn't
need it anyway since it already has its own resync loop.

Since the firewalld monitoring was the only consumer of pkg/util/dbus,
we can also now delete that.
2019-09-15 15:35:40 -04:00
Dan Winship
75888077d3 Fix iptables version detection code to handle RHEL 7 correctly 2019-09-11 18:47:58 -04:00
Mike Spreitzer
d86d1defa1 Made IPVS and iptables modes of kube-proxy fully randomize masquerading if possible
Work around a Linux kernel bug that sometimes causes multiple flows to
get mapped to the same IP:PORT and consequently some suffer packet
drops.

Also made the same update in kubelet.

Also added cross-pointers between the two bodies of code, in comments.

Some day we should eliminate the duplicate code.  But today is not
that day.
2019-09-01 22:07:30 -04:00
Dan Winship
81cd27a51e iptables: simplify version handling 2019-08-01 12:05:31 -04:00
Dan Winship
8bced9b130 iptables: don't do feature detection on the iptables-restore binary
The iptables code was doing version detection on the iptables binary
but feature detection on the iptables-restore binary, to try to
support the version of iptables in RHEL 7, which claims to be 1.4.21
but has certain features from iptables 1.6.

The problem is that this particular set of versions and checks
resulted in the code passing "-w" ("wait forever for the lock") to
iptables, but "-w 5" ("wait at most 5 seconds for the lock") to
iptables-restore. On systems with very very many iptables rules, this
could result in the kubelet periodic resyncs (which use "iptables")
blocking kube-proxy (which uses "iptables-restore") and causing it to
time out.

We already have code to grab the lock file by hand when using a
version of iptables-restore that doesn't support "-w", and it works
fine. So just use that instead, and only pass "-w 5" to
iptables-restore when iptables reports a version that actually
supports it.
2019-08-01 11:49:50 -04:00
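The version-gated flag selection behind this commit, the lock-wait change (-w 5 plus -W 100000, 2019-12-03) and the --random-fully masquerade change (2019-09-01) listed earlier on this page, as one added example in Go. This is not the project's own code: the minimum-version thresholds are an assumption of the example recalled from the upstream constants, and the function names are invented for illustration; check them against the man page of the iptables build you ship.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Version is an iptables version parsed from `iptables --version`.
type Version struct{ Major, Minor, Patch int }

// Thresholds are an assumption of this example (recalled from upstream
// constants), not taken from the page: verify against your iptables man page.
var (
	waitMin         = Version{1, 4, 20} // bare "-w": wait forever for the xtables lock
	waitSecondsMin  = Version{1, 4, 22} // "-w N": give up after N seconds
	waitIntervalMin = Version{1, 6, 0}  // "-W usecs": retry interval while waiting
	waitRestoreMin  = Version{1, 6, 2}  // iptables-restore itself accepts "-w"
	randomFullyMin  = Version{1, 6, 2}  // MASQUERADE --random-fully
)

var versionRE = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)`)

// ParseVersion reads the first "x.y.z" from output such as
// "iptables v1.8.7 (nf_tables)" or RHEL 7's "iptables v1.4.21".
func ParseVersion(output string) (Version, error) {
	m := versionRE.FindStringSubmatch(output)
	if m == nil {
		return Version{}, fmt.Errorf("no version in %q", output)
	}
	maj, _ := strconv.Atoi(m[1])
	mi, _ := strconv.Atoi(m[2])
	pat, _ := strconv.Atoi(m[3])
	return Version{maj, mi, pat}, nil
}

// AtLeast reports whether v >= o.
func (v Version) AtLeast(o Version) bool {
	if v.Major != o.Major {
		return v.Major > o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor > o.Minor
	}
	return v.Patch >= o.Patch
}

// WaitFlags is what the iptables binary gets for lock handling: up to 5 s,
// retrying every 100 ms (50 attempts) where -W exists.
func WaitFlags(v Version) []string {
	switch {
	case v.AtLeast(waitIntervalMin):
		return []string{"-w", "5", "-W", "100000"}
	case v.AtLeast(waitSecondsMin):
		return []string{"-w", "5"}
	case v.AtLeast(waitMin):
		return []string{"-w"}
	default:
		return nil // no lock flag at all; callers must serialize externally
	}
}

// RestoreWaitFlags decides the same for iptables-restore. The decision is made
// from the iptables version, not by probing iptables-restore: for builds whose
// restore binary lacks -w the caller must take the xtables lock file by hand.
func RestoreWaitFlags(v Version) (flags []string, grabLockFile bool) {
	if v.AtLeast(waitRestoreMin) {
		return WaitFlags(v), false
	}
	return nil, true
}

// MasqueradeArgs emits "-j MASQUERADE", adding --random-fully (full source
// port randomisation) where the binary supports it.
func MasqueradeArgs(v Version) []string {
	args := []string{"-j", "MASQUERADE"}
	if v.AtLeast(randomFullyMin) {
		args = append(args, "--random-fully")
	}
	return args
}

func main() {
	// Constructed sample outputs; in practice run exec.Command("iptables", "--version").
	for _, out := range []string{"iptables v1.4.21", "iptables v1.8.7 (nf_tables)"} {
		v, err := ParseVersion(out)
		if err != nil {
			fmt.Println(err)
			continue
		}
		rf, manual := RestoreWaitFlags(v)
		fmt.Printf("%v: iptables %v, iptables-restore %v (grab lock file: %t), %v\n",
			v, WaitFlags(v), rf, manual, MasqueradeArgs(v))
	}
}
```

The point of keying everything off the iptables version rather than feature-probing iptables-restore is the one this commit makes: both binaries then get consistent lock behaviour, so a long-running `iptables` resync cannot starve an `iptables-restore` that was given a shorter timeout.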
Kubernetes Prow Robot
9b14c22375
Merge pull request #78428 from luksa/iptables-save-panic
Fix panic in kube-proxy when iptables-save prints to stderr
2019-05-31 23:23:00 -07:00
Marko Lukša
93a549679f Capture stderr output and write it to buffer on error 2019-05-28 17:09:29 +02:00
Marko Lukša
00e7505618 Discard stderr output when calling iptables-save 2019-05-28 14:43:28 +02:00
Marko Lukša
df23697ae7 Better error message if panic occurs during iptables-save output parsing 2019-05-28 11:38:27 +02:00
Andrew Sy Kim
8dfd4def99 add unit tests for -src-type=LOCAL from LB chain
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
2019-05-07 15:22:46 -04:00
Dan Winship
4d77d3e75f Update iptables.IsNotFoundError for iptables-nft error messages 2019-05-01 10:42:30 -04:00
JieJhih Jhang
098a7c5972 fix golint 2019-04-26 15:37:38 +08:00
Kubernetes Prow Robot
5b7a790d35
Merge pull request #72185 from dcbw/owners-label-sig-network
OWNERS: add label:sig/network to a bunch of places
2019-02-08 10:36:16 -08:00
Roy Lenferink
b43c04452f Updated OWNERS files to include link to docs 2019-02-04 22:33:12 +01:00
Andrew Kim
93b086f6ea replace k8s.io/apiserver/pkg/util/trace with k8s.io/utils/trace 2019-01-24 15:34:21 -05:00