Commit Graph

1610 Commits

Author SHA1 Message Date
Fangyuan Li
7ed2f1d94d Implements Service Internal Traffic Policy
1. Add API definitions;
2. Add feature gate and drops the field when feature gate is not on;
3. Set default values for the field;
4. Add API Validation
5. add kube-proxy iptables and ipvs implementations
6. add tests
2021-03-07 16:52:59 -08:00
Swetha Repakula
108fd44f7c Graduate EndpointSlice feature gate to GA 2021-03-06 15:58:47 -08:00
Kubernetes Prow Robot
269d62d895
Merge pull request #97837 from JornShen/proxier_userspace_structured_logging
migrate proxy/userspace/proxier.go logs to structured logging
2021-03-05 13:25:42 -08:00
Kubernetes Prow Robot
70d732c7e7
Merge pull request #99653 from aojea/kproxymetrics
new kube-proxy iptables metric to expose the number of iptables rules
2021-03-05 10:00:34 -08:00
Antonio Ojea
654be57022 kube-proxy iptables expose number of rules metrics
add a new metric to kube-proxy iptables, so it exposes the number
of rules programmed in each iteration.
2021-03-05 10:00:38 +01:00
Swetha Repakula
6f5329d4c0 Remove EndpointSliceNodeName feature gate logic
- feature gate has graduated to GA and will always be enabled, so no
 longer need to check if enabled
2021-03-04 09:57:15 -08:00
Kubernetes Prow Robot
7c9841d586
Merge pull request #98985 from timyinshi/proxy
delete the extra word
2021-03-03 01:53:32 -08:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
JunYang
53056e88b6 Fix incorrect use of klog.ErrorS
Signed-off-by: JunYang <yang.jun22@zte.com.cn>
2021-02-21 14:55:23 +08:00
Kubernetes Prow Robot
4ef5d1402d
Merge pull request #99102 from justinsb/avoid_multiple_calls_to_done
proxy/config tests: avoid multiple calls to done
2021-02-18 20:28:24 -08:00
Kubernetes Prow Robot
6dc317a107
Merge pull request #98130 from JornShen/optimze_redundant_listenPortOpener
migrate to use k8s.io/util/net/port in kube-proxy
2021-02-18 10:02:51 -08:00
Justin SB
6ac76e184e proxy/config tests: avoid multiple calls to done
If the callback is called multiple times the wait group will be
over-decremented.
2021-02-15 15:23:21 -05:00
jornshen
dbe89a5683 migrate kube canary chain as const 2021-02-15 16:50:48 +08:00
jornshen
00e26e9785 clear pkg/proxy/port.go port_test.go file 2021-02-15 16:36:09 +08:00
jornshen
d8d6a0223b clear no use LocalPort in winkernel 2021-02-15 16:36:08 +08:00
jornshen
97a5a3d4d5 migrate to use k8s.io/util LocalPort and ListenPortOpener in ipvs.proxier 2021-02-15 16:36:08 +08:00
jornshen
e68e105102 migrate to use k8s.io/util LocalPort and ListenPortOpener in iptables.proxier 2021-02-15 16:36:06 +08:00
timyinshi
5242af9d2d
delete the extra word
Signed-off-by: timyinshi <shiguangyin@inspur.com>
2021-02-11 16:35:48 +08:00
Kubernetes Prow Robot
659b4dc4a8
Merge pull request #98305 from aojea/holdports
kube-proxy has to clear NodePort stale UDP entries
2021-02-10 23:36:16 -08:00
Antonio Ojea
ed21a0e16c kube-proxy: clear conntrack entries after rules are in place
Clear conntrack entries for UDP NodePorts,
this has to be done AFTER the iptables rules are programmed.
It can happen that traffic to the NodePort hits the host before
the iptables rules are programmed; this will create a stale entry
in conntrack that will blackhole the traffic, so we need to
clear it ONLY when the service has endpoints.
2021-02-10 16:22:03 +01:00
Kubernetes Prow Robot
6b9379eae4
Merge pull request #98001 from JornShen/proxier_winkernel_structured_logging
migrate proxy/winkernel/proxier.go logs to structured logging
2021-02-09 23:47:12 -08:00
Kubernetes Prow Robot
c1b3797f4b
Merge pull request #97824 from hanlins/fix/97225/hc-rules
Explicitly add iptables rule to allow healthcheck nodeport
2021-02-04 15:54:52 -08:00
Hanlin Shi
4cd1eacbc1 Add rule to allow healthcheck nodeport traffic in filter table
1. For iptables mode, add KUBE-NODEPORTS chain in filter table. Add
   rules to allow healthcheck node port traffic.
2. For ipvs mode, add KUBE-NODE-PORT chain in filter table. Add
   KUBE-HEALTH-CHECK-NODE-PORT ipset to allow traffic to healthcheck
   node port.
2021-02-03 15:20:10 +00:00
Sravanth Bangari
04eced5c67 For LoadBalancer Service type don't create a HNS policy for empty or invalid external loadbalancer IP 2021-01-31 11:56:30 -08:00
jornshen
e3d068870d migrate proxy/userspace/proxier.go logs to structured logging 2021-01-30 10:21:51 +08:00
Kubernetes Prow Robot
e89e7b4ed1
Merge pull request #98083 from JornShen/optimize_proxier_duplicate_localaddrset
optimize proxier duplicate localaddrset
2021-01-29 01:21:40 -08:00
jornshen
3f506cadb0 optimize proxier duplicate localaddrset 2021-01-29 10:52:01 +08:00
Kubernetes Prow Robot
97076f6647
Merge pull request #98297 from JornShen/replace_ipvs_proxier_protocal_str
use exist const to replace ipvs/proxier.go tcp,udp,sctp str
2021-01-28 14:41:52 -08:00
Jordan Liggitt
ce553e1b68 Resolve IP addresses of host-only in filtered dialer 2021-01-26 12:00:53 -05:00
Kubernetes Prow Robot
b557633c3f
Merge pull request #98249 from JornShen/optimize_writeline_writeBytesLine
Optimize writeline and writeBytesLine in proxier.go
2021-01-22 23:45:39 -08:00
jornshen
249996e62f use exist const to replace ipvs/proxier.go tcp,udp,sctp 2021-01-22 14:52:00 +08:00
jornshen
761473cd44 add ut for utils WriteLine WriteBytesLine 2021-01-21 10:51:54 +08:00
jornshen
3783821553 move the redundant writeline writeBytesLine to proxy/util/util.go 2021-01-21 10:51:39 +08:00
Kubernetes Prow Robot
0c91285ea6
Merge pull request #97941 from JornShen/proxier_winuserspace_structured_logging
migrate proxy/winuserspace/proxier.go logs to structured logging
2021-01-20 17:51:00 -08:00
jornshen
f3b9e8b105 migrate proxy/winkernel/proxier.go logs to structured logging 2021-01-18 09:35:51 +08:00
Kubernetes Prow Robot
857c06eb49
Merge pull request #98043 from JornShen/migrate_string_overlay_as_const
migrate winkernel network type string "overlay" as const
2021-01-14 20:43:51 -08:00
jornshen
dff2da8cbc migrate winkernel network type string overlay as const 2021-01-14 16:38:02 +08:00
Kubernetes Prow Robot
5c7ee30eaa
Merge pull request #94902 from cmluciano/cml/proxyvaltesting
proxy: Restructure config validation tests to check errors
2021-01-13 10:18:36 -08:00
Kubernetes Prow Robot
eb08f36c7d
Merge pull request #96371 from andrewsykim/kube-proxy-terminating
kube-proxy: track serving/terminating conditions in endpoints cache
2021-01-11 18:38:25 -08:00
jornshen
a5a5fef039 migrate proxy/winuserspace/proxier.go logs to structured logging 2021-01-12 10:31:31 +08:00
Kubernetes Prow Robot
5e22f7fead
Merge pull request #92938 from DataDog/lbernail/CVE-2020-8558
Do not set sysctlRouteLocalnet (CVE-2020-8558)
2021-01-11 17:38:24 -08:00
Andrew Sy Kim
a11abb5475 kube-proxy: ipvs proxy should ignore endpoints with condition ready=false
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:27:38 -05:00
Andrew Sy Kim
9c096292cc kube-proxy: iptables proxy should ignore endpoints with condition ready=false
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:27:38 -05:00
Andrew Sy Kim
1acdfb4e7c kube-proxy: update winkernel proxier to read 'ready', 'serving' and 'terminating' conditions
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:17:58 -05:00
Andrew Sy Kim
a7333e1a3e kube-proxy: add endpointslice cache unit tests for terminating endpoints
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:17:58 -05:00
Andrew Sy Kim
e5f9b80023 kube-proxy: health check server should only check ready endpoints
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:17:58 -05:00
Andrew Sy Kim
55cb453a3c kube-proxy: update internal endpoints map with 'serving' and 'terminating' condition from EndpointSlice
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2021-01-11 16:17:58 -05:00
Laurent Bernaille
15439148da
Do not set sysctlRouteLocalnet (CVE-2020-8558)
Signed-off-by: Laurent Bernaille <laurent.bernaille@datadoghq.com>
2021-01-11 11:41:32 +01:00
jornshen
5af5a2ac7d migrate proxy.UpdateServiceMap to be a method of ServiceMap 2021-01-11 11:07:30 +08:00
Kubernetes Prow Robot
5150d2f839
Merge pull request #97716 from chengzhycn/syncEndpoint-error-return
proxy/ipvs: return non-nil error when there is no matched IPVS servic…
2021-01-07 12:44:54 -08:00
Kubernetes Prow Robot
466e2e3751
Merge pull request #97678 from JornShen/proxier_iptables_structured_logging
migrate proxy/iptables/proxier.go logs to structured logging
2021-01-07 11:51:05 -08:00
chengzhycn
c6c74f2a5d proxy/ipvs: return non-nil error when there is no matched IPVS service in syncEndpoint
Signed-off-by: chengzhycn <chengzhycn@gmail.com>
2021-01-07 10:49:04 +08:00
jornshen
07990e44bf migrate proxy/iptables/proxier.go logs to structured logging 2021-01-07 10:48:01 +08:00
Zhou Peng
0ca17c62d2 [pkg/proxy/ipvs]: fix README.md typo
Signed-off-by: Zhou Peng <p@ctriple.cn>
2021-01-05 14:04:10 +08:00
Kubernetes Prow Robot
77abaabf3a
Merge pull request #97677 from chengzhycn/proxy-error-log
fix incorrect dev name in log when finding link by name returns error
2021-01-04 19:33:57 -08:00
chengzhycn
5bd2b6877d fix incorrect dev name in log when finding link by name returns error
Signed-off-by: chengzhycn <chengzhycn@gmail.com>
2021-01-04 16:34:02 +08:00
maao
d001b9b72a remove --cleanup-ipvs flag of kube-proxy
Signed-off-by: maao <maao420691301@gmail.com>
2020-12-31 11:29:38 +08:00
Kubernetes Prow Robot
6aae473318
Merge pull request #96830 from tnqn/ipvs-restore-commands
Fix duplicate chains in iptables-restore input
2020-12-08 20:03:34 -08:00
Kubernetes Prow Robot
c9dfd5829b
Merge pull request #96728 from jeremyje/dontpanic
Fail instead of panic when HNS network cannot be created in test.
2020-12-08 18:36:14 -08:00
Kubernetes Prow Robot
d2662b9842
Merge pull request #96488 from basantsa1989/kproxy_cleanup
Kube-proxy cleanup: Changing FilterIncorrectIP/CIDR functions to MapIPsToIPFamily that returns a map
2020-12-08 17:28:52 -08:00
Jeremy Edwards
7f972840ca Fail instead of panic when HNS network cannot be created in test. 2020-12-02 07:01:27 +00:00
Quan Tian
9bf96b84c4 Fix duplicate chains in iptables-restore input
When running in ipvs mode, kube-proxy generated wrong iptables-restore
input because the chain names are hardcoded.

It also fixed a typo in method name.
2020-11-24 15:13:23 +08:00
Antonio Ojea
120472032c kube-proxy: treat ExternalIPs as ClusterIP
Currently kube-proxy treats ExternalIPs differently depending on:
- the traffic origin
- if the ExternalIP is present or not in the system.

It also depends on the CNI implementation to
discriminate between local and non-local traffic.

Since the ExternalIP belongs to a Service, we can avoid the roundtrip
of sending outside the traffic originated in the cluster.

Also, we leverage the new LocalTrafficDetector to detect the local
traffic and not rely on the CNI implementations for this.
2020-11-22 00:54:33 +01:00
Basant Amarkhed
293d4b7c48 Avoiding double parsing of ip/cidr strings and logging bad ips/cidrs 2020-11-20 22:22:55 +00:00
Basant Amarkhed
f11c4e9c8c Testcases for MapCIDRsByIPFamily 2020-11-17 07:35:50 +00:00
Basant Amarkhed
707073d2f9 Fixup #1 addressing review comments 2020-11-17 07:13:51 +00:00
Basant Amarkhed
09d966c8cc Adding service.go changes after merge 2020-11-14 01:09:46 +00:00
Basant Amarkhed
8fb895f3f1 Updating after merging with a conflicting commit 2020-11-14 01:09:46 +00:00
Kubernetes Prow Robot
94b17881fc
Merge pull request #96454 from Sh4d1/revert_92312
Revert "Merge pull request #92312 from Sh4d1/kep_1860"
2020-11-12 16:03:24 -08:00
Kubernetes Prow Robot
765d949bfc
Merge pull request #96440 from robscott/endpointslice-pre-ga
Adding NodeName to EndpointSlice API, deprecation updates
2020-11-12 16:03:13 -08:00
Rob Scott
84e4b30a3e
Updates related to PR feedback
- Remove feature gate consideration from EndpointSlice validation
- Deprecate topology field, note that it will be removed in future
release
- Update kube-proxy to check for NodeName if feature gate is enabled
- Add comments indicating the feature gates that can be used to enable
alpha API fields
- Add comments explaining use of deprecated address type in tests
2020-11-12 12:30:50 -08:00
Sravanth Bangari
6c68ca5a9e Choosing the right source VIP for local endpoints 2020-11-11 23:29:07 -08:00
Rob Scott
506861c0a0
Removing "IP" from supported EndpointSlice address types in kube-proxy 2020-11-11 16:50:45 -08:00
Christopher M. Luciano
a036577e2c
proxy: Restructure config validation tests to check errors
The tests for most functions have also been revised to check the errors
explicitly upon validating. This will properly catch occasions
where we should be returning multiple errors if more error occurs or
if just one block is failing.

Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-11-11 14:38:11 -05:00
Patrik Cyvoct
d29665cc17
Revert "Merge pull request #92312 from Sh4d1/kep_1860"
This reverts commit ef16faf409, reversing
changes made to 2343b8a68b.
2020-11-11 10:26:53 +01:00
Kubernetes Prow Robot
ef16faf409
Merge pull request #92312 from Sh4d1/kep_1860
Make Kubernetes aware of the LoadBalancer behaviour
2020-11-08 23:34:24 -08:00
Kubernetes Prow Robot
2343b8a68b
Merge pull request #95872 from 22dm/kube-proxy-comment-fix
Fix the kube-proxy document
2020-11-08 19:23:37 -08:00
Patrik Cyvoct
20fc86df25
fix defaulting
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:59 +01:00
Patrik Cyvoct
0768b45e7b
add nil case in proxy
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:58 +01:00
Patrik Cyvoct
11b97e9ef8
fix tests
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:55 +01:00
Patrik Cyvoct
540901779c
fix reviews
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:53 +01:00
Patrik Cyvoct
af7494e896
Update generated
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:52 +01:00
Patrik Cyvoct
7bdf2af648
fix review
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:51 +01:00
Patrik Cyvoct
88330eafef
fix typo
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:50 +01:00
Patrik Cyvoct
0153b96ab8
fix review
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 10:00:27 +01:00
Patrik Cyvoct
d562b6924a
Add tests
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 09:59:59 +01:00
Patrik Cyvoct
47ae7cbf52
Add route type field to loadbalancer status ingress
Signed-off-by: Patrik Cyvoct <patrik@ptrk.io>
2020-11-07 09:59:58 +01:00
Kubernetes Prow Robot
48a2bca893
Merge pull request #96251 from ravens/nodeport_udp_conntrack_fix
Correctly fix clearing conntrack entry on endpoint changes (nodeport)
2020-11-06 14:25:37 -08:00
Kubernetes Prow Robot
f1a3e4dcce
Merge pull request #95036 from cmluciano/cml/validateproxycidrs
proxy: validate each CIDR config separately and check for errors
2020-11-05 13:12:52 -08:00
Kubernetes Prow Robot
0451848d64
Merge pull request #95787 from qingsenLi/k8s201022-format
format incorrectAddresses in klog
2020-11-05 11:50:33 -08:00
Christopher M. Luciano
705ba7b4bc
proxy: validate each CIDR config separately and check for errors
This commit revises validateProxyNodePortAddress and
validateExcludeCIDRS to report on the exact CIDR that is
invalid within the array of strings. Previously we would just return
the whole block of addresses and now we identify the exact address
within the block to eliminate confusion. I also removed the break from
validateProxyNodeAddress so that we can report on all addresses that
may not be valid.

The tests for each function have also been revised to check the errors
explicitly upon validating. This also will properly catch occasions
where we should be returning multiple errors if more than one CIDR is invalid.

Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-11-05 13:56:39 -05:00
Yan Grunenberger
fdee7b2faa Correctly fix clearing conntrack entry on endpoint changes (nodeport)
A previous PR (#71573) intended to clear conntrack entry on endpoint
changes when using nodeport by introducing a dedicated function to
remove the stale conntrack entry on the node port and allow traffic to
resume. By doing so, it has introduced a nodeport specific bug where the
conntrack entries related to the ClusterIP do not get cleaned if
the endpoint is changed (issue #96174). We fix this by doing ClusterIP cleanup in
all cases.
2020-11-05 09:45:17 +01:00
elweb9858
1bcddb0747 Implementing ExternalTrafficPolicy: local in winkernel kube-proxy via DSR 2020-10-30 15:28:47 -07:00
Khaled Henidak (Kal)
6675eba3ef
dual stack services (#91824)
* api: structure change

* api: defaulting, conversion, and validation

* [FIX] validation: auto remove second ip/family when service changes to SingleStack

* [FIX] api: defaulting, conversion, and validation

* api-server: clusterIPs alloc, printers, storage and strategy

* [FIX] clusterIPs default on read

* alloc: auto remove second ip/family when service changes to SingleStack

* api-server: repair loop handling for clusterIPs

* api-server: force kubernetes default service into single stack

* api-server: tie dualstack feature flag with endpoint feature flag

* controller-manager: feature flag, endpoint, and endpointSlice controllers handling multi family service

* [FIX] controller-manager: feature flag, endpoint, and endpointSlice controllers handling multi family service

* kube-proxy: feature-flag, utils, proxier, and meta proxier

* [FIX] kubeproxy: call both proxier at the same time

* kubenet: remove forced pod IP sorting

* kubectl: modify describe to include ClusterIPs, IPFamilies, and IPFamilyPolicy

* e2e: fix tests that depends on IPFamily field AND add dual stack tests

* e2e: fix expected error message for ClusterIP immutability

* add integration tests for dualstack

the third phase of dual stack is a very complex change in the API,
basically it introduces Dual Stack services. Main changes are:

- It pluralizes the Service IPFamily field to IPFamilies,
and removes the singular field.
- It introduces a new field IPFamilyPolicyType that can take
3 values to express the "dual-stack(mad)ness" of the cluster:
SingleStack, PreferDualStack and RequireDualStack
- It pluralizes ClusterIP to ClusterIPs.

The goal is to add coverage to the services API operations,
taking into account the 6 different modes a cluster can have:

- single stack: IPv4 or IPv6 (as of today)
- dual stack: IPv4 only, IPv6 only, IPv4 - IPv6, IPv6 - IPv4

* [FIX] add integration tests for dualstack

* generated data

* generated files

Co-authored-by: Antonio Ojea <aojea@redhat.com>
2020-10-26 13:15:59 -07:00
Kubernetes Prow Robot
bdde4fb8f5
Merge pull request #93040 from cmluciano/cml/ipvsschedmodules
ipvs: ensure selected scheduler kernel modules are loaded
2020-10-26 10:25:17 -07:00
liuhongyu
d1525ec808 Fix the kube-proxy comment so that the document can be generated correctly 2020-10-26 23:13:50 +08:00
Christopher M. Luciano
51ed242194
ipvs: check for existence of scheduler module and fail if not found
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-10-23 17:17:44 -04:00
Kubernetes Prow Robot
766ae2b81b
Merge pull request #95252 from tssurya/shrink-input-chain
Kube-proxy: Perf-fix: Shrink INPUT chain
2020-10-22 22:16:02 -07:00
qingsenLi
9ad39c9eda format incorrectAddresses in klog 2020-10-22 17:26:29 +08:00
Surya Seetharaman
477b14b3c4 Kube-proxy: Perf-fix: Shrink INPUT chain
In #56164, we had split the reject rules for non-ep existing services
into KUBE-EXTERNAL-SERVICES chain in order to avoid calling KUBE-SERVICES
from INPUT. However in #74394 KUBE-SERVICES was re-added into INPUT.

As noted in #56164, kernel is sensitive to the size of INPUT chain. This
patch refrains from calling the KUBE-SERVICES chain from INPUT and FORWARD,
instead adds the lb reject rule to the KUBE-EXTERNAL-SERVICES chain which will be
called from INPUT and FORWARD.
2020-10-19 11:26:04 +02:00
Antonio Ojea
880baa9f6f kube-proxy: log stale services operations 2020-10-19 09:35:34 +02:00
Lion-Wei
1f7ea16560 kube-proxy ensure KUBE-MARK-DROP exist but not modify their rules 2020-10-16 14:52:07 +08:00
wojtekt
6e4aa0f27d Fix reporting network_programming_latency metrics in kube-proxy 2020-10-07 20:57:14 +02:00
John Howard
b898266cb1 Fix documentation on EndpointSliceCache map
This is not storing by slice name, it is IP. This can be seen from the
code and tests.
2020-10-06 10:24:09 -07:00
Christopher M. Luciano
601c5150ca
proxy: Add tests for kube-proxy config defaulting
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-10-02 12:39:46 -04:00
Matthew Cary
299a296c7a update-bazel
Change-Id: Iebc99ee13587f0cd4c43ab85c7295d458d679d1e
2020-09-18 00:44:39 +00:00
Matthew Cary
f2e23afcf1 Adds filtering of hosts to DialContexts.
The provided DialContext wraps existing clients' DialContext in an attempt to
preserve any existing timeout configuration. In some cases, we may replace
infinite timeouts with golang defaults.

- scaleio: tcp connect/keepalive values changed from 0/15 to 30/30
- storageos: no change
2020-09-18 00:07:32 +00:00
Matthew Cary
74dbf274d9 update storageos vendor for FilteredDial change 2020-09-18 00:07:32 +00:00
Amim Knabben
a18e5de51a LockToDefault the ExternalPolicyForExternalIP feature gate 2020-09-16 13:16:33 -04:00
tangwz
a143803066 remove feature gate SupportIPVSProxyMode. 2020-09-10 09:03:00 +08:00
elweb9858
b29379687f Updating winkernel kube-proxy OWNERS file 2020-09-03 14:55:09 -07:00
Kubernetes Prow Robot
b2cba08217
Merge pull request #93979 from dcbw/userspace-proxy-test-waitgroups
proxy/userspace: use waitgroups instead of sketchy atomic ops in testcases
2020-09-02 17:05:40 -07:00
Dan Williams
0cb5e55409 proxy/userspace: clean up and consolidate testcase setup 2020-09-02 16:20:13 -05:00
Dan Williams
1372bd94fe proxy/userspace: use waitgroups instead of sketchy atomic ops in testcases
Instead of relying on atomic ops to increment/decrement at the right time
just use waitgroups to provide hard synchronization points.
2020-09-02 16:20:13 -05:00
Daniel Smith
a86afc12df update scripts 2020-09-02 10:49:40 -07:00
Daniel Smith
75f835aa08 move port definitions to a common location 2020-09-02 10:48:25 -07:00
Kubernetes Prow Robot
163504e9ae
Merge pull request #94107 from robscott/kube-proxy-source-ranges-fix
Updating kube-proxy to trim space from loadBalancerSourceRanges
2020-09-01 18:43:51 -07:00
Kubernetes Prow Robot
6e7086d7ca
Merge pull request #93638 from sbangari/refcountfix3
Avoid dereferencing same endpoint twice on the deletion or update of a service
2020-09-01 16:35:06 -07:00
Kubernetes Prow Robot
1364a6028d
Merge pull request #92759 from kumarvin123/master
Updating the Reviewers / Approvers for WinKernel Proxier
2020-08-27 00:07:16 -07:00
Rob Scott
c382c79f60
Updating kube-proxy to trim space from loadBalancerSourceRanges
Before this fix, a Service with a loadBalancerSourceRange value that
included a space would cause kube-proxy to crashloop. This updates
kube-proxy to trim any space from that field.
2020-08-20 18:19:52 -07:00
Vinod K L Swamy
e9719ebc46
Updating the Reviewers / Approvers for WinKernel Proxier 2020-08-03 17:16:22 -07:00
Sravanth Bangari
b96cebf222 fix the remote endpoint cleanup logic 2020-08-03 14:57:44 -07:00
Jordan Liggitt
f33dc28094 generated: hack/update-hack-tools.sh && hack/update-vendor.sh 2020-07-25 16:45:02 -04:00
Christopher M. Luciano
65ff4e8227
ipvs: log error if scheduler does not exist and fallback to rr
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-07-23 13:58:02 -04:00
Christopher M. Luciano
e2a0eddaf0
ipvs: ensure selected scheduler kernel modules are loaded
Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-07-16 13:21:54 -04:00
Kubernetes Prow Robot
11348a38d7
Merge pull request #92871 from liggitt/kube-features
Move proxy features to kube_features
2020-07-11 20:57:22 -07:00
Kubernetes Prow Robot
76e3b255e1
Merge pull request #92836 from aojea/minsyncperiod
kube-proxy iptables min-sync-period default 1sec
2020-07-11 20:56:03 -07:00
Rob Scott
8039cf9bb1
Graduating EndpointSliceProxying to beta for Linux 2020-07-07 14:18:03 -07:00
Jordan Liggitt
8d03ace92b Move proxy features to kube_features 2020-07-07 12:34:18 -04:00
Antonio Ojea
f8e64d31f9 kube-proxy iptables min-sync-period default 1sec
Currently kube-proxy defaults the min-sync-period for
iptables to 0. However, as explained by Dan Winship,

"With minSyncPeriod: 0, you run iptables-restore 100 times.
 With minSyncPeriod: 1s , you run iptables-restore once.
 With minSyncPeriod: 10s , you also run iptables-restore once,
 but you might have to wait 10 seconds first"
2020-07-07 11:23:00 +02:00
Andrew Sy Kim
de2ecd7e2f proxier/ipvs: check already binded addresses in the IPVS dummy interface
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
Co-authored-by: Laurent Bernaille <laurent.bernaille@gmail.com>
2020-07-02 15:32:21 -04:00
Kubernetes Prow Robot
4d0ce2e708
Merge pull request #92584 from aojea/ipvsfix
IPVS: kubelet, kube-proxy: unmark packets before masquerading …
2020-07-01 23:13:57 -07:00
Kubernetes Prow Robot
8623c26150
Merge pull request #90909 from kumarvin123/feature/WindowsEpSlices
EndPointSlices implementation for Windows
2020-07-01 23:12:01 -07:00
Antonio Ojea
c40081b550 kube-proxy ipvs masquerade hairpin traffic
Masquerade the traffic that loops back to the originator
before they hit the kubernetes-specific postrouting rules

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
2020-07-01 09:16:19 +02:00
Antonio Ojea
c7a29774c9 kube-proxy dual-stack infers IP family from ClusterIP
when dual-stack kube-proxy infers the service IP family from
the ClusterIP because ipFamily field is going to be deprecated.

Since kube-proxy skips headless and externalname services we
can safely obtain the IPFamily from the ClusterIP field

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
2020-06-30 18:42:19 +02:00
Antonio Ojea
a46e1f0613 kube-proxy ShouldSkipService takes only one argument
instead of receiving the service name and namespace we
can obtain it from the service object directly.

Signed-off-by: Antonio Ojea <antonio.ojea.garcia@gmail.com>
2020-06-30 18:42:15 +02:00
Kubernetes Prow Robot
8a76c27b8d
Merge pull request #88573 from davidstack/master
the result value of function NodeIPS will contain the docker0 ip, update the comment
2020-06-30 00:01:59 -07:00
Vinod K L Swamy
bbd4a07dec
Changes to WinKernel to support EndpointSlices 2020-06-29 14:31:15 -07:00
Vinod K L Swamy
4505d5b182
Changes to Proxy common code 2020-06-29 14:29:46 -07:00
Damon Wang
b199dd8ee1 update the comment of NodeIPs function 2020-06-29 15:29:16 +08:00
Kubernetes Prow Robot
73fa63a86d
Merge pull request #92035 from danwinship/unmark-before-masq
kubelet, kube-proxy: unmark packets before masquerading them
2020-06-16 00:50:03 -07:00
Dan Winship
c12534d8b4 kubelet, kube-proxy: unmark packets before masquerading them
It seems that if you set the packet mark on a packet and then route
that packet through a kernel VXLAN interface, the VXLAN-encapsulated
packet will still have the mark from the original packet. Since our
NAT rules are based on the packet mark, this was causing us to
double-NAT some packets, which then triggered a kernel checksumming
bug. But even without the checksum bug, there are reasons to avoid
double-NATting, so fix the rules to unmark the packets before
masquerading them.
2020-06-15 18:45:38 -04:00
Kubernetes Prow Robot
35fc65dc2c
Merge pull request #89998 from Nordix/issue-89923
Filter nodePortAddresses to proxiers
2020-06-13 09:39:55 -07:00
Vinod K L Swamy
ac3f87346f
KubeProxy and DockerShim changes for Ipv6 dual stack support on Windows
Signed-off-by: Vinod K L Swamy <vinodko@microsoft.com>
2020-06-10 15:36:48 -07:00
Kubernetes Prow Robot
6ac3ca4b17
Merge pull request #91886 from sbangari/fixsourcevip
Fix access to Kubernetes Service from inside Windows Pod when two ser…
2020-06-09 14:49:50 -07:00
Kubernetes Prow Robot
b731b2ebbc
Merge pull request #91905 from lo24/master
fix minor typos in ipvs readme.md
2020-06-09 03:13:18 -07:00
Kubernetes Prow Robot
86e14157d0
Merge pull request #91706 from sbangari/remoteendpointrefcount
Fixing refcounting of remote endpoints used across services
2020-06-08 21:43:34 -07:00
Sravanth Bangari
c3eb69c1f1 Fix access to Kubernetes Service from inside Windows Pod when two services have same NodeIp as backend (Overlay) 2020-06-08 11:20:56 -07:00
lo24
491961e03c fix minor typos in ipvs readme.md 2020-06-08 14:31:39 +00:00
Sravanth Bangari
cd43fc94f7 Fixing refcounting of remote endpoints used across services 2020-06-04 21:59:14 -07:00
Kubernetes Prow Robot
98de6bd142
Merge pull request #91701 from elweb9858/sessionaffinity
Adding windows implementation for sessionaffinity
2020-06-03 17:44:43 -07:00
elweb9858
44096b8f71 Adding windows implementation for sessionaffinity 2020-06-03 13:41:59 -07:00
Kubernetes Prow Robot
8f5e8514b3
Merge pull request #90103 from SataQiu/refactor-proxy-20200413
kube-proxy: move GetNodeAddresses call out of internal loop to avoid repeated computation
2020-06-02 19:44:17 -07:00
Andrew Sy Kim
18741157ef proxier/ipvs: remove redundant length check for node addresses
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-05-28 11:48:48 -04:00
Andrew Sy Kim
f96d35fc11 proxy utils: GetNodeAddresses should check if matching addresses were found
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-05-26 12:45:32 -04:00
Andrew Sy Kim
a99321c87c proxy utils: check network interfaces only once
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-05-26 12:12:15 -04:00
SataQiu
b68312e688 kube-proxy: move GetNodeAddresses call out of internal loop to avoid repeated computation
Signed-off-by: SataQiu <1527062125@qq.com>
2020-05-26 15:32:05 +08:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Lars Ekman
f54b8f98b9 Filter nodePortAddresses to the proxiers.
Log a warning for addresses of wrong family.
2020-05-15 09:54:33 +02:00
Casey Callendrello
042daa24ac proxy: followup to last-queued-change metric
Fixes two small issues with the metric added in #90175:

1. Bump the timestamp on initial informer sync. Otherwise it remains 0 if
   restarting kube-proxy in a quiescent cluster, which isn't quite right.
2. Bump the timestamp even if no healthz server is specified.
2020-05-11 18:48:47 +02:00
Casey Callendrello
2e1a884bf3 pkg/proxy: add last-queued-timestamp metric
This adds a metric, kubeproxy_sync_proxy_rules_last_queued_timestamp,
that captures the last time a change was queued to be applied to the
proxy. This matches the healthz logic, which fails if a pending change
is stale.

This allows us to write alerts that mirror healthz.

Signed-off-by: Casey Callendrello <cdc@redhat.com>
2020-04-21 15:19:32 +02:00
Tim Hockin
9551ecb7c3 Cleanup: Change "Ip" to "IP" in func and var names 2020-04-10 15:29:50 -07:00
Tim Hockin
efb24d44c6 Rename iptables IsIpv6 to IsIPv6 2020-04-10 15:29:50 -07:00
Tim Hockin
ef934a2c5e Add Protocol() method to iptables
Enables simpler printing of which IP family the iptables interface is
managing.
2020-04-10 15:29:49 -07:00
Tim Hockin
b874f7c626 Encapsulate sysctl test and log 2020-04-10 15:29:49 -07:00
Tim Hockin
341022f8d1 kube-proxy: log service and endpoint updates 2020-04-10 15:29:44 -07:00
Tim Hockin
37da906db2 kube-proxy: more logging at startup 2020-04-10 15:17:46 -07:00
Kubernetes Prow Robot
4a63d95916
Merge pull request #89792 from andrewsykim/remove-redundant-len-check
proxy: remove redundant length check on local address sets
2020-04-10 00:31:47 -07:00
Kubernetes Prow Robot
cabf5d1cdc
Merge pull request #89350 from SataQiu/fix-kube-proxy-20200323
kube-proxy: treat failure to bind to a port as fatal
2020-04-06 17:47:20 -07:00
louisgong
619f657b15 add loaded module 2020-04-04 08:49:19 +08:00
Andrew Sy Kim
5169ef5fb5 proxy: remove redundant length check on local address set
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
2020-04-02 16:06:51 -04:00
Kubernetes Prow Robot
bbe5594409
Merge pull request #89296 from danwinship/random-emptily
Don't log whether we're using iptables --random-fully
2020-04-02 12:42:24 -07:00
Kubernetes Prow Robot
c2ae0bd763
Merge pull request #74073 from Nordix/issue-70020
Issue #70020; Flush Conntrack entities for SCTP
2020-04-01 22:14:24 -07:00
SataQiu
871b90ba23 kube-proxy: add '--bind-address-hard-fail' flag to treat failure to bind to a port as fatal
Signed-off-by: SataQiu <1527062125@qq.com>
2020-04-02 13:13:10 +08:00
Tim Hockin
15632b10cb Clean up kube-proxy metrics startup 2020-03-30 10:29:14 -07:00
Tim Hockin
8747ba9370 Clean up kube-proxy healthz startup
Make the healthz package simpler, move retries back to caller.
2020-03-30 10:29:14 -07:00
Dan Winship
945d5f8d7d Make userspace proxy logging quieter 2020-03-20 08:24:02 -04:00
Dan Winship
8edd656238 Don't log whether we're using iptables --random-fully 2020-03-20 08:06:27 -04:00
Kubernetes Prow Robot
1b3c94b034
Merge pull request #89146 from SataQiu/fix-kube-proxy-20200316
comment cleanup for kube-proxy
2020-03-18 22:25:05 -07:00
Kubernetes Prow Robot
42c94f35a7
Merge pull request #88541 from cmluciano/cml/41ipvsfix
ipvs: only attempt setting of sysctlconnreuse on supported kernels
2020-03-17 16:21:28 -07:00
SataQiu
64a496e645 kube-proxy: some code cleanup 2020-03-17 21:46:54 +08:00
Minhan Xia
068963fc06 add testing 2020-03-13 14:59:40 -07:00
Minhan Xia
d527a09192 add ExternalTrafficPolicy support for External IPs in ipvs kubeproxy 2020-03-13 14:59:39 -07:00
Minhan Xia
efc4b12186 add ExternalTrafficPolicy support for External IPs in iptables kubeproxy 2020-03-13 14:59:39 -07:00
Christopher M. Luciano
d22e18ad4f
ipvs: only attempt setting of sysctlconnreuse on supported kernels
This builds on previous work but only sets the sysctlConnReuse value
if the kernel is known to be above 4.19. To avoid calling GetKernelVersion
twice, I store the value from the CanUseIPVS method and then check the version
constraint at time of expected sysctl call.

Signed-off-by: Christopher M. Luciano <cmluciano@us.ibm.com>
2020-03-12 13:16:00 -04:00
Lars Ekman
aa8521df66 Issue #70020; Flush Conntrack entities for SCTP
Signed-off-by: Lars Ekman <lars.g.ekman@est.tech>
2020-03-11 09:56:54 +01:00
Kubernetes Prow Robot
0ec85a1467
Merge pull request #88934 from aojea/endpointnolog
Stop flooding the kube-proxy logs on dual-stack because of IPFamily
2020-03-10 12:43:37 -07:00
Satyadeep Musuvathy
e053fdd08a Add NodeCIDR for detect-local-mode 2020-03-09 13:44:34 -07:00
Antonio Ojea
df58c042a8 metaproxier logging for endpoints ipfamily
The kube-proxy metaproxier implementation tries to get the IPFamily
from the endpoints, but if the endpoints don't contain an IP
address it logs a Warning.

This causes services without endpoints to keep flooding the logs
with warnings.

We log these errors with a level of Verbosity of 4 instead of a Warning
2020-03-07 11:42:02 +01:00
Antonio Ojea
23d9ffd4c8 Add metaproxier unit tests 2020-03-07 00:33:55 +01:00
Kubernetes Prow Robot
0773f108c7
Merge pull request #88710 from SataQiu/ipvs-readme-20200302
kube-proxy: small cleanup for ipvs readme
2020-03-03 12:18:22 -08:00
SataQiu
b60c0b5c24 small cleanup for ipvs readme 2020-03-02 10:56:29 +08:00
chendotjs
e79f49ebba validate configuration of kube-proxy IPVS tcp,tcpfin,udp timeout 2020-03-02 10:28:52 +08:00
Satyadeep Musuvathy
8c6956e5bb Refactor handling of local traffic detection. 2020-02-21 17:57:34 -08:00
Kubernetes Prow Robot
09d78529db
Merge pull request #87792 from ksubrmnn/nodeip
Allow access to default Kubernetes Service from inside Windows Pod (Overlay)
2020-02-20 03:07:04 -08:00
Kubernetes Prow Robot
ea5cef1c65
Merge pull request #87870 from tedyu/restore-proxier-updater
Use ProxierHealthUpdater directly to avoid panic
2020-02-17 10:13:29 -08:00
Kubernetes Prow Robot
ad68c4a8b5
Merge pull request #87699 from michaelbeaumont/fix_66766
kube-proxy: Only open ipv4 sockets for ipv4 clusters
2020-02-13 23:54:18 -08:00
Kubernetes Prow Robot
48434c3677
Merge pull request #87117 from aojea/proxyv6LB
kube-proxy crash when load balancers use a different IP family
2020-02-13 22:44:17 -08:00
Kubernetes Prow Robot
b9c57a1aa2
Merge pull request #87353 from aojea/kproxy_dual
kube-proxy: validate dual-stack cidrs
2020-02-12 17:54:35 -08:00