Ensure kube-proxy waits for the services/endpointslices informer
caches to be synced *and* all pre-sync events delivered before
setting isInitialized=true. Otherwise, in clusters with many services,
some services may be missing from svcPortMap when kube-proxy starts
(e.g. during daemonset rollout). This can cause kube-proxy to temporarily
remove service DNAT rules and then skip cleanup of UDP conntrack entries
to a service VIP.
Resolves: https://github.com/kubernetes/kubernetes/issues/126468
objects.
Change the order of operations to stop current iteration if no changes
to the service chains are needed.
Bump syncProxy frequency to 1 hour.
In a test kind cluster creation of 10K services, 2 endpoints each,
takes ~25m before the fix and ~9min after. Maximum memory usage
during creation is ~650MiB and 260MiB respectively.
Another important metric is the time it takes to create 1 new service
when 10K svc already exist. It used to take ~8m before the fix,
with partialSync it takes ~141ms.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
Remove PortRange for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
Refactor ClusterCIDR for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
Consolidate SyncPeriod and MinSyncPeriod for internal configuration
of kube-proxy adhering to the v1alpha2 version specifications as
detailed in https://kep.k8s.io/784.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
Introduce Linux section for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
Introduce Windows section for internal configuration of kube-proxy
adhering to the v1alpha2 version specifications as detailed in
https://kep.k8s.io/784. This also introduces WindowsRunAsService
to v1alpha1 configuration.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
If the nfacct sub-system is not available in the kernel then:
1. nfacct based metrics won't be registered.
2. proxier will not attempt to ensure the counters
Signed-off-by: Daman Arora <aroradaman@gmail.com>
Currently, there are some unit tests that are failing on Windows due
to various reasons:
- IPVS proxy mode is not supported on Windows.
- pkg/kubelet/cri/remote was moved to cri-client.
Given that we are no longer modifying any of the EndpointSlice data,
we can just work with pointers to the actual EndpointSlice objects.
(The informer cache is already holding on to them, so they'll be
taking up memory whether or not the EndpointSliceCache points to
them.)
EndpointSliceCache cached EndpointSlices into endpointSliceData
objects, in part so it could sort the ports and addresses, so that if
those fields got reordered without otherwise changing, it would not
trigger an OnEndpointSliceUpdate().
However, the EndpointSlice controller and mirroring controller always
output the ports in the same order, and they never reorder the
addresses of an existing slice unless the set of addresses actually
changed. So in the normal case, sorting the data adds more work than
it saves.
* LocalTrafficDetector construction and test improvements
* Reorder getLocalDetector unit test fields so "input" args come before "output" args
* Don't pass DetectLocalMode as a separate arg to getLocalDetector
It's already part of `config`
* Clarify test names in preparation for merging
* Merge single-stack/dual-stack LocalTrafficDetector construction
Also, only warn if the *primary* IP family is not correctly configured
(since we don't actually know if the cluster is really dual-stack or
not), and pass the pair of detectors to the proxiers as a map rather
than an array.
* Remove the rest of Test_getDualStackLocalDetectorTuple
Track packets dropped by proxy which were marked invalid by conntrack
using nfacct netfilter extended accounting infrastructure.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
nfacct is netfilter's accounting subsystem. This utility allows
interactions with the subsystem using lower level netlink API.
Signed-off-by: Daman Arora <aroradaman@gmail.com>
The constructors only return an error if you pass them invalid data,
but we only ever pass them data which has already been validated,
making the error checking just annoying. Just make them return garbage
output if you give them garbage input.
