From 9c7db008923b24657b62f2d37c03ec6a7d9e94d2 Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Thu, 23 Aug 2018 14:14:44 +0900 Subject: [PATCH] kube-proxy: allow running in userns Signed-off-by: Akihiro Suda --- cmd/kube-proxy/app/BUILD | 1 + cmd/kube-proxy/app/server_others.go | 9 ++++++++- pkg/proxy/userspace/BUILD | 1 + pkg/proxy/userspace/proxier.go | 6 +++++- 4 files changed, 15 insertions(+), 2 deletions(-) diff --git a/cmd/kube-proxy/app/BUILD b/cmd/kube-proxy/app/BUILD index d30c4dcc11..05b49da2f4 100644 --- a/cmd/kube-proxy/app/BUILD +++ b/cmd/kube-proxy/app/BUILD @@ -65,6 +65,7 @@ go_library( "//staging/src/k8s.io/component-base/config:go_default_library", "//staging/src/k8s.io/kube-proxy/config/v1alpha1:go_default_library", "//vendor/github.com/fsnotify/fsnotify:go_default_library", + "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library", "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library", "//vendor/github.com/spf13/cobra:go_default_library", "//vendor/github.com/spf13/pflag:go_default_library", diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go index 9b51c42520..0a46df6186 100644 --- a/cmd/kube-proxy/app/server_others.go +++ b/cmd/kube-proxy/app/server_others.go @@ -47,6 +47,7 @@ import ( utilnode "k8s.io/kubernetes/pkg/util/node" utilsysctl "k8s.io/kubernetes/pkg/util/sysctl" "k8s.io/utils/exec" + rsystem "github.com/opencontainers/runc/libcontainer/system" "k8s.io/klog" ) @@ -230,6 +231,12 @@ func newProxyServer( iptInterface.AddReloadFunc(proxier.Sync) + var connTracker Conntracker + if !rsystem.RunningInUserNS(){ + // if we are in userns, sysctl does not work and connTracker should be kept nil + connTracker = &realConntracker{} + } + return &ProxyServer{ Client: client, EventClient: eventClient, @@ -241,7 +248,7 @@ func newProxyServer( Broadcaster: eventBroadcaster, Recorder: recorder, ConntrackConfiguration: config.Conntrack, - Conntracker: &realConntracker{}, + Conntracker: connTracker, ProxyMode: proxyMode, NodeRef: nodeRef, MetricsBindAddress: config.MetricsBindAddress, diff --git a/pkg/proxy/userspace/BUILD b/pkg/proxy/userspace/BUILD index b7887c85b5..17a7be8ebb 100644 --- a/pkg/proxy/userspace/BUILD +++ b/pkg/proxy/userspace/BUILD @@ -33,6 +33,7 @@ go_library( "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library", "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library", "//vendor/k8s.io/klog:go_default_library", + "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library", "//vendor/k8s.io/utils/exec:go_default_library", ] + select({ "@io_bazel_rules_go//go/platform:android": [ diff --git a/pkg/proxy/userspace/proxier.go b/pkg/proxy/userspace/proxier.go index 661092b1b2..c0983f6e44 100644 --- a/pkg/proxy/userspace/proxier.go +++ b/pkg/proxy/userspace/proxier.go @@ -25,6 +25,7 @@ import ( "sync/atomic" "time" + rsystem "github.com/opencontainers/runc/libcontainer/system" "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" utilerrors "k8s.io/apimachinery/pkg/util/errors" @@ -179,7 +180,10 @@ func NewCustomProxier(loadBalancer LoadBalancer, listenIP net.IP, iptables iptab err = setRLimit(64 * 1000) if err != nil { - return nil, fmt.Errorf("failed to set open file handler limit: %v", err) + if !rsystem.RunningInUserNS() { + return nil, fmt.Errorf("failed to set open file handler limit to 64000: %v", err) + } + klog.Errorf("failed to set open file handler limit to 64000: %v", err) } proxyPorts := newPortAllocator(pr)