kube-proxy: allow running in userns

Signed-off-by: Akihiro Suda <suda.akihiro@lab.ntt.co.jp>
2018-08-23 14:14:44 +09:00 · 2018-08-23 14:14:44 +09:00 · 9c7db00892
parent bfb3806701
commit 9c7db00892
4 changed files with 15 additions and 2 deletions
--- a/cmd/kube-proxy/app/BUILD
+++ b/cmd/kube-proxy/app/BUILD
@ -65,6 +65,7 @@ go_library(
        "//staging/src/k8s.io/component-base/config:go_default_library",
        "//staging/src/k8s.io/kube-proxy/config/v1alpha1:go_default_library",
        "//vendor/github.com/fsnotify/fsnotify:go_default_library",
+        "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
        "//vendor/github.com/prometheus/client_golang/prometheus:go_default_library",
        "//vendor/github.com/spf13/cobra:go_default_library",
        "//vendor/github.com/spf13/pflag:go_default_library",
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@ -47,6 +47,7 @@ import (
 	utilnode "k8s.io/kubernetes/pkg/util/node"
 	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
 	"k8s.io/utils/exec"
+	rsystem "github.com/opencontainers/runc/libcontainer/system"

 	"k8s.io/klog"
 )
@ -230,6 +231,12 @@ func newProxyServer(

 	iptInterface.AddReloadFunc(proxier.Sync)

+	var connTracker Conntracker
+	if !rsystem.RunningInUserNS(){
+		// if we are in userns, sysctl does not work and connTracker should be kept nil
+		connTracker = &realConntracker{}
+	}
+
 	return &ProxyServer{
 		Client:                 client,
 		EventClient:            eventClient,
@ -241,7 +248,7 @@ func newProxyServer(
 		Broadcaster:            eventBroadcaster,
 		Recorder:               recorder,
 		ConntrackConfiguration: config.Conntrack,
-		Conntracker:            &realConntracker{},
+		Conntracker:            connTracker,
 		ProxyMode:              proxyMode,
 		NodeRef:                nodeRef,
 		MetricsBindAddress:     config.MetricsBindAddress,
--- a/pkg/proxy/userspace/BUILD
+++ b/pkg/proxy/userspace/BUILD
@ -33,6 +33,7 @@ go_library(
        "//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
        "//staging/src/k8s.io/apimachinery/pkg/util/wait:go_default_library",
        "//vendor/k8s.io/klog:go_default_library",
+        "//vendor/github.com/opencontainers/runc/libcontainer/system:go_default_library",
        "//vendor/k8s.io/utils/exec:go_default_library",
    ] + select({
        "@io_bazel_rules_go//go/platform:android": [
--- a/pkg/proxy/userspace/proxier.go
+++ b/pkg/proxy/userspace/proxier.go
@ -25,6 +25,7 @@ import (
 	"sync/atomic"
 	"time"

+	rsystem "github.com/opencontainers/runc/libcontainer/system"
 	"k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@ -179,7 +180,10 @@ func NewCustomProxier(loadBalancer LoadBalancer, listenIP net.IP, iptables iptab

 	err = setRLimit(64 * 1000)
 	if err != nil {
-		return nil, fmt.Errorf("failed to set open file handler limit: %v", err)
+		if !rsystem.RunningInUserNS() {
+			return nil, fmt.Errorf("failed to set open file handler limit to 64000: %v", err)
+		}
+		klog.Errorf("failed to set open file handler limit to 64000: %v", err)
 	}

 	proxyPorts := newPortAllocator(pr)