Automatic merge from submit-queue (batch tested with PRs 57906, 57425, 56939, 57317, 57762). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
add "Not Found" error for ipset set & entry delete
**What this PR does / why we need it**:
Add "not found error" for ipset set and entry delete. For example,
```
[root@SHA1000130405 k8s-yml]# ipset list
Name: KUBE-LOOP-BACK
Type: hash:ip,port,ip
Revision: 2
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16776
References: 1
Members:
172.17.0.2,udp:53,172.17.0.2
172.17.0.2,tcp:53,172.17.0.2
100.106.89.164,tcp:6443,100.106.89.164
[root@SHA1000130405 k8s-yml]# ipset delete foo
ipset v6.19: The set with the given name does not exist
[root@SHA1000130405 k8s-yml]# ipset del KUBE-LOOP-BACK 1.2.3.4,tcp:80,1.2.3.4
ipset v6.19: Syntax error: Third element is missing from 1.2.3.4,tcp:80,1.2.3.4.
```
Just need to filter the error message "does not exist" or "element is missing". We should ignore these error when try to make sure they are deleted.
**Which issue(s) this PR fixes**:
Fixes#57318
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57699, 57657). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix ipvs virutal server update
**What this PR does / why we need it**:
Fix ipvs virutal server update.
**Which issue(s) this PR fixes**:
Fixes#57698
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 57292, 56274, 57435, 57438, 57429). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
replace syscall with sys/unix pkg in ipvs/netlink call
**What this PR does / why we need it**:
This PR replaces syscall with sys/unix pkg in ipvs/netlink call as the Go doc for syscall says:
NOTE: This package is locked down.
Code outside the standard Go repository should be migrated to use the corresponding package in the golang.org/x/sys repository.
That is also where updates required by new systems or versions should be applied.
See https://golang.org/s/go1.4-syscall for more information.
**Which issue(s) this PR fixes**:
Fixes #57430
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @thockin @brendandburns
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Test Proxy Mode
**What this PR does / why we need it**:
Currently, IPVS-based kube-proxy is protected by feature gateway and there is no UT for it. We should test ipvs proxy mode when feature gateway is set.
**Which issue(s) this PR fixes**:
Fixes#56404
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55954, 56037, 55866, 55984, 54994). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
remove dead code
**What this PR does / why we need it**:
remove dead code in IPVS kube-proxy
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @thockin
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Update IPVS README
**What this PR does / why we need it**:
People complained that they feel confused about how to use IPVS-based kube-proxy correctly, probably we may need to provide them a better README.
**Which issue(s) this PR fixes**:
xref: #56319
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Using ipset doing SNAT and packet filter in IPVS kube-proxy
**What this PR does / why we need it**:
Try ipset in ipvs proxy mode.
**Which issue this PR fixes**:
fixes#54203
xref: #53393, #53775
**Special notes for your reviewer**:
**Release note**:
```release-note
Using ipset doing SNAT and packet filtering in IPVS kube-proxy
```
/sig network
/area kube-proxy
Automatic merge from submit-queue (batch tested with PRs 53780, 55663, 55321, 52421, 55659). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Validate kube-proxy options
**What this PR does / why we need it**:
Validate ipvs proxy options
**Which issue this PR fixes** : fixes#53852
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55009, 55532, 55601, 52569, 55533). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix ipvs/proxy getLocalIPs inconsistency with iptables/proxy
**What this PR does / why we need it**:
* Fix ipvs/proxy `getLocalIPs()` inconsistency with iptables/proxy
* validate the ip address before pkg/proxy/util IPPart() return ip string.
**Which issue(s) this PR fixes** :
Fixes#55612
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 55247, 55324, 55261, 55147, 54052). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Implement dummy device operation by netlink for ipvs proxier
**What this PR does / why we need it**:
Currently, we implement network interface operations, e.g. create a dummy device and delete a dummy interface via ip cmd and then collect the exist code. For example, we assume the following command:
```
ip link add kube-ipvs0 type dummy
```
returns 2 means the dummy device `kube-ipvs0` exists, see https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/proxier.go#L1529 .
However, from the man page of ip command, exit status 2 just means an error was reported by the kernel, see http://man7.org/linux/man-pages/man8/ip.8.html#EXIT_STATUS.
So, that's a bug.
This PR implements dummy device operation by netlink for ipvs proxier so that can get ride of ip command operations.
**Which issue this PR fixes**:
fixes#54054
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig network
/area kube-proxy
/kind bug
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
kube-proxy IPVS: Fix IPVS availability check
**What this PR does / why we need it**:
The current implementation of `CanUseIPVSProxier()` reads `/proc/modules`
to check whether IPVS related kernel modules can be loaded.
You might get a false-negative when the kernel modules are installed to
the system but haven't been loaded into the kernel.
This patch firstly try to run `modprobe` to load specified kernel
modules, then just log warnings if error occured.
Secondly, it will check loaded kernel modules by reading
`/proc/modules`, return an error if any required module is missing.
This change will not break the compatability of existing implementation.
Running kube-proxy in a container without mounting `/lib/modules` will
cause `modprobe` warnings, but not raise an error if all required modules are
present in the host kernel.
**Special notes for your reviewer**:
**Release note**:
```release-note
Fix IPVS availability check
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
clean up legacy ipv4/32 in ipvs proxy
**What this PR does / why we need it**:
clean up legacy ipv4/32 in ipvs proxy
**Which issue(s) this PR fixes**: closes#51866
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig network
/area ipv6
/assign @thockin
cc @danehans
The current implementation of `CanUseIPVSProxier()` reads `/proc/modules`
to check whether IPVS related kernel modules can be loaded.
You might get a false-negative when the kernel modules are installed to
the system but haven't been loaded into the kernel.
This patch firstly try to run `modprobe` to load specified kernel
modules, then just log warnings if error occured.
Secondly, it will check loaded kernel modules by reading
`/proc/modules`, return an error if any required module is missing.
This change will not break the compatability of existing implementation.
Running kube-proxy in a container without mounting `/lib/modules` will
cause `modprobe` warnings, but not raise an error if all required modules are
present in the host kernel.
Automatic merge from submit-queue (batch tested with PRs 54774, 54820, 52192, 54827). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix IPV6 judgement bug and add UTs
**What this PR does / why we need it**:
Fix IPV6 judgement bug and add UTs.
**Which issue this PR fixes** : closes#54775
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig network
/area ipv6
/kind bug
Automatic merge from submit-queue (batch tested with PRs 53796, 54666, 54516, 54625, 54704). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove +linux restriction in ipvs/fake for running UTs in !linux platform
**What this PR does / why we need it**:
Remove +linux restriction in ipvs/fake for running UTs in !linux platform
**Which issue this PR fixes**:
fixes#54667
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/sig network
/kind bug
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Fix duplicate unbind action in kube-proxy
**What this PR does / why we need it**:
Fix duplicate unbind action in kube-proxy. It will generate unnecessary error info If unbind multi-ports on one service .
**Which issue this PR fixes**:
fixes#51694
**Release-note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 52768, 51898, 53510, 53097, 53058). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Run IPVS proxier UTs everywhere - include !linux platfrom
**What this PR does / why we need it**:
IPVS proxier UTs should run everywhere, including !linux platfrom, which will help a lot when developing in windows platfrom.
**Which issue this PR fixes**:
fixes#53099
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 53454, 53446, 52935, 53443, 52917). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Remove ipv4 constraint of Node IPs in ipvs proxier
**What this PR does / why we need it**:
We are targeting to IPV6. So, we should remove ipv4 constraint of Node IPs in ipvs proxier.
Besides, adding some log messages.
**Which issue this PR fixes**:
xref #51866
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.
Add required family flag for conntrack IPv6 operation
This change causes kube-proxy to supply the required "-f ipv6"
family flag whenever the conntrack utility is executed and the
associated service is using IPv6.
This change is required for IPv6-only operation.
Note that unit test coverage for the 2-line changes in
pkg/proxy/iptables/proxier.go and /pkg/proxy/ipvs/proxier.go will need
to be added after support for IPv6 service addresses is added to these
files. For pkg/proxy/iptables/proxier.go, this coverage will be added
either with PR #48551.
fixes#52027
**What this PR does / why we need it**:
Kube-proxy is currently not supplying the required "-f ipv6" family flag whenever it
calls the conntrack utility and the associated service is using an IPv6 service IP address.
This means that for IPv6-only operation, conntrack is not properly cleaning up
stale UDP connections, and this may be effecting ip6tables operation.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # 52027
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
bazel: build/test almost everything
**What this PR does / why we need it**: Miscellaneous cleanups and bug fixes. The main motivating idea here was to make `bazel build //...` and `bazel test //...` mostly work. (There's a few reasons these still don't work, but we're a lot closer.)
**Special notes for your reviewer**:
**Release note**:
```release-note
NONE
```
/assign @BenTheElder @mikedanese @spxtr
Automatic merge from submit-queue (batch tested with PRs 50068, 52406, 52394, 48551, 52131). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
add FlagPersistent flag in nodePort and other situation
**What this PR does / why we need it**:
For AffinityClientIP service, origin code in ipvs didn't add Persistent flag, which is a bug, so I added it.
**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes#52626
**Special notes for your reviewer**:
add FlagPersistent flag in nodePort and other situation
**Release note**:
```release-note
NONE
```
Automatic merge from submit-queue (batch tested with PRs 50294, 50422, 51757, 52379, 52014). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>..
rsync ipvs proxier to HEAD of iptables
**What this PR does / why we need it**:
rsync ipvs proxier to HEAD of iptables.
**Which issue this PR fixes**:
xref #51679
**Special notes for your reviewer**:
Obviously, @Lion-Wei has done part of this work, ref: #51922. It's fine that let #51922 get in first.
**Release note**:
```release-note
NONE
```
This change causes kube-proxy to supply the required "-f ipv6"
family flag whenever the conntrack utility is executed and the
associated service is using IPv6.
This change is required for IPv6-only operation.
Note that unit test coverage for the 2-line changes in
pkg/proxy/iptables/proxier.go and /pkg/proxy/ipvs/proxier.go will need
to be added after support for IPv6 service addresses is added to these
files. For pkg/proxy/iptables/proxier.go, this coverage will be added
either with PR #48551.
fixes#52027
Kubernetes Submit Queue