Commit Graph

775 Commits (ba535d57f6e2eb338f6fbf121d6be2e6f9204136)

Author SHA1 Message Date
Kubernetes Submit Queue f45f4a4ec0
Merge pull request #56880 from MrHohn/kube-proxy-ipv6-fix
Automatic merge from submit-queue (batch tested with PRs 53689, 56880, 55856, 59289, 60249). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Harden kube-proxy for unmatched IP versions

**What this PR does / why we need it**:
This PR makes kube-proxy omits & logs & emits event for unmatched IP versions configuration (IPv6 address in IPv4 mode or IPv4 address in IPv6 mode). 

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #57219

**Special notes for your reviewer**:

**Release note**:

```release-note
Fix the issue in kube-proxy iptables/ipvs mode to properly handle incorrect IP version.
```
2018-02-28 00:00:29 -08:00
Kubernetes Submit Queue 24516c5a96
Merge pull request #60501 from johscheuer/fix-ipvs-kubeadm-readme
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Remove old featureGate flag in Readme

**What this PR does / why we need it**:

This PR corrects the Readme for ipvs mode: https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/README.md. `kubeadm init` doesn't support the `--feature-gates=SupportIPVSProxyMode=true` flag anymore since IPVS is in beta and not alpha anymore.


```
sudo kubeadm init --help
Run this command in order to set up the Kubernetes master.

Usage:
  kubeadm init [flags]

Flags:
      --apiserver-advertise-address string      The IP address the API Server will advertise it's listening on. Specify '0.0.0.0' to use the address of the default network interface.
      --apiserver-bind-port int32               Port for the API Server to bind to. (default 6443)
      --apiserver-cert-extra-sans stringSlice   Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. Can be both IP addresses and DNS names.
      --cert-dir string                         The path where to save and store the certificates. (default "/etc/kubernetes/pki")
      --config string                           Path to kubeadm config file. WARNING: Usage of a configuration file is experimental.
      --cri-socket string                       Specify the CRI socket to connect to. (default "/var/run/dockershim.sock")
      --dry-run                                 Don't apply any changes; just output what would be done.
      --feature-gates string                    A set of key=value pairs that describe feature gates for various features. Options are:
CoreDNS=true|false (ALPHA - default=false)
DynamicKubeletConfig=true|false (ALPHA - default=false)
SelfHosting=true|false (ALPHA - default=false)
StoreCertsInSecrets=true|false (ALPHA - default=false)
      --ignore-preflight-errors stringSlice     A list of checks whose errors will be shown as warnings. Example: 'IsPrivilegedUser,Swap'. Value 'all' ignores errors from all checks.
      --kubernetes-version string               Choose a specific Kubernetes version for the control plane. (default "stable-1.9")
      --node-name string                        Specify the node name.
      --pod-network-cidr string                 Specify range of IP addresses for the pod network. If set, the control plane will automatically allocate CIDRs for every node.
      --service-cidr string                     Use alternative range of IP address for service VIPs. (default "10.96.0.0/12")
      --service-dns-domain string               Use alternative domain for services, e.g. "myorg.internal". (default "cluster.local")
      --skip-token-print                        Skip printing of the default bootstrap token generated by 'kubeadm init'.
      --token string                            The token to use for establishing bidirectional trust between nodes and masters.
      --token-ttl duration                      The duration before the bootstrap token is automatically deleted. If set to '0', the token will never expire. (default 24h0m0s)
```

**Special notes for your reviewer**:
Used kubeadm version:

```bash
sudo kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T11:55:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}
```

**Release note**:

```release-note
NONE
```
2018-02-27 21:40:36 -08:00
Zihong Zheng 6004452bed Auto-updated BUILD files 2018-02-27 11:18:11 -08:00
Zihong Zheng f6eed81f21 [kube-proxy] Mass service/endpoint info functions rename and comments 2018-02-27 11:14:02 -08:00
Zihong Zheng 06064498de [kube-proxy] Unit test for unmatched IP version 2018-02-27 11:14:02 -08:00
Zihong Zheng 95cde4fb98 [kube-proxy] Harden change tracker and proxiers for unmatched IP versions 2018-02-27 11:14:02 -08:00
Zihong Zheng 2ae45e9f1b [kube-proxy] Make the import name of utilproxy consistent 2018-02-27 11:14:02 -08:00
Zihong Zheng ca032528be [kube-proxy] Add more IP version related utils 2018-02-27 11:14:02 -08:00
Zihong Zheng dfbec1a63a [kube-proxy] Move ipv6 related funcs to utils pkg 2018-02-27 11:12:45 -08:00
Zihong Zheng b485f7b5b4 [kube-proxy] Move Service/EndpointInfo common codes to change tracker 2018-02-27 11:05:59 -08:00
Kubernetes Submit Queue 42378eab40
Merge pull request #58052 from m1093782566/nodeip-config
Automatic merge from submit-queue (batch tested with PRs 60430, 60115, 58052, 60355, 60116). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Make nodeport ip configurable

**What this PR does / why we need it**:

By default, kube-proxy accepts everything from NodePort without any filter. It can be a problem for nodes which has both public and private NICs, and people only want to provide a service in private network and avoid exposing any internal service on the public IPs.

This PR makes nodeport ip configurable.

**Which issue(s) this PR fixes**:
Closes: #21070

**Special notes for your reviewer**:

Design proposal see: https://github.com/kubernetes/community/pull/1547

Issue in feature repo: https://github.com/kubernetes/features/issues/539

**Release note**:

```release-note
Make NodePort IP addresses configurable
```
2018-02-27 09:38:44 -08:00
Johannes Scheuermann 7bf7f9c79c Remove old featureGate flag 2018-02-27 14:01:45 +01:00
jennybuckley c8dacd8e63 Run hack/update-all.sh 2018-02-26 17:16:14 -08:00
Kubernetes Submit Queue 05425f0826
Merge pull request #60256 from danwinship/review-iptables-stuff
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

add me to iptables/kube-proxy reviewers

kube-proxy needs reviewers!
2018-02-26 07:50:58 -08:00
m1093782566 2edc97bf17 fix static checks 2018-02-26 23:49:26 +08:00
m1093782566 9bb4807e25 update bazel 2018-02-26 23:48:48 +08:00
m1093782566 df7df811a4 auto generated codes 2018-02-26 23:48:48 +08:00
m1093782566 b498a33927 userspace part changes 2018-02-26 23:48:48 +08:00
m1093782566 c537ff54e7 ipvs part implementation 2018-02-26 23:48:47 +08:00
m1093782566 ddfa04e8f4 iptables part implementation 2018-02-26 23:48:47 +08:00
m1093782566 bf565305ee create netwowrk interface util 2018-02-26 23:48:46 +08:00
m1093782566 dbcb2c9b27 validate nodeport-addresses 2018-02-26 23:48:46 +08:00
m1093782566 bc850adce4 add nodeport-addresses flag for kube-proxy 2018-02-26 23:48:46 +08:00
Kubernetes Submit Queue c11ae9d21e
Merge pull request #60306 from danwinship/proxier-connstate-new
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Only run connection-rejecting rules on new connections

Kube-proxy has two iptables chains full of rules to reject incoming connections to services that don't have any endpoints. Currently these rules get tested against all incoming packets, but that's unnecessary; if a connection to a given service has already been established, then we can't have been rejecting connections to that service. By only checking the first packet in each new connection, we can get rid of a lot of unnecessary checks on incoming traffic.

Fixes #56842

**Release note**:
```release-note
Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services.
```
2018-02-24 16:19:56 -08:00
Kubernetes Submit Queue c1a73ea685
Merge pull request #59286 from prameshj/udp-conntrack
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Delete stale UDP conntrack entries that use hostPort

**What this PR does / why we need it**:
This PR introduces a change to delete stale conntrack entries for UDP connections, specifically for udp connections that use hostPort. When the pod listening on that udp port get updated/restarted(and gets a new ip address), these entries need to be flushed so that ongoing udp connections can recover once the pod is back and the new iptables rules have been installed. 
**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #59033

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-02-23 19:54:08 -08:00
Kubernetes Submit Queue e6c2a5de10
Merge pull request #57461 from danwinship/proxier-no-dummy-nat-rules
Automatic merge from submit-queue (batch tested with PRs 55637, 57461, 60268, 60290, 60210). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Don't create no-op iptables rules for services with no endpoints

Currently for all services we create `-t nat -A KUBE-SERVICES` rules that match the destination IPs (ClusterIP, ExternalIP, NodePort IPs, etc) and then jump to the appropriate `KUBE-SVC-XXXXXX` chain. But if the service has no endpoints then the `KUBE-SVC-XXXXXX` chain will be empty and so nothing happens except that we wasted time (a) forcing iptables-restore to parse the match rules, and (b) forcing the kernel to test matches that aren't going to have any effect.

This PR gets rid of the match rules in this case. Which is to say, it changes things so that every incoming service packet is matched *either* by nat rules to rewrite it *or* by filter rules to ICMP reject it, but not both. (Actually, that's not quite true: there are no filter rules to reject Ingress-addressed packets, and I *think* that's a bug?)

I also got rid of some comments that seemed redundant.

The patch is mostly reindentation, so best viewed with `diff -w`.

Partial fix for #56842 / Related to #56164 (which it conflicts with but I'll fix that after one or the other merges).

**Release note**:
```release-note
Removed some redundant rules created by the iptables proxier, to improve performance on systems with very many services.
```
2018-02-23 09:49:38 -08:00
Dan Winship 225941679e Only run connection-rejecting rules on new connections 2018-02-23 08:50:58 -05:00
Kubernetes Submit Queue be2880d6be
Merge pull request #57550 from m1093782566/cleanup-mode
Automatic merge from submit-queue (batch tested with PRs 57550, 60089). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix inconsistent comment message

**What this PR does / why we need it**:

remove dead code in `/pkg/proxy/apis/kubeproxyconfig/validation/validation.go` - see duplicated codes in https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/apis/kubeproxyconfig/types.go#L155-L169

**Which issue(s) this PR fixes**:

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
2018-02-23 04:01:33 -08:00
Pavithra Ramesh 098a4467fe Remove conntrack entry on udp rule add.
Moved conntrack util outside of proxy pkg
Added warning message if conntrack binary is not found
Addressed review comments.
ran gofmt
2018-02-22 23:34:42 -08:00
m1093782566 181930794c fix proxy mode comment message 2018-02-23 11:50:42 +08:00
m1093782566 c44399f31e fix proxy mode comment message in v1alpha1 2018-02-23 11:50:39 +08:00
Kubernetes Submit Queue da564ef4fb
Merge pull request #57962 from xiangpengzhao/proxy-feature-gates
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

 Migrate FeatureGates type of kube-proxy from string to map[string]bool

**What this PR does / why we need it**:
Migration of FeatureGates type. This is a follow-up of #53025.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
ref: #53025
https://github.com/kubernetes/kubernetes/pull/57754#discussion_r160023416

**Special notes for your reviewer**:
/cc @luxas @mtaufen @ncdc 

**Release note**:

```release-note
action required: kube-proxy: feature gates are now specified as a map when provided via a JSON or YAML KubeProxyConfiguration, rather than as a string of key-value pairs.
```
2018-02-22 19:32:41 -08:00
Kubernetes Submit Queue f0ca996274
Merge pull request #56164 from danwinship/proxier-chain-split
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Split KUBE-SERVICES chain to re-shrink the INPUT chain

**What this PR does / why we need it**:
#43972 added an iptables rule "`-A INPUT -j KUBE-SERVICES`" to make NodePort ICMP rejection work. (Previously the KUBE-SERVICES chain was only run from OUTPUT, not INPUT.) #44547 extended that patch for ExternalIP rejection as well.

However, the KUBE-SERVICES chain may potentially have a very large number of ICMP reject rules for plain ClusterIP services (the ones that get run from OUTPUT), and it seems that for some reason the kernel is much more sensitive to the length of the INPUT chain than it is to the length of the OUTPUT chain. So a node that worked fine with kube 1.6 (when KUBE-SERVICES was only run from OUTPUT) might fall over with kube 1.7 (with KUBE-SERVICES being run from both INPUT and OUTPUT).

(Specifically, a node with about 5000 ClusterIP reject rules that ran fine with OpenShift 3.6 [kube 1.6] slowed almost to a complete halt with OpenShift 3.7 [kube 1.7].)

This PR fixes things by splitting out the "new" part of KUBE-SERVICES (NodePort and ExternalIP reject rules) into a separate KUBE-EXTERNAL-SERVICES chain run from INPUT, and moves KUBE-SERVICES back to being only run from OUTPUT. (So, yes, this assumes that you don't have 5000 NodePort/ExternalIP services, but, if you do, there's not much we can do, since those rules *have* to be run on the INPUT side.)

Oh, and I left in the code to clean up the "`-A INPUT -j KUBE-SERVICES`" rule even though we don't generate it any more, so it gets fixed on upgrade.

**Release note**:
```release-note
Reorganized iptables rules to fix a performance regression on clusters with thousands of services.
```

@kubernetes/sig-network-bugs @kubernetes/rh-networking
2018-02-22 18:52:53 -08:00
Dan Winship fc03cfe7a8 add me to iptables/kube-proxy reviewers 2018-02-22 17:36:57 -05:00
Jeff Grafton ef56a8d6bb Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
Davanum Srinivas 692f2ec305 Standardize on KUBE_PROXY_MODE (not KUBEPROXY_MODE)
There's a disconnect between 12d4eac038
and the earlier a6af827898. One says
KUBEPROXY_MODE and another says KUBE_PROXY_MODE. Let's just pick one.
Currently we fail with the following error:

hack/local-up-cluster.sh: line 808: KUBEPROXY_MODE: unbound variable
2018-02-14 21:26:54 -05:00
Dan Winship 07ead7d8e2 Don't create no-op iptables rules for services with no endpoints 2018-02-13 07:52:47 -05:00
Lihua Tang cad52f6576 Fix typos 2018-02-13 16:17:37 +08:00
Kubernetes Submit Queue 9438e14d39
Merge pull request #52528 from m1093782566/refactor-proxy
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Refactor kube-proxy service/endpoints update so that can be consumed among different proxiers

**What this PR does / why we need it**:

There are huge duplication among different proxiers.  For example, the service/endpoints list/watch part in iptables, ipvs and windows kernel mode(to be get in soon).

I think the more places this is replicated the harder it becomes to keep correct. We may need to refactor it and let different proxiers consume the same code.

**Which issue this PR fixes**: 

fixes #52464

**Special notes for your reviewer**:

* This refactor reduces **500** Lines in iptables proxy, so it will reduce **500*N**(number of proxiers) lines in total. People no need to care the service/endpoints update logic any more and can be more focus on proxy logic.

* I would like to do the following things in follow-ups:

1. rsync it to ipvs proxier

2. rsync it to winkernel proxier

**Release note**:

```release-note
Refactor kube-proxy service/endpoints update so that can be consumed among different proxiers
```
2018-02-12 23:29:50 -08:00
xiangpengzhao 131ce79c65 Update fuzzer to reflect FeatureGates type change. 2018-02-11 15:15:22 +08:00
xiangpengzhao 58bb1447e9 Auto generated files. 2018-02-11 14:40:13 +08:00
xiangpengzhao 57071d85ee Migrate FeatureGates type of kube-proxy from string to map[string]bool 2018-02-11 14:40:13 +08:00
Kubernetes Submit Queue 317853c90c
Merge pull request #59464 from dixudx/fix_all_typos
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

fix all the typos across the project

**What this PR does / why we need it**:
There are lots of typos across the project. We should avoid small PRs on fixing those annoying typos, which is time-consuming and low efficient.

This PR does fix all the typos across the project currently. And with #59463, typos could be avoided when a new PR gets merged.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:
/sig testing
/area test-infra
/sig release
/cc @ixdy 
/assign @fejta 

**Release note**:

```release-note
None
```
2018-02-10 22:12:45 -08:00
Di Xu 48388fec7e fix all the typos across the project 2018-02-11 11:04:14 +08:00
stewart-yu 2e67243497 fix deleting dummy device error in kube-proxy.log when run cluster in local 2018-02-11 10:59:09 +08:00
m1093782566 b7dbaab96a update bazel BUILD 2018-02-09 17:26:22 +08:00
m1093782566 8dd4cbe88b ipvs part changes 2018-02-09 17:20:55 +08:00
m1093782566 f3512cbbb9 iptables proxier part changes 2018-02-09 17:20:51 +08:00
m1093782566 6edcf02d9e proxy endpoints part changes 2018-02-09 17:20:47 +08:00
m1093782566 9e85b526cb proxy service part changes 2018-02-09 17:20:44 +08:00