proxy/iptables: Fix sync_proxy_rules_iptables_total metric

It was counting the number of lines including the "COMMIT" line at the
end, so it was off by one.
Dan Winship 2021-11-04 16:30:12 -04:00
parent 1d8966f4f9
commit 08680192fb
2 changed files with 17 additions and 21 deletions


@ -1596,6 +1596,11 @@ func (proxier *Proxier) syncProxyRules() {
"-j", "ACCEPT",
)
numberFilterIptablesRules := utilproxy.CountBytesLines(proxier.filterRules.Bytes())
metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableFilter)).Set(float64(numberFilterIptablesRules))
numberNatIptablesRules := utilproxy.CountBytesLines(proxier.natRules.Bytes())
metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)).Set(float64(numberNatIptablesRules))
// Write the end-of-table markers.
utilproxy.WriteLine(proxier.filterRules, "COMMIT")
utilproxy.WriteLine(proxier.natRules, "COMMIT")
@ -1608,11 +1613,6 @@ func (proxier *Proxier) syncProxyRules() {
proxier.iptablesData.Write(proxier.natChains.Bytes())
proxier.iptablesData.Write(proxier.natRules.Bytes())
numberFilterIptablesRules := utilproxy.CountBytesLines(proxier.filterRules.Bytes())
metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableFilter)).Set(float64(numberFilterIptablesRules))
numberNatIptablesRules := utilproxy.CountBytesLines(proxier.natRules.Bytes())
metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)).Set(float64(numberNatIptablesRules))
klog.V(5).InfoS("Restoring iptables", "rules", proxier.iptablesData.Bytes())
err = proxier.iptables.RestoreAll(proxier.iptablesData.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters)
if err != nil {
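Review bot: The metric block moved above the end-of-table markers carries no comment saying that its position matters, so a later reordering of syncProxyRules could silently bring back the off-by-one in a gauge that operators rely on to watch rule-count drift. I would add a line above `numberFilterIptablesRules := ...` such as `// Count the rules before writing COMMIT so the end-of-table marker is not included in the metric.` CountBytesLines is applied to the whole filterRules and natRules buffers, so the count is only correct if they hold nothing but rule lines at that point, which cannot be confirmed from these hunks. The body of syncProxyRules starts and ends outside both hunks.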


@ -913,9 +913,9 @@ COMMIT
if err != nil {
t.Errorf("failed to get %s value, err: %v", metrics.IptablesRulesTotal.Name, err)
}
// 43 here is test specific and corresponds to one more than the number of -A lines after `*nat` in `expected`.
if nNatRules != 43.0 {
t.Fatalf("Wrong number of nat rules: expected 43 received %f", nNatRules)
// 42 here is test specific and corresponds to one more than the number of -A lines after `*nat` in `expected`.
if nNatRules != 42.0 {
t.Fatalf("Wrong number of nat rules: expected 42 received %f", nNatRules)
}
}
@ -3308,10 +3308,9 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
// COMMIT
if nFilterRules != 7.0 {
t.Fatalf("Wrong number of filter rule: expected 7 received %f", nFilterRules)
if nFilterRules != 6.0 {
t.Fatalf("Wrong number of filter rule: expected 6 received %f", nFilterRules)
}
nNatRules, err := testutil.GetGaugeMetricValue(metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)))
@ -3319,14 +3318,13 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
t.Errorf("failed to get %s value, err: %v", metrics.IptablesRulesTotal.Name, err)
}
// rules -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
// -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
// -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
// -A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
// -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
// -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
// COMMIT
if nNatRules != 6.0 {
t.Fatalf("Wrong number of nat rules: expected 6 received %f", nNatRules)
if nNatRules != 5.0 {
t.Fatalf("Wrong number of nat rules: expected 5 received %f", nNatRules)
}
populateEndpointSlices(fp,
@ -3355,9 +3353,8 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
// -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
// COMMIT
if nFilterRules != 5.0 {
t.Fatalf("Wrong number of filter rule: expected 5 received %f", nFilterRules)
if nFilterRules != 4.0 {
t.Fatalf("Wrong number of filter rule: expected 4 received %f", nFilterRules)
}
nNatRules, err = testutil.GetGaugeMetricValue(metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)))
if err != nil {
@ -3378,9 +3375,8 @@ func TestProxierMetricsIptablesTotalRules(t *testing.T) {
// -A KUBE-SEP-OUFLBLJVR33W4FIZ -m comment --comment ns1/svc1:p80 -s 10.0.0.5/32 -j KUBE-MARK-MASQ
// -A KUBE-SEP-OUFLBLJVR33W4FIZ -m comment --comment ns1/svc1:p80 -m udp -p udp -j DNAT --to-destination 10.0.0.5:80
// -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
// COMMIT
if nNatRules != 16.0 {
t.Fatalf("Wrong number of nat rules: expected 16 received %f", nNatRules)
if nNatRules != 15.0 {
t.Fatalf("Wrong number of nat rules: expected 15 received %f", nNatRules)
}
}
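Review bot: The updated comment in the first hunk of this file (above `if nNatRules != 42.0`) still says the value is "one more than the number of -A lines", which looks stale now that the COMMIT line is no longer counted. If 42 is now exactly the number of -A lines after the nat table marker, drop the words `one more than` from that comment; the `expected` fixture is outside the hunk, so the count should be confirmed against it. The later hunks remove the `// COMMIT` entries from their listings consistently, so only this comment needs attention. The enclosing test function of that first hunk starts outside the visible lines.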