diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index b7e3dc0f4e1..248b2fc2e8b 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go @@ -273,6 +273,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlRouteLocalnet) } // Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers @@ -285,6 +286,7 @@ func NewProxier(ipt utiliptables.Interface, // Generate the masquerade mark to use for SNAT rules. masqueradeValue := 1 << uint(masqueradeBit) masqueradeMark := fmt.Sprintf("%#08x/%#08x", masqueradeValue, masqueradeValue) + klog.V(2).Infof("iptables(%s) masquerade mark: %s", ipVersion(ipt.IsIpv6()), masqueradeMark) endpointSlicesEnabled := utilfeature.DefaultFeatureGate.Enabled(features.EndpointSliceProxying) 
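Review bot: The added `klog.V(1)` line after `SetSysctl(sysctlRouteLocalnet, 1)` records only the new value, and at a verbosity that klog leaves off by default, so a node's log may hold no record that kube-proxy rewrote a host-wide kernel network setting. The literal `1` is also typed twice, once in the `SetSysctl` call and once in the format string, so the message can drift from the call. If the enclosing condition (outside this hunk) already reads the current value, I would log the change unconditionally with the old value, `klog.Infof("Changed sysctl %q from %d to %d", sysctlRouteLocalnet, val, 1)`, where `val` stands for whatever name that read uses. The same pattern recurs in the eight sysctl hunks of pkg/proxy/ipvs/proxier.go (sysctlRouteLocalnet through sysctlArpAnnounce), where one small helper that reads, sets and logs would replace every copy.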
@@ -319,18 +321,35 @@ func NewProxier(ipt utiliptables.Interface, nodePortAddresses: nodePortAddresses, networkInterfacer: utilproxy.RealNetwork{}, } + burstSyncs := 2 - klog.V(3).Infof("minSyncPeriod: %v, syncPeriod: %v, burstSyncs: %d", minSyncPeriod, syncPeriod, burstSyncs) + klog.V(2).Infof("iptables(%s) sync params: minSyncPeriod=%v, syncPeriod=%v, burstSyncs=%d", + ipVersion(ipt.IsIpv6()), minSyncPeriod, syncPeriod, burstSyncs) // We pass syncPeriod to ipt.Monitor, which will call us only if it needs to. // We need to pass *some* maxInterval to NewBoundedFrequencyRunner anyway though. // time.Hour is arbitrary. proxier.syncRunner = async.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, time.Hour, burstSyncs) + go ipt.Monitor(utiliptables.Chain("KUBE-PROXY-CANARY"), []utiliptables.Table{utiliptables.TableMangle, utiliptables.TableNAT, utiliptables.TableFilter}, proxier.syncProxyRules, syncPeriod, wait.NeverStop) + + if ipt.HasRandomFully() { + klog.V(2).Infof("iptables(%s) supports --random-fully", ipVersion(ipt.IsIpv6())) + } else { + klog.V(2).Infof("iptables(%s) does not support --random-fully", ipVersion(ipt.IsIpv6())) + } + return proxier, nil } +func ipVersion(isIPv6 bool) string { + if isIPv6 { + return "ipv6" + } + return "ipv4" +} + // NewDualStackProxier creates a MetaProxier instance, with IPv4 and IPv6 proxies. func NewDualStackProxier( ipt [2]utiliptables.Interface, @@ -787,7 +806,7 @@ func (proxier *Proxier) syncProxyRules() { start := time.Now() defer func() { metrics.SyncProxyRulesLatency.Observe(metrics.SinceInSeconds(start)) - klog.V(4).Infof("syncProxyRules took %v", time.Since(start)) + klog.V(2).Infof("syncProxyRules took %v", time.Since(start)) }() localAddrs, err := utilproxy.GetLocalAddrs() @@ -818,7 +837,7 @@ func (proxier *Proxier) syncProxyRules() { } } - klog.V(3).Info("Syncing iptables rules") + klog.V(2).Info("Syncing iptables rules") success := false defer func() { 
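Review bot: `ipVersion(ipt.IsIpv6())` is spelled out three times in this hunk and once more in the masquerade-mark line of the previous hunk; computing it once near the top of NewProxier, `ipFamily := ipVersion(ipt.IsIpv6())`, keeps the log prefix consistent and the lines shorter. The new `ipVersion` helper has no doc comment and is added again, byte for byte, in pkg/proxy/ipvs/proxier.go; one copy in a package both proxiers already import would be enough, with a comment such as `// ipVersion returns "ipv6" or "ipv4" for use in log messages.` NewProxier starts before this hunk.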
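Review bot: Raising `syncProxyRules took %v` from V(4) to V(2) here, together with `Syncing iptables rules` going from V(3) to V(2) in the next hunk, emits two lines on every sync at a verbosity that many deployments run in production (assumed, not visible here). Syncs can fire as often as minSyncPeriod allows, so on a node with service churn these lines can dominate the log and shorten how long other records survive rotation, including the one-off sysctl and masquerade-mark lines this commit adds. The duration is already exported through `metrics.SyncProxyRulesLatency` in the same deferred function, so I would keep only one of the two at V(2) and leave the other where it was, e.g. `klog.V(4).Infof("syncProxyRules took %v", time.Since(start))`. syncProxyRules continues outside both hunks.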
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go index 47c544c61b1..67305b8cf11 100644 --- a/pkg/proxy/ipvs/proxier.go +++ b/pkg/proxy/ipvs/proxier.go @@ -351,6 +351,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlRouteLocalnet) } // Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers @@ -365,6 +366,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlVSConnTrack, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlVSConnTrack, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlVSConnTrack) } kernelVersionStr, err := kernelHandler.GetKernelVersion() @@ -383,6 +385,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlConnReuse, 0); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlConnReuse, err) } + klog.V(1).Infof("Set sysctl %q to 0", sysctlConnReuse) } } @@ -391,6 +394,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlExpireNoDestConn, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlExpireNoDestConn, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlExpireNoDestConn) } // Set the expire_quiescent_template sysctl we need for @@ -398,6 +402,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlExpireQuiescentTemplate, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlExpireQuiescentTemplate, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlExpireQuiescentTemplate) } // Set the ip_forward sysctl we need for 
@@ -405,6 +410,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlForward, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlForward, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlForward) } if strictARP { @@ -413,6 +419,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlArpIgnore, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlArpIgnore, err) } + klog.V(1).Infof("Set sysctl %q to 1", sysctlArpIgnore) } // Set the arp_announce sysctl we need for @@ -420,6 +427,7 @@ func NewProxier(ipt utiliptables.Interface, if err := sysctl.SetSysctl(sysctlArpAnnounce, 2); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlArpAnnounce, err) } + klog.V(1).Infof("Set sysctl %q to 2", sysctlArpAnnounce) } } @@ -490,12 +498,20 @@ func NewProxier(ipt utiliptables.Interface, proxier.ipsetList[is.name] = NewIPSet(ipset, is.name, is.setType, isIPv6, is.comment) } burstSyncs := 2 - klog.V(3).Infof("minSyncPeriod: %v, syncPeriod: %v, burstSyncs: %d", minSyncPeriod, syncPeriod, burstSyncs) + klog.V(2).Infof("ipvs(%s) sync params: minSyncPeriod=%v, syncPeriod=%v, burstSyncs=%d", + ipVersion(ipt.IsIpv6()), minSyncPeriod, syncPeriod, burstSyncs) proxier.syncRunner = async.NewBoundedFrequencyRunner("sync-runner", proxier.syncProxyRules, minSyncPeriod, syncPeriod, burstSyncs) proxier.gracefuldeleteManager.Run() return proxier, nil } +func ipVersion(isIPv6 bool) string { + if isIPv6 { + return "ipv6" + } + return "ipv4" +} + // NewDualStackProxier returns a new Proxier for dual-stack operation func NewDualStackProxier( ipt [2]utiliptables.Interface,
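Review bot: The new sync-params log in the last hunk calls `ipt.IsIpv6()` although `isIPv6` is already in scope two lines above, where it is passed to `NewIPSet`. Building the prefix from that same value, `ipVersion(isIPv6), minSyncPeriod, syncPeriod, burstSyncs)`, guarantees the log names the address family the ipsets were actually created for. Where `isIPv6` is assigned is outside this hunk, so confirm it cannot differ from `ipt.IsIpv6()` before swapping; NewProxier starts before the hunk.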