mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-15 22:20:51 +00:00
Merge pull request #54219 from m1093782566/ipset
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Using ipset doing SNAT and packet filter in IPVS kube-proxy **What this PR does / why we need it**: Try ipset in ipvs proxy mode. **Which issue this PR fixes**: fixes #54203 xref: #53393, #53775 **Special notes for your reviewer**: **Release note**: ```release-note Using ipset doing SNAT and packet filtering in IPVS kube-proxy ``` /sig network /area kube-proxy
This commit is contained in:
Kubernetes Submit Queue
GitHub
@@ -41,6 +41,7 @@ go_library(
|
||||
"//pkg/proxy/userspace:go_default_library",
|
||||
"//pkg/util/configz:go_default_library",
|
||||
"//pkg/util/dbus:go_default_library",
|
||||
"//pkg/util/ipset:go_default_library",
|
||||
"//pkg/util/iptables:go_default_library",
|
||||
"//pkg/util/ipvs:go_default_library",
|
||||
"//pkg/util/mount:go_default_library",
|
||||
|
||||
@@ -63,6 +63,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/proxy/ipvs"
|
||||
"k8s.io/kubernetes/pkg/proxy/userspace"
|
||||
"k8s.io/kubernetes/pkg/util/configz"
|
||||
utilipset "k8s.io/kubernetes/pkg/util/ipset"
|
||||
utiliptables "k8s.io/kubernetes/pkg/util/iptables"
|
||||
utilipvs "k8s.io/kubernetes/pkg/util/ipvs"
|
||||
utilnode "k8s.io/kubernetes/pkg/util/node"
|
||||
@@ -356,6 +357,7 @@ type ProxyServer struct {
|
||||
EventClient v1core.EventsGetter
|
||||
IptInterface utiliptables.Interface
|
||||
IpvsInterface utilipvs.Interface
|
||||
IpsetInterface utilipset.Interface
|
||||
execer exec.Interface
|
||||
Proxier proxy.ProxyProvider
|
||||
Broadcaster record.EventBroadcaster
|
||||
@@ -422,7 +424,7 @@ func (s *ProxyServer) Run() error {
|
||||
if s.CleanupAndExit {
|
||||
encounteredError := userspace.CleanupLeftovers(s.IptInterface)
|
||||
encounteredError = iptables.CleanupLeftovers(s.IptInterface) || encounteredError
|
||||
encounteredError = ipvs.CleanupLeftovers(s.IpvsInterface, s.IptInterface) || encounteredError
|
||||
encounteredError = ipvs.CleanupLeftovers(s.IpvsInterface, s.IptInterface, s.IpsetInterface) || encounteredError
|
||||
if encounteredError {
|
||||
return errors.New("encountered an error while tearing down rules.")
|
||||
}
|
||||
|
||||
@@ -43,6 +43,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/proxy/userspace"
|
||||
"k8s.io/kubernetes/pkg/util/configz"
|
||||
utildbus "k8s.io/kubernetes/pkg/util/dbus"
|
||||
utilipset "k8s.io/kubernetes/pkg/util/ipset"
|
||||
utiliptables "k8s.io/kubernetes/pkg/util/iptables"
|
||||
utilipvs "k8s.io/kubernetes/pkg/util/ipvs"
|
||||
utilnode "k8s.io/kubernetes/pkg/util/node"
|
||||
@@ -72,6 +73,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
|
||||
var iptInterface utiliptables.Interface
|
||||
var ipvsInterface utilipvs.Interface
|
||||
var ipsetInterface utilipset.Interface
|
||||
var dbus utildbus.Interface
|
||||
|
||||
// Create a iptables utils.
|
||||
@@ -80,6 +82,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
dbus = utildbus.New()
|
||||
iptInterface = utiliptables.New(execer, dbus, protocol)
|
||||
ipvsInterface = utilipvs.New(execer)
|
||||
ipsetInterface = utilipset.New(execer)
|
||||
|
||||
// We omit creation of pretty much everything if we run in cleanup mode
|
||||
if cleanupAndExit {
|
||||
@@ -87,6 +90,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
execer: execer,
|
||||
IptInterface: iptInterface,
|
||||
IpvsInterface: ipvsInterface,
|
||||
IpsetInterface: ipsetInterface,
|
||||
CleanupAndExit: cleanupAndExit,
|
||||
}, nil
|
||||
}
|
||||
@@ -119,7 +123,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
var serviceEventHandler proxyconfig.ServiceHandler
|
||||
var endpointsEventHandler proxyconfig.EndpointsHandler
|
||||
|
||||
proxyMode := getProxyMode(string(config.Mode), iptInterface, iptables.LinuxKernelCompatTester{})
|
||||
proxyMode := getProxyMode(string(config.Mode), iptInterface, ipsetInterface, iptables.LinuxKernelCompatTester{})
|
||||
if proxyMode == proxyModeIPTables {
|
||||
glog.V(0).Info("Using iptables Proxier.")
|
||||
nodeIP := net.ParseIP(config.BindAddress)
|
||||
@@ -159,12 +163,13 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
userspace.CleanupLeftovers(iptInterface)
|
||||
// IPVS Proxier will generate some iptables rules,
|
||||
// need to clean them before switching to other proxy mode.
|
||||
ipvs.CleanupLeftovers(ipvsInterface, iptInterface)
|
||||
ipvs.CleanupLeftovers(ipvsInterface, iptInterface, ipsetInterface)
|
||||
} else if proxyMode == proxyModeIPVS {
|
||||
glog.V(0).Info("Using ipvs Proxier.")
|
||||
proxierIPVS, err := ipvs.NewProxier(
|
||||
iptInterface,
|
||||
ipvsInterface,
|
||||
ipsetInterface,
|
||||
utilsysctl.New(),
|
||||
execer,
|
||||
config.IPVS.SyncPeriod.Duration,
|
||||
@@ -220,7 +225,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
iptables.CleanupLeftovers(iptInterface)
|
||||
// IPVS Proxier will generate some iptables rules,
|
||||
// need to clean them before switching to other proxy mode.
|
||||
ipvs.CleanupLeftovers(ipvsInterface, iptInterface)
|
||||
ipvs.CleanupLeftovers(ipvsInterface, iptInterface, ipsetInterface)
|
||||
}
|
||||
|
||||
iptInterface.AddReloadFunc(proxier.Sync)
|
||||
@@ -230,6 +235,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
EventClient: eventClient,
|
||||
IptInterface: iptInterface,
|
||||
IpvsInterface: ipvsInterface,
|
||||
IpsetInterface: ipsetInterface,
|
||||
execer: execer,
|
||||
Proxier: proxier,
|
||||
Broadcaster: eventBroadcaster,
|
||||
@@ -249,7 +255,7 @@ func NewProxyServer(config *proxyconfigapi.KubeProxyConfiguration, cleanupAndExi
|
||||
}, nil
|
||||
}
|
||||
|
||||
func getProxyMode(proxyMode string, iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
|
||||
func getProxyMode(proxyMode string, iptver iptables.IPTablesVersioner, ipsetver ipvs.IPSetVersioner, kcompat iptables.KernelCompatTester) string {
|
||||
if proxyMode == proxyModeUserspace {
|
||||
return proxyModeUserspace
|
||||
}
|
||||
@@ -260,7 +266,7 @@ func getProxyMode(proxyMode string, iptver iptables.IPTablesVersioner, kcompat i
|
||||
|
||||
if utilfeature.DefaultFeatureGate.Enabled(features.SupportIPVSProxyMode) {
|
||||
if proxyMode == proxyModeIPVS {
|
||||
return tryIPVSProxy(iptver, kcompat)
|
||||
return tryIPVSProxy(iptver, ipsetver, kcompat)
|
||||
} else {
|
||||
glog.Warningf("Can't use ipvs proxier, trying iptables proxier")
|
||||
return tryIPTablesProxy(iptver, kcompat)
|
||||
@@ -270,10 +276,10 @@ func getProxyMode(proxyMode string, iptver iptables.IPTablesVersioner, kcompat i
|
||||
return tryIPTablesProxy(iptver, kcompat)
|
||||
}
|
||||
|
||||
func tryIPVSProxy(iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
|
||||
func tryIPVSProxy(iptver iptables.IPTablesVersioner, ipsetver ipvs.IPSetVersioner, kcompat iptables.KernelCompatTester) string {
|
||||
// guaranteed false on error, error only necessary for debugging
|
||||
// IPVS Proxier relies on iptables
|
||||
useIPVSProxy, err := ipvs.CanUseIPVSProxier()
|
||||
// IPVS Proxier relies on ipset
|
||||
useIPVSProxy, err := ipvs.CanUseIPVSProxier(ipsetver)
|
||||
if err != nil {
|
||||
// Try to fallback to iptables before falling back to userspace
|
||||
utilruntime.HandleError(fmt.Errorf("can't determine whether to use ipvs proxy, error: %v", err))
|
||||
@@ -282,8 +288,6 @@ func tryIPVSProxy(iptver iptables.IPTablesVersioner, kcompat iptables.KernelComp
|
||||
return proxyModeIPVS
|
||||
}
|
||||
|
||||
// TODO: Check ipvs version
|
||||
|
||||
// Try to fallback to iptables before falling back to userspace
|
||||
glog.V(1).Infof("Can't use ipvs proxier, trying iptables proxier")
|
||||
return tryIPTablesProxy(iptver, kcompat)
|
||||
|
||||
@@ -52,6 +52,15 @@ func (fake *fakeIPTablesVersioner) GetVersion() (string, error) {
|
||||
return fake.version, fake.err
|
||||
}
|
||||
|
||||
type fakeIPSetVersioner struct {
|
||||
version string // what to return
|
||||
err error // what to return
|
||||
}
|
||||
|
||||
func (fake *fakeIPSetVersioner) GetVersion() (string, error) {
|
||||
return fake.version, fake.err
|
||||
}
|
||||
|
||||
type fakeKernelCompatTester struct {
|
||||
ok bool
|
||||
}
|
||||
@@ -72,8 +81,10 @@ func Test_getProxyMode(t *testing.T) {
|
||||
annotationKey string
|
||||
annotationVal string
|
||||
iptablesVersion string
|
||||
ipsetVersion string
|
||||
kernelCompat bool
|
||||
iptablesError error
|
||||
ipsetError error
|
||||
expected string
|
||||
}{
|
||||
{ // flag says userspace
|
||||
@@ -128,7 +139,8 @@ func Test_getProxyMode(t *testing.T) {
|
||||
for i, c := range cases {
|
||||
versioner := &fakeIPTablesVersioner{c.iptablesVersion, c.iptablesError}
|
||||
kcompater := &fakeKernelCompatTester{c.kernelCompat}
|
||||
r := getProxyMode(c.flag, versioner, kcompater)
|
||||
ipsetver := &fakeIPSetVersioner{c.ipsetVersion, c.ipsetError}
|
||||
r := getProxyMode(c.flag, versioner, ipsetver, kcompater)
|
||||
if r != c.expected {
|
||||
t.Errorf("Case[%d] Expected %q, got %q", i, c.expected, r)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user