From b9bc0e5ac8032bb63298a407c287e6055ef073de Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Wed, 18 Jan 2023 10:45:18 -0500
Subject: [PATCH 1/2] Ensure needFullSync is set at iptables proxy startup
The unit tests were broken with MinimizeIPTablesRestore enabled because syncProxyRules() assumed that needFullSync would be set on the first (post-setInitialized()) run, but the unit tests didn't ensure that. (In fact, there was a race condition in the real Proxier case as well; theoretically syncProxyRules() could be run by the BoundedFrequencyRunner after OnServiceSynced() called setInitialized() but before it called forceSyncProxyRules(), thus causing the first real sync to try to do a partial sync and fail. This is now fixed as well.)
---
 pkg/proxy/iptables/proxier.go | 5 +++--
 pkg/proxy/iptables/proxier_test.go | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index fbde2f8db8b..846a7ec6ff3 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -265,6 +265,7 @@ func NewProxier(ipFamily v1.IPFamily,
 serviceChanges: proxy.NewServiceChangeTracker(newServiceInfo, ipFamily, recorder, nil),
 endpointsMap: make(proxy.EndpointsMap),
 endpointsChanges: proxy.NewEndpointChangeTracker(hostname, newEndpointInfo, ipFamily, recorder, nil),
+ needFullSync: true,
 syncPeriod: syncPeriod,
 iptables: ipt,
 masqueradeAll: masqueradeAll,
@@ -538,7 +539,7 @@ func (proxier *Proxier) OnServiceSynced() {
 proxier.mu.Unlock()
 // Sync unconditionally - this is called once per lifetime.
- proxier.forceSyncProxyRules()
+ proxier.syncProxyRules()
 }
 // OnEndpointSliceAdd is called whenever creation of a new endpoint slice object
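Review bot: The new `needFullSync: true,` initialiser in NewProxier carries an invariant that the line itself does not record: per the commit message, syncProxyRules() expects the flag to be set on its first run after setInitialized(). A short trailing comment would keep a later cleanup from dropping it, for example `needFullSync: true, // first sync after startup must be a full restore`. The struct literal starts and ends outside the hunk, so the field's declaration and its other writers are not visible here.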
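Review bot: The retained comment `// Sync unconditionally - this is called once per lifetime.` in OnServiceSynced no longer matches the call below it, because syncProxyRules() does not force anything itself; the full sync now depends on the flag set in NewProxier. Reword it to say so, e.g. `// Sync now; needFullSync is set by NewProxier, so the first sync is a full one.` The same comment sits above the identical change in OnEndpointSlicesSynced (hunk at -574,7). Whether anything can clear needFullSync before the first successful sync is not visible in these hunks and is worth confirming, since kube-proxy's chains also carry filtering rules and a failed first sync presumably leaves the node on whatever rules were there before.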
@@ -574,7 +575,7 @@ func (proxier *Proxier) OnEndpointSlicesSynced() {
 proxier.mu.Unlock()
 // Sync unconditionally - this is called once per lifetime.
- proxier.forceSyncProxyRules()
+ proxier.syncProxyRules()
 }
 // OnNodeAdd is called whenever creation of new node object
diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index 6b050a14713..18590faf914 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@@ -408,6 +408,7 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
 serviceChanges: proxy.NewServiceChangeTracker(newServiceInfo, ipfamily, nil, nil),
 endpointsMap: make(proxy.EndpointsMap),
 endpointsChanges: proxy.NewEndpointChangeTracker(testHostname, newEndpointInfo, ipfamily, nil, nil),
+ needFullSync: true,
 iptables: ipt,
 masqueradeMark: "0x4000",
 localDetector: detectLocal,
From 4aec2b8b72e2affa79f3e0ccc3796167265facfc Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Tue, 17 Jan 2023 13:39:03 -0500
Subject: [PATCH 2/2] Move KEP-3453 MinimizeIPTablesRestore to beta
---
 pkg/features/kube_features.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/features/kube_features.go b/pkg/features/kube_features.go
index 8069c573468..395132429c1 100644
--- a/pkg/features/kube_features.go
+++ b/pkg/features/kube_features.go
@@ -534,6 +534,7 @@ const (
 // owner: @danwinship
 // kep: http://kep.k8s.io/3453
 // alpha: v1.26
+ // beta: v1.27
 //
 // Enables new performance-improving code in kube-proxy iptables mode
 MinimizeIPTablesRestore featuregate.Feature = "MinimizeIPTablesRestore"
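Review bot: NewFakeProxier now repeats the `needFullSync: true` initialisation by hand, so the fake and NewProxier can drift apart again in the way the commit message describes, and nothing in this hunk pins the behaviour. Consider a regression test that builds a fake proxier and checks that the first syncProxyRules() run is a full one, or at least a comment on the field such as `// must match NewProxier: the first sync has to be a full one`. The function body continues outside the hunk, so an existing assertion elsewhere in proxier_test.go cannot be ruled out.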
@@ -975,7 +976,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
 MinDomainsInPodTopologySpread: {Default: true, PreRelease: featuregate.Beta},
- MinimizeIPTablesRestore: {Default: false, PreRelease: featuregate.Alpha},
+ MinimizeIPTablesRestore: {Default: true, PreRelease: featuregate.Beta},
 MixedProtocolLBService: {Default: true, PreRelease: featuregate.GA, LockToDefault: true}, // remove in 1.28
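Review bot: `MinimizeIPTablesRestore: {Default: true, PreRelease: featuregate.Beta}` puts every kube-proxy in iptables mode on the partial-restore path at upgrade, yet neither this line nor the gate's doc comment says how an operator backs out if a partial restore fails. The flip also depends on the startup fix in patch 1/2, because the race described there would otherwise affect all nodes rather than only clusters that opted in. A line in the gate's comment block would cover the first point, for example `// Can be disabled with --feature-gates=MinimizeIPTablesRestore=false if partial restores fail.` The map literal starts and ends outside the hunk.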