diff --git a/cmd/kube-proxy/app/options/options.go b/cmd/kube-proxy/app/options/options.go
index 760bcfc34bb..dffa1ffcfdb 100644
--- a/cmd/kube-proxy/app/options/options.go
+++ b/cmd/kube-proxy/app/options/options.go
@@ -78,7 +78,7 @@ func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) {
 fs.Var(&s.Mode, "proxy-mode", "Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the '"+ExperimentalProxyModeAnnotation+"' annotation if provided. Otherwise use the best-available proxy (currently iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.")
 fs.Int32Var(s.IPTablesMasqueradeBit, "iptables-masquerade-bit", util.Int32PtrDerefOr(s.IPTablesMasqueradeBit, 14), "If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31].")
 fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
- fs.DurationVar(&s.IPTablesMinSyncPeriod.Duration, "iptables-min-sync-period", s.IPTablesMinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
+ fs.DurationVar(&s.IPTablesMinSyncPeriod.Duration, "iptables-min-sync-period", s.IPTablesMinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').")
 fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed. Must be greater than 0.")
 fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything")
 fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.")
diff --git a/pkg/apis/componentconfig/types.go b/pkg/apis/componentconfig/types.go
index 23250e8b39e..9d268ccda6d 100644
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@@ -45,7 +45,7 @@ type KubeProxyConfiguration struct {
 // '2h22m'). Must be greater than 0.
 IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
 // iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
- // '2h22m'). Must be greater than 0.
+ // '2h22m').
 IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
 // kubeconfigPath is the path to the kubeconfig file with authorization information (the
 // master location is set by the master flag).
diff --git a/pkg/apis/componentconfig/v1alpha1/defaults.go b/pkg/apis/componentconfig/v1alpha1/defaults.go
index 7ef2c59e776..e577b27beae 100644
--- a/pkg/apis/componentconfig/v1alpha1/defaults.go
+++ b/pkg/apis/componentconfig/v1alpha1/defaults.go
@@ -80,9 +80,6 @@ func SetDefaults_KubeProxyConfiguration(obj *KubeProxyConfiguration) {
 if obj.IPTablesSyncPeriod.Duration == 0 {
 obj.IPTablesSyncPeriod = unversioned.Duration{Duration: 30 * time.Second}
 }
- if obj.IPTablesMinSyncPeriod.Duration == 0 {
- obj.IPTablesMinSyncPeriod = unversioned.Duration{Duration: 2 * time.Second}
- }
 zero := unversioned.Duration{}
 if obj.UDPIdleTimeout == zero {
 obj.UDPIdleTimeout = unversioned.Duration{Duration: 250 * time.Millisecond}
diff --git a/pkg/apis/componentconfig/v1alpha1/types.go b/pkg/apis/componentconfig/v1alpha1/types.go
index 48b296187ec..424423de0af 100644
--- a/pkg/apis/componentconfig/v1alpha1/types.go
+++ b/pkg/apis/componentconfig/v1alpha1/types.go
@@ -42,7 +42,7 @@ type KubeProxyConfiguration struct { // '2h22m'). Must be greater than 0. IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"` // iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', - // '2h22m'). Must be greater than 0. + // '2h22m'). IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"` // kubeconfigPath is the path to the kubeconfig file with authorization information (the // master location is set by the master flag). diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index e8108d09a15..1350bdde22f 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -1920,7 +1920,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, "iptablesMinSyncPeriodSeconds": { SchemaProps: spec.SchemaProps{ - Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.", + Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').", Ref: spec.MustCreateRef("#/definitions/unversioned.Duration"), }, }, @@ -13674,7 +13674,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{ }, "iptablesMinSyncPeriodSeconds": { SchemaProps: spec.SchemaProps{ - Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.", + Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').", Ref: spec.MustCreateRef("#/definitions/unversioned.Duration"), }, }, diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index 5cd7347b076..85c7dd45a18 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go 
@@ -222,8 +222,8 @@ var _ proxy.ProxyProvider = &Proxier{} // will not terminate if a particular iptables call fails. func NewProxier(ipt utiliptables.Interface, sysctl utilsysctl.Interface, exec utilexec.Interface, syncPeriod time.Duration, minSyncPeriod time.Duration, masqueradeAll bool, masqueradeBit int, clusterCIDR string, hostname string, nodeIP net.IP) (*Proxier, error) { // check valid user input - if minSyncPeriod == 0 || minSyncPeriod > syncPeriod { - return nil, fmt.Errorf("min-sync (%v) must be < sync(%v) and > 0 ", minSyncPeriod, syncPeriod) + if minSyncPeriod > syncPeriod { + return nil, fmt.Errorf("min-sync (%v) must be < sync(%v)", minSyncPeriod, syncPeriod) } // Set the route_localnet sysctl we need for @@ -252,16 +252,21 @@ func NewProxier(ipt utiliptables.Interface, sysctl utilsysctl.Interface, exec ut go healthcheck.Run() - syncsPerSecond := float32(time.Second) / float32(minSyncPeriod) + var throttle flowcontrol.RateLimiter + // Defaulting back to not limit sync rate when minSyncPeriod is 0. + if minSyncPeriod != 0 { + syncsPerSecond := float32(time.Second) / float32(minSyncPeriod) + // The average use case will process 2 updates in short succession + throttle = flowcontrol.NewTokenBucketRateLimiter(syncsPerSecond, 2) + } return &Proxier{ - serviceMap: make(map[proxy.ServicePortName]*serviceInfo), - endpointsMap: make(map[proxy.ServicePortName][]*endpointsInfo), - portsMap: make(map[localPort]closeable), - syncPeriod: syncPeriod, - minSyncPeriod: minSyncPeriod, - // The average use case will process 2 updates in short succession - throttle: flowcontrol.NewTokenBucketRateLimiter(syncsPerSecond, 2), + serviceMap: make(map[proxy.ServicePortName]*serviceInfo), + endpointsMap: make(map[proxy.ServicePortName][]*endpointsInfo), + portsMap: make(map[localPort]closeable), + syncPeriod: syncPeriod, + minSyncPeriod: minSyncPeriod, + throttle: throttle, iptables: ipt, masqueradeAll: masqueradeAll, masqueradeMark: masqueradeMark, 
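Review bot: The relaxed guard at the top of NewProxier still accepts a negative minSyncPeriod, because `minSyncPeriod > syncPeriod` is false for any negative duration; the later `minSyncPeriod != 0` branch would then hand a negative syncsPerSecond to the token bucket. Rejecting it up front keeps the limiter's input sane: `if minSyncPeriod < 0 || minSyncPeriod > syncPeriod {`. The message also says "must be < sync" while the comparison allows equality, so `fmt.Errorf("min-sync (%v) must be <= sync (%v) and >= 0", minSyncPeriod, syncPeriod)` would match the check. NewProxier's body continues outside this hunk.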
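Review bot: `throttle` is now left as a nil flowcontrol.RateLimiter whenever minSyncPeriod is 0, so every use of `proxier.throttle` has to be nil-guarded; those call sites are not part of this diff, and an unguarded `Accept()` would panic on the sync path, so please confirm they check for nil. Because defaults.go no longer fills in 2s, the unthrottled path becomes the default, and presumably a burst of Service or Endpoints changes then turns into back-to-back iptables rewrites on each node. That trade-off deserves to be stated where operators read it, for example by ending the `iptables-min-sync-period` help text and the IPTablesMinSyncPeriod field comments with `A value of 0 disables rate limiting.` The in-code comment would be clearer as `// A zero minSyncPeriod leaves throttle nil: syncs are not rate-limited.` NewProxier starts before and ends after this hunk.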
diff --git a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/types.go b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/types.go
index 335b2cf4e14..c5eeb5f1385 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/types.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/types.go
@@ -45,7 +45,7 @@ type KubeProxyConfiguration struct {
 // '2h22m'). Must be greater than 0.
 IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
 // iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
- // '2h22m'). Must be greater than 0.
+ // '2h22m').
 IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
 // kubeconfigPath is the path to the kubeconfig file with authorization information (the
 // master location is set by the master flag).
diff --git a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/defaults.go b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/defaults.go
index 8293fbaf759..70b395e1688 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/defaults.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/defaults.go
@@ -80,9 +80,6 @@ func SetDefaults_KubeProxyConfiguration(obj *KubeProxyConfiguration) {
 if obj.IPTablesSyncPeriod.Duration == 0 {
 obj.IPTablesSyncPeriod = unversioned.Duration{Duration: 30 * time.Second}
 }
- if obj.IPTablesMinSyncPeriod.Duration == 0 {
- obj.IPTablesMinSyncPeriod = unversioned.Duration{Duration: 2 * time.Second}
- }
 zero := unversioned.Duration{}
 if obj.UDPIdleTimeout == zero {
 obj.UDPIdleTimeout = unversioned.Duration{Duration: 250 * time.Millisecond}
diff --git a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/types.go b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/types.go
index ec19fe0af9b..f23b1239423 100644
--- a/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/types.go
+++ b/staging/src/k8s.io/client-go/pkg/apis/componentconfig/v1alpha1/types.go
@@ -42,7 +42,7 @@ type KubeProxyConfiguration struct {
 // '2h22m'). Must be greater than 0.
 IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
 // iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
- // '2h22m'). Must be greater than 0.
+ // '2h22m').
 IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
 // kubeconfigPath is the path to the kubeconfig file with authorization information (the
 // master location is set by the master flag).