diff --git a/cmd/kube-proxy/app/conntrack.go b/cmd/kube-proxy/app/conntrack.go
index 35ec5ca4643..610d73d56ca 100644
--- a/cmd/kube-proxy/app/conntrack.go
+++ b/cmd/kube-proxy/app/conntrack.go
@@ -39,6 +39,8 @@ type Conntracker interface {
 SetTCPEstablishedTimeout(seconds int) error
 // SetTCPCloseWaitTimeout adjusts nf_conntrack_tcp_timeout_close_wait.
 SetTCPCloseWaitTimeout(seconds int) error
+ // SetTCPBeLiberal adjusts nf_conntrack_tcp_be_liberal.
+ SetTCPBeLiberal(value int) error
 // SetUDPTimeout adjusts nf_conntrack_udp_timeout.
 SetUDPTimeout(seconds int) error
 // SetUDPStreamTimeout adjusts nf_conntrack_udp_timeout_stream.
@@ -96,6 +98,10 @@ func (rct realConntracker) SetTCPCloseWaitTimeout(seconds int) error {
 return rct.setIntSysCtl("nf_conntrack_tcp_timeout_close_wait", seconds)
 }
 
+func (rct realConntracker) SetTCPBeLiberal(value int) error {
+ return rct.setIntSysCtl("nf_conntrack_tcp_be_liberal", value)
+}
+
 func (rct realConntracker) SetUDPTimeout(seconds int) error {
 return rct.setIntSysCtl("nf_conntrack_udp_timeout", seconds)
 }
diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index 529274c57cf..100b0cc0fb7 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
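Review bot: `SetTCPBeLiberal(value int) error` exposes a 0/1 kernel toggle through an unconstrained int, and its one-line comment does not say which values are meaningful; the kernel documents nf_conntrack_tcp_be_liberal as a boolean sysctl (0 disabled, any non-zero value enabled), so a caller passing 2 or -1 silently gets "enabled". The only caller in this diff (setupConntrack in server_others.go) passes the literal 1 for a bool config field, so either take a `bool` here or state the contract in the interface comment: `// SetTCPBeLiberal adjusts nf_conntrack_tcp_be_liberal, a boolean sysctl: pass 0 to disable or 1 to enable.` The realConntracker implementation in the next hunk forwards the value to setIntSysCtl without validation, so the same note applies there. The Conntracker interface declaration starts above this hunk.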
@@ -209,6 +209,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 &o.config.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait", o.config.Conntrack.TCPCloseWaitTimeout.Duration, "NAT timeout for TCP connections in the CLOSE_WAIT state")
+ fs.BoolVar(&o.config.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1")
 fs.DurationVar(&o.config.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)")
 fs.DurationVar(&o.config.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)")
diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
index ff3fff7e66b..2a4bf2bb2ce 100644
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -333,6 +333,12 @@ func (s *ProxyServer) setupConntrack() error {
 }
 }
 
+ if s.Config.Conntrack.TCPBeLiberal {
+ if err := ct.SetTCPBeLiberal(1); err != nil {
+ return err
+ }
+ }
+
 if s.Config.Conntrack.UDPTimeout.Duration > 0 {
 timeout := int(s.Config.Conntrack.UDPTimeout.Duration / time.Second)
 if err := ct.SetUDPTimeout(timeout); err != nil {
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 679f55c8464..c65aac2b0d9 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
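Review bot: The new flag's help text does not say what false does, while the neighbouring conntrack flags spell out "(0 to leave as-is)"; since setupConntrack in server_others.go (next hunk) only writes the sysctl when the field is true, false never resets a node that already has nf_conntrack_tcp_be_liberal=1 from an earlier kube-proxy run or from something else on the host. Make that asymmetry visible to operators in the help string: `"Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1 (false leaves the sysctl as-is)"`. The AddFlags method starts before this hunk and continues after it.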
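Review bot: The added block writes a kernel sysctl with no comment on its security effect; per the field description elsewhere in this diff, once nf_conntrack_tcp_be_liberal is 1, TCP segments with out-of-window sequence numbers are no longer marked INVALID, so any rule in that network namespace that drops INVALID-state traffic stops catching them for every tracked TCP flow, not only Service traffic. A why-comment above the `if` would let the next maintainer weigh that trade-off: `// Relaxes conntrack's TCP window check for the whole netns: out-of-window segments are no longer flagged INVALID (and so are no longer dropped by INVALID-state rules); false leaves the current sysctl value untouched.` Whether that namespace is the host's or a private one depends on where setIntSysCtl writes, which is outside this diff. setupConntrack starts before this hunk and continues after it.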
@@ -54358,6 +54358,14 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 Ref: ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
 },
 },
+ "tcpBeLiberal": {
+ SchemaProps: spec.SchemaProps{
+ Description: "tcpBeLiberal, if true, kube-proxy will configure conntrack to run in liberal mode for TCP connections and packets with out-of-window sequence numbers won't be marked INVALID.",
+ Default: false,
+ Type: []string{"boolean"},
+ Format: "",
+ },
+ },
 "udpTimeout": {
 SchemaProps: spec.SchemaProps{
 Description: "udpTimeout is how long an idle UDP conntrack entry in UNREPLIED state will remain in the conntrack table (e.g. '30s'). Must be greater than 0 to set.",
@@ -54371,7 +54379,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 },
 },
 },
- Required: []string{"maxPerCore", "min", "tcpEstablishedTimeout", "tcpCloseWaitTimeout", "udpTimeout", "udpStreamTimeout"},
+ Required: []string{"maxPerCore", "min", "tcpEstablishedTimeout", "tcpCloseWaitTimeout", "tcpBeLiberal", "udpTimeout", "udpStreamTimeout"},
 },
 },
 Dependencies: []string{
diff --git a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
index 91016c687f5..acb1a6d0d4e 100644
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
@@ -12,6 +12,7 @@ configSyncPeriod: 15m0s
 conntrack:
 maxPerCore: 32768
 min: 131072
+ tcpBeLiberal: false
 tcpCloseWaitTimeout: 1h0m0s
 tcpEstablishedTimeout: 24h0m0s
 udpStreamTimeout: 0s
diff --git a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
index 91016c687f5..acb1a6d0d4e 100644
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
@@ -12,6 +12,7 @@ configSyncPeriod: 15m0s
 conntrack:
 maxPerCore: 32768
 min: 131072
+ tcpBeLiberal: false
 tcpCloseWaitTimeout: 1h0m0s
 tcpEstablishedTimeout: 24h0m0s
 udpStreamTimeout: 0s
diff --git a/pkg/proxy/apis/config/types.go b/pkg/proxy/apis/config/types.go
index d677b9b1f74..bcf59ed0c4d 100644
--- a/pkg/proxy/apis/config/types.go
+++ b/pkg/proxy/apis/config/types.go
@@ -97,6 +97,10 @@ type KubeProxyConntrackConfiguration struct {
 // in CLOSE_WAIT state will remain in the conntrack
 // table. (e.g. '60s'). Must be greater than 0 to set.
 TCPCloseWaitTimeout *metav1.Duration
+ // tcpBeLiberal, if true, kube-proxy will configure conntrack
+ // to run in liberal mode for TCP connections and packets with
+ // out-of-window sequence numbers won't be marked INVALID.
+ TCPBeLiberal bool
 // udpTimeout is how long an idle UDP conntrack entry in
 // UNREPLIED state will remain in the conntrack table
 // (e.g. '30s'). Must be greater than 0 to set.
diff --git a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
index 8a20b642a4f..9bfb1fdf42a 100644
--- a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
@@ -215,6 +215,7 @@ func autoConvert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyCon
 out.Min = (*int32)(unsafe.Pointer(in.Min))
 out.TCPEstablishedTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPEstablishedTimeout))
 out.TCPCloseWaitTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPCloseWaitTimeout))
+ out.TCPBeLiberal = in.TCPBeLiberal
 out.UDPTimeout = in.UDPTimeout
 out.UDPStreamTimeout = in.UDPStreamTimeout
 return nil
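Review bot: The new TCPBeLiberal field comment describes the kernel effect but not kube-proxy's own contract, unlike the sibling fields whose comments end with "Must be greater than 0 to set"; from setupConntrack in server_others.go, false does not write 0, so a node left in liberal mode stays liberal until something else changes the sysctl. I would add a fourth comment line, `// Setting it to false leaves the node's current nf_conntrack_tcp_be_liberal value unchanged.`, and put the same wording on the staging copy of this field in staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go so the regenerated openapi Description matches. The KubeProxyConntrackConfiguration struct starts before this hunk and continues after it.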
@@ -230,6 +231,7 @@ func autoConvert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyCon
 out.Min = (*int32)(unsafe.Pointer(in.Min))
 out.TCPEstablishedTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPEstablishedTimeout))
 out.TCPCloseWaitTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPCloseWaitTimeout))
+ out.TCPBeLiberal = in.TCPBeLiberal
 out.UDPTimeout = in.UDPTimeout
 out.UDPStreamTimeout = in.UDPStreamTimeout
 return nil
diff --git a/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go b/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
index 133689ed9da..690f2cc4736 100644
--- a/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
@@ -93,6 +93,10 @@ type KubeProxyConntrackConfiguration struct {
 // in CLOSE_WAIT state will remain in the conntrack
 // table. (e.g. '60s'). Must be greater than 0 to set.
 TCPCloseWaitTimeout *metav1.Duration `json:"tcpCloseWaitTimeout"`
+ // tcpBeLiberal, if true, kube-proxy will configure conntrack
+ // to run in liberal mode for TCP connections and packets with
+ // out-of-window sequence numbers won't be marked INVALID.
+ TCPBeLiberal bool `json:"tcpBeLiberal"`
 // udpTimeout is how long an idle UDP conntrack entry in
 // UNREPLIED state will remain in the conntrack table
 // (e.g. '30s'). Must be greater than 0 to set.