Merge pull request #120354 from aroradaman/proxy-conntrack-api

Add support for `nf_conntrack_tcp_be_liberal` sysctl to kube-proxy
2025-08-04 18:00:08 +00:00 · 2023-10-31 19:15:44 +01:00 · 2023-10-31 19:15:44 +01:00 · 5d03ce7ae4
commit 5d03ce7ae4
parent 2c300ef6b0 9ae77364e9
9 changed files with 34 additions and 1 deletions
--- a/cmd/kube-proxy/app/conntrack.go
+++ b/cmd/kube-proxy/app/conntrack.go
@ -39,6 +39,8 @@ type Conntracker interface {
 	SetTCPEstablishedTimeout(seconds int) error
 	// SetTCPCloseWaitTimeout adjusts nf_conntrack_tcp_timeout_close_wait.
 	SetTCPCloseWaitTimeout(seconds int) error
 	// SetTCPBeLiberal adjusts nf_conntrack_tcp_be_liberal.
 	SetTCPBeLiberal(value int) error
 	// SetUDPTimeout adjusts nf_conntrack_udp_timeout.
 	SetUDPTimeout(seconds int) error
 	// SetUDPStreamTimeout adjusts nf_conntrack_udp_timeout_stream.
@ -96,6 +98,10 @@ func (rct realConntracker) SetTCPCloseWaitTimeout(seconds int) error {
 	return rct.setIntSysCtl("nf_conntrack_tcp_timeout_close_wait", seconds)
 }
 func (rct realConntracker) SetTCPBeLiberal(value int) error {
 	return rct.setIntSysCtl("nf_conntrack_tcp_be_liberal", value)
 }
 func (rct realConntracker) SetUDPTimeout(seconds int) error {
 	return rct.setIntSysCtl("nf_conntrack_udp_timeout", seconds)
 }
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@ -209,6 +209,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 		&o.config.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait",
 		o.config.Conntrack.TCPCloseWaitTimeout.Duration,
 		"NAT timeout for TCP connections in the CLOSE_WAIT state")
 	fs.BoolVar(&o.config.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1")
 	fs.DurationVar(&o.config.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)")
 	fs.DurationVar(&o.config.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)")
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@ -333,6 +333,12 @@ func (s *ProxyServer) setupConntrack() error {
 		}
 	}
 	if s.Config.Conntrack.TCPBeLiberal {
 		if err := ct.SetTCPBeLiberal(1); err != nil {
 			return err
 		}
 	}
 	if s.Config.Conntrack.UDPTimeout.Duration > 0 {
 		timeout := int(s.Config.Conntrack.UDPTimeout.Duration / time.Second)
 		if err := ct.SetUDPTimeout(timeout); err != nil {
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@ -54358,6 +54358,14 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 							Ref:         ref("k8s.io/apimachinery/pkg/apis/meta/v1.Duration"),
 						},
 					},
 					"tcpBeLiberal": {
 						SchemaProps: spec.SchemaProps{
 							Description: "tcpBeLiberal, if true, kube-proxy will configure conntrack to run in liberal mode for TCP connections and packets with out-of-window sequence numbers won't be marked INVALID.",
 							Default:     false,
 							Type:        []string{"boolean"},
 							Format:      "",
 						},
 					},
 					"udpTimeout": {
 						SchemaProps: spec.SchemaProps{
 							Description: "udpTimeout is how long an idle UDP conntrack entry in UNREPLIED state will remain in the conntrack table (e.g. '30s'). Must be greater than 0 to set.",
@ -54371,7 +54379,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConntrackConfiguration(ref
 						},
 					},
 				},
-				Required: []string{"maxPerCore", "min", "tcpEstablishedTimeout", "tcpCloseWaitTimeout", "udpTimeout", "udpStreamTimeout"},
+				Required: []string{"maxPerCore", "min", "tcpEstablishedTimeout", "tcpCloseWaitTimeout", "tcpBeLiberal", "udpTimeout", "udpStreamTimeout"},
 			},
 		},
 		Dependencies: []string{
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
@ -12,6 +12,7 @@ configSyncPeriod: 15m0s
 conntrack:
  maxPerCore: 32768
  min: 131072
  tcpBeLiberal: false
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
  udpStreamTimeout: 0s
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
@ -12,6 +12,7 @@ configSyncPeriod: 15m0s
 conntrack:
  maxPerCore: 32768
  min: 131072
  tcpBeLiberal: false
  tcpCloseWaitTimeout: 1h0m0s
  tcpEstablishedTimeout: 24h0m0s
  udpStreamTimeout: 0s
--- a/pkg/proxy/apis/config/types.go
+++ b/pkg/proxy/apis/config/types.go
@ -97,6 +97,10 @@ type KubeProxyConntrackConfiguration struct {
 	// in CLOSE_WAIT state will remain in the conntrack
 	// table. (e.g. '60s'). Must be greater than 0 to set.
 	TCPCloseWaitTimeout *metav1.Duration
 	// tcpBeLiberal, if true, kube-proxy will configure conntrack
 	// to run in liberal mode for TCP connections and packets with
 	// out-of-window sequence numbers won't be marked INVALID.
 	TCPBeLiberal bool
 	// udpTimeout is how long an idle UDP conntrack entry in
 	// UNREPLIED state will remain in the conntrack table
 	// (e.g. '30s'). Must be greater than 0 to set.
--- a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
+++ b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go
@ -215,6 +215,7 @@ func autoConvert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyCon
 	out.Min = (*int32)(unsafe.Pointer(in.Min))
 	out.TCPEstablishedTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPEstablishedTimeout))
 	out.TCPCloseWaitTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPCloseWaitTimeout))
 	out.TCPBeLiberal = in.TCPBeLiberal
 	out.UDPTimeout = in.UDPTimeout
 	out.UDPStreamTimeout = in.UDPStreamTimeout
 	return nil
@ -230,6 +231,7 @@ func autoConvert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyCon
 	out.Min = (*int32)(unsafe.Pointer(in.Min))
 	out.TCPEstablishedTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPEstablishedTimeout))
 	out.TCPCloseWaitTimeout = (*v1.Duration)(unsafe.Pointer(in.TCPCloseWaitTimeout))
 	out.TCPBeLiberal = in.TCPBeLiberal
 	out.UDPTimeout = in.UDPTimeout
 	out.UDPStreamTimeout = in.UDPStreamTimeout
 	return nil
--- a/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
@ -93,6 +93,10 @@ type KubeProxyConntrackConfiguration struct {
 	// in CLOSE_WAIT state will remain in the conntrack
 	// table. (e.g. '60s'). Must be greater than 0 to set.
 	TCPCloseWaitTimeout *metav1.Duration `json:"tcpCloseWaitTimeout"`
 	// tcpBeLiberal, if true, kube-proxy will configure conntrack
 	// to run in liberal mode for TCP connections and packets with
 	// out-of-window sequence numbers won't be marked INVALID.
 	TCPBeLiberal bool `json:"tcpBeLiberal"`
 	// udpTimeout is how long an idle UDP conntrack entry in
 	// UNREPLIED state will remain in the conntrack table
 	// (e.g. '30s'). Must be greater than 0 to set.