From 6c10c97c3c9ac64f761835e0d1e81c390ee25d8b Mon Sep 17 00:00:00 2001 From: Daman Arora Date: Tue, 16 Jul 2024 17:43:29 +0530 Subject: [PATCH] kube-proxy: internal config: add Linux section Introduce Linux section for internal configuration of kube-proxy adhering to the v1alpha2 version specifications as detailed in https://kep.k8s.io/784. Signed-off-by: Daman Arora --- cmd/kube-proxy/app/options.go | 21 +- cmd/kube-proxy/app/options_test.go | 17 +- cmd/kube-proxy/app/server.go | 4 +- cmd/kube-proxy/app/server_linux.go | 32 +-- pkg/proxy/apis/config/fuzzer/fuzzer.go | 10 +- pkg/proxy/apis/config/types.go | 28 +-- pkg/proxy/apis/config/v1alpha1/conversion.go | 26 +++ .../v1alpha1/zz_generated.conversion.go | 47 ++-- .../apis/config/validation/validation.go | 18 +- .../apis/config/validation/validation_test.go | 202 +++++++++++------- .../apis/config/zz_generated.deepcopy.go | 29 ++- pkg/proxy/kubemark/hollow_proxy.go | 4 +- 12 files changed, 263 insertions(+), 175 deletions(-) diff --git a/cmd/kube-proxy/app/options.go b/cmd/kube-proxy/app/options.go index 21dd45c4b5c..5018a67727d 100644 --- a/cmd/kube-proxy/app/options.go +++ b/cmd/kube-proxy/app/options.go @@ -118,7 +118,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { "This parameter is ignored if a config file is specified by --config.") fs.Int32Var(o.config.IPTables.MasqueradeBit, "iptables-masquerade-bit", ptr.Deref(o.config.IPTables.MasqueradeBit, 14), "If using the iptables or ipvs proxy mode, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31].") - fs.BoolVar(&o.config.IPTables.MasqueradeAll, "masquerade-all", o.config.IPTables.MasqueradeAll, "If using the iptables or ipvs proxy mode, SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins.") + fs.BoolVar(&o.config.Linux.MasqueradeAll, "masquerade-all", o.config.Linux.MasqueradeAll, "SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins. Only supported on Linux.") fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", ptr.Deref(o.config.IPTables.LocalhostNodePorts, true), "If false, kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost. (Applies only to iptables mode and IPv4; localhost NodePorts are never allowed with other proxy modes or with IPv6.)") fs.DurationVar(&o.config.IPTables.SyncPeriod.Duration, "iptables-sync-period", o.config.IPTables.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.") fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.") @@ -141,21 +141,20 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses, "A list of CIDR ranges that contain valid node IPs, or alternatively, the single string 'primary'. If set to a list of CIDRs, connections to NodePort services will only be accepted on node IPs in one of the indicated ranges. If set to 'primary', NodePort services will only be accepted on the node's primary IP(s) according to the Node object. If unset, NodePort connections will be accepted on all local IPs. This parameter is ignored if a config file is specified by --config.") - fs.Int32Var(o.config.OOMScoreAdj, "oom-score-adj", ptr.Deref(o.config.OOMScoreAdj, int32(qos.KubeProxyOOMScoreAdj)), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]. This parameter is ignored if a config file is specified by --config.") - fs.Int32Var(o.config.Conntrack.MaxPerCore, "conntrack-max-per-core", *o.config.Conntrack.MaxPerCore, + fs.Int32Var(o.config.Linux.OOMScoreAdj, "oom-score-adj", ptr.Deref(o.config.Linux.OOMScoreAdj, int32(qos.KubeProxyOOMScoreAdj)), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]. This parameter is ignored if a config file is specified by --config.") + fs.Int32Var(o.config.Linux.Conntrack.MaxPerCore, "conntrack-max-per-core", *o.config.Linux.Conntrack.MaxPerCore, "Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min).") - fs.Int32Var(o.config.Conntrack.Min, "conntrack-min", *o.config.Conntrack.Min, + fs.Int32Var(o.config.Linux.Conntrack.Min, "conntrack-min", *o.config.Linux.Conntrack.Min, "Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is).") - fs.DurationVar(&o.config.Conntrack.TCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", o.config.Conntrack.TCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)") + fs.DurationVar(&o.config.Linux.Conntrack.TCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", o.config.Linux.Conntrack.TCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)") fs.DurationVar( - &o.config.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait", - o.config.Conntrack.TCPCloseWaitTimeout.Duration, + &o.config.Linux.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait", + o.config.Linux.Conntrack.TCPCloseWaitTimeout.Duration, "NAT timeout for TCP connections in the CLOSE_WAIT state") - fs.BoolVar(&o.config.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1") - fs.DurationVar(&o.config.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)") - fs.DurationVar(&o.config.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)") - + fs.BoolVar(&o.config.Linux.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Linux.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1") + fs.DurationVar(&o.config.Linux.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Linux.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)") + fs.DurationVar(&o.config.Linux.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Linux.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)") fs.DurationVar(&o.config.ConfigSyncPeriod.Duration, "config-sync-period", o.config.ConfigSyncPeriod.Duration, "How often configuration from the apiserver is refreshed. Must be greater than 0.") fs.Int32Var(&o.healthzPort, "healthz-port", o.healthzPort, "The port to bind the health check server. Use 0 to disable.") diff --git a/cmd/kube-proxy/app/options_test.go b/cmd/kube-proxy/app/options_test.go index 0ea8b28b41e..e8d716c5b65 100644 --- a/cmd/kube-proxy/app/options_test.go +++ b/cmd/kube-proxy/app/options_test.go @@ -196,17 +196,20 @@ nodePortAddresses: }, ClusterCIDR: tc.clusterCIDR, ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second}, - Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](2), - Min: ptr.To[int32](1), - TCPCloseWaitTimeout: &metav1.Duration{Duration: 10 * time.Second}, - TCPEstablishedTimeout: &metav1.Duration{Duration: 20 * time.Second}, + Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](2), + Min: ptr.To[int32](1), + TCPCloseWaitTimeout: &metav1.Duration{Duration: 10 * time.Second}, + TCPEstablishedTimeout: &metav1.Duration{Duration: 20 * time.Second}, + }, + MasqueradeAll: true, + OOMScoreAdj: ptr.To[int32](17), }, FeatureGates: map[string]bool{}, HealthzBindAddress: tc.healthzBindAddress, HostnameOverride: "foo", IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{ - MasqueradeAll: true, MasqueradeBit: ptr.To[int32](17), LocalhostNodePorts: ptr.To(true), MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second}, @@ -218,14 +221,12 @@ nodePortAddresses: ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"}, }, NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{ - MasqueradeAll: true, MasqueradeBit: ptr.To[int32](18), MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second}, SyncPeriod: metav1.Duration{Duration: 60 * time.Second}, }, MetricsBindAddress: tc.metricsBindAddress, Mode: kubeproxyconfig.ProxyMode(tc.mode), - OOMScoreAdj: ptr.To[int32](17), PortRange: "2-7", NodePortAddresses: []string{"10.20.30.40/16", "fd00:1::0/64"}, DetectLocalMode: kubeproxyconfig.LocalModeClusterCIDR, diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go index b09f83e2931..c0dc1bd0a90 100644 --- a/cmd/kube-proxy/app/server.go +++ b/cmd/kube-proxy/app/server.go @@ -493,9 +493,9 @@ func (s *ProxyServer) Run(ctx context.Context) error { // TODO(vmarmol): Use container config for this. var oomAdjuster *oom.OOMAdjuster - if s.Config.OOMScoreAdj != nil { + if s.Config.Linux.OOMScoreAdj != nil { oomAdjuster = oom.NewOOMAdjuster() - if err := oomAdjuster.ApplyOOMScoreAdj(0, int(*s.Config.OOMScoreAdj)); err != nil { + if err := oomAdjuster.ApplyOOMScoreAdj(0, int(*s.Config.Linux.OOMScoreAdj)); err != nil { logger.V(2).Info("Failed to apply OOMScore", "err", err) } } diff --git a/cmd/kube-proxy/app/server_linux.go b/cmd/kube-proxy/app/server_linux.go index d052d2bb790..9e3121b09ba 100644 --- a/cmd/kube-proxy/app/server_linux.go +++ b/cmd/kube-proxy/app/server_linux.go @@ -180,7 +180,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. exec.New(), config.IPTables.SyncPeriod.Duration, config.IPTables.MinSyncPeriod.Duration, - config.IPTables.MasqueradeAll, + config.Linux.MasqueradeAll, *config.IPTables.LocalhostNodePorts, int(*config.IPTables.MasqueradeBit), localDetectors, @@ -204,7 +204,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. exec.New(), config.IPTables.SyncPeriod.Duration, config.IPTables.MinSyncPeriod.Duration, - config.IPTables.MasqueradeAll, + config.Linux.MasqueradeAll, *config.IPTables.LocalhostNodePorts, int(*config.IPTables.MasqueradeBit), localDetectors[s.PrimaryIPFamily], @@ -245,7 +245,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. config.IPVS.TCPTimeout.Duration, config.IPVS.TCPFinTimeout.Duration, config.IPVS.UDPTimeout.Duration, - config.IPTables.MasqueradeAll, + config.Linux.MasqueradeAll, int(*config.IPTables.MasqueradeBit), localDetectors, s.Hostname, @@ -273,7 +273,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. config.IPVS.TCPTimeout.Duration, config.IPVS.TCPFinTimeout.Duration, config.IPVS.UDPTimeout.Duration, - config.IPTables.MasqueradeAll, + config.Linux.MasqueradeAll, int(*config.IPTables.MasqueradeBit), localDetectors[s.PrimaryIPFamily], s.Hostname, @@ -297,7 +297,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. ctx, config.NFTables.SyncPeriod.Duration, config.NFTables.MinSyncPeriod.Duration, - config.NFTables.MasqueradeAll, + config.Linux.MasqueradeAll, int(*config.NFTables.MasqueradeBit), localDetectors, s.Hostname, @@ -315,7 +315,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. s.PrimaryIPFamily, config.NFTables.SyncPeriod.Duration, config.NFTables.MinSyncPeriod.Duration, - config.NFTables.MasqueradeAll, + config.Linux.MasqueradeAll, int(*config.NFTables.MasqueradeBit), localDetectors[s.PrimaryIPFamily], s.Hostname, @@ -338,7 +338,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi. func (s *ProxyServer) setupConntrack(ctx context.Context) error { ct := &realConntracker{} - max, err := getConntrackMax(ctx, s.Config.Conntrack) + max, err := getConntrackMax(ctx, s.Config.Linux.Conntrack) if err != nil { return err } @@ -361,35 +361,35 @@ func (s *ProxyServer) setupConntrack(ctx context.Context) error { } } - if s.Config.Conntrack.TCPEstablishedTimeout != nil && s.Config.Conntrack.TCPEstablishedTimeout.Duration > 0 { - timeout := int(s.Config.Conntrack.TCPEstablishedTimeout.Duration / time.Second) + if s.Config.Linux.Conntrack.TCPEstablishedTimeout != nil && s.Config.Linux.Conntrack.TCPEstablishedTimeout.Duration > 0 { + timeout := int(s.Config.Linux.Conntrack.TCPEstablishedTimeout.Duration / time.Second) if err := ct.SetTCPEstablishedTimeout(ctx, timeout); err != nil { return err } } - if s.Config.Conntrack.TCPCloseWaitTimeout != nil && s.Config.Conntrack.TCPCloseWaitTimeout.Duration > 0 { - timeout := int(s.Config.Conntrack.TCPCloseWaitTimeout.Duration / time.Second) + if s.Config.Linux.Conntrack.TCPCloseWaitTimeout != nil && s.Config.Linux.Conntrack.TCPCloseWaitTimeout.Duration > 0 { + timeout := int(s.Config.Linux.Conntrack.TCPCloseWaitTimeout.Duration / time.Second) if err := ct.SetTCPCloseWaitTimeout(ctx, timeout); err != nil { return err } } - if s.Config.Conntrack.TCPBeLiberal { + if s.Config.Linux.Conntrack.TCPBeLiberal { if err := ct.SetTCPBeLiberal(ctx, 1); err != nil { return err } } - if s.Config.Conntrack.UDPTimeout.Duration > 0 { - timeout := int(s.Config.Conntrack.UDPTimeout.Duration / time.Second) + if s.Config.Linux.Conntrack.UDPTimeout.Duration > 0 { + timeout := int(s.Config.Linux.Conntrack.UDPTimeout.Duration / time.Second) if err := ct.SetUDPTimeout(ctx, timeout); err != nil { return err } } - if s.Config.Conntrack.UDPStreamTimeout.Duration > 0 { - timeout := int(s.Config.Conntrack.UDPStreamTimeout.Duration / time.Second) + if s.Config.Linux.Conntrack.UDPStreamTimeout.Duration > 0 { + timeout := int(s.Config.Linux.Conntrack.UDPStreamTimeout.Duration / time.Second) if err := ct.SetUDPStreamTimeout(ctx, timeout); err != nil { return err } diff --git a/pkg/proxy/apis/config/fuzzer/fuzzer.go b/pkg/proxy/apis/config/fuzzer/fuzzer.go index 161ab5021aa..abadf34ee6e 100644 --- a/pkg/proxy/apis/config/fuzzer/fuzzer.go +++ b/pkg/proxy/apis/config/fuzzer/fuzzer.go @@ -35,17 +35,17 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { c.FuzzNoCustom(obj) obj.BindAddress = fmt.Sprintf("%d.%d.%d.%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256)) obj.ClientConnection.ContentType = c.RandString() - obj.Conntrack.MaxPerCore = ptr.To(c.Int31()) - obj.Conntrack.Min = ptr.To(c.Int31()) - obj.Conntrack.TCPCloseWaitTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} - obj.Conntrack.TCPEstablishedTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} + obj.Linux.Conntrack.MaxPerCore = ptr.To(c.Int31()) + obj.Linux.Conntrack.Min = ptr.To(c.Int31()) + obj.Linux.Conntrack.TCPCloseWaitTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} + obj.Linux.Conntrack.TCPEstablishedTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} obj.FeatureGates = map[string]bool{c.RandString(): true} obj.HealthzBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536)) obj.IPTables.MasqueradeBit = ptr.To(c.Int31()) obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool()) obj.NFTables.MasqueradeBit = ptr.To(c.Int31()) obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536)) - obj.OOMScoreAdj = ptr.To(c.Int31()) + obj.Linux.OOMScoreAdj = ptr.To(c.Int31()) obj.ClientConnection.ContentType = "bar" obj.NodePortAddresses = []string{"1.2.3.0/24"} if obj.Logging.Format == "" { diff --git a/pkg/proxy/apis/config/types.go b/pkg/proxy/apis/config/types.go index 1f6a62de694..5f1c415b89f 100644 --- a/pkg/proxy/apis/config/types.go +++ b/pkg/proxy/apis/config/types.go @@ -22,6 +22,19 @@ import ( logsapi "k8s.io/component-base/logs/api/v1" ) +// KubeProxyLinuxConfiguration contains Linux platform related configuration details for the +// Kubernetes proxy server that aren't specific to a particular backend. +type KubeProxyLinuxConfiguration struct { + // conntrack contains conntrack-related configuration options. + Conntrack KubeProxyConntrackConfiguration + // masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs. This may + // be required with some CNI plugins. + MasqueradeAll bool + // oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within + // the range [-1000, 1000] + OOMScoreAdj *int32 +} + // KubeProxyWindowsConfiguration contains Windows platform related configuration details for the // Kubernetes proxy server that aren't specific to a particular backend type KubeProxyWindowsConfiguration struct { @@ -35,10 +48,6 @@ type KubeProxyIPTablesConfiguration struct { // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using // the iptables or ipvs proxy mode. Values must be within the range [0, 31]. MasqueradeBit *int32 - // masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs, - // when using the iptables or ipvs proxy mode. This may be required with some CNI - // plugins. - MasqueradeAll bool // localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior // of allowing NodePort services to be accessed via localhost. (Applies only to // iptables mode and IPv4; localhost NodePorts are never allowed with other proxy @@ -90,9 +99,6 @@ type KubeProxyNFTablesConfiguration struct { // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using // the nftables proxy mode. Values must be within the range [0, 31]. MasqueradeBit *int32 - // masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs, - // when using the nftables mode. This may be required with some CNI plugins. - MasqueradeAll bool // syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently // various re-synchronizing and cleanup operations are performed. Must be greater // than 0. @@ -172,6 +178,9 @@ type DetectLocalConfiguration struct { type KubeProxyConfiguration struct { metav1.TypeMeta + // linux contains Linux-related configuration options. + Linux KubeProxyLinuxConfiguration + // windows contains Windows-related configuration options. Windows KubeProxyWindowsConfiguration @@ -242,11 +251,6 @@ type KubeProxyConfiguration struct { // object. If unset, NodePort connections will be accepted on all local IPs. NodePortAddresses []string - // oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within - // the range [-1000, 1000] - OOMScoreAdj *int32 - // conntrack contains conntrack-related configuration options. - Conntrack KubeProxyConntrackConfiguration // configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater // than 0. ConfigSyncPeriod metav1.Duration diff --git a/pkg/proxy/apis/config/v1alpha1/conversion.go b/pkg/proxy/apis/config/v1alpha1/conversion.go index 071cb5db452..1d8f197c06d 100644 --- a/pkg/proxy/apis/config/v1alpha1/conversion.go +++ b/pkg/proxy/apis/config/v1alpha1/conversion.go @@ -28,6 +28,14 @@ func Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in return err } out.WindowsRunAsService = in.Windows.RunAsService + out.Conntrack = v1alpha1.KubeProxyConntrackConfiguration(in.Linux.Conntrack) + out.OOMScoreAdj = in.Linux.OOMScoreAdj + switch in.Mode { + case config.ProxyModeNFTables: + out.NFTables.MasqueradeAll = in.Linux.MasqueradeAll + default: + out.IPTables.MasqueradeAll = in.Linux.MasqueradeAll + } return nil } @@ -37,5 +45,23 @@ func Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in return err } out.Windows.RunAsService = in.WindowsRunAsService + out.Linux.Conntrack = config.KubeProxyConntrackConfiguration(in.Conntrack) + out.Linux.OOMScoreAdj = in.OOMScoreAdj + switch config.ProxyMode(in.Mode) { + case config.ProxyModeNFTables: + out.Linux.MasqueradeAll = in.NFTables.MasqueradeAll + default: + out.Linux.MasqueradeAll = in.IPTables.MasqueradeAll + } return nil } + +// Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration is defined here, because public conversion is not auto-generated due to existing warnings. +func Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, scope conversion.Scope) error { + return autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in, out, scope) +} + +// Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration is defined here, because public conversion is not auto-generated due to existing warnings. +func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, scope conversion.Scope) error { + return autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in, out, scope) +} diff --git a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go index c3a6d6b9dce..e2624e13de6 100644 --- a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go +++ b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go @@ -59,11 +59,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyIPTablesConfiguration)(nil), (*config.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(a.(*v1alpha1.KubeProxyIPTablesConfiguration), b.(*config.KubeProxyIPTablesConfiguration), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*config.KubeProxyIPTablesConfiguration)(nil), (*v1alpha1.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(a.(*config.KubeProxyIPTablesConfiguration), b.(*v1alpha1.KubeProxyIPTablesConfiguration), scope) }); err != nil { @@ -79,11 +74,6 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } - if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyNFTablesConfiguration)(nil), (*config.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { - return Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(a.(*v1alpha1.KubeProxyNFTablesConfiguration), b.(*config.KubeProxyNFTablesConfiguration), scope) - }); err != nil { - return err - } if err := s.AddGeneratedConversionFunc((*config.KubeProxyNFTablesConfiguration)(nil), (*v1alpha1.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { return Convert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(a.(*config.KubeProxyNFTablesConfiguration), b.(*v1alpha1.KubeProxyNFTablesConfiguration), scope) }); err != nil { @@ -109,6 +99,16 @@ func RegisterConversions(s *runtime.Scheme) error { }); err != nil { return err } + if err := s.AddConversionFunc((*v1alpha1.KubeProxyIPTablesConfiguration)(nil), (*config.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(a.(*v1alpha1.KubeProxyIPTablesConfiguration), b.(*config.KubeProxyIPTablesConfiguration), scope) + }); err != nil { + return err + } + if err := s.AddConversionFunc((*v1alpha1.KubeProxyNFTablesConfiguration)(nil), (*config.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(a.(*v1alpha1.KubeProxyNFTablesConfiguration), b.(*config.KubeProxyNFTablesConfiguration), scope) + }); err != nil { + return err + } return nil } @@ -166,10 +166,8 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguratio } out.ClusterCIDR = in.ClusterCIDR out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses)) - out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj)) - if err := Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil { - return err - } + // WARNING: in.OOMScoreAdj requires manual conversion: does not exist in peer-type + // WARNING: in.Conntrack requires manual conversion: does not exist in peer-type out.ConfigSyncPeriod = in.ConfigSyncPeriod out.PortRange = in.PortRange // WARNING: in.WindowsRunAsService requires manual conversion: does not exist in peer-type @@ -177,6 +175,7 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguratio } func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, s conversion.Scope) error { + // WARNING: in.Linux requires manual conversion: does not exist in peer-type // WARNING: in.Windows requires manual conversion: does not exist in peer-type out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) if err := componentbaseconfigv1alpha1.Convert_config_ClientConnectionConfiguration_To_v1alpha1_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil { @@ -209,10 +208,6 @@ func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguratio } out.ClusterCIDR = in.ClusterCIDR out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses)) - out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj)) - if err := Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil { - return err - } out.ConfigSyncPeriod = in.ConfigSyncPeriod out.PortRange = in.PortRange return nil @@ -252,21 +247,15 @@ func Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntra func autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) - out.MasqueradeAll = in.MasqueradeAll + // WARNING: in.MasqueradeAll requires manual conversion: does not exist in peer-type out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return nil } -// Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration is an autogenerated conversion function. -func Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error { - return autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in, out, s) -} - func autoConvert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(in *config.KubeProxyIPTablesConfiguration, out *v1alpha1.KubeProxyIPTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) - out.MasqueradeAll = in.MasqueradeAll out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod @@ -314,20 +303,14 @@ func Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfigur func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) - out.MasqueradeAll = in.MasqueradeAll + // WARNING: in.MasqueradeAll requires manual conversion: does not exist in peer-type out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return nil } -// Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration is an autogenerated conversion function. -func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error { - return autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in, out, s) -} - func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) - out.MasqueradeAll = in.MasqueradeAll out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return nil diff --git a/pkg/proxy/apis/config/validation/validation.go b/pkg/proxy/apis/config/validation/validation.go index fb596aa779c..3325db88713 100644 --- a/pkg/proxy/apis/config/validation/validation.go +++ b/pkg/proxy/apis/config/validation/validation.go @@ -54,14 +54,10 @@ func Validate(config *kubeproxyconfig.KubeProxyConfiguration) field.ErrorList { case kubeproxyconfig.ProxyModeNFTables: allErrs = append(allErrs, validateKubeProxyNFTablesConfiguration(config.NFTables, newPath.Child("KubeProxyNFTablesConfiguration"))...) } - allErrs = append(allErrs, validateKubeProxyConntrackConfiguration(config.Conntrack, newPath.Child("KubeProxyConntrackConfiguration"))...) + allErrs = append(allErrs, validateKubeProxyLinuxConfiguration(config.Linux, newPath.Child("KubeProxyLinuxConfiguration"))...) allErrs = append(allErrs, validateProxyMode(config.Mode, newPath.Child("Mode"))...) allErrs = append(allErrs, validateClientConnectionConfiguration(config.ClientConnection, newPath.Child("ClientConnection"))...) - if config.OOMScoreAdj != nil && (*config.OOMScoreAdj < -1000 || *config.OOMScoreAdj > 1000) { - allErrs = append(allErrs, field.Invalid(newPath.Child("OOMScoreAdj"), *config.OOMScoreAdj, "must be within the range [-1000, 1000]")) - } - if config.ConfigSyncPeriod.Duration <= 0 { allErrs = append(allErrs, field.Invalid(newPath.Child("ConfigSyncPeriod"), config.ConfigSyncPeriod, "must be greater than 0")) } @@ -178,6 +174,18 @@ func validateKubeProxyNFTablesConfiguration(config kubeproxyconfig.KubeProxyNFTa return allErrs } +func validateKubeProxyLinuxConfiguration(config kubeproxyconfig.KubeProxyLinuxConfiguration, fldPath *field.Path) field.ErrorList { + allErrs := field.ErrorList{} + + allErrs = append(allErrs, validateKubeProxyConntrackConfiguration(config.Conntrack, fldPath.Child("KubeProxyConntrackConfiguration"))...) + + if config.OOMScoreAdj != nil && (*config.OOMScoreAdj < -1000 || *config.OOMScoreAdj > 1000) { + allErrs = append(allErrs, field.Invalid(fldPath.Child("OOMScoreAdj"), *config.OOMScoreAdj, "must be within the range [-1000, 1000]")) + } + + return allErrs +} + func validateKubeProxyConntrackConfiguration(config kubeproxyconfig.KubeProxyConntrackConfiguration, fldPath *field.Path) field.ErrorList { allErrs := field.ErrorList{} diff --git a/pkg/proxy/apis/config/validation/validation_test.go b/pkg/proxy/apis/config/validation/validation_test.go index 30cda3e1dd9..2f55f76c15a 100644 --- a/pkg/proxy/apis/config/validation/validation_test.go +++ b/pkg/proxy/apis/config/validation/validation_test.go @@ -39,15 +39,17 @@ func TestValidateKubeProxyConfiguration(t *testing.T) { ClusterCIDR: "192.168.59.0/24", ConfigSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{ - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, }, - Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + }, + MasqueradeAll: true, }, Logging: logsapi.LoggingConfiguration{ Format: "text", @@ -216,7 +218,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { }{ "valid iptables config": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, }, @@ -225,7 +226,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { "valid custom MasqueradeBit": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ MasqueradeBit: ptr.To[int32](5), - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, }, @@ -233,7 +233,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { }, "SyncPeriod must be > 0": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: -5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, }, @@ -243,7 +242,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { "MinSyncPeriod must be > 0": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ MasqueradeBit: ptr.To[int32](5), - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: -1 * time.Second}, }, @@ -252,7 +250,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { "MasqueradeBit cannot be < 0": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ MasqueradeBit: ptr.To[int32](-10), - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, }, @@ -261,7 +258,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) { "SyncPeriod must be >= MinSyncPeriod": { config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ MasqueradeBit: ptr.To[int32](5), - MasqueradeAll: true, SyncPeriod: metav1.Duration{Duration: 1 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 5 * time.Second}, }, @@ -369,103 +365,155 @@ func TestValidateKubeProxyIPVSConfiguration(t *testing.T) { } } -func TestValidateKubeProxyConntrackConfiguration(t *testing.T) { +func TestValidateKubeProxyLinuxConfiguration(t *testing.T) { newPath := field.NewPath("KubeProxyConfiguration") for name, testCase := range map[string]struct { - config kubeproxyconfig.KubeProxyConntrackConfiguration + config kubeproxyconfig.KubeProxyLinuxConfiguration expectedErrs field.ErrorList }{ "valid 5 second timeouts": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, expectedErrs: field.ErrorList{}, }, "valid duration equal to 0 second timeout": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 0 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 0 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 0 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 0 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 0 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 0 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 0 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 0 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, expectedErrs: field.ErrorList{}, }, "invalid MaxPerCore < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](-1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](-1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.MaxPerCore"), ptr.To[int32](-1), "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.MaxPerCore"), ptr.To[int32](-1), "must be greater than or equal to 0")}, }, "invalid minimum < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](-1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](-1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.Min"), ptr.To[int32](-1), "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.Min"), ptr.To[int32](-1), "must be greater than or equal to 0")}, }, "invalid TCPEstablishedTimeout < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: -5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: -5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.TCPEstablishedTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.TCPEstablishedTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, }, "invalid TCPCloseWaitTimeout < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: -5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: -5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](0), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.TCPCloseWaitTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.TCPCloseWaitTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, }, "invalid UDPTimeout < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: -5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: -5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](999), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.UDPTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.UDPTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, }, "invalid UDPStreamTimeout < 0": { - config: kubeproxyconfig.KubeProxyConntrackConfiguration{ - MaxPerCore: ptr.To[int32](1), - Min: ptr.To[int32](1), - TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, - TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, - UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, - UDPStreamTimeout: metav1.Duration{Duration: -5 * time.Second}, + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: -5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](-999), }, - expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.UDPStreamTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.UDPStreamTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, + }, + "invalid OOMScoreAdj < -1000": { + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](-1001), + }, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.OOMScoreAdj"), int32(-1001), "must be within the range [-1000, 1000]")}, + }, + "invalid OOMScoreAdj > 1000": { + config: kubeproxyconfig.KubeProxyLinuxConfiguration{ + Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ + MaxPerCore: ptr.To[int32](1), + Min: ptr.To[int32](1), + TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, + TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, + UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, + UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, + }, + OOMScoreAdj: ptr.To[int32](1001), + }, + expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.OOMScoreAdj"), int32(1001), "must be within the range [-1000, 1000]")}, }, } { t.Run(name, func(t *testing.T) { - errs := validateKubeProxyConntrackConfiguration(testCase.config, newPath.Child("KubeConntrackConfiguration")) + errs := validateKubeProxyLinuxConfiguration(testCase.config, newPath.Child("KubeProxyLinuxConfiguration")) assert.Equal(t, testCase.expectedErrs, errs, "did not get expected validation errors") }) } diff --git a/pkg/proxy/apis/config/zz_generated.deepcopy.go b/pkg/proxy/apis/config/zz_generated.deepcopy.go index 671eba121e8..57c07f696dd 100644 --- a/pkg/proxy/apis/config/zz_generated.deepcopy.go +++ b/pkg/proxy/apis/config/zz_generated.deepcopy.go @@ -46,6 +46,7 @@ func (in *DetectLocalConfiguration) DeepCopy() *DetectLocalConfiguration { func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) { *out = *in out.TypeMeta = in.TypeMeta + in.Linux.DeepCopyInto(&out.Linux) out.Windows = in.Windows if in.FeatureGates != nil { in, out := &in.FeatureGates, &out.FeatureGates @@ -66,12 +67,6 @@ func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) { *out = make([]string, len(*in)) copy(*out, *in) } - if in.OOMScoreAdj != nil { - in, out := &in.OOMScoreAdj, &out.OOMScoreAdj - *out = new(int32) - **out = **in - } - in.Conntrack.DeepCopyInto(&out.Conntrack) out.ConfigSyncPeriod = in.ConfigSyncPeriod return } @@ -186,6 +181,28 @@ func (in *KubeProxyIPVSConfiguration) DeepCopy() *KubeProxyIPVSConfiguration { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeProxyLinuxConfiguration) DeepCopyInto(out *KubeProxyLinuxConfiguration) { + *out = *in + in.Conntrack.DeepCopyInto(&out.Conntrack) + if in.OOMScoreAdj != nil { + in, out := &in.OOMScoreAdj, &out.OOMScoreAdj + *out = new(int32) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeProxyLinuxConfiguration. +func (in *KubeProxyLinuxConfiguration) DeepCopy() *KubeProxyLinuxConfiguration { + if in == nil { + return nil + } + out := new(KubeProxyLinuxConfiguration) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesConfiguration) { *out = *in diff --git a/pkg/proxy/kubemark/hollow_proxy.go b/pkg/proxy/kubemark/hollow_proxy.go index 135e065d227..36bdcf6f6c4 100644 --- a/pkg/proxy/kubemark/hollow_proxy.go +++ b/pkg/proxy/kubemark/hollow_proxy.go @@ -68,7 +68,9 @@ func NewHollowProxy( Config: &proxyconfigapi.KubeProxyConfiguration{ Mode: proxyconfigapi.ProxyMode("fake"), ConfigSyncPeriod: metav1.Duration{Duration: 30 * time.Second}, - OOMScoreAdj: ptr.To[int32](0), + Linux: proxyconfigapi.KubeProxyLinuxConfiguration{ + OOMScoreAdj: ptr.To[int32](0), + }, }, Client: client,