github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #114181 from danwinship/minimize-iptables-ensure-rule

Browse Source 
Don't re-run EnsureChain/EnsureRules on partial syncs
This commit is contained in:
Kubernetes Prow Robot 2022-12-10 07:53:59 -08:00 committed by GitHub
commit 7f1b8a33a8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
pkg/proxy/iptables/proxier.go
View File

@ -863,19 +863,31 @@ func (proxier *Proxier) syncProxyRules() {
} }
}() }()
// Create and link the kube chains. if !tryPartialSync {
for _, jump := range iptablesJumpChains { // Ensure that our jump rules (eg from PREROUTING to KUBE-SERVICES) exist.
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil { // We can't do this as part of the iptables-restore because we don't want
klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain) // to specify/replace *all* of the rules in PREROUTING, etc.
return //
} // We need to create these rules when kube-proxy first starts, and we need
args := append(jump.extraArgs, // to recreate them if the utiliptables Monitor detects that iptables has
"-m", "comment", "--comment", jump.comment, // been flushed. In both of those cases, the code will force a full sync.
"-j", string(jump.dstChain), // In all other cases, it ought to be safe to assume that the rules
) // already exist, so we'll skip this step when doing a partial sync, to
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil { // save us from having to invoke /sbin/iptables 20 times on each sync
klog.ErrorS(err, "Failed to ensure chain jumps", "table", jump.table, "srcChain", jump.srcChain, "dstChain", jump.dstChain) // (which will be very slow on hosts with lots of iptables rules).
return for _, jump := range iptablesJumpChains {
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain)
return
}
args := append(jump.extraArgs,
"-m", "comment", "--comment", jump.comment,
"-j", string(jump.dstChain),
)
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil {
klog.ErrorS(err, "Failed to ensure chain jumps", "table", jump.table, "srcChain", jump.srcChain, "dstChain", jump.dstChain)
return
}
} }
} }