mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-22 03:11:40 +00:00
Merge pull request #36332 from MrHohn/kube-proxy-ratelimit-fix
Automatic merge from submit-queue Default kube-proxy to the old behavior for proxier sync. Fix #36281. This PR defaults `minSyncPeriod` to 0 and makes kube-proxy fall back to the old behavior to fix the immediate problem #36266. @bprashanth
This commit is contained in:
Kubernetes Submit Queue
GitHub
commit
82c488bd6e
@ -78,7 +78,7 @@ func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.Var(&s.Mode, "proxy-mode", "Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the '"+ExperimentalProxyModeAnnotation+"' annotation if provided. Otherwise use the best-available proxy (currently iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.")
|
||||
fs.Int32Var(s.IPTablesMasqueradeBit, "iptables-masquerade-bit", util.Int32PtrDerefOr(s.IPTablesMasqueradeBit, 14), "If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31].")
|
||||
fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
|
||||
fs.DurationVar(&s.IPTablesMinSyncPeriod.Duration, "iptables-min-sync-period", s.IPTablesMinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
|
||||
fs.DurationVar(&s.IPTablesMinSyncPeriod.Duration, "iptables-min-sync-period", s.IPTablesMinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').")
|
||||
fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed. Must be greater than 0.")
|
||||
fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything")
|
||||
fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.")
|
||||
|
||||
@ -45,7 +45,7 @@ type KubeProxyConfiguration struct {
|
||||
// '2h22m'). Must be greater than 0.
|
||||
IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
|
||||
// iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
|
||||
// '2h22m'). Must be greater than 0.
|
||||
// '2h22m').
|
||||
IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
|
||||
// kubeconfigPath is the path to the kubeconfig file with authorization information (the
|
||||
// master location is set by the master flag).
|
||||
|
||||
@ -80,9 +80,6 @@ func SetDefaults_KubeProxyConfiguration(obj *KubeProxyConfiguration) {
|
||||
if obj.IPTablesSyncPeriod.Duration == 0 {
|
||||
obj.IPTablesSyncPeriod = unversioned.Duration{Duration: 30 * time.Second}
|
||||
}
|
||||
if obj.IPTablesMinSyncPeriod.Duration == 0 {
|
||||
obj.IPTablesMinSyncPeriod = unversioned.Duration{Duration: 2 * time.Second}
|
||||
}
|
||||
zero := unversioned.Duration{}
|
||||
if obj.UDPIdleTimeout == zero {
|
||||
obj.UDPIdleTimeout = unversioned.Duration{Duration: 250 * time.Millisecond}
|
||||
|
||||
@ -42,7 +42,7 @@ type KubeProxyConfiguration struct {
|
||||
// '2h22m'). Must be greater than 0.
|
||||
IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
|
||||
// iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
|
||||
// '2h22m'). Must be greater than 0.
|
||||
// '2h22m').
|
||||
IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
|
||||
// kubeconfigPath is the path to the kubeconfig file with authorization information (the
|
||||
// master location is set by the master flag).
|
||||
|
||||
@ -1920,7 +1920,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
|
||||
},
|
||||
"iptablesMinSyncPeriodSeconds": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.",
|
||||
Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').",
|
||||
Ref: spec.MustCreateRef("#/definitions/unversioned.Duration"),
|
||||
},
|
||||
},
|
||||
@ -13674,7 +13674,7 @@ var OpenAPIDefinitions *common.OpenAPIDefinitions = &common.OpenAPIDefinitions{
|
||||
},
|
||||
"iptablesMinSyncPeriodSeconds": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.",
|
||||
Description: "iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', '2h22m').",
|
||||
Ref: spec.MustCreateRef("#/definitions/unversioned.Duration"),
|
||||
},
|
||||
},
|
||||
|
||||
@ -222,8 +222,8 @@ var _ proxy.ProxyProvider = &Proxier{}
|
||||
// will not terminate if a particular iptables call fails.
|
||||
func NewProxier(ipt utiliptables.Interface, sysctl utilsysctl.Interface, exec utilexec.Interface, syncPeriod time.Duration, minSyncPeriod time.Duration, masqueradeAll bool, masqueradeBit int, clusterCIDR string, hostname string, nodeIP net.IP) (*Proxier, error) {
|
||||
// check valid user input
|
||||
if minSyncPeriod == 0 || minSyncPeriod > syncPeriod {
|
||||
return nil, fmt.Errorf("min-sync (%v) must be < sync(%v) and > 0 ", minSyncPeriod, syncPeriod)
|
||||
if minSyncPeriod > syncPeriod {
|
||||
return nil, fmt.Errorf("min-sync (%v) must be < sync(%v)", minSyncPeriod, syncPeriod)
|
||||
}
|
||||
|
||||
// Set the route_localnet sysctl we need for
|
||||
@ -252,16 +252,21 @@ func NewProxier(ipt utiliptables.Interface, sysctl utilsysctl.Interface, exec ut
|
||||
|
||||
go healthcheck.Run()
|
||||
|
||||
syncsPerSecond := float32(time.Second) / float32(minSyncPeriod)
|
||||
var throttle flowcontrol.RateLimiter
|
||||
// Defaulting back to not limit sync rate when minSyncPeriod is 0.
|
||||
if minSyncPeriod != 0 {
|
||||
syncsPerSecond := float32(time.Second) / float32(minSyncPeriod)
|
||||
// The average use case will process 2 updates in short succession
|
||||
throttle = flowcontrol.NewTokenBucketRateLimiter(syncsPerSecond, 2)
|
||||
}
|
||||
|
||||
return &Proxier{
|
||||
serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
|
||||
endpointsMap: make(map[proxy.ServicePortName][]*endpointsInfo),
|
||||
portsMap: make(map[localPort]closeable),
|
||||
syncPeriod: syncPeriod,
|
||||
minSyncPeriod: minSyncPeriod,
|
||||
// The average use case will process 2 updates in short succession
|
||||
throttle: flowcontrol.NewTokenBucketRateLimiter(syncsPerSecond, 2),
|
||||
serviceMap: make(map[proxy.ServicePortName]*serviceInfo),
|
||||
endpointsMap: make(map[proxy.ServicePortName][]*endpointsInfo),
|
||||
portsMap: make(map[localPort]closeable),
|
||||
syncPeriod: syncPeriod,
|
||||
minSyncPeriod: minSyncPeriod,
|
||||
throttle: throttle,
|
||||
iptables: ipt,
|
||||
masqueradeAll: masqueradeAll,
|
||||
masqueradeMark: masqueradeMark,
|
||||
|
||||
@ -45,7 +45,7 @@ type KubeProxyConfiguration struct {
|
||||
// '2h22m'). Must be greater than 0.
|
||||
IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
|
||||
// iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
|
||||
// '2h22m'). Must be greater than 0.
|
||||
// '2h22m').
|
||||
IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
|
||||
// kubeconfigPath is the path to the kubeconfig file with authorization information (the
|
||||
// master location is set by the master flag).
|
||||
|
||||
@ -80,9 +80,6 @@ func SetDefaults_KubeProxyConfiguration(obj *KubeProxyConfiguration) {
|
||||
if obj.IPTablesSyncPeriod.Duration == 0 {
|
||||
obj.IPTablesSyncPeriod = unversioned.Duration{Duration: 30 * time.Second}
|
||||
}
|
||||
if obj.IPTablesMinSyncPeriod.Duration == 0 {
|
||||
obj.IPTablesMinSyncPeriod = unversioned.Duration{Duration: 2 * time.Second}
|
||||
}
|
||||
zero := unversioned.Duration{}
|
||||
if obj.UDPIdleTimeout == zero {
|
||||
obj.UDPIdleTimeout = unversioned.Duration{Duration: 250 * time.Millisecond}
|
||||
|
||||
@ -42,7 +42,7 @@ type KubeProxyConfiguration struct {
|
||||
// '2h22m'). Must be greater than 0.
|
||||
IPTablesSyncPeriod unversioned.Duration `json:"iptablesSyncPeriodSeconds"`
|
||||
// iptablesMinSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
|
||||
// '2h22m'). Must be greater than 0.
|
||||
// '2h22m').
|
||||
IPTablesMinSyncPeriod unversioned.Duration `json:"iptablesMinSyncPeriodSeconds"`
|
||||
// kubeconfigPath is the path to the kubeconfig file with authorization information (the
|
||||
// master location is set by the master flag).
|
||||
|
||||
Loading…
Reference in New Issue
Block a user