github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-28 14:07:14 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #126072 from aroradaman/proxy-config-v1alpah2-windows

Browse Source 
kube-proxy: internal config: add Linux and Windows section
This commit is contained in:
Kubernetes Prow Robot 2024-07-16 19:37:12 -07:00 committed by GitHub
commit 8aff9d3192
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
15 changed files with 358 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kube-proxy/app/init_windows.go
View File

@ -37,7 +37,7 @@ func initForOS(windowsService bool) error {
} }
func (o *Options) addOSFlags(fs *pflag.FlagSet) { func (o *Options) addOSFlags(fs *pflag.FlagSet) {
fs.BoolVar(&o.WindowsService, "windows-service", o.WindowsService, "Enable Windows Service Control Manager API integration") fs.BoolVar(&o.config.Windows.RunAsService, "windows-service", o.config.Windows.RunAsService, "Enable Windows Service Control Manager API integration")
fs.StringVar(&o.config.Winkernel.SourceVip, "source-vip", o.config.Winkernel.SourceVip, "The IP address of the source VIP for non-DSR.") fs.StringVar(&o.config.Winkernel.SourceVip, "source-vip", o.config.Winkernel.SourceVip, "The IP address of the source VIP for non-DSR.")
fs.StringVar(&o.config.Winkernel.NetworkName, "network-name", o.config.Winkernel.NetworkName, "The name of the cluster network.") fs.StringVar(&o.config.Winkernel.NetworkName, "network-name", o.config.Winkernel.NetworkName, "The name of the cluster network.")
fs.BoolVar(&o.config.Winkernel.EnableDSR, "enable-dsr", o.config.Winkernel.EnableDSR, "If true make kube-proxy apply DSR policies for service VIP") fs.BoolVar(&o.config.Winkernel.EnableDSR, "enable-dsr", o.config.Winkernel.EnableDSR, "If true make kube-proxy apply DSR policies for service VIP")

24
cmd/kube-proxy/app/options.go
View File

@ -54,9 +54,6 @@ type Options struct {
CleanupAndExit bool CleanupAndExit bool
// InitAndExit, when true, makes the proxy server makes configurations that need privileged access, then exit. // InitAndExit, when true, makes the proxy server makes configurations that need privileged access, then exit.
InitAndExit bool InitAndExit bool
// WindowsService should be set to true if kube-proxy is running as a service on Windows.
// Its corresponding flag only gets registered in Windows builds
WindowsService bool
// config is the proxy server's configuration object. // config is the proxy server's configuration object.
config *kubeproxyconfig.KubeProxyConfiguration config *kubeproxyconfig.KubeProxyConfiguration
// watcher is used to watch on the update change of ConfigFile // watcher is used to watch on the update change of ConfigFile
@ -121,7 +118,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
"This parameter is ignored if a config file is specified by --config.") "This parameter is ignored if a config file is specified by --config.")
fs.Int32Var(o.config.IPTables.MasqueradeBit, "iptables-masquerade-bit", ptr.Deref(o.config.IPTables.MasqueradeBit, 14), "If using the iptables or ipvs proxy mode, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31].") fs.Int32Var(o.config.IPTables.MasqueradeBit, "iptables-masquerade-bit", ptr.Deref(o.config.IPTables.MasqueradeBit, 14), "If using the iptables or ipvs proxy mode, the bit of the fwmark space to mark packets requiring SNAT with. Must be within the range [0, 31].")
fs.BoolVar(&o.config.IPTables.MasqueradeAll, "masquerade-all", o.config.IPTables.MasqueradeAll, "If using the iptables or ipvs proxy mode, SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins.") fs.BoolVar(&o.config.Linux.MasqueradeAll, "masquerade-all", o.config.Linux.MasqueradeAll, "SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins. Only supported on Linux.")
fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", ptr.Deref(o.config.IPTables.LocalhostNodePorts, true), "If false, kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost. (Applies only to iptables mode and IPv4; localhost NodePorts are never allowed with other proxy modes or with IPv6.)") fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", ptr.Deref(o.config.IPTables.LocalhostNodePorts, true), "If false, kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost. (Applies only to iptables mode and IPv4; localhost NodePorts are never allowed with other proxy modes or with IPv6.)")
fs.DurationVar(&o.config.IPTables.SyncPeriod.Duration, "iptables-sync-period", o.config.IPTables.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.") fs.DurationVar(&o.config.IPTables.SyncPeriod.Duration, "iptables-sync-period", o.config.IPTables.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.") fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.")
@ -144,21 +141,20 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses, fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses,
"A list of CIDR ranges that contain valid node IPs, or alternatively, the single string 'primary'. If set to a list of CIDRs, connections to NodePort services will only be accepted on node IPs in one of the indicated ranges. If set to 'primary', NodePort services will only be accepted on the node's primary IP(s) according to the Node object. If unset, NodePort connections will be accepted on all local IPs. This parameter is ignored if a config file is specified by --config.") "A list of CIDR ranges that contain valid node IPs, or alternatively, the single string 'primary'. If set to a list of CIDRs, connections to NodePort services will only be accepted on node IPs in one of the indicated ranges. If set to 'primary', NodePort services will only be accepted on the node's primary IP(s) according to the Node object. If unset, NodePort connections will be accepted on all local IPs. This parameter is ignored if a config file is specified by --config.")
fs.Int32Var(o.config.OOMScoreAdj, "oom-score-adj", ptr.Deref(o.config.OOMScoreAdj, int32(qos.KubeProxyOOMScoreAdj)), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]. This parameter is ignored if a config file is specified by --config.") fs.Int32Var(o.config.Linux.OOMScoreAdj, "oom-score-adj", ptr.Deref(o.config.Linux.OOMScoreAdj, int32(qos.KubeProxyOOMScoreAdj)), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]. This parameter is ignored if a config file is specified by --config.")
fs.Int32Var(o.config.Conntrack.MaxPerCore, "conntrack-max-per-core", *o.config.Conntrack.MaxPerCore, fs.Int32Var(o.config.Linux.Conntrack.MaxPerCore, "conntrack-max-per-core", *o.config.Linux.Conntrack.MaxPerCore,
"Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min).") "Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min).")
fs.Int32Var(o.config.Conntrack.Min, "conntrack-min", *o.config.Conntrack.Min, fs.Int32Var(o.config.Linux.Conntrack.Min, "conntrack-min", *o.config.Linux.Conntrack.Min,
"Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is).") "Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is).")
fs.DurationVar(&o.config.Conntrack.TCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", o.config.Conntrack.TCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)") fs.DurationVar(&o.config.Linux.Conntrack.TCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", o.config.Linux.Conntrack.TCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)")
fs.DurationVar( fs.DurationVar(
&o.config.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait", &o.config.Linux.Conntrack.TCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait",
o.config.Conntrack.TCPCloseWaitTimeout.Duration, o.config.Linux.Conntrack.TCPCloseWaitTimeout.Duration,
"NAT timeout for TCP connections in the CLOSE_WAIT state") "NAT timeout for TCP connections in the CLOSE_WAIT state")
fs.BoolVar(&o.config.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1") fs.BoolVar(&o.config.Linux.Conntrack.TCPBeLiberal, "conntrack-tcp-be-liberal", o.config.Linux.Conntrack.TCPBeLiberal, "Enable liberal mode for tracking TCP packets by setting nf_conntrack_tcp_be_liberal to 1")
fs.DurationVar(&o.config.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)") fs.DurationVar(&o.config.Linux.Conntrack.UDPTimeout.Duration, "conntrack-udp-timeout", o.config.Linux.Conntrack.UDPTimeout.Duration, "Idle timeout for UNREPLIED UDP connections (0 to leave as-is)")
fs.DurationVar(&o.config.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)") fs.DurationVar(&o.config.Linux.Conntrack.UDPStreamTimeout.Duration, "conntrack-udp-timeout-stream", o.config.Linux.Conntrack.UDPStreamTimeout.Duration, "Idle timeout for ASSURED UDP connections (0 to leave as-is)")
fs.DurationVar(&o.config.ConfigSyncPeriod.Duration, "config-sync-period", o.config.ConfigSyncPeriod.Duration, "How often configuration from the apiserver is refreshed. Must be greater than 0.") fs.DurationVar(&o.config.ConfigSyncPeriod.Duration, "config-sync-period", o.config.ConfigSyncPeriod.Duration, "How often configuration from the apiserver is refreshed. Must be greater than 0.")
fs.Int32Var(&o.healthzPort, "healthz-port", o.healthzPort, "The port to bind the health check server. Use 0 to disable.") fs.Int32Var(&o.healthzPort, "healthz-port", o.healthzPort, "The port to bind the health check server. Use 0 to disable.")

17
cmd/kube-proxy/app/options_test.go
View File

@ -196,17 +196,20 @@ nodePortAddresses:
}, },
ClusterCIDR: tc.clusterCIDR, ClusterCIDR: tc.clusterCIDR,
ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second}, ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second},
Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](2), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](2),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 10 * time.Second}, Min: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 20 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 10 * time.Second},
TCPEstablishedTimeout: &metav1.Duration{Duration: 20 * time.Second},
},
MasqueradeAll: true,
OOMScoreAdj: ptr.To[int32](17),
}, },
FeatureGates: map[string]bool{}, FeatureGates: map[string]bool{},
HealthzBindAddress: tc.healthzBindAddress, HealthzBindAddress: tc.healthzBindAddress,
HostnameOverride: "foo", HostnameOverride: "foo",
IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{ IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeAll: true,
MasqueradeBit: ptr.To[int32](17), MasqueradeBit: ptr.To[int32](17),
LocalhostNodePorts: ptr.To(true), LocalhostNodePorts: ptr.To(true),
MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
@ -218,14 +221,12 @@ nodePortAddresses:
ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"}, ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"},
}, },
NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{ NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
MasqueradeAll: true,
MasqueradeBit: ptr.To[int32](18), MasqueradeBit: ptr.To[int32](18),
MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
SyncPeriod: metav1.Duration{Duration: 60 * time.Second}, SyncPeriod: metav1.Duration{Duration: 60 * time.Second},
}, },
MetricsBindAddress: tc.metricsBindAddress, MetricsBindAddress: tc.metricsBindAddress,
Mode: kubeproxyconfig.ProxyMode(tc.mode), Mode: kubeproxyconfig.ProxyMode(tc.mode),
OOMScoreAdj: ptr.To[int32](17),
PortRange: "2-7", PortRange: "2-7",
NodePortAddresses: []string{"10.20.30.40/16", "fd00:1::0/64"}, NodePortAddresses: []string{"10.20.30.40/16", "fd00:1::0/64"},
DetectLocalMode: kubeproxyconfig.LocalModeClusterCIDR, DetectLocalMode: kubeproxyconfig.LocalModeClusterCIDR,

6
cmd/kube-proxy/app/server.go
View File

@ -104,7 +104,7 @@ with the apiserver API to configure the proxy.`,
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {
verflag.PrintAndExitIfRequested() verflag.PrintAndExitIfRequested()
if err := initForOS(opts.WindowsService); err != nil { if err := initForOS(opts.config.Windows.RunAsService); err != nil {
return fmt.Errorf("failed os init: %w", err) return fmt.Errorf("failed os init: %w", err)
} }
@ -493,9 +493,9 @@ func (s *ProxyServer) Run(ctx context.Context) error {
// TODO(vmarmol): Use container config for this. // TODO(vmarmol): Use container config for this.
var oomAdjuster *oom.OOMAdjuster var oomAdjuster *oom.OOMAdjuster
if s.Config.OOMScoreAdj != nil { if s.Config.Linux.OOMScoreAdj != nil {
oomAdjuster = oom.NewOOMAdjuster() oomAdjuster = oom.NewOOMAdjuster()
if err := oomAdjuster.ApplyOOMScoreAdj(0, int(*s.Config.OOMScoreAdj)); err != nil { if err := oomAdjuster.ApplyOOMScoreAdj(0, int(*s.Config.Linux.OOMScoreAdj)); err != nil {
logger.V(2).Info("Failed to apply OOMScore", "err", err) logger.V(2).Info("Failed to apply OOMScore", "err", err)
} }
} }

32
cmd/kube-proxy/app/server_linux.go
View File

@ -180,7 +180,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
exec.New(), exec.New(),
config.IPTables.SyncPeriod.Duration, config.IPTables.SyncPeriod.Duration,
config.IPTables.MinSyncPeriod.Duration, config.IPTables.MinSyncPeriod.Duration,
config.IPTables.MasqueradeAll, config.Linux.MasqueradeAll,
*config.IPTables.LocalhostNodePorts, *config.IPTables.LocalhostNodePorts,
int(*config.IPTables.MasqueradeBit), int(*config.IPTables.MasqueradeBit),
localDetectors, localDetectors,
@ -204,7 +204,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
exec.New(), exec.New(),
config.IPTables.SyncPeriod.Duration, config.IPTables.SyncPeriod.Duration,
config.IPTables.MinSyncPeriod.Duration, config.IPTables.MinSyncPeriod.Duration,
config.IPTables.MasqueradeAll, config.Linux.MasqueradeAll,
*config.IPTables.LocalhostNodePorts, *config.IPTables.LocalhostNodePorts,
int(*config.IPTables.MasqueradeBit), int(*config.IPTables.MasqueradeBit),
localDetectors[s.PrimaryIPFamily], localDetectors[s.PrimaryIPFamily],
@ -245,7 +245,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
config.IPVS.TCPTimeout.Duration, config.IPVS.TCPTimeout.Duration,
config.IPVS.TCPFinTimeout.Duration, config.IPVS.TCPFinTimeout.Duration,
config.IPVS.UDPTimeout.Duration, config.IPVS.UDPTimeout.Duration,
config.IPTables.MasqueradeAll, config.Linux.MasqueradeAll,
int(*config.IPTables.MasqueradeBit), int(*config.IPTables.MasqueradeBit),
localDetectors, localDetectors,
s.Hostname, s.Hostname,
@ -273,7 +273,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
config.IPVS.TCPTimeout.Duration, config.IPVS.TCPTimeout.Duration,
config.IPVS.TCPFinTimeout.Duration, config.IPVS.TCPFinTimeout.Duration,
config.IPVS.UDPTimeout.Duration, config.IPVS.UDPTimeout.Duration,
config.IPTables.MasqueradeAll, config.Linux.MasqueradeAll,
int(*config.IPTables.MasqueradeBit), int(*config.IPTables.MasqueradeBit),
localDetectors[s.PrimaryIPFamily], localDetectors[s.PrimaryIPFamily],
s.Hostname, s.Hostname,
@ -297,7 +297,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
ctx, ctx,
config.NFTables.SyncPeriod.Duration, config.NFTables.SyncPeriod.Duration,
config.NFTables.MinSyncPeriod.Duration, config.NFTables.MinSyncPeriod.Duration,
config.NFTables.MasqueradeAll, config.Linux.MasqueradeAll,
int(*config.NFTables.MasqueradeBit), int(*config.NFTables.MasqueradeBit),
localDetectors, localDetectors,
s.Hostname, s.Hostname,
@ -315,7 +315,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
s.PrimaryIPFamily, s.PrimaryIPFamily,
config.NFTables.SyncPeriod.Duration, config.NFTables.SyncPeriod.Duration,
config.NFTables.MinSyncPeriod.Duration, config.NFTables.MinSyncPeriod.Duration,
config.NFTables.MasqueradeAll, config.Linux.MasqueradeAll,
int(*config.NFTables.MasqueradeBit), int(*config.NFTables.MasqueradeBit),
localDetectors[s.PrimaryIPFamily], localDetectors[s.PrimaryIPFamily],
s.Hostname, s.Hostname,
@ -338,7 +338,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
func (s *ProxyServer) setupConntrack(ctx context.Context) error { func (s *ProxyServer) setupConntrack(ctx context.Context) error {
ct := &realConntracker{} ct := &realConntracker{}
max, err := getConntrackMax(ctx, s.Config.Conntrack) max, err := getConntrackMax(ctx, s.Config.Linux.Conntrack)
if err != nil { if err != nil {
return err return err
} }
@ -361,35 +361,35 @@ func (s *ProxyServer) setupConntrack(ctx context.Context) error {
} }
} }
if s.Config.Conntrack.TCPEstablishedTimeout != nil && s.Config.Conntrack.TCPEstablishedTimeout.Duration > 0 { if s.Config.Linux.Conntrack.TCPEstablishedTimeout != nil && s.Config.Linux.Conntrack.TCPEstablishedTimeout.Duration > 0 {
timeout := int(s.Config.Conntrack.TCPEstablishedTimeout.Duration / time.Second) timeout := int(s.Config.Linux.Conntrack.TCPEstablishedTimeout.Duration / time.Second)
if err := ct.SetTCPEstablishedTimeout(ctx, timeout); err != nil { if err := ct.SetTCPEstablishedTimeout(ctx, timeout); err != nil {
return err return err
} }
} }
if s.Config.Conntrack.TCPCloseWaitTimeout != nil && s.Config.Conntrack.TCPCloseWaitTimeout.Duration > 0 { if s.Config.Linux.Conntrack.TCPCloseWaitTimeout != nil && s.Config.Linux.Conntrack.TCPCloseWaitTimeout.Duration > 0 {
timeout := int(s.Config.Conntrack.TCPCloseWaitTimeout.Duration / time.Second) timeout := int(s.Config.Linux.Conntrack.TCPCloseWaitTimeout.Duration / time.Second)
if err := ct.SetTCPCloseWaitTimeout(ctx, timeout); err != nil { if err := ct.SetTCPCloseWaitTimeout(ctx, timeout); err != nil {
return err return err
} }
} }
if s.Config.Conntrack.TCPBeLiberal { if s.Config.Linux.Conntrack.TCPBeLiberal {
if err := ct.SetTCPBeLiberal(ctx, 1); err != nil { if err := ct.SetTCPBeLiberal(ctx, 1); err != nil {
return err return err
} }
} }
if s.Config.Conntrack.UDPTimeout.Duration > 0 { if s.Config.Linux.Conntrack.UDPTimeout.Duration > 0 {
timeout := int(s.Config.Conntrack.UDPTimeout.Duration / time.Second) timeout := int(s.Config.Linux.Conntrack.UDPTimeout.Duration / time.Second)
if err := ct.SetUDPTimeout(ctx, timeout); err != nil { if err := ct.SetUDPTimeout(ctx, timeout); err != nil {
return err return err
} }
} }
if s.Config.Conntrack.UDPStreamTimeout.Duration > 0 { if s.Config.Linux.Conntrack.UDPStreamTimeout.Duration > 0 {
timeout := int(s.Config.Conntrack.UDPStreamTimeout.Duration / time.Second) timeout := int(s.Config.Linux.Conntrack.UDPStreamTimeout.Duration / time.Second)
if err := ct.SetUDPStreamTimeout(ctx, timeout); err != nil { if err := ct.SetUDPStreamTimeout(ctx, timeout); err != nil {
return err return err
} }

7
pkg/generated/openapi/zz_generated.openapi.go generated
View File

@ -59531,6 +59531,13 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyConfiguration(ref common.R
Format: "", Format: "",
}, },
}, },
"windowsRunAsService": {
SchemaProps: spec.SchemaProps{
Description: "windowsRunAsService, if true, enables Windows service control manager API integration.",
Type: []string{"boolean"},
Format: "",
},
},
}, },
Required: []string{"clientConnection", "hostnameOverride", "bindAddress", "healthzBindAddress", "metricsBindAddress", "bindAddressHardFail", "enableProfiling", "showHiddenMetricsForVersion", "mode", "iptables", "ipvs", "nftables", "winkernel", "detectLocalMode", "detectLocal", "clusterCIDR", "nodePortAddresses", "oomScoreAdj", "conntrack", "configSyncPeriod", "portRange"}, Required: []string{"clientConnection", "hostnameOverride", "bindAddress", "healthzBindAddress", "metricsBindAddress", "bindAddressHardFail", "enableProfiling", "showHiddenMetricsForVersion", "mode", "iptables", "ipvs", "nftables", "winkernel", "detectLocalMode", "detectLocal", "clusterCIDR", "nodePortAddresses", "oomScoreAdj", "conntrack", "configSyncPeriod", "portRange"},
}, },

10
pkg/proxy/apis/config/fuzzer/fuzzer.go
View File

@ -35,17 +35,17 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
c.FuzzNoCustom(obj) c.FuzzNoCustom(obj)
obj.BindAddress = fmt.Sprintf("%d.%d.%d.%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256)) obj.BindAddress = fmt.Sprintf("%d.%d.%d.%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256))
obj.ClientConnection.ContentType = c.RandString() obj.ClientConnection.ContentType = c.RandString()
obj.Conntrack.MaxPerCore = ptr.To(c.Int31()) obj.Linux.Conntrack.MaxPerCore = ptr.To(c.Int31())
obj.Conntrack.Min = ptr.To(c.Int31()) obj.Linux.Conntrack.Min = ptr.To(c.Int31())
obj.Conntrack.TCPCloseWaitTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} obj.Linux.Conntrack.TCPCloseWaitTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour}
obj.Conntrack.TCPEstablishedTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour} obj.Linux.Conntrack.TCPEstablishedTimeout = &metav1.Duration{Duration: time.Duration(c.Int63()) * time.Hour}
obj.FeatureGates = map[string]bool{c.RandString(): true} obj.FeatureGates = map[string]bool{c.RandString(): true}
obj.HealthzBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536)) obj.HealthzBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
obj.IPTables.MasqueradeBit = ptr.To(c.Int31()) obj.IPTables.MasqueradeBit = ptr.To(c.Int31())
obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool()) obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool())
obj.NFTables.MasqueradeBit = ptr.To(c.Int31()) obj.NFTables.MasqueradeBit = ptr.To(c.Int31())
obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536)) obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
obj.OOMScoreAdj = ptr.To(c.Int31()) obj.Linux.OOMScoreAdj = ptr.To(c.Int31())
obj.ClientConnection.ContentType = "bar" obj.ClientConnection.ContentType = "bar"
obj.NodePortAddresses = []string{"1.2.3.0/24"} obj.NodePortAddresses = []string{"1.2.3.0/24"}
if obj.Logging.Format == "" { if obj.Logging.Format == "" {

38
pkg/proxy/apis/config/types.go
View File

@ -22,16 +22,32 @@ import (
logsapi "k8s.io/component-base/logs/api/v1" logsapi "k8s.io/component-base/logs/api/v1"
) )
// KubeProxyLinuxConfiguration contains Linux platform related configuration details for the
// Kubernetes proxy server that aren't specific to a particular backend.
type KubeProxyLinuxConfiguration struct {
// conntrack contains conntrack-related configuration options.
Conntrack KubeProxyConntrackConfiguration
// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs. This may
// be required with some CNI plugins.
MasqueradeAll bool
// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
// the range [-1000, 1000]
OOMScoreAdj *int32
}
// KubeProxyWindowsConfiguration contains Windows platform related configuration details for the
// Kubernetes proxy server that aren't specific to a particular backend
type KubeProxyWindowsConfiguration struct {
// runAsService, if true, enables Windows service control manager API integration.
RunAsService bool
}
// KubeProxyIPTablesConfiguration contains iptables-related configuration // KubeProxyIPTablesConfiguration contains iptables-related configuration
// details for the Kubernetes proxy server. // details for the Kubernetes proxy server.
type KubeProxyIPTablesConfiguration struct { type KubeProxyIPTablesConfiguration struct {
// masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
// the iptables or ipvs proxy mode. Values must be within the range [0, 31]. // the iptables or ipvs proxy mode. Values must be within the range [0, 31].
MasqueradeBit *int32 MasqueradeBit *int32
// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
// when using the iptables or ipvs proxy mode. This may be required with some CNI
// plugins.
MasqueradeAll bool
// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior // localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
// of allowing NodePort services to be accessed via localhost. (Applies only to // of allowing NodePort services to be accessed via localhost. (Applies only to
// iptables mode and IPv4; localhost NodePorts are never allowed with other proxy // iptables mode and IPv4; localhost NodePorts are never allowed with other proxy
@ -83,9 +99,6 @@ type KubeProxyNFTablesConfiguration struct {
// masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
// the nftables proxy mode. Values must be within the range [0, 31]. // the nftables proxy mode. Values must be within the range [0, 31].
MasqueradeBit *int32 MasqueradeBit *int32
// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
// when using the nftables mode. This may be required with some CNI plugins.
MasqueradeAll bool
// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently // syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
// various re-synchronizing and cleanup operations are performed. Must be greater // various re-synchronizing and cleanup operations are performed. Must be greater
// than 0. // than 0.
@ -165,6 +178,12 @@ type DetectLocalConfiguration struct {
type KubeProxyConfiguration struct { type KubeProxyConfiguration struct {
metav1.TypeMeta metav1.TypeMeta
// linux contains Linux-related configuration options.
Linux KubeProxyLinuxConfiguration
// windows contains Windows-related configuration options.
Windows KubeProxyWindowsConfiguration
// featureGates is a map of feature names to bools that enable or disable alpha/experimental features. // featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
FeatureGates map[string]bool FeatureGates map[string]bool
@ -232,11 +251,6 @@ type KubeProxyConfiguration struct {
// object. If unset, NodePort connections will be accepted on all local IPs. // object. If unset, NodePort connections will be accepted on all local IPs.
NodePortAddresses []string NodePortAddresses []string
// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
// the range [-1000, 1000]
OOMScoreAdj *int32
// conntrack contains conntrack-related configuration options.
Conntrack KubeProxyConntrackConfiguration
// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater // configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
// than 0. // than 0.
ConfigSyncPeriod metav1.Duration ConfigSyncPeriod metav1.Duration

67
pkg/proxy/apis/config/v1alpha1/conversion.go Normal file
View File

@ -0,0 +1,67 @@
/*
Copyright 2024 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package v1alpha1
import (
"k8s.io/apimachinery/pkg/conversion"
"k8s.io/kube-proxy/config/v1alpha1"
"k8s.io/kubernetes/pkg/proxy/apis/config"
)
// Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration is defined here, because public conversion is not auto-generated due to existing warnings.
func Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, scope conversion.Scope) error {
if err := autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in, out, scope); err != nil {
return err
}
out.WindowsRunAsService = in.Windows.RunAsService
out.Conntrack = v1alpha1.KubeProxyConntrackConfiguration(in.Linux.Conntrack)
out.OOMScoreAdj = in.Linux.OOMScoreAdj
switch in.Mode {
case config.ProxyModeNFTables:
out.NFTables.MasqueradeAll = in.Linux.MasqueradeAll
default:
out.IPTables.MasqueradeAll = in.Linux.MasqueradeAll
}
return nil
}
// Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration is defined here, because public conversion is not auto-generated due to existing warnings.
func Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, scope conversion.Scope) error {
if err := autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in, out, scope); err != nil {
return err
}
out.Windows.RunAsService = in.WindowsRunAsService
out.Linux.Conntrack = config.KubeProxyConntrackConfiguration(in.Conntrack)
out.Linux.OOMScoreAdj = in.OOMScoreAdj
switch config.ProxyMode(in.Mode) {
case config.ProxyModeNFTables:
out.Linux.MasqueradeAll = in.NFTables.MasqueradeAll
default:
out.Linux.MasqueradeAll = in.IPTables.MasqueradeAll
}
return nil
}
// Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration is defined here, because public conversion is not auto-generated due to existing warnings.
func Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, scope conversion.Scope) error {
return autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in, out, scope)
}
// Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration is defined here, because public conversion is not auto-generated due to existing warnings.
func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, scope conversion.Scope) error {
return autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in, out, scope)
}

85
pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go generated
View File

@ -27,7 +27,7 @@ import (
v1 "k8s.io/apimachinery/pkg/apis/meta/v1" v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
conversion "k8s.io/apimachinery/pkg/conversion" conversion "k8s.io/apimachinery/pkg/conversion"
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
configv1alpha1 "k8s.io/component-base/config/v1alpha1" componentbaseconfigv1alpha1 "k8s.io/component-base/config/v1alpha1"
v1alpha1 "k8s.io/kube-proxy/config/v1alpha1" v1alpha1 "k8s.io/kube-proxy/config/v1alpha1"
config "k8s.io/kubernetes/pkg/proxy/apis/config" config "k8s.io/kubernetes/pkg/proxy/apis/config"
) )
@ -49,16 +49,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil { }); err != nil {
return err return err
} }
if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyConfiguration)(nil), (*config.KubeProxyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(a.(*v1alpha1.KubeProxyConfiguration), b.(*config.KubeProxyConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*config.KubeProxyConfiguration)(nil), (*v1alpha1.KubeProxyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(a.(*config.KubeProxyConfiguration), b.(*v1alpha1.KubeProxyConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyConntrackConfiguration)(nil), (*config.KubeProxyConntrackConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyConntrackConfiguration)(nil), (*config.KubeProxyConntrackConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(a.(*v1alpha1.KubeProxyConntrackConfiguration), b.(*config.KubeProxyConntrackConfiguration), scope) return Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(a.(*v1alpha1.KubeProxyConntrackConfiguration), b.(*config.KubeProxyConntrackConfiguration), scope)
}); err != nil { }); err != nil {
@ -69,11 +59,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil { }); err != nil {
return err return err
} }
if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyIPTablesConfiguration)(nil), (*config.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(a.(*v1alpha1.KubeProxyIPTablesConfiguration), b.(*config.KubeProxyIPTablesConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*config.KubeProxyIPTablesConfiguration)(nil), (*v1alpha1.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { if err := s.AddGeneratedConversionFunc((*config.KubeProxyIPTablesConfiguration)(nil), (*v1alpha1.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(a.(*config.KubeProxyIPTablesConfiguration), b.(*v1alpha1.KubeProxyIPTablesConfiguration), scope) return Convert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(a.(*config.KubeProxyIPTablesConfiguration), b.(*v1alpha1.KubeProxyIPTablesConfiguration), scope)
}); err != nil { }); err != nil {
@ -89,11 +74,6 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil { }); err != nil {
return err return err
} }
if err := s.AddGeneratedConversionFunc((*v1alpha1.KubeProxyNFTablesConfiguration)(nil), (*config.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(a.(*v1alpha1.KubeProxyNFTablesConfiguration), b.(*config.KubeProxyNFTablesConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddGeneratedConversionFunc((*config.KubeProxyNFTablesConfiguration)(nil), (*v1alpha1.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error { if err := s.AddGeneratedConversionFunc((*config.KubeProxyNFTablesConfiguration)(nil), (*v1alpha1.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(a.(*config.KubeProxyNFTablesConfiguration), b.(*v1alpha1.KubeProxyNFTablesConfiguration), scope) return Convert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(a.(*config.KubeProxyNFTablesConfiguration), b.(*v1alpha1.KubeProxyNFTablesConfiguration), scope)
}); err != nil { }); err != nil {
@ -109,6 +89,26 @@ func RegisterConversions(s *runtime.Scheme) error {
}); err != nil { }); err != nil {
return err return err
} }
if err := s.AddConversionFunc((*config.KubeProxyConfiguration)(nil), (*v1alpha1.KubeProxyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(a.(*config.KubeProxyConfiguration), b.(*v1alpha1.KubeProxyConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddConversionFunc((*v1alpha1.KubeProxyConfiguration)(nil), (*config.KubeProxyConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(a.(*v1alpha1.KubeProxyConfiguration), b.(*config.KubeProxyConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddConversionFunc((*v1alpha1.KubeProxyIPTablesConfiguration)(nil), (*config.KubeProxyIPTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(a.(*v1alpha1.KubeProxyIPTablesConfiguration), b.(*config.KubeProxyIPTablesConfiguration), scope)
}); err != nil {
return err
}
if err := s.AddConversionFunc((*v1alpha1.KubeProxyNFTablesConfiguration)(nil), (*config.KubeProxyNFTablesConfiguration)(nil), func(a, b interface{}, scope conversion.Scope) error {
return Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(a.(*v1alpha1.KubeProxyNFTablesConfiguration), b.(*config.KubeProxyNFTablesConfiguration), scope)
}); err != nil {
return err
}
return nil return nil
} }
@ -136,7 +136,7 @@ func Convert_config_DetectLocalConfiguration_To_v1alpha1_DetectLocalConfiguratio
func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, s conversion.Scope) error { func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, s conversion.Scope) error {
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
if err := configv1alpha1.Convert_v1alpha1_ClientConnectionConfiguration_To_config_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil { if err := componentbaseconfigv1alpha1.Convert_v1alpha1_ClientConnectionConfiguration_To_config_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
return err return err
} }
out.Logging = in.Logging out.Logging = in.Logging
@ -166,23 +166,19 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguratio
} }
out.ClusterCIDR = in.ClusterCIDR out.ClusterCIDR = in.ClusterCIDR
out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses)) out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj)) // WARNING: in.OOMScoreAdj requires manual conversion: does not exist in peer-type
if err := Convert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil { // WARNING: in.Conntrack requires manual conversion: does not exist in peer-type
return err
}
out.ConfigSyncPeriod = in.ConfigSyncPeriod out.ConfigSyncPeriod = in.ConfigSyncPeriod
out.PortRange = in.PortRange out.PortRange = in.PortRange
// WARNING: in.WindowsRunAsService requires manual conversion: does not exist in peer-type
return nil return nil
} }
// Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration is an autogenerated conversion function.
func Convert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in *v1alpha1.KubeProxyConfiguration, out *config.KubeProxyConfiguration, s conversion.Scope) error {
return autoConvert_v1alpha1_KubeProxyConfiguration_To_config_KubeProxyConfiguration(in, out, s)
}
func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, s conversion.Scope) error { func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, s conversion.Scope) error {
// WARNING: in.Linux requires manual conversion: does not exist in peer-type
// WARNING: in.Windows requires manual conversion: does not exist in peer-type
out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates)) out.FeatureGates = *(*map[string]bool)(unsafe.Pointer(&in.FeatureGates))
if err := configv1alpha1.Convert_config_ClientConnectionConfiguration_To_v1alpha1_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil { if err := componentbaseconfigv1alpha1.Convert_config_ClientConnectionConfiguration_To_v1alpha1_ClientConnectionConfiguration(&in.ClientConnection, &out.ClientConnection, s); err != nil {
return err return err
} }
out.Logging = in.Logging out.Logging = in.Logging
@ -212,20 +208,11 @@ func autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguratio
} }
out.ClusterCIDR = in.ClusterCIDR out.ClusterCIDR = in.ClusterCIDR
out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses)) out.NodePortAddresses = *(*[]string)(unsafe.Pointer(&in.NodePortAddresses))
out.OOMScoreAdj = (*int32)(unsafe.Pointer(in.OOMScoreAdj))
if err := Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntrackConfiguration(&in.Conntrack, &out.Conntrack, s); err != nil {
return err
}
out.ConfigSyncPeriod = in.ConfigSyncPeriod out.ConfigSyncPeriod = in.ConfigSyncPeriod
out.PortRange = in.PortRange out.PortRange = in.PortRange
return nil return nil
} }
// Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration is an autogenerated conversion function.
func Convert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in *config.KubeProxyConfiguration, out *v1alpha1.KubeProxyConfiguration, s conversion.Scope) error {
return autoConvert_config_KubeProxyConfiguration_To_v1alpha1_KubeProxyConfiguration(in, out, s)
}
func autoConvert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(in *v1alpha1.KubeProxyConntrackConfiguration, out *config.KubeProxyConntrackConfiguration, s conversion.Scope) error { func autoConvert_v1alpha1_KubeProxyConntrackConfiguration_To_config_KubeProxyConntrackConfiguration(in *v1alpha1.KubeProxyConntrackConfiguration, out *config.KubeProxyConntrackConfiguration, s conversion.Scope) error {
out.MaxPerCore = (*int32)(unsafe.Pointer(in.MaxPerCore)) out.MaxPerCore = (*int32)(unsafe.Pointer(in.MaxPerCore))
out.Min = (*int32)(unsafe.Pointer(in.Min)) out.Min = (*int32)(unsafe.Pointer(in.Min))
@ -260,21 +247,15 @@ func Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntra
func autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error { func autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error {
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
out.MasqueradeAll = in.MasqueradeAll // WARNING: in.MasqueradeAll requires manual conversion: does not exist in peer-type
out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
out.SyncPeriod = in.SyncPeriod out.SyncPeriod = in.SyncPeriod
out.MinSyncPeriod = in.MinSyncPeriod out.MinSyncPeriod = in.MinSyncPeriod
return nil return nil
} }
// Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration is an autogenerated conversion function.
func Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error {
return autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in, out, s)
}
func autoConvert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(in *config.KubeProxyIPTablesConfiguration, out *v1alpha1.KubeProxyIPTablesConfiguration, s conversion.Scope) error { func autoConvert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(in *config.KubeProxyIPTablesConfiguration, out *v1alpha1.KubeProxyIPTablesConfiguration, s conversion.Scope) error {
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
out.MasqueradeAll = in.MasqueradeAll
out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
out.SyncPeriod = in.SyncPeriod out.SyncPeriod = in.SyncPeriod
out.MinSyncPeriod = in.MinSyncPeriod out.MinSyncPeriod = in.MinSyncPeriod
@ -322,20 +303,14 @@ func Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfigur
func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error { func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
out.MasqueradeAll = in.MasqueradeAll // WARNING: in.MasqueradeAll requires manual conversion: does not exist in peer-type
out.SyncPeriod = in.SyncPeriod out.SyncPeriod = in.SyncPeriod
out.MinSyncPeriod = in.MinSyncPeriod out.MinSyncPeriod = in.MinSyncPeriod
return nil return nil
} }
// Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration is an autogenerated conversion function.
func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
return autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in, out, s)
}
func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error { func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
out.MasqueradeAll = in.MasqueradeAll
out.SyncPeriod = in.SyncPeriod out.SyncPeriod = in.SyncPeriod
out.MinSyncPeriod = in.MinSyncPeriod out.MinSyncPeriod = in.MinSyncPeriod
return nil return nil

18
pkg/proxy/apis/config/validation/validation.go
View File

@ -54,14 +54,10 @@ func Validate(config *kubeproxyconfig.KubeProxyConfiguration) field.ErrorList {
case kubeproxyconfig.ProxyModeNFTables: case kubeproxyconfig.ProxyModeNFTables:
allErrs = append(allErrs, validateKubeProxyNFTablesConfiguration(config.NFTables, newPath.Child("KubeProxyNFTablesConfiguration"))...) allErrs = append(allErrs, validateKubeProxyNFTablesConfiguration(config.NFTables, newPath.Child("KubeProxyNFTablesConfiguration"))...)
} }
allErrs = append(allErrs, validateKubeProxyConntrackConfiguration(config.Conntrack, newPath.Child("KubeProxyConntrackConfiguration"))...) allErrs = append(allErrs, validateKubeProxyLinuxConfiguration(config.Linux, newPath.Child("KubeProxyLinuxConfiguration"))...)
allErrs = append(allErrs, validateProxyMode(config.Mode, newPath.Child("Mode"))...) allErrs = append(allErrs, validateProxyMode(config.Mode, newPath.Child("Mode"))...)
allErrs = append(allErrs, validateClientConnectionConfiguration(config.ClientConnection, newPath.Child("ClientConnection"))...) allErrs = append(allErrs, validateClientConnectionConfiguration(config.ClientConnection, newPath.Child("ClientConnection"))...)
if config.OOMScoreAdj != nil && (*config.OOMScoreAdj < -1000 || *config.OOMScoreAdj > 1000) {
allErrs = append(allErrs, field.Invalid(newPath.Child("OOMScoreAdj"), *config.OOMScoreAdj, "must be within the range [-1000, 1000]"))
}
if config.ConfigSyncPeriod.Duration <= 0 { if config.ConfigSyncPeriod.Duration <= 0 {
allErrs = append(allErrs, field.Invalid(newPath.Child("ConfigSyncPeriod"), config.ConfigSyncPeriod, "must be greater than 0")) allErrs = append(allErrs, field.Invalid(newPath.Child("ConfigSyncPeriod"), config.ConfigSyncPeriod, "must be greater than 0"))
} }
@ -178,6 +174,18 @@ func validateKubeProxyNFTablesConfiguration(config kubeproxyconfig.KubeProxyNFTa
return allErrs return allErrs
} }
func validateKubeProxyLinuxConfiguration(config kubeproxyconfig.KubeProxyLinuxConfiguration, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
allErrs = append(allErrs, validateKubeProxyConntrackConfiguration(config.Conntrack, fldPath.Child("KubeProxyConntrackConfiguration"))...)
if config.OOMScoreAdj != nil && (*config.OOMScoreAdj < -1000 || *config.OOMScoreAdj > 1000) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("OOMScoreAdj"), *config.OOMScoreAdj, "must be within the range [-1000, 1000]"))
}
return allErrs
}
func validateKubeProxyConntrackConfiguration(config kubeproxyconfig.KubeProxyConntrackConfiguration, fldPath *field.Path) field.ErrorList { func validateKubeProxyConntrackConfiguration(config kubeproxyconfig.KubeProxyConntrackConfiguration, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{} allErrs := field.ErrorList{}

202
pkg/proxy/apis/config/validation/validation_test.go
View File

@ -39,15 +39,17 @@ func TestValidateKubeProxyConfiguration(t *testing.T) {
ClusterCIDR: "192.168.59.0/24", ClusterCIDR: "192.168.59.0/24",
ConfigSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, ConfigSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{ IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second},
}, },
Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{ Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
},
MasqueradeAll: true,
}, },
Logging: logsapi.LoggingConfiguration{ Logging: logsapi.LoggingConfiguration{
Format: "text", Format: "text",
@ -216,7 +218,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
}{ }{
"valid iptables config": { "valid iptables config": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second},
}, },
@ -225,7 +226,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
"valid custom MasqueradeBit": { "valid custom MasqueradeBit": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: ptr.To[int32](5), MasqueradeBit: ptr.To[int32](5),
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second},
}, },
@ -233,7 +233,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
}, },
"SyncPeriod must be > 0": { "SyncPeriod must be > 0": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: -5 * time.Second}, SyncPeriod: metav1.Duration{Duration: -5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second},
}, },
@ -243,7 +242,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
"MinSyncPeriod must be > 0": { "MinSyncPeriod must be > 0": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: ptr.To[int32](5), MasqueradeBit: ptr.To[int32](5),
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: -1 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: -1 * time.Second},
}, },
@ -252,7 +250,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
"MasqueradeBit cannot be < 0": { "MasqueradeBit cannot be < 0": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: ptr.To[int32](-10), MasqueradeBit: ptr.To[int32](-10),
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 5 * time.Second}, SyncPeriod: metav1.Duration{Duration: 5 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 2 * time.Second},
}, },
@ -261,7 +258,6 @@ func TestValidateKubeProxyIPTablesConfiguration(t *testing.T) {
"SyncPeriod must be >= MinSyncPeriod": { "SyncPeriod must be >= MinSyncPeriod": {
config: kubeproxyconfig.KubeProxyIPTablesConfiguration{ config: kubeproxyconfig.KubeProxyIPTablesConfiguration{
MasqueradeBit: ptr.To[int32](5), MasqueradeBit: ptr.To[int32](5),
MasqueradeAll: true,
SyncPeriod: metav1.Duration{Duration: 1 * time.Second}, SyncPeriod: metav1.Duration{Duration: 1 * time.Second},
MinSyncPeriod: metav1.Duration{Duration: 5 * time.Second}, MinSyncPeriod: metav1.Duration{Duration: 5 * time.Second},
}, },
@ -369,103 +365,155 @@ func TestValidateKubeProxyIPVSConfiguration(t *testing.T) {
} }
} }
func TestValidateKubeProxyConntrackConfiguration(t *testing.T) { func TestValidateKubeProxyLinuxConfiguration(t *testing.T) {
newPath := field.NewPath("KubeProxyConfiguration") newPath := field.NewPath("KubeProxyConfiguration")
for name, testCase := range map[string]struct { for name, testCase := range map[string]struct {
config kubeproxyconfig.KubeProxyConntrackConfiguration config kubeproxyconfig.KubeProxyLinuxConfiguration
expectedErrs field.ErrorList expectedErrs field.ErrorList
}{ }{
"valid 5 second timeouts": { "valid 5 second timeouts": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{}, expectedErrs: field.ErrorList{},
}, },
"valid duration equal to 0 second timeout": { "valid duration equal to 0 second timeout": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 0 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 0 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 0 * time.Second},
UDPTimeout: metav1.Duration{Duration: 0 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 0 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 0 * time.Second}, UDPTimeout: metav1.Duration{Duration: 0 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 0 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{}, expectedErrs: field.ErrorList{},
}, },
"invalid MaxPerCore < 0": { "invalid MaxPerCore < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](-1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](-1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.MaxPerCore"), ptr.To[int32](-1), "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.MaxPerCore"), ptr.To[int32](-1), "must be greater than or equal to 0")},
}, },
"invalid minimum < 0": { "invalid minimum < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](-1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](-1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.Min"), ptr.To[int32](-1), "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.Min"), ptr.To[int32](-1), "must be greater than or equal to 0")},
}, },
"invalid TCPEstablishedTimeout < 0": { "invalid TCPEstablishedTimeout < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: -5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: -5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.TCPEstablishedTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.TCPEstablishedTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")},
}, },
"invalid TCPCloseWaitTimeout < 0": { "invalid TCPCloseWaitTimeout < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: -5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: -5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](0),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.TCPCloseWaitTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.TCPCloseWaitTimeout"), &metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")},
}, },
"invalid UDPTimeout < 0": { "invalid UDPTimeout < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: -5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second}, UDPTimeout: metav1.Duration{Duration: -5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](999),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.UDPTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.UDPTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")},
}, },
"invalid UDPStreamTimeout < 0": { "invalid UDPStreamTimeout < 0": {
config: kubeproxyconfig.KubeProxyConntrackConfiguration{ config: kubeproxyconfig.KubeProxyLinuxConfiguration{
MaxPerCore: ptr.To[int32](1), Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
Min: ptr.To[int32](1), MaxPerCore: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second}, Min: ptr.To[int32](1),
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second}, TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second}, TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: -5 * time.Second}, UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: -5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](-999),
}, },
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeConntrackConfiguration.UDPStreamTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")}, expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.KubeProxyConntrackConfiguration.UDPStreamTimeout"), metav1.Duration{Duration: -5 * time.Second}, "must be greater than or equal to 0")},
},
"invalid OOMScoreAdj < -1000": {
config: kubeproxyconfig.KubeProxyLinuxConfiguration{
Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
MaxPerCore: ptr.To[int32](1),
Min: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](-1001),
},
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.OOMScoreAdj"), int32(-1001), "must be within the range [-1000, 1000]")},
},
"invalid OOMScoreAdj > 1000": {
config: kubeproxyconfig.KubeProxyLinuxConfiguration{
Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
MaxPerCore: ptr.To[int32](1),
Min: ptr.To[int32](1),
TCPEstablishedTimeout: &metav1.Duration{Duration: 5 * time.Second},
TCPCloseWaitTimeout: &metav1.Duration{Duration: 5 * time.Second},
UDPTimeout: metav1.Duration{Duration: 5 * time.Second},
UDPStreamTimeout: metav1.Duration{Duration: 5 * time.Second},
},
OOMScoreAdj: ptr.To[int32](1001),
},
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("KubeProxyLinuxConfiguration.OOMScoreAdj"), int32(1001), "must be within the range [-1000, 1000]")},
}, },
} { } {
t.Run(name, func(t *testing.T) { t.Run(name, func(t *testing.T) {
errs := validateKubeProxyConntrackConfiguration(testCase.config, newPath.Child("KubeConntrackConfiguration")) errs := validateKubeProxyLinuxConfiguration(testCase.config, newPath.Child("KubeProxyLinuxConfiguration"))
assert.Equal(t, testCase.expectedErrs, errs, "did not get expected validation errors") assert.Equal(t, testCase.expectedErrs, errs, "did not get expected validation errors")
}) })
} }

46
pkg/proxy/apis/config/zz_generated.deepcopy.go generated
View File

@ -46,6 +46,8 @@ func (in *DetectLocalConfiguration) DeepCopy() *DetectLocalConfiguration {
func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) { func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) {
*out = *in *out = *in
out.TypeMeta = in.TypeMeta out.TypeMeta = in.TypeMeta
in.Linux.DeepCopyInto(&out.Linux)
out.Windows = in.Windows
if in.FeatureGates != nil { if in.FeatureGates != nil {
in, out := &in.FeatureGates, &out.FeatureGates in, out := &in.FeatureGates, &out.FeatureGates
*out = make(map[string]bool, len(*in)) *out = make(map[string]bool, len(*in))
@ -65,12 +67,6 @@ func (in *KubeProxyConfiguration) DeepCopyInto(out *KubeProxyConfiguration) {
*out = make([]string, len(*in)) *out = make([]string, len(*in))
copy(*out, *in) copy(*out, *in)
} }
if in.OOMScoreAdj != nil {
in, out := &in.OOMScoreAdj, &out.OOMScoreAdj
*out = new(int32)
**out = **in
}
in.Conntrack.DeepCopyInto(&out.Conntrack)
out.ConfigSyncPeriod = in.ConfigSyncPeriod out.ConfigSyncPeriod = in.ConfigSyncPeriod
return return
} }
@ -185,6 +181,28 @@ func (in *KubeProxyIPVSConfiguration) DeepCopy() *KubeProxyIPVSConfiguration {
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeProxyLinuxConfiguration) DeepCopyInto(out *KubeProxyLinuxConfiguration) {
*out = *in
in.Conntrack.DeepCopyInto(&out.Conntrack)
if in.OOMScoreAdj != nil {
in, out := &in.OOMScoreAdj, &out.OOMScoreAdj
*out = new(int32)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeProxyLinuxConfiguration.
func (in *KubeProxyLinuxConfiguration) DeepCopy() *KubeProxyLinuxConfiguration {
if in == nil {
return nil
}
out := new(KubeProxyLinuxConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesConfiguration) { func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesConfiguration) {
*out = *in *out = *in
@ -208,6 +226,22 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopy() *KubeProxyNFTablesConfigura
return out return out
} }
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeProxyWindowsConfiguration) DeepCopyInto(out *KubeProxyWindowsConfiguration) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeProxyWindowsConfiguration.
func (in *KubeProxyWindowsConfiguration) DeepCopy() *KubeProxyWindowsConfiguration {
if in == nil {
return nil
}
out := new(KubeProxyWindowsConfiguration)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *KubeProxyWinkernelConfiguration) DeepCopyInto(out *KubeProxyWinkernelConfiguration) { func (in *KubeProxyWinkernelConfiguration) DeepCopyInto(out *KubeProxyWinkernelConfiguration) {
*out = *in *out = *in

4
pkg/proxy/kubemark/hollow_proxy.go
View File

@ -68,7 +68,9 @@ func NewHollowProxy(
Config: &proxyconfigapi.KubeProxyConfiguration{ Config: &proxyconfigapi.KubeProxyConfiguration{
Mode: proxyconfigapi.ProxyMode("fake"), Mode: proxyconfigapi.ProxyMode("fake"),
ConfigSyncPeriod: metav1.Duration{Duration: 30 * time.Second}, ConfigSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
OOMScoreAdj: ptr.To[int32](0), Linux: proxyconfigapi.KubeProxyLinuxConfiguration{
OOMScoreAdj: ptr.To[int32](0),
},
}, },
Client: client, Client: client,

3
staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
View File

@ -243,6 +243,9 @@ type KubeProxyConfiguration struct {
// portRange was previously used to configure the userspace proxy, but is now unused. // portRange was previously used to configure the userspace proxy, but is now unused.
PortRange string `json:"portRange"` PortRange string `json:"portRange"`
// windowsRunAsService, if true, enables Windows service control manager API integration.
WindowsRunAsService bool `json:"windowsRunAsService,omitempty"`
} }
// ProxyMode represents modes used by the Kubernetes proxy server. // ProxyMode represents modes used by the Kubernetes proxy server.