From b68312e6884ec7f7c8552ba187cdcf00b7d723c8 Mon Sep 17 00:00:00 2001
From: SataQiu <1527062125@qq.com>
Date: Tue, 26 May 2020 15:32:05 +0800
Subject: [PATCH] kube-proxy: move GetNodeAddresses call out of internal loop to avoid repeated computation

Signed-off-by: SataQiu <1527062125@qq.com>
---
 pkg/proxy/iptables/proxier.go | 54 +++++++++++++++++------------------
 1 file changed, 26 insertions(+), 28 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 4344319482d..8296d9e91e1 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -809,6 +809,11 @@ func (proxier *Proxier) syncProxyRules() {
 localAddrSet := utilnet.IPSet{}
 localAddrSet.Insert(localAddrs...)

+ nodeAddresses, err := utilproxy.GetNodeAddresses(proxier.nodePortAddresses, proxier.networkInterfacer)
+ if err != nil {
+ klog.Errorf("Failed to get node ip address matching nodeport cidrs %v, services with nodeport may not work as intended: %v", proxier.nodePortAddresses, err)
+ }
+
 // We assume that if this was called, we really want to sync them,
 // even if nothing changed in the meantime. In other words, callers are
 // responsible for detecting no-op changes and not calling this function.
@@ -1195,14 +1200,12 @@ func (proxier *Proxier) syncProxyRules() {
 if svcInfo.NodePort() != 0 {
 // Hold the local port open so no other process can open it
 // (because the socket might open but it would never work).
- addresses, err := utilproxy.GetNodeAddresses(proxier.nodePortAddresses, proxier.networkInterfacer)
- if err != nil {
- klog.Errorf("Failed to get node ip address matching nodeport cidr: %v", err)
+ if len(nodeAddresses) == 0 {
 continue
 }

 lps := make([]utilproxy.LocalPort, 0)
- for address := range addresses {
+ for address := range nodeAddresses {
 lp := utilproxy.LocalPort{
 Description: "nodePort for " + svcNameString,
 IP: address,
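Review bot: The `if err != nil` branch added after the hoisted `GetNodeAddresses` call only logs, so the rest of syncProxyRules keeps running with whatever set came back alongside the error. The later hunks (around new lines 1200 and 1467) now treat an empty `nodeAddresses` as the signal to skip NodePort handling. That matches the old per-call error checks only if GetNodeAddresses never returns a partly filled set together with an error, and that contract is not visible in this diff. Adding `nodeAddresses = nil` inside the branch (assuming the set type is nil-able, as the `len`/`range` use suggests) would make the failure path explicit, so a failed lookup could not yield NodePort rules for only some addresses. The function body starts and ends outside this hunk.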
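Review bot: The new guard `if len(nodeAddresses) == 0 {` has no comment, and the lookup and error log that explain it now sit several hundred lines earlier in the function. The `continue` also leaves the current iteration of an enclosing loop that starts outside this hunk, so whatever follows for this service is skipped too, not just the port holding. I would add `// No node addresses were resolved (see the lookup at the top of syncProxyRules); skip this NodePort service.` directly above the check.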
@@ -1464,36 +1467,31 @@ func (proxier *Proxier) syncProxyRules() {

 // Finally, tail-call to the nodeports chain. This needs to be after all
 // other service portal rules.
- addresses, err := utilproxy.GetNodeAddresses(proxier.nodePortAddresses, proxier.networkInterfacer)
- if err != nil {
- klog.Errorf("Failed to get node ip address matching nodeport cidr")
- } else {
- isIPv6 := proxier.iptables.IsIPv6()
- for address := range addresses {
- // TODO(thockin, m1093782566): If/when we have dual-stack support we will want to distinguish v4 from v6 zero-CIDRs.
- if utilproxy.IsZeroCIDR(address) {
- args = append(args[:0],
- "-A", string(kubeServicesChain),
- "-m", "comment", "--comment", `"kubernetes service nodeports; NOTE: this must be the last rule in this chain"`,
- "-m", "addrtype", "--dst-type", "LOCAL",
- "-j", string(kubeNodePortsChain))
- writeLine(proxier.natRules, args...)
- // Nothing else matters after the zero CIDR.
- break
- }
- // Ignore IP addresses with incorrect version
- if isIPv6 && !utilnet.IsIPv6String(address) || !isIPv6 && utilnet.IsIPv6String(address) {
- klog.Errorf("IP address %s has incorrect IP version", address)
- continue
- }
- // create nodeport rules for each IP one by one
+ isIPv6 := proxier.iptables.IsIPv6()
+ for address := range nodeAddresses {
+ // TODO(thockin, m1093782566): If/when we have dual-stack support we will want to distinguish v4 from v6 zero-CIDRs.
+ if utilproxy.IsZeroCIDR(address) {
 args = append(args[:0],
 "-A", string(kubeServicesChain),
 "-m", "comment", "--comment", `"kubernetes service nodeports; NOTE: this must be the last rule in this chain"`,
- "-d", address,
+ "-m", "addrtype", "--dst-type", "LOCAL",
 "-j", string(kubeNodePortsChain))
 writeLine(proxier.natRules, args...)
+ // Nothing else matters after the zero CIDR.
+ break
 }
+ // Ignore IP addresses with incorrect version
+ if isIPv6 && !utilnet.IsIPv6String(address) || !isIPv6 && utilnet.IsIPv6String(address) {
+ klog.Errorf("IP address %s has incorrect IP version", address)
+ continue
+ }
+ // create nodeport rules for each IP one by one
+ args = append(args[:0],
+ "-A", string(kubeServicesChain),
+ "-m", "comment", "--comment", `"kubernetes service nodeports; NOTE: this must be the last rule in this chain"`,
+ "-d", address,
+ "-j", string(kubeNodePortsChain))
+ writeLine(proxier.natRules, args...)
 }

 // Drop the packets in INVALID state, which would potentially cause
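Review bot: The family check in the re-indented loop, `isIPv6 && !utilnet.IsIPv6String(address) || !isIPv6 && utilnet.IsIPv6String(address)`, relies on `&&` binding tighter than `||` and is hard to read at a glance. `if isIPv6 != utilnet.IsIPv6String(address) {` expresses the same condition. The zero-CIDR branch runs before this check, so a zero CIDR of the other family still installs the `--dst-type LOCAL` jump; the TODO acknowledges this, but one line saying it is intentional would help. The mismatch is logged with `klog.Errorf` for each such address each time this code runs, so a comment on why it is an error rather than an expected skip would also be useful.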