From 9483c272f496dfdd22025ce778f0807aa4f7495e Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Sat, 19 Feb 2022 11:50:53 -0500
Subject: [PATCH] Log metadata about kube-proxy iptables-restore calls

For each iptables-restore call, log the number of services, endpoints, filter chains, filter rules, NAT chains, and NAT rules in the update at V(2), in addition to logging the actual rules if V(9).
---
 pkg/proxy/iptables/proxier.go | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index ed3e1af53b9..757430ae687 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -893,10 +893,6 @@ func (proxier *Proxier) syncProxyRules() {
  proxier.natChains.Reset()
  proxier.natRules.Reset()
 
- // Write table headers.
- proxier.filterChains.Write("*filter")
- proxier.natChains.Write("*nat")
-
  // Make sure we keep stats for the top-level chains, if they existed
  // (which most should have because we created them above).
  for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain, kubeNodePortsChain} {
@@ -1510,19 +1506,28 @@ func (proxier *Proxier) syncProxyRules() {
  metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableFilter)).Set(float64(proxier.filterRules.Lines()))
  metrics.IptablesRulesTotal.WithLabelValues(string(utiliptables.TableNAT)).Set(float64(proxier.natRules.Lines()))
 
- // Write the end-of-table markers.
- proxier.filterRules.Write("COMMIT")
- proxier.natRules.Write("COMMIT")
-
  // Sync rules.
- // NOTE: NoFlushTables is used so we don't flush non-kubernetes chains in the table
  proxier.iptablesData.Reset()
+ proxier.iptablesData.WriteString("*filter\n")
  proxier.iptablesData.Write(proxier.filterChains.Bytes())
  proxier.iptablesData.Write(proxier.filterRules.Bytes())
+ proxier.iptablesData.WriteString("COMMIT\n")
+ proxier.iptablesData.WriteString("*nat\n")
  proxier.iptablesData.Write(proxier.natChains.Bytes())
  proxier.iptablesData.Write(proxier.natRules.Bytes())
+ proxier.iptablesData.WriteString("COMMIT\n")
 
+ klog.V(2).InfoS("Reloading service iptables data",
+ "numServices", len(proxier.serviceMap),
+ "numEndpoints", proxier.endpointChainsNumber,
+ "numFilterChains", proxier.filterChains.Lines(),
+ "numFilterRules", proxier.filterRules.Lines(),
+ "numNATChains", proxier.natChains.Lines(),
+ "numNATRules", proxier.natRules.Lines(),
+ )
  klog.V(9).InfoS("Restoring iptables", "rules", proxier.iptablesData.Bytes())
+
+ // NOTE: NoFlushTables is used so we don't flush non-kubernetes chains in the table
  err = proxier.iptables.RestoreAll(proxier.iptablesData.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters)
  if err != nil {
  if pErr, ok := err.(utiliptables.ParseError); ok {
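Review bot: The block that assembles `proxier.iptablesData` no longer carries any comment saying that the `*filter`/`*nat` headers and the `COMMIT` trailers are written here instead of into the per-table buffers, which is what makes the `Lines()` values in the new V(2) log exact counts. I would add above the first `WriteString` something like `// Table headers and COMMIT are added here, not in the chain/rule buffers, so Lines() counts only real chains and rules.` Separately, the `numEndpoints` key is fed from `proxier.endpointChainsNumber`, which by its name appears to count endpoint chains rather than endpoints; if that is so, `numEndpointChains` would be the more accurate key for anyone triaging rule-count anomalies from this log. syncProxyRules begins and ends outside this hunk.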