From 9f69a3a9d4d5af4ddfd8802dc311d5d0205663a7 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Thu, 11 Aug 2022 12:11:43 -0400
Subject: [PATCH] kube-proxy: remove iptables-to-userspace fallback

Back when iptables was first made the default, there were theoretically some users who wouldn't have been able to support it due to having an old /sbin/iptables. But kube-proxy no longer does the things that didn't work with old iptables, and we removed that check a long time ago. There is also a check for a new-enough kernel version, but it's checking for a feature which was added in kernel 3.6, and no one could possibly be running Kubernetes with a kernel that old. So the fallback code now never actually falls back, so it should just be removed.
---
 cmd/kube-proxy/app/server_others.go | 31 +++++++----------------------
 pkg/proxy/iptables/proxier.go       | 28 --------------------------
 2 files changed, 7 insertions(+), 52 deletions(-)

diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
index f0ac6210e5c..b64f25efe00 100644
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -43,7 +43,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientset "k8s.io/client-go/kubernetes"
 	toolswatch "k8s.io/client-go/tools/watch"
 	"k8s.io/component-base/configz"
@@ -146,7 +145,7 @@ func newProxyServer(
 	var proxier proxy.Provider
 	var detectLocalMode proxyconfigapi.LocalMode
 
-	proxyMode := getProxyMode(string(config.Mode), canUseIPVS, iptables.LinuxKernelCompatTester{})
+	proxyMode := getProxyMode(string(config.Mode), canUseIPVS)
 	detectLocalMode, err = getDetectLocalMode(config)
 	if err != nil {
 		return nil, fmt.Errorf("cannot determine detect-local-mode: %v", err)
@@ -556,42 +555,26 @@ func cidrTuple(cidrList string) [2]string {
 	return cidrs
 }
 
-func getProxyMode(proxyMode string, canUseIPVS bool, kcompat iptables.KernelCompatTester) string {
+func getProxyMode(proxyMode string, canUseIPVS bool) string {
 	switch proxyMode {
 	case proxyModeUserspace:
 		return proxyModeUserspace
 	case proxyModeIPTables:
-		return tryIPTablesProxy(kcompat)
+		return proxyModeIPTables
 	case proxyModeIPVS:
-		return tryIPVSProxy(canUseIPVS, kcompat)
+		return tryIPVSProxy(canUseIPVS)
 	}
 	klog.InfoS("Unknown proxy mode, assuming iptables proxy", "proxyMode", proxyMode)
-	return tryIPTablesProxy(kcompat)
+	return proxyModeIPTables
 }
 
-func tryIPVSProxy(canUseIPVS bool, kcompat iptables.KernelCompatTester) string {
+func tryIPVSProxy(canUseIPVS bool) string {
 	if canUseIPVS {
 		return proxyModeIPVS
 	}
-	// Try to fallback to iptables before falling back to userspace
 	klog.V(1).InfoS("Can't use ipvs proxier, trying iptables proxier")
-	return tryIPTablesProxy(kcompat)
-}
-
-func tryIPTablesProxy(kcompat iptables.KernelCompatTester) string {
-	// guaranteed false on error, error only necessary for debugging
-	useIPTablesProxy, err := iptables.CanUseIPTablesProxier(kcompat)
-	if err != nil {
-		utilruntime.HandleError(fmt.Errorf("can't determine whether to use iptables proxy, using userspace proxier: %v", err))
-		return proxyModeUserspace
-	}
-	if useIPTablesProxy {
-		return proxyModeIPTables
-	}
-	// Fallback.
-	klog.V(1).InfoS("Can't use iptables proxy, using userspace proxier")
-	return proxyModeUserspace
+	return proxyModeIPTables
 }
 
 // cleanupAndExit remove iptables rules and ipset/ipvs rules
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a5c9f695639..1cc9dfb5055 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
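Review bot: `tryIPVSProxy` no longer tries anything once `canUseIPVS` is false — it unconditionally returns `proxyModeIPTables` — yet its name and the surviving V(1) message "trying iptables proxier" still describe a probe, and an operator who explicitly configured `mode: ipvs` ends up on a different datapath with only a verbosity-1 trace of the downgrade. I would make the fallback visible at default verbosity and name it for what it is, e.g. `klog.InfoS("Can't use the IPVS proxier, falling back to the iptables proxier")`, or inline the two remaining lines into the `case proxyModeIPVS:` arm and drop the helper. The `proxyModeIPTables` arm and the unknown-mode path now select the iptables proxier without the sysctl probe that `tryIPTablesProxy` used to perform, so a host where `net/ipv4/conf/all/route_localnet` is unreadable is presumably only rejected later when the iptables proxier is constructed — that is outside this diff and worth confirming. A short doc comment on `getProxyMode` stating that it only validates the IPVS choice and otherwise resolves to iptables would also help the next reader.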
@@ -85,34 +85,6 @@ const (
 	largeClusterEndpointsThreshold = 1000
 )
 
-// KernelCompatTester tests whether the required kernel capabilities are
-// present to run the iptables proxier.
-type KernelCompatTester interface {
-	IsCompatible() error
-}
-
-// CanUseIPTablesProxier returns true if we should use the iptables Proxier
-// instead of the "classic" userspace Proxier.
-func CanUseIPTablesProxier(kcompat KernelCompatTester) (bool, error) {
-	if err := kcompat.IsCompatible(); err != nil {
-		return false, err
-	}
-	return true, nil
-}
-
-var _ KernelCompatTester = LinuxKernelCompatTester{}
-
-// LinuxKernelCompatTester is the Linux implementation of KernelCompatTester
-type LinuxKernelCompatTester struct{}
-
-// IsCompatible checks for the required sysctls. We don't care about the value, just
-// that it exists. If this Proxier is chosen, we'll initialize it as we
-// need.
-func (lkct LinuxKernelCompatTester) IsCompatible() error {
-	_, err := utilsysctl.New().GetSysctl(sysctlRouteLocalnet)
-	return err
-}
-
 const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
 const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"