github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 22:46:12 +00:00
Code Issues Projects Releases Wiki Activity

kube-proxy: remove iptables-to-userspace fallback

Browse Source 
Back when iptables was first made the default, there were
theoretically some users who wouldn't have been able to support it due
to having an old /sbin/iptables. But kube-proxy no longer does the
things that didn't work with old iptables, and we removed that check a
long time ago. There is also a check for a new-enough kernel version,
but it's checking for a feature which was added in kernel 3.6, and no
one could possibly be running Kubernetes with a kernel that old. So
the fallback code now never actually falls back, so it should just be
removed.
This commit is contained in:
Dan Winship 2022-08-11 12:11:43 -04:00
parent 477d14e53b
commit 9f69a3a9d4
2 changed files with 7 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
cmd/kube-proxy/app/server_others.go
View File

@ -43,7 +43,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/types"
utilnet "k8s.io/apimachinery/pkg/util/net" utilnet "k8s.io/apimachinery/pkg/util/net"
utilruntime "k8s.io/apimachinery/pkg/util/runtime"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
toolswatch "k8s.io/client-go/tools/watch" toolswatch "k8s.io/client-go/tools/watch"
"k8s.io/component-base/configz" "k8s.io/component-base/configz"
@ -146,7 +145,7 @@ func newProxyServer(
var proxier proxy.Provider var proxier proxy.Provider
var detectLocalMode proxyconfigapi.LocalMode var detectLocalMode proxyconfigapi.LocalMode
proxyMode := getProxyMode(string(config.Mode), canUseIPVS, iptables.LinuxKernelCompatTester{}) proxyMode := getProxyMode(string(config.Mode), canUseIPVS)
detectLocalMode, err = getDetectLocalMode(config) detectLocalMode, err = getDetectLocalMode(config)
if err != nil { if err != nil {
return nil, fmt.Errorf("cannot determine detect-local-mode: %v", err) return nil, fmt.Errorf("cannot determine detect-local-mode: %v", err)
@ -556,43 +555,27 @@ func cidrTuple(cidrList string) [2]string {
return cidrs return cidrs
} }
func getProxyMode(proxyMode string, canUseIPVS bool, kcompat iptables.KernelCompatTester) string { func getProxyMode(proxyMode string, canUseIPVS bool) string {
switch proxyMode { switch proxyMode {
case proxyModeUserspace: case proxyModeUserspace:
return proxyModeUserspace return proxyModeUserspace
case proxyModeIPTables: case proxyModeIPTables:
return tryIPTablesProxy(kcompat) return proxyModeIPTables
case proxyModeIPVS: case proxyModeIPVS:
return tryIPVSProxy(canUseIPVS, kcompat) return tryIPVSProxy(canUseIPVS)
} }
klog.InfoS("Unknown proxy mode, assuming iptables proxy", "proxyMode", proxyMode) klog.InfoS("Unknown proxy mode, assuming iptables proxy", "proxyMode", proxyMode)
return tryIPTablesProxy(kcompat) return proxyModeIPTables
} }
func tryIPVSProxy(canUseIPVS bool, kcompat iptables.KernelCompatTester) string { func tryIPVSProxy(canUseIPVS bool) string {
if canUseIPVS { if canUseIPVS {
return proxyModeIPVS return proxyModeIPVS
} }
// Try to fallback to iptables before falling back to userspace
klog.V(1).InfoS("Can't use ipvs proxier, trying iptables proxier") klog.V(1).InfoS("Can't use ipvs proxier, trying iptables proxier")
return tryIPTablesProxy(kcompat)
}
func tryIPTablesProxy(kcompat iptables.KernelCompatTester) string {
// guaranteed false on error, error only necessary for debugging
useIPTablesProxy, err := iptables.CanUseIPTablesProxier(kcompat)
if err != nil {
utilruntime.HandleError(fmt.Errorf("can't determine whether to use iptables proxy, using userspace proxier: %v", err))
return proxyModeUserspace
}
if useIPTablesProxy {
return proxyModeIPTables return proxyModeIPTables
} }
// Fallback.
klog.V(1).InfoS("Can't use iptables proxy, using userspace proxier")
return proxyModeUserspace
}
// cleanupAndExit remove iptables rules and ipset/ipvs rules // cleanupAndExit remove iptables rules and ipset/ipvs rules
func cleanupAndExit() error { func cleanupAndExit() error {

28
pkg/proxy/iptables/proxier.go
View File

@ -85,34 +85,6 @@ const (
largeClusterEndpointsThreshold = 1000 largeClusterEndpointsThreshold = 1000
) )
// KernelCompatTester tests whether the required kernel capabilities are
// present to run the iptables proxier.
type KernelCompatTester interface {
IsCompatible() error
}
// CanUseIPTablesProxier returns true if we should use the iptables Proxier
// instead of the "classic" userspace Proxier.
func CanUseIPTablesProxier(kcompat KernelCompatTester) (bool, error) {
if err := kcompat.IsCompatible(); err != nil {
return false, err
}
return true, nil
}
var _ KernelCompatTester = LinuxKernelCompatTester{}
// LinuxKernelCompatTester is the Linux implementation of KernelCompatTester
type LinuxKernelCompatTester struct{}
// IsCompatible checks for the required sysctls. We don't care about the value, just
// that it exists. If this Proxier is chosen, we'll initialize it as we
// need.
func (lkct LinuxKernelCompatTester) IsCompatible() error {
_, err := utilsysctl.New().GetSysctl(sysctlRouteLocalnet)
return err
}
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet" const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables" const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"