Don't re-run EnsureChain/EnsureRules on partial syncs

We currently invoke /sbin/iptables 24 times on each syncProxyRules
before calling iptables-restore. Since even trivial iptables
invocations are slow on hosts with lots of iptables rules, this adds a
lot of time to each sync. Since these checks are expected to be a
no-op 99% of the time, skip them on partial syncs.
Dan Winship 2022-11-29 09:38:40 -05:00
parent 7061704297
commit bfa4948bb6


@ -863,19 +863,31 @@ func (proxier *Proxier) syncProxyRules() {
} }
}() }()
// Create and link the kube chains. if !tryPartialSync {
for _, jump := range iptablesJumpChains { // Ensure that our jump rules (eg from PREROUTING to KUBE-SERVICES) exist.
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil { // We can't do this as part of the iptables-restore because we don't want
klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain) // to specify/replace *all* of the rules in PREROUTING, etc.
return //
} // We need to create these rules when kube-proxy first starts, and we need
args := append(jump.extraArgs, // to recreate them if the utiliptables Monitor detects that iptables has
"-m", "comment", "--comment", jump.comment, // been flushed. In both of those cases, the code will force a full sync.
"-j", string(jump.dstChain), // In all other cases, it ought to be safe to assume that the rules
) // already exist, so we'll skip this step when doing a partial sync, to
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil { // save us from having to invoke /sbin/iptables 20 times on each sync
klog.ErrorS(err, "Failed to ensure chain jumps", "table", jump.table, "srcChain", jump.srcChain, "dstChain", jump.dstChain) // (which will be very slow on hosts with lots of iptables rules).
return for _, jump := range iptablesJumpChains {
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain)
return
}
args := append(jump.extraArgs,
"-m", "comment", "--comment", jump.comment,
"-j", string(jump.dstChain),
)
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil {
klog.ErrorS(err, "Failed to ensure chain jumps", "table", jump.table, "srcChain", jump.srcChain, "dstChain", jump.dstChain)
return
}
} }
} }
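Review bot: The new `if !tryPartialSync` guard makes the jump-rule check depend entirely on a full sync being forced when the rules are missing, and the comment only covers the flush case detected by the utiliptables Monitor; a single jump rule (e.g. the PREROUTING to KUBE-SERVICES one) removed by another agent without a flush would, as far as this hunk shows, stay missing across every partial sync until something else triggers a full sync, during which service traffic would not be steered through the kube-proxy chains. That residual gap should be stated in the comment so the trade-off is visible to the next reader, e.g. `// Note: a jump rule deleted individually (not via a flush) is not seen by the Monitor and is only restored on the next full sync.`, and it is worth considering a periodic forced full sync as a bound on how long such a state can persist. The comment also says "20 times" while the commit description says 24; one of the two should be corrected so the numbers agree. The enclosing syncProxyRules body starts and ends outside the hunk.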