mirror of https://github.com/k3s-io/k3s.git
Merge pull request #60306 from danwinship/proxier-connstate-new
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Only run connection-rejecting rules on new connections Kube-proxy has two iptables chains full of rules to reject incoming connections to services that don't have any endpoints. Currently these rules get tested against all incoming packets, but that's unnecessary; if a connection to a given service has already been established, then we can't have been rejecting connections to that service. By only checking the first packet in each new connection, we can get rid of a lot of unnecessary checks on incoming traffic. Fixes #56842 **Release note**: ```release-note Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services. ```pull/6/head
Kubernetes Submit Queue
GitHub
commit
c11ae9d21e
|
|
@ -434,20 +434,23 @@ type iptablesJumpChain struct {
|
|||
chain utiliptables.Chain
|
||||
sourceChain utiliptables.Chain
|
||||
comment string
|
||||
extraArgs []string
|
||||
}
|
||||
|
||||
var iptablesJumpChains = []iptablesJumpChain{
|
||||
{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals"},
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals"},
|
||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules"},
|
||||
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules"},
|
||||
{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
|
||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
||||
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
|
||||
}
|
||||
|
||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{
|
||||
// Present in kube 1.6 - 1.9. Removed by #56164 in favor of kubeExternalServicesChain
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals"},
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", nil},
|
||||
// Present in kube <= 1.9. Removed by #60306 in favor of rule with extraArgs
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
||||
}
|
||||
|
||||
// CleanupLeftovers removes all iptables rules and chains created by the Proxier
|
||||
|
|
@ -455,10 +458,10 @@ var iptablesCleanupOnlyChains = []iptablesJumpChain{
|
|||
func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
|
||||
// Unlink our chains
|
||||
for _, chain := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
|
||||
args := []string{
|
||||
args := append(chain.extraArgs,
|
||||
"-m", "comment", "--comment", chain.comment,
|
||||
"-j", string(chain.chain),
|
||||
}
|
||||
)
|
||||
if err := ipt.DeleteRule(chain.table, chain.sourceChain, args...); err != nil {
|
||||
if !utiliptables.IsNotFoundError(err) {
|
||||
glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
|
||||
|
|
@ -732,10 +735,10 @@ func (proxier *Proxier) syncProxyRules() {
|
|||
glog.Errorf("Failed to ensure that %s chain %s exists: %v", chain.table, kubeServicesChain, err)
|
||||
return
|
||||
}
|
||||
args := []string{
|
||||
args := append(chain.extraArgs,
|
||||
"-m", "comment", "--comment", chain.comment,
|
||||
"-j", string(chain.chain),
|
||||
}
|
||||
)
|
||||
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, chain.table, chain.sourceChain, args...); err != nil {
|
||||
glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", chain.table, chain.sourceChain, chain.chain, err)
|
||||
return
|
||||
|
|
|
|||
Loading…
Reference in New Issue