From 034ab83d92cee58713cc3fd11401f1c140321119 Mon Sep 17 00:00:00 2001
From: jay vyas
Date: Wed, 8 Sep 2021 20:34:10 -0400
Subject: [PATCH] kube-proxy disclaimer about cleanup (#28147)

* kube-proxy disclaimer about cleanup

* Update content/en/docs/concepts/services-networking/service.md

Co-authored-by: Tim Bannister

* Update content/en/docs/concepts/services-networking/service.md

Co-authored-by: Tim Bannister

* kube-proxy config note

* Update service.md kube proxy configuration

Co-authored-by: Tim Bannister
---
 .../concepts/services-networking/service.md | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/content/en/docs/concepts/services-networking/service.md b/content/en/docs/concepts/services-networking/service.md
index 55a1351500..ee1c7514da 100644
--- a/content/en/docs/concepts/services-networking/service.md
+++ b/content/en/docs/concepts/services-networking/service.md
@@ -242,9 +242,25 @@ There are a few reasons for using proxying for Services: on the DNS records could impose a high load on DNS that then becomes difficult to manage. +Later in this page you can read about various kube-proxy implementations work. Overall, +you should note that, when running `kube-proxy`, kernel level rules may be +modified (for example, iptables rules might get created), which won't get cleaned up, +in some cases until you reboot. Thus, running kube-proxy is something that should +only be done by an administrator which understands the consequences of having a +low level, privileged network proxying service on a computer. Although the `kube-proxy` +executable supports a `cleanup` function, this function is not an official feature and +thus is only available to use as-is. + +### Configuration + +Note that the kube-proxy starts up in different modes, which are determined by its configuration. +- The kube-proxy's configuration is done via a ConfigMap, and the ConfigMap for kube-proxy effectively deprecates the behaviour for almost all of the flags for the kube-proxy. +- The ConfigMap for the kube-proxy does not support live reloading of configuration. +- The ConfigMap parameters for the kube-proxy cannot all be validated and verified on startup. For example, if your operating system doesn't allow you to run iptables commands, the standard kernel kube-proxy implementation will not work. Likewise, if you have an operating system which doesn't support `netsh`, it will not run in Windows userspace mode. + ### User space proxy mode {#proxy-mode-userspace} -In this mode, kube-proxy watches the Kubernetes control plane for the addition and +In this (legacy) mode, kube-proxy watches the Kubernetes control plane for the addition and removal of Service and Endpoint objects. For each Service it opens a port (randomly chosen) on the local node. Any connections to this "proxy port" are proxied to one of the Service's backend Pods (as reported via
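Review bot: the new disclaimer paragraph mis-describes the cleanup mechanism and has two grammar slips. "supports a `cleanup` function" should name the actual command-line flag, `kube-proxy --cleanup`, and say what it does (attempts to remove the iptables/IPVS rules kube-proxy installed, then exits) rather than calling it a "function"; "various kube-proxy implementations work" is missing "how", and "an administrator which understands" should read "who understands". The security point the paragraph is making deserves a direct sentence instead of "won't get cleaned up, in some cases until you reboot", for example: "kube-proxy runs with host-level network privileges and does not remove the kernel rules it installed when it exits; they stay in effect until an administrator removes them (for example with `kube-proxy --cleanup`) or the node reboots." In the new "Configuration" section, "The kube-proxy's configuration is done via a ConfigMap" conflates the delivery mechanism with the API: kube-proxy reads a KubeProxyConfiguration file passed with `--config`, and a ConfigMap is only how kubeadm-style deployments mount that file into the Pod; rewording to "configured through a KubeProxyConfiguration file (`--config`), usually mounted from a ConfigMap" keeps the following two bullets (no live reload, not everything validated at startup) accurate for every deployment. Finally, "the standard kernel kube-proxy implementation" should say "iptables mode" so it matches the mode names used by the sections that follow.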