Document required iptables rules when using Antrea Proxy #1133
Labels: kind/documentation, priority/important-soon
When using Antrea Proxy, one would expect kube-proxy / iptables performance not to impact Pod-to-Service traffic performance, since this traffic is handled in OVS. However, in practice performance deteriorates as the number of Services increases. This is because encapsulated traffic needlessly visits the kube-proxy iptables rules, incurring high CPU usage. The UDP tunnels are also added needlessly to the connection tracking table.
To avoid this issue, @tnqn @wenyingd and @edwardbadboy suggest installing the following iptables rules:
These rules added to the raw table will ensure that all Geneve traffic bypasses connection tracking and kube-proxy iptables rules. The specific rules will differ based on the encapsulation mode being used.
At the very least, this should be documented. We should also investigate whether these rules can be installed by Antrea programmatically to simplify usage, or if there is any potential adverse effect.
Credits go to @tnqn @wenyingd and @edwardbadboy for troubleshooting this issue.
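As an added illustration (not the rules referred to in the issue and not Antrea's own code), the following POSIX shell helper emits, and optionally installs, raw-table NOTRACK rules for each of the encapsulation modes mentioned. The port and protocol values are assumptions taken from the usual defaults: Geneve UDP 6081, VXLAN UDP 4789, GRE IP protocol 47, STT TCP 7471. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Antrea project and not the exact rules
# suggested in the issue. Emits (and with APPLY=1 installs) raw-table NOTRACK
# rules so that tunnel traffic between Nodes skips connection tracking and,
# with it, the kube-proxy nat-table rules.
#
# Assumed port/protocol values (defaults, not taken from the issue):
#   geneve: UDP 6081   vxlan: UDP 4789   gre: IP protocol 47   stt: TCP 7471

# tunnel_match MODE -> iptables match arguments for that encapsulation mode
tunnel_match() {
    case "$1" in
        geneve) echo "-p udp --dport 6081" ;;
        vxlan)  echo "-p udp --dport 4789" ;;
        gre)    echo "-p 47" ;;
        stt)    echo "-p tcp --dport 7471" ;;
        *) echo "unknown encapsulation mode: $1" >&2; return 1 ;;
    esac
}

# notrack_rules MODE -> one rule spec per line, for both directions:
#   PREROUTING covers tunnel packets arriving from peer Nodes,
#   OUTPUT covers tunnel packets this Node sends out.
# The raw table is the only place NOTRACK is valid; it runs before conntrack.
notrack_rules() {
    match=$(tunnel_match "$1") || return 1
    for chain in PREROUTING OUTPUT; do
        echo "-t raw -I $chain $match -j NOTRACK"
    done
}

# apply_notrack MODE: install each rule exactly once. The -C check keeps the
# script idempotent, so re-running it does not stack duplicate rules.
# Requires root and the iptables binary.
apply_notrack() {
    notrack_rules "$1" | while read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -I / -C /')
        # shellcheck disable=SC2086  (intentional word splitting of the spec)
        iptables $check 2>/dev/null || iptables $rule
    done
}

# show_state: after applying, the raw table should list the rules and
# tunnel flows should no longer show up in the conntrack table.
show_state() {
    iptables -t raw -S
    conntrack -L -p udp --dport 6081 2>/dev/null | head
}

# Default: print the rules for MODE (geneve if omitted); APPLY=1 installs them.
mode="${1:-geneve}"
if [ "${APPLY:-0}" = 1 ]; then
    apply_notrack "$mode" && show_state
else
    notrack_rules "$mode"
fi
```

Run as `sh notrack.sh vxlan` to see the rules, or `APPLY=1 sh notrack.sh geneve` to install them. The reason the rules also bypass kube-proxy is that the nat table is only consulted for packets that have a conntrack state; a packet marked untracked in raw PREROUTING or OUTPUT never enters the nat hooks where the kube-proxy service chains are attached. One caveat a practitioner should keep in mind: the match keys on the tunnel destination port alone, so any other UDP traffic to that port on the Node is untracked as well; confirm the effect with `conntrack -L` before and after.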