Document required iptables rules when using Antrea Proxy #1133
Comments
antoninbas
added
the
kind/documentation
antoninbas
added
the
priority/important-soon
|
Agree this could be in next release, this should only matter when there are many iptables rules and many short-live connections. A proper change may need to limit the destination IPs to Node IPs of the cluster only, otherwise UDP connections to another endpoint that happens to use geneve/vxlan UDP port may be affected if conntrack is desired. |
I thought about this, but haven't come up with an approach that could bypass conntrack only for Pod-to-Pod traffic going throught host network. It's because PREROUTING chain is the only chance we can add "NOTRACK" for routed packets, but we cannot identify Pod-to-Pod packets from real Pod-to-Pod packets and the response of Pod-to-Service packets. |
When using Antrea Proxy, one would expect kube-proxy / iptables performance not to impact Pod-to-Service traffic performance, since this traffic is handled in OVS. However, in practice performance deteriorates as the number of Services increase. This is because encapsulated traffic needlessly visits the kube-proxy iptables rules, incurring high CPU usage. The UDP tunnels are also added needlessly to the connection tracking table.
To avoid this issue, @tnqn @wenyingd and @edwardbadboy suggest installing the following iptables rules:
These rules added to the raw table will ensure that all Geneve traffic bypasses connection tracking and kube-proxy iptables rules. The specific rules will differ based on the encapsulation mode being used.
At the very least, this should be documented. We should also investigate whether these rules can be installed by Antrea programmatically to simplify usage, or if there is any potential adverse effect.
Credits go to @tnqn @wenyingd and @edwardbadboy for troubleshooting this issue.
The text was updated successfully, but these errors were encountered: