Add masquerade mode #782
Conversation
woah, we don't need to have
Love this! Other than some linting, looks good.
I still need to spend some time making minor modifications and testing.
@thebsdbox cc. This PR is now ready and can be reviewed.
@@ -350,6 +352,14 @@ var kubeVipManager = &cobra.Command{ | |||
} | |||
} | |||
|
|||
if initConfig.LoadBalancerForwardingMethod == "masquerade" { | |||
log.Infof("sysctl set net.ipv4.vs.conntrack to 1") | |||
err := sysctl.WriteProcSys("/proc/sys/net/ipv4/vs/conntrack", "1") |
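Review bot: the `err` returned by sysctl.WriteProcSys on the last line of the hunk is the only signal that conntrack could not be enabled, so it should be returned (or at least logged at error level) rather than relying on the log.Infof that is emitted before the write succeeds; with net.ipv4.vs.conntrack still 0, the masquerade mode this branch enables forwards nothing. The branch also compares LoadBalancerForwardingMethod against the bare literal "masquerade"; a named constant shared with the flag parsing would avoid a silent mismatch.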
Do you think it's better, or nice to have, to also add sysctl.WriteProcSys("/proc/sys/net/ipv4/ip_forward", "1")? If it is 0, the packet still cannot be forwarded.
Yes, if it is 0, packets will not be forwarded. If kube-vip does not handle it, users who need to use this mode must add it manually.
Shall we add it? What do you think?
I think kube-vip doesn't need to set ip_forward. When using Kubernetes, other components or scripts typically set this parameter.
Oh, got it. For example, kube-proxy and similar components always need ip_forward to be 1.
The only reason this would be a potential issue is Cilium and its kube-proxy replacement.
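The thread above settles that kube-vip sets net.ipv4.vs.conntrack itself but leaves net.ipv4.ip_forward to other components, which means a node where nothing else sets it will silently forward nothing. The following is an added example, not kube-vip's own code: a preflight check that reads both knobs relative to a root directory (so it can be exercised against a constructed fake /proc) and an ensure-and-read-back writer in the spirit of sysctl.WriteProcSys. The knob list, the function names and the root-directory parameter are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Added example, not kube-vip code. The paths are relative to a root so the
// same logic can run against a constructed fake /proc tree in tests.

// requiredKnobs lists the knobs and the value each must hold for NATed IPVS
// traffic to be forwarded (assumed set, taken from the PR discussion above).
var requiredKnobs = map[string]string{
	"proc/sys/net/ipv4/vs/conntrack": "1", // set by kube-vip in this PR
	"proc/sys/net/ipv4/ip_forward":   "1", // expected to be set by other components
}

// ReadProcSys returns the trimmed contents of a /proc/sys file under root.
func ReadProcSys(root, rel string) (string, error) {
	b, err := os.ReadFile(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(string(b)), nil
}

// MissingForwardingPrereqs returns, sorted, the knobs whose current value
// differs from the required one or that cannot be read. A caller can refuse to
// enable masquerade mode, or warn loudly, instead of dropping traffic.
func MissingForwardingPrereqs(root string) []string {
	var missing []string
	for rel, want := range requiredKnobs {
		got, err := ReadProcSys(root, rel)
		if err != nil || got != want {
			missing = append(missing, rel)
		}
	}
	sort.Strings(missing)
	return missing
}

// EnsureProcSys writes want to the knob only when it differs, then reads it
// back so a silently ignored write is reported rather than assumed to have
// worked. It returns whether a write was performed.
func EnsureProcSys(root, rel, want string) (changed bool, err error) {
	got, err := ReadProcSys(root, rel)
	if err == nil && got == want {
		return false, nil
	}
	p := filepath.Join(root, rel)
	if err := os.WriteFile(p, []byte(want+"\n"), 0o644); err != nil {
		return false, err
	}
	got, err = ReadProcSys(root, rel)
	if err != nil {
		return false, err
	}
	if got != want {
		return false, fmt.Errorf("%s: wrote %q but read back %q", rel, want, got)
	}
	return true, nil
}

func main() {
	// Against the real host; run as root to make the conntrack write succeed.
	if _, err := EnsureProcSys("/", "proc/sys/net/ipv4/vs/conntrack", "1"); err != nil {
		fmt.Println("could not enable vs.conntrack:", err)
	}
	missing := MissingForwardingPrereqs("/")
	if len(missing) == 0 {
		fmt.Println("masquerade prerequisites satisfied")
		return
	}
	for _, m := range missing {
		fmt.Printf("prerequisite not met: %s must be 1\n", m)
	}
}
```

The read-back in EnsureProcSys is the part worth keeping: on a host where /proc/sys is mounted read-only or the ip_vs module is absent, a plain write either fails or has no effect, and reporting that is what turns a silent forwarding failure into an actionable log line.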
pkg/vip/address.go
// addIptablesRulesForMasquerade add iptables rules for MASQUERADE | ||
// insert example | ||
// sudo iptables -t mangle -I PREROUTING -d 10.1.105.1 -p tcp --dport 6443 -j MARK --set-xmark 0x1119 | ||
// sudo iptables -t nat -I POSTROUTING -m mark --mark 0x1119 -j MASQUERADE |
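Review bot: the example in this doc comment documents the two-rule mark approach (mangle PREROUTING -j MARK --set-xmark 0x1119, then nat POSTROUTING -m mark -j MASQUERADE), while the thread settles on a single nat POSTROUTING `-m ipvs --vaddr <vip> --vport <port> -j MASQUERADE` rule that needs no mark; the comment should describe the rule the function actually inserts, otherwise an operator restoring the rules by hand from this comment will add mark rules the code no longer uses or cleans up.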
Hi Lan, just curious: I use iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.113.200 --vport 8443 -j MASQUERADE to configure masquerade directly, learning from some materials from the internet. Is there any additional benefit of one over the other when comparing these two methods?
I haven't used the rule you mentioned; it seems more suitable for ipvs. I will test it tomorrow.
I'm not familiar with this rule, can anyone shed some light?
For kube-vip, the command iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.113.200 --vport 8443 -j MASQUERADE is more appropriate and eliminates the need to configure the mark parameter. I have updated the code.
Apologies for the delay in review, I've been on PTO. Back now, and it's KubeCon.. but I'll be as quick as I can.
Signed-off-by: lou-lan <loulan@loulan.me>
// Return our created load-balancer | ||
return lb, nil | ||
} | ||
|
||
func (lb *IPVSLoadBalancer) RemoveIPVSLB() error { | ||
close(lb.stop) |
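Review bot: RemoveIPVSLB closes lb.stop, but nothing in the visible hunk removes the VIP or the nat POSTROUTING MASQUERADE rule that was added for it; the teardown should invoke delMasqueradeRuleForVIP (and the VIP removal) before returning and surface any error, so that deleting kube-vip does not leave a dangling MASQUERADE rule and a stale VIP on the node.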
Hi @lou-lan just curious, has the cleanup on iptables, ipvs and VIP ever worked in your setup if you delete kube-vip?
|
||
func delMasqueradeRuleForVIP(ipt *iptables.IPTables, vip, comment string) error { | ||
err := ipt.DeleteIfExists(iptables.TableNat, iptables.ChainPOSTROUTING, | ||
"-d", "-m", "ipvs", "--vaddr", vip, "-j", "MASQUERADE", "-m", "comment", "--comment", comment) |
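Review bot: the rule spec passed to DeleteIfExists starts with a bare "-d" that is followed by "-m" rather than an address, so it can never match the inserted `-m ipvs --vaddr <vip> -j MASQUERADE` rule; DeleteIfExists then returns without deleting anything and the MASQUERADE rule is leaked on every teardown. Drop the "-d" and, ideally, build the insert and delete specs from one helper so the two cannot drift (if the inserted rule also carries --vport, the delete spec must carry it too, since deletion is an exact token match).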
one bug here is there is no "-d" in deletion.
Yes, I was negligent here. When switching from the old iptables (MASQUERADE processing rules) to the new way of writing, I failed to remove this parameter.
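The two rule-form discussions above (the single `-m ipvs --vaddr ... -j MASQUERADE` POSTROUTING rule replacing the mark approach, and the stray "-d" in the delete spec) share one root cause: the insert and delete specs were written as two separate argument lists. The following is an added example, not kube-vip's own code: it builds the rule spec once for a VIP, reuses it for both insert and delete, and validates that every option that takes an argument actually gets one. The function names, the argument-taking option table and the sample VIP, port and comment are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not kube-vip code. It only builds and checks argument
// slices; it does not call iptables, so it runs anywhere.

// argOptions lists the options used in this rule that consume one argument
// (assumed table, limited to what the masquerade rule needs).
var argOptions = map[string]bool{
	"-d": true, "-m": true, "--vaddr": true, "--vport": true, "-j": true, "--comment": true,
}

// MasqueradeRuleSpec mirrors the rule agreed on in the thread:
//   iptables -t nat -A POSTROUTING -m ipvs --vaddr <vip> --vport <port> -j MASQUERADE -m comment --comment <c>
// An empty port omits --vport, so the rule covers every port of the
// virtual service. Insert and delete must both use this one function.
func MasqueradeRuleSpec(vip, port, comment string) []string {
	spec := []string{"-m", "ipvs", "--vaddr", vip}
	if port != "" {
		spec = append(spec, "--vport", port)
	}
	spec = append(spec, "-j", "MASQUERADE", "-m", "comment", "--comment", comment)
	return spec
}

// ValidateRuleSpec reports the first argument-taking option that is followed
// by nothing or by another option. iptables either rejects such a spec or,
// worse, swallows the next option as the argument, which is how a stray "-d"
// turns a delete into a silent no-op.
func ValidateRuleSpec(spec []string) error {
	for i, tok := range spec {
		if !argOptions[tok] {
			continue
		}
		if i+1 >= len(spec) {
			return fmt.Errorf("option %s at position %d has no argument", tok, i)
		}
		if strings.HasPrefix(spec[i+1], "-") {
			return fmt.Errorf("option %s at position %d is followed by option %s instead of an argument", tok, i, spec[i+1])
		}
	}
	return nil
}

// SameSpec is the property an exact-match delete (iptables -D, or
// DeleteIfExists) relies on: token-for-token equality with the inserted rule.
func SameSpec(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample values for the demonstration.
	add := MasqueradeRuleSpec("192.168.113.200", "8443", "kube-vip masquerade")
	del := MasqueradeRuleSpec("192.168.113.200", "8443", "kube-vip masquerade")
	fmt.Println("insert: iptables -t nat -A POSTROUTING", strings.Join(add, " "))
	fmt.Println("delete matches insert:", SameSpec(add, del))

	// The delete spec from the review, with the stray "-d" in front.
	buggy := append([]string{"-d"}, del...)
	fmt.Println("buggy delete spec:", ValidateRuleSpec(buggy))
	fmt.Println("buggy delete matches insert:", SameSpec(add, buggy))
}
```

Running ValidateRuleSpec on every spec before it reaches iptables, and asserting SameSpec between the insert and delete paths in a unit test, catches this whole class of drift before it ships rather than after an operator notices leaked MASQUERADE rules on a node.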
Additional configuration list
backend_health_check_interval
iptables_backend: nft, legacy
masquerade_mark: 0x1119

iptables_backend: Although we already have egress_withnftables, it is not sufficiently clear for users who want to configure masquerade mode. The newly added field does not require user specification by default; the program will determine it automatically.
masquerade_mark: we changed the iptables rule to iptables -t nat -A POSTROUTING -m ipvs --vaddr 192.168.113.200 --vport 8443 -j MASQUERADE, so this configuration item is removed, thanks @wyike.

Required Permissions
We require the necessary permissions to set net.ipv4.vs.conntrack=1.

Usage

Test
The cluster I am testing has 3 nodes. 172.16.25.136 is a VIP address in my cluster. It is currently located at node workstation1. When I run kubectl get pods -n some-not-found-ns, I can observe specific logs in each kube-api-server. Then I shut down workstation1, and the VIP moves to workstation3. In the above log, we can see 172.16.25.131 is removed.