[kubeproxy/ipvs] New sysctls to improve pod termination

[lbernail]

What type of PR is this?
/kind bug

What this PR does / why we need it:
This PR enables two IPVS sysctls:

• net/ipv4/vs/expire_nodest_conn: delete connections associated to a real server that has been deleted. This is not important with graceful termination (because real servers are removed when connections have terminated/expired) but very important without it, see IPVS default sysctls and configuration #71358 (so this sysctl should be backported to 1.12 and 1.11)
• net/ipv4/vs/expire_quiescent_template: expire persistent connections to a real server when its weight has been set to 0 (otherwise future connections from a client with the same IP will be sent to an endpoint that is no longer available. In addition, if a client keeps trying to send traffic, the real server will not be removed until persistency expires which by default takes 3h).

Which issue(s) this PR fixes:
Fixes: #71809
Partially addresses: #71358

Special notes for your reviewer:
expire_quiescent_template defaults to 0 because when using ClientIP affinity it makes sense to continue sending traffic to the same backend even its weight is set to 0. However in Kubernetes pod shutdown is (usually) pretty fast and new connections will be blackholed. In addition, if the client retries to connect often, the number of connections will never reach 0 for this backend and the real server will not be removed until the persistency timer expires.

Does this PR introduce a user-facing change?:

kube-proxy in IPVS mode will stop initiating connections to terminating pods for services with sessionAffinity set.

/sig network
/area ipvs
/assign @m1093782566

[k8s-ci-robot]

Hi @lbernail. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[m1093782566]

/ok-to-test

[m1093782566]

A general question:

Does "net/ipv4/vs/expire_nodest_conn" and "net/ipv4/vs/expire_quiescent_template" exist in all versions of kernel?

[lbernail]

Does "net/ipv4/vs/expire_nodest_conn" and "net/ipv4/vs/expire_quiescent_template" exist in all versions of kernel?

I just checked, and they are available in 2.6 kernels. What is the oldest kernel version we want to support?

[m1093782566]

Thanks! I don't think we should support kernel < 2.6.

/lgtm

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lbernail, m1093782566

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/proxy/ipvs/OWNERS [m1093782566]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[m1093782566]

/retest

[m1093782566]

💯