Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Metric to track conntrack state invalid packets dropped by iptables #122812

Merged
merged 2 commits into from
Apr 27, 2024
Merged

Metric to track conntrack state invalid packets dropped by iptables #122812

merged 2 commits into from
Apr 27, 2024

Conversation

aroradaman
Copy link
Member

@aroradaman aroradaman commented Jan 16, 2024
edited

Metric to track number of packets dropped by iptables which were marked INVALID by conntrack.

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Subtask of #122572

Does this PR introduce a user-facing change?

The iptables mode of kube-proxy now tracks packets that are wrongfully marked invalid by conntrack and subsequently dropped by introducing `kubeproxy_iptables_ct_state_invalid_dropped_packets_total` metric

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jan 16, 2024
@aroradaman
Copy link
Member Author

/sig network
/cc. @danwinship

@k8s-ci-robot k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. area/ipvs area/kube-proxy and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 16, 2024
@aroradaman
Copy link
Member Author

/test pull-kubernetes-verify
/test pull-kubernetes-unit
/test pull-kubernetes-e2e-kind

@aroradaman
Copy link
Member Author

Tested locally on kind

root@kind-worker:/# curl --silent 127.0.0.1:10249/metrics | grep kubeproxy_iptables_ct_invalid_dropped_packets
# HELP kubeproxy_iptables_ct_invalid_dropped_packets [ALPHA] Cumulative invalid packets dropped by iptables
# TYPE kubeproxy_iptables_ct_invalid_dropped_packets counter
kubeproxy_iptables_ct_invalid_dropped_packets 0

root@kind-worker:/# curl --silent 127.0.0.1:10249/metrics | grep kubeproxy_iptables_ct_invalid_dropped_packets
# HELP kubeproxy_iptables_ct_invalid_dropped_packets [ALPHA] Cumulative invalid packets dropped by iptables
# TYPE kubeproxy_iptables_ct_invalid_dropped_packets counter
kubeproxy_iptables_ct_invalid_dropped_packets 240

root@kind-worker:/# curl --silent 127.0.0.1:10249/metrics | grep kubeproxy_iptables_ct_invalid_dropped_packets
# HELP kubeproxy_iptables_ct_invalid_dropped_packets [ALPHA] Cumulative invalid packets dropped by iptables
# TYPE kubeproxy_iptables_ct_invalid_dropped_packets counter
kubeproxy_iptables_ct_invalid_dropped_packets 614

root@kind-worker:/# curl --silent 127.0.0.1:10249/metrics | grep kubeproxy_iptables_ct_invalid_dropped_packets
# HELP kubeproxy_iptables_ct_invalid_dropped_packets [ALPHA] Cumulative invalid packets dropped by iptables
# TYPE kubeproxy_iptables_ct_invalid_dropped_packets counter
kubeproxy_iptables_ct_invalid_dropped_packets 967

@aojea
Copy link
Member

aojea commented Jan 16, 2024

love this

danwinship
danwinship reviewed Jan 16, 2024
View reviewed changes
Copy link
Contributor

@danwinship danwinship left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice

pkg/proxy/iptables/proxier.go Outdated Show resolved Hide resolved
pkg/proxy/iptables/proxier.go Outdated Show resolved Hide resolved
pkg/proxy/iptables/proxier.go Outdated Show resolved Hide resolved
pkg/util/iptables/save_restore.go Outdated Show resolved Hide resolved
pkg/util/iptables/save_restore.go Outdated Show resolved Hide resolved
pkg/util/iptables/save_restore.go Outdated Show resolved Hide resolved
pkg/util/iptables/testing/fake.go Outdated Show resolved Hide resolved
@danwinship danwinship mentioned this pull request Jan 17, 2024
Open
27 tasks
@aroradaman
Copy link
Member Author

Tried preserving the counters.

Added the drop rule in FORWARD instead of KUBE-FORWARD to prevent counter resets. Now the rule is ensured just like the base-chain jump rules.

@aroradaman aroradaman marked this pull request as ready for review January 17, 2024 17:25
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 17, 2024
@aroradaman aroradaman marked this pull request as draft January 22, 2024 21:11
@aojea
Copy link
Member

aojea commented Apr 23, 2024

/kind feature

@aroradaman please add a release note

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed do-not-merge/needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Apr 23, 2024
aojea
aojea reviewed Apr 23, 2024
View reviewed changes
pkg/proxy/util/nfacct/nfacct_linux.go
Comment on lines +40 to +43
// NFNL_MSG_ACCT_NEW
cmdNew = 0
// NFNL_MSG_ACCT_GET
cmdGet = 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can see 3 commands here https://nftables.org/projects/libnetfilter_acct/doxygen/html/group__nlmsg.html , are this related?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. We don't need the third one NFNL_MSG_ACCT_GET_CTRZERO, it does get + atomic reset to zero.

aojea
aojea reviewed Apr 23, 2024
View reviewed changes
pkg/proxy/metrics/metrics.go
@@ -264,3 +275,40 @@ func RegisterMetrics() {
func SinceInSeconds(start time.Time) float64 {
return time.Since(start).Seconds()
}

var _ metrics.StableCollector = &ctStateInvalidPacketsCollector{}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I´m not familiar with this stuff, @dgrisonnet do you mind to take a look to the metrics part?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh it seems was already reviewed by instrumentation #122812 (comment)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This also removed the metric sync dependency on proxier sync loop 😃

@aojea
Copy link
Member

aojea commented Apr 23, 2024
edited

@aroradaman you have to rebase, I don't understand the minor details but it seems they were thoroughly reviewed, the INVALID DROP rules for conntrack now also uses the accounting system of iptables to store the value with the number of packets that match and report them via metrics. To do this a new low level netlink library was added

LGTM

/assign @danwinship @thockin

@thockin
Copy link
Member

thockin commented Apr 23, 2024

/approve

Approve for go.mod

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aroradaman, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 23, 2024
@danwinship
Copy link
Contributor

lgtm but needs rebase (yay post-unfreeze mergefest)

also needs a release note... doesn't need to be super-detailed since there will eventually be a larger nftables release note and upgrading-from-iptables documentation, but at least the general idea (new metric to help iptables kube-proxy users know if they are depending on iptables-kube-proxy-specific features)

as discussed here there's no e2e test because this particular rule doesn't get hit in all cluster types, but we have plans for other nfacct-based metrics and will add an e2e for one of them.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 25, 2024
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Apr 25, 2024
@aroradaman
Copy link
Member Author

aroradaman commented Apr 25, 2024
edited

rebased, release-note added and addressed #122812 (comment).

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 26, 2024
@aroradaman
pkg/proxy/util/nfacct: utility to interact with nfacct subsystem
6b52916 
nfacct is netfilter's accounting subsystem. This utility allows
interactions with the subsystem using lower level netlink API.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
@aroradaman
pkg/proxy/iptables: track ct state invalid dropped packets
3363ec4 
Track packets dropped by proxy which were marked invalid by conntrack
using nfacct netfilter extended accounting infrastructure.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 27, 2024
@danwinship
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 27, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: 769d1550d33e4411eafefeaca3bafac35a3e25d2

@k8s-ci-robot k8s-ci-robot merged commit de9a932 into kubernetes:master Apr 27, 2024
16 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.31 milestone Apr 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@logicalhan logicalhan logicalhan left review comments

@dashpole dashpole dashpole left review comments

@aojea aojea aojea left review comments

@dgrisonnet dgrisonnet dgrisonnet left review comments

@andrewsykim andrewsykim Awaiting requested review from andrewsykim

@bowei bowei Awaiting requested review from bowei

@MrHohn MrHohn Awaiting requested review from MrHohn

@khenidak khenidak Awaiting requested review from khenidak

@danwinship danwinship Awaiting requested review from danwinship

Assignees

@danwinship danwinship

@logicalhan logicalhan

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/dependency Issues or PRs related to dependency changes area/e2e-test-framework Issues or PRs related to refactoring the kubernetes e2e test framework area/ipvs area/kube-proxy area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/instrumentation Categorizes an issue or PR as relevant to SIG Instrumentation. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.31
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@aroradaman @k8s-ci-robot @aojea @danwinship @dashpole @thockin @logicalhan @dgrisonnet