skip iptables sync if no endpoint changes

[freehan]

Alternative to #41173
fixes: #26637
No need to checksum. Just compare endpoint maps.

[k8s-reviewable]

This change is 

[freehan]

I think this one is cleaner than the checksum one.
I did my best to sort out the original logic and build on top of it. It probably need a major refactor at some point. But since this PR is aiming for cherrypick, so only changing the minimum

[bprashanth]

/lgtm

[bprashanth]

nit: suggest rewording to "Check stale connections against endpoints missing from the update"

[bprashanth]

Comment: The only significant diff is that we were only doing the work to buildEndpointInfoList lazily, but that function only seems as expensive as flattenEndpointsInfo anyway (O(endpoints)), so I don't think we're burning any more cpu.

[bprashanth]

Comment: this version seems cleaner since we're not deleting from the map we're iterating, and there's no residual state as we start with a fresh map everytime.

[bprashanth]

/approve

[freehan]

Should we get this in and let it soak for some time before cherry-pick into 1.5?

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

The following people have approved this PR: bprashanth, freehan

Needs approval from an approver in each of these OWNERS Files:

• pkg/proxy/iptables/OWNERS [bprashanth]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[freehan]

adding label based on #41223 (review)

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 41223, 40892, 41220, 41207, 41242)

[dcbw]

@freehan I've had #39484 sitting around since forever that @thockin hasn't gotten to. That adds a boatload of testcases.

And one of those testcases catches an error in this PR, which is that healthcheck updates are not correctly added anymore because proxier.updateHealthCheckEntries() is no longer called for every svcPort in the new endpoints map too.

I'm happy to fix that up in #39484 if you like, provided I can actually get somebody (@thockin ? @bprashanth ?) to review it.

[freehan]

@dcbw Thanks for noticing!

Please go ahead with the fix in #39484.

[dcbw]

@freehan I've rebased and repushed #39484, would you mind taking a look at it too? Thanks!

[thockin]

Thanks guys,

I have been out for about 2 weeks (combo of vaca, work, sick) and am now trying to get all these PRs accounted for. Minhan can own the review.

I have another set of PRs between me, @timothysc, and @danwinship which make sync be called at a max rate - all together these should be a nice improvement.

Should we do this same transform over Service updates?

[dcbw]

@thockin yeah, we probably should do the same for Service updates, but it's not as big of an issue since Service updates are much less frequent than Endpoints.

[freehan]

@dcbw
I understand the bug you are referring in #41223 (comment)

I think that should not cause any problem at this point. Here is the theory:

1. create new service svc1
2. OnEndpointsUpdate gets called with new service endpoint.
3. Since updateHealthCheckEntries is only called for previous known service ports in proxier.endpointsMap, healthcheck for the newly added service endpoint will not be included.
4. OnEndpointsUpdate gets called again with the same of endpoints.
5. This time, proxier.endpointsMap includes svc1 and healthcheck is updated.

Since OnEndpointsUpdate is called at least twice a second (Due to master election logic in kube-controller-manager and kube-scheduler), having a half second delay to update health check should not cause any problem, right?

I intended to cherry-pick this into 1.5 to help some customers. I think #39484 is too big for cherry-pick. I can add a surgical fix to combine svcPorts from newEndpointMap and proxier.endpointsMap, and trigger updateHealthCheckEntries. For #39484, just need to rebase and delete the surgical fix.

What do you think?