Reject Rules for ExternalIP and svc port if no ep #44547
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @ketkulka. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-github-robot
added
size/M
|
/approve @bprashanth @justinsb @thockin |
|
@k8s-bot ok to test |
k8s-ci-robot
removed
the
needs-ok-to-test
thockin
reviewed
Apr 17, 2017
pkg/proxy/iptables/proxier.go
Outdated
| @@ -1017,6 +1017,20 @@ func (proxier *Proxier) syncProxyRules(reason syncReason) { | |||
| // Allow traffic bound for external IPs that happen to be recognized as local IPs to stay local. | |||
| // This covers cases like GCE load-balancers which get added to the local routing table. | |||
| writeLine(natRules, append(dstLocalOnlyArgs, "-j", string(svcChain))...) | |||
|
|
|||
| // If the service has no endpoints then reject packets coming from externalIP | |||
There was a problem hiding this comment.
fixed in new version
pkg/proxy/iptables/proxier.go
Outdated
| if len(newEndpoints[svcName]) == 0 { | ||
| writeLine(filterRules, | ||
| "-A", string(kubeServicesChain), | ||
| "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints from externalIPs"`, svcNameString), |
There was a problem hiding this comment.
s/from externalIPs// - simpler is better
There was a problem hiding this comment.
fixed in new version
pkg/proxy/iptables/proxier.go
Outdated
| writeLine(filterRules, | ||
| "-A", string(kubeServicesChain), | ||
| "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints from externalIPs"`, svcNameString), | ||
| "-m", "addrtype", "--dst-type", "LOCAL", |
There was a problem hiding this comment.
removed addrtype. fixed in new version
thockin
added
release-note-none
Needs a |
k8s-github-robot
added
the
approved
|
Thanks! /lgtm |
|
Thanks for approving.
I think the label was not added properly.
Thanks
Ketan
… On Apr 20, 2017, at 3:27 PM, Minhan Xia ***@***.***> wrote:
Thanks! /lgtm
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#44547 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA_K0qSprn_iM-iWM3Zed2gbAA4IPwSYks5rx9vYgaJpZM4M_AoK>.
|
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@k8s-bot test this |
|
|
got conflict with 2f25043 |
k8s-github-robot
removed
the
lgtm
|
uploaded a new patch. hopefully this passes. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Thanks! |
|
@ketkulka I'd make sure you've rebased off master, and that |
|
actually i think that's what i did and it passed locally. git remote add upstream https://github.com/kubernetes/kubernetes.git i will do it once again. |
- Install ICMP Reject Rules for externalIP and svc port if no endpoints are present - Includes Unit Test case - Fixes kubernetes#44516
k8s-github-robot
removed
the
lgtm
|
uploaded a new patch.
this time on my local test; i saw this OK for iptable test
ok k8s.io/kubernetes/pkg/proxy/iptables 0.072s
Apologies for too many small fixes.
… On Apr 21, 2017, at 4:37 PM, Ketan Kulkarni ***@***.***> wrote:
Looking into failures. Will send a new patch.
Sorry for the trouble. Looks like I missed one more line in tests.
> On Apr 21, 2017, at 4:36 PM, k8s-ci-robot ***@***.*** ***@***.***>> wrote:
>
> @ketkulka <https://github.com/ketkulka>: The following test(s) failed:
>
> Test name Commit Details Rerun command
> Jenkins unit/integration b0978b3 <b0978b3> link <https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-unit/27356/> @k8s-bot unit test this
> Jenkins GCE e2e b0978b3 <b0978b3> link <https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-e2e-gce/27376/> @k8s-bot cvm gce e2e test this
> Jenkins Bazel Build b0978b3 <b0978b3> link <https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-bazel/14426/> @k8s-bot bazel test this
> Full PR test history <https://k8s-gubernator.appspot.com/pr/44547>. Your PR dashboard <https://k8s-gubernator.appspot.com/pr/ketkulka>. Please help us cut down on flakes by linking to an open issue <https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when you hit one in your PR.
>
> <https://github.com/kubernetes/community/blob/master/contributors/devel/pull-request-commands.md> <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> <https://github.com/kubernetes/test-infra/blob/master/prow/commands.md>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub <#44547 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA_K0pY72cBAw2dEEcwYTAliTTgCFKdFks5ryT10gaJpZM4M_AoK>.
>
|
|
okay, main tests are passing now, and it looks good locally for me too |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cblecker, freehan, ketkulka, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue |
|
should this be picked for upcoming release? |
|
@ketkulka This should make it into 1.7 |
k8s-github-robot
pushed a commit
that referenced
this pull request
Feb 23, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Split KUBE-SERVICES chain to re-shrink the INPUT chain **What this PR does / why we need it**: #43972 added an iptables rule "`-A INPUT -j KUBE-SERVICES`" to make NodePort ICMP rejection work. (Previously the KUBE-SERVICES chain was only run from OUTPUT, not INPUT.) #44547 extended that patch for ExternalIP rejection as well. However, the KUBE-SERVICES chain may potentially have a very large number of ICMP reject rules for plain ClusterIP services (the ones that get run from OUTPUT), and it seems that for some reason the kernel is much more sensitive to the length of the INPUT chain than it is to the length of the OUTPUT chain. So a node that worked fine with kube 1.6 (when KUBE-SERVICES was only run from OUTPUT) might fall over with kube 1.7 (with KUBE-SERVICES being run from both INPUT and OUTPUT). (Specifically, a node with about 5000 ClusterIP reject rules that ran fine with OpenShift 3.6 [kube 1.6] slowed almost to a complete halt with OpenShift 3.7 [kube 1.7].) This PR fixes things by splitting out the "new" part of KUBE-SERVICES (NodePort and ExternalIP reject rules) into a separate KUBE-EXTERNAL-SERVICES chain run from INPUT, and moves KUBE-SERVICES back to being only run from OUTPUT. (So, yes, this assumes that you don't have 5000 NodePort/ExternalIP services, but, if you do, there's not much we can do, since those rules *have* to be run on the INPUT side.) Oh, and I left in the code to clean up the "`-A INPUT -j KUBE-SERVICES`" rule even though we don't generate it any more, so it gets fixed on upgrade. **Release note**: ```release-note Reorganized iptables rules to fix a performance regression on clusters with thousands of services. ``` @kubernetes/sig-network-bugs @kubernetes/rh-networking
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
if no endpoints are present
What this PR does / why we need it:
Explained in issue #44516
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Fixes #44516Special notes for your reviewer:
Similar to #43415
Feedback welcome. Will be happy to improve the patch.
Unit Test done and passing.
Release note: