Reject Rules for ExternalIP and svc port if no ep #44547
Hi @ketkulka. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/approve @bprashanth @justinsb @thockin
@k8s-bot ok to test
We talked about adding a utility KUBE-MARK-REJECT rule (like KUBE-MARK-DROP) and simply inserting that into the service-chain, which would simplify and catch all these cases.
@freehan did we kill that idea?
pkg/proxy/iptables/proxier.go
@@ -1017,6 +1017,20 @@ func (proxier *Proxier) syncProxyRules(reason syncReason) { | |||
// Allow traffic bound for external IPs that happen to be recognized as local IPs to stay local. | |||
// This covers cases like GCE load-balancers which get added to the local routing table. | |||
writeLine(natRules, append(dstLocalOnlyArgs, "-j", string(svcChain))...) | |||
|
|||
// If the service has no endpoints then reject packets coming from externalIP |
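Review bot: the new comment line says "reject packets coming from externalIP", but the packets this rule targets are destined to the external IP, not sourced from it, so "via" or "destined to" the externalIP is the accurate wording. A second point on placement: the context lines above write to natRules, while a REJECT target is only valid in the filter table, so the rule this comment introduces must be written to filterRules rather than alongside the `-j svcChain` nat rule.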
s/from/via
fixed in new version
pkg/proxy/iptables/proxier.go
if len(newEndpoints[svcName]) == 0 { | ||
writeLine(filterRules, | ||
"-A", string(kubeServicesChain), | ||
"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints from externalIPs"`, svcNameString), |
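Review bot: the comment string `"%s has no endpoints from externalIPs"` on the `--comment` line reads as if the endpoints come from external IPs; drop the trailing "from externalIPs" so the comment is simply `"%s has no endpoints"`, the same wording a ClusterIP no-endpoint reject rule would carry. Also worth confirming the scope of the `len(newEndpoints[svcName]) == 0` guard: if this block sits inside the per-externalIP loop it emits one rule per external IP, which is what is wanted; if it sits outside that loop it needs a check that the service actually has external IPs, otherwise ClusterIP-only services get a duplicate reject rule in KUBE-SERVICES.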
s/from externalIPs// - simpler is better
fixed in new version
pkg/proxy/iptables/proxier.go
writeLine(filterRules, | ||
"-A", string(kubeServicesChain), | ||
"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints from externalIPs"`, svcNameString), | ||
"-m", "addrtype", "--dst-type", "LOCAL", |
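Review bot: the `-m addrtype --dst-type LOCAL` match on the last line is either redundant or wrong for an externalIP reject rule. It only matches packets whose destination address is configured on one of the node's own interfaces; an externalIP that is merely routed to the node is not LOCAL, so those packets would skip the rule. Match the external IP explicitly with `-d <externalIP>/32` together with the protocol and port (and if the lines after this one already do that, the addrtype match adds nothing and should go). Note also that a rule reached from the INPUT chain only ever sees traffic addressed to a local address; traffic to a non-local externalIP traverses FORWARD, so the INPUT-side reject covers only the local-address case regardless of this match.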
why are you checking addrtype?
removed addrtype. fixed in new version
Needs a
Thanks! /lgtm
Thanks for approving.
I think the label was not added properly.
Thanks
Ketan
> On Apr 20, 2017, at 3:27 PM, Minhan Xia ***@***.***> wrote:
>
> Thanks! /lgtm
/lgtm
@k8s-bot test this
got conflict with 2f25043
uploaded a new patch. hopefully this passes.
/lgtm
Thanks!
@ketkulka I'd make sure you've rebased off master, and that
actually I think that's what I did and it passed locally.
`git remote add upstream https://github.com/kubernetes/kubernetes.git`
I will do it once again.
- Install ICMP Reject Rules for externalIP and svc port if no endpoints are present
- Includes Unit Test case
- Fixes kubernetes#44516
uploaded a new patch.
this time on my local test I saw this OK for the iptables test:
ok k8s.io/kubernetes/pkg/proxy/iptables 0.072s
Apologies for too many small fixes.
> On Apr 21, 2017, at 4:37 PM, Ketan Kulkarni ***@***.***> wrote:
>
> Looking into failures. Will send a new patch.
> Sorry for the trouble. Looks like I missed one more line in tests.
>
> > On Apr 21, 2017, at 4:36 PM, k8s-ci-robot ***@***.***> wrote:
> >
> > @ketkulka: The following test(s) failed:
> >
> > | Test name | Commit | Details | Rerun command |
> > | --- | --- | --- | --- |
> > | Jenkins unit/integration | b0978b3 | [link](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-unit/27356/) | @k8s-bot unit test this |
> > | Jenkins GCE e2e | b0978b3 | [link](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-e2e-gce/27376/) | @k8s-bot cvm gce e2e test this |
> > | Jenkins Bazel Build | b0978b3 | [link](https://k8s-gubernator.appspot.com/build/kubernetes-jenkins/pr-logs/pull/44547/pull-kubernetes-bazel/14426/) | @k8s-bot bazel test this |
> >
> > Full PR test history: https://k8s-gubernator.appspot.com/pr/44547. Your PR dashboard: https://k8s-gubernator.appspot.com/pr/ketkulka. Please help us cut down on flakes by linking to an open issue (https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open) when you hit one in your PR.
okay, main tests are passing now, and it looks good locally for me too
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cblecker, freehan, ketkulka, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
Automatic merge from submit-queue
should this be picked for upcoming release?
@ketkulka This should make it into 1.7
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Split KUBE-SERVICES chain to re-shrink the INPUT chain

**What this PR does / why we need it**: #43972 added an iptables rule "`-A INPUT -j KUBE-SERVICES`" to make NodePort ICMP rejection work. (Previously the KUBE-SERVICES chain was only run from OUTPUT, not INPUT.) #44547 extended that patch for ExternalIP rejection as well.

However, the KUBE-SERVICES chain may potentially have a very large number of ICMP reject rules for plain ClusterIP services (the ones that get run from OUTPUT), and it seems that for some reason the kernel is much more sensitive to the length of the INPUT chain than it is to the length of the OUTPUT chain. So a node that worked fine with kube 1.6 (when KUBE-SERVICES was only run from OUTPUT) might fall over with kube 1.7 (with KUBE-SERVICES being run from both INPUT and OUTPUT). (Specifically, a node with about 5000 ClusterIP reject rules that ran fine with OpenShift 3.6 [kube 1.6] slowed almost to a complete halt with OpenShift 3.7 [kube 1.7].)

This PR fixes things by splitting out the "new" part of KUBE-SERVICES (NodePort and ExternalIP reject rules) into a separate KUBE-EXTERNAL-SERVICES chain run from INPUT, and moves KUBE-SERVICES back to being only run from OUTPUT. (So, yes, this assumes that you don't have 5000 NodePort/ExternalIP services, but, if you do, there's not much we can do, since those rules *have* to be run on the INPUT side.)

Oh, and I left in the code to clean up the "`-A INPUT -j KUBE-SERVICES`" rule even though we don't generate it any more, so it gets fixed on upgrade.

**Release note**:

```release-note
Reorganized iptables rules to fix a performance regression on clusters with thousands of services.
```

@kubernetes/sig-network-bugs @kubernetes/rh-networking
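The chain layout described in the comment above, as an added example that is not code from kube-proxy or from either PR: a small Go program that, for a constructed set of service ports, emits a filter-table REJECT rule for every port that has no endpoints and assembles the result in iptables-restore syntax. ClusterIP rejects go into KUBE-SERVICES (jumped to from OUTPUT, where locally generated traffic is seen) and externalIP/NodePort rejects go into KUBE-EXTERNAL-SERVICES (jumped to from INPUT, where traffic addressed to the node is seen). The `Service` struct, the sample services, the `--ctstate NEW` jump rules and the plain `-j REJECT` target are assumptions made for this example, not kube-proxy's data model or its exact rule text.

```go
package main

import (
	"fmt"
	"strings"
)

// Service is a constructed stand-in for one service port as kube-proxy sees it
// (an assumption made for this example, not kube-proxy's own type).
type Service struct {
	Name        string // "namespace/name:port", used in the rule comment
	Protocol    string // "tcp" or "udp"
	ClusterIP   string
	Port        int
	ExternalIPs []string
	NodePort    int // 0 when the service has no NodePort
	Endpoints   int // number of endpoints currently backing the port
}

const (
	kubeServicesChain         = "KUBE-SERVICES"          // reached only from OUTPUT
	kubeExternalServicesChain = "KUBE-EXTERNAL-SERVICES" // reached from INPUT
)

// rejectRule renders one filter-table REJECT rule in iptables-restore syntax.
// "-p" is emitted before "--dport" because the port option belongs to the tcp/udp match.
func rejectRule(chain, comment, proto string, match ...string) string {
	args := []string{"-A", chain, "-m", "comment", "--comment", fmt.Sprintf("%q", comment), "-p", proto}
	args = append(args, match...)
	args = append(args, "-j", "REJECT")
	return strings.Join(args, " ")
}

// RejectRules returns the reject rules for every service port without endpoints:
// ClusterIP rules for KUBE-SERVICES, externalIP and NodePort rules for
// KUBE-EXTERNAL-SERVICES. Ports that have endpoints get no rule at all.
func RejectRules(svcs []Service) (services, external []string) {
	for _, s := range svcs {
		if s.Endpoints > 0 {
			continue
		}
		comment := s.Name + " has no endpoints"
		port := fmt.Sprintf("%d", s.Port)
		// ClusterIP traffic is generated on this node, so it is seen via OUTPUT.
		services = append(services, rejectRule(kubeServicesChain, comment, s.Protocol,
			"-d", s.ClusterIP+"/32", "--dport", port))
		// externalIP: match the address itself; "addrtype LOCAL" would miss routed externalIPs.
		for _, ip := range s.ExternalIPs {
			external = append(external, rejectRule(kubeExternalServicesChain, comment, s.Protocol,
				"-d", ip+"/32", "--dport", port))
		}
		// NodePort: any address configured on the node, so addrtype LOCAL is the right match here.
		if s.NodePort != 0 {
			external = append(external, rejectRule(kubeExternalServicesChain, comment, s.Protocol,
				"-m", "addrtype", "--dst-type", "LOCAL", "--dport", fmt.Sprintf("%d", s.NodePort)))
		}
	}
	return services, external
}

// FilterTable assembles a complete *filter table for iptables-restore. The two
// jump rules are assumed for the example; kube-proxy's own carry extra comments.
func FilterTable(svcs []Service) string {
	services, external := RejectRules(svcs)
	var b strings.Builder
	b.WriteString("*filter\n")
	fmt.Fprintf(&b, ":%s - [0:0]\n", kubeServicesChain)
	fmt.Fprintf(&b, ":%s - [0:0]\n", kubeExternalServicesChain)
	fmt.Fprintf(&b, "-A OUTPUT -m conntrack --ctstate NEW -j %s\n", kubeServicesChain)
	fmt.Fprintf(&b, "-A INPUT -m conntrack --ctstate NEW -j %s\n", kubeExternalServicesChain)
	for _, r := range services {
		b.WriteString(r + "\n")
	}
	for _, r := range external {
		b.WriteString(r + "\n")
	}
	b.WriteString("COMMIT\n")
	return b.String()
}

// SampleServices is constructed input: a TCP port with an externalIP and a NodePort
// but no endpoints, a healthy TCP port, and a UDP port with an externalIP and no endpoints.
func SampleServices() []Service {
	return []Service{
		{Name: "default/web:http", Protocol: "tcp", ClusterIP: "10.0.0.10", Port: 80,
			ExternalIPs: []string{"192.0.2.10"}, NodePort: 30080, Endpoints: 0},
		{Name: "default/db:pg", Protocol: "tcp", ClusterIP: "10.0.0.20", Port: 5432, Endpoints: 2},
		{Name: "default/dns:dns", Protocol: "udp", ClusterIP: "10.0.0.30", Port: 53,
			ExternalIPs: []string{"192.0.2.53"}, Endpoints: 0},
	}
}

func main() {
	fmt.Print(FilterTable(SampleServices()))
}
```

The output is in the same form kube-proxy hands to iptables-restore, and shows the distinction raised in the addrtype review comment above: the NodePort rule matches any local address with `-m addrtype --dst-type LOCAL`, while the externalIP rule matches the address itself with `-d`. The healthy `default/db:pg` port produces no rule, and nothing is ever added to KUBE-SERVICES from INPUT, which is the whole point of the split.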
if no endpoints are present

**What this PR does / why we need it**:
Explained in issue #44516

**Which issue this PR fixes** (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged): Fixes #44516

**Special notes for your reviewer**:
Similar to #43415
Feedback welcome. Will be happy to improve the patch.
Unit Test done and passing.

**Release note**: