Only run connection-rejecting rules on new connections #60306

Merged
merged 1 commit into kubernetes:master from danwinship:proxier-connstate-new on Feb 25, 2018

@danwinship
Contributor

danwinship commented Feb 23, 2018

Kube-proxy has two iptables chains full of rules to reject incoming connections to services that don't have any endpoints. Currently these rules get tested against all incoming packets, but that's unnecessary; if a connection to a given service has already been established, then we can't have been rejecting connections to that service. By only checking the first packet in each new connection, we can get rid of a lot of unnecessary checks on incoming traffic.

Fixes #56842

Release note:

Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services.
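As an added example (not kube-proxy's code and not part of this PR), the following Go model illustrates the mechanism the description relies on: the filter-table INPUT jump to the reject chain carries a conntrack NEW match, so packets belonging to a flow conntrack has already accepted never traverse the per-service REJECT rules, while the verdict for every packet stays the same. Chain and table names follow the PR's review snippet; the struct fields, the flow type, the in-memory conntrack table, the evaluator, the port list and the sample traffic are constructed for illustration only.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not kube-proxy code: a model of the INPUT path this PR
// changes. Chain names follow the PR; everything else is constructed.

// jumpRule has the shape of kube-proxy's jump-chain table: a rule in a
// built-in chain that jumps to a kube chain, optionally with extra matches.
type jumpRule struct {
	table     string
	dstChain  string
	srcChain  string
	comment   string
	extraArgs []string // nil means an unconditional jump
}

// IptablesJumpChains is the table after this PR: only the INPUT jump to the
// reject chain is restricted to the first packet of each connection.
var IptablesJumpChains = []jumpRule{
	{"filter", "KUBE-EXTERNAL-SERVICES", "INPUT", "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
	{"nat", "KUBE-SERVICES", "OUTPUT", "kubernetes service portals", nil},
	{"nat", "KUBE-SERVICES", "PREROUTING", "kubernetes service portals", nil},
	{"nat", "KUBE-POSTROUTING", "POSTROUTING", "kubernetes postrouting rules", nil},
	{"filter", "KUBE-FORWARD", "FORWARD", "kubernetes forwarding rules", nil},
}

// JumpRuleLine renders one jump rule in iptables-restore syntax (argument
// order is this example's choice, not necessarily kube-proxy's).
func JumpRuleLine(r jumpRule) string {
	args := []string{"-A", r.srcChain, "-m", "comment", "--comment", fmt.Sprintf("%q", r.comment)}
	args = append(args, r.extraArgs...)
	args = append(args, "-j", r.dstChain)
	return strings.Join(args, " ")
}

// Flow identifies a connection the way conntrack would, reduced to the
// client address, client port and service port.
type Flow struct {
	Src   string
	Sport int
	Dport int
}

// RunResult is the outcome of running sample traffic through the model chain.
type RunResult struct {
	Verdicts        []string // ACCEPT or REJECT per packet, in input order
	RejectRuleTests int      // number of reject-rule evaluations performed
}

// RunInputChain simulates INPUT jumping to KUBE-EXTERNAL-SERVICES, which holds
// one REJECT rule per service port without endpoints. With onlyNew the jump
// carries "-m conntrack --ctstate NEW", so a packet whose flow conntrack has
// already accepted never reaches the reject rules.
func RunInputChain(pkts []Flow, noEndpointPorts []int, onlyNew bool) RunResult {
	conntrack := map[Flow]bool{} // flows that have already been accepted
	var res RunResult
	for _, p := range pkts {
		if onlyNew && conntrack[p] {
			res.Verdicts = append(res.Verdicts, "ACCEPT") // jump does not match
			continue
		}
		verdict := "ACCEPT"
		for _, port := range noEndpointPorts {
			res.RejectRuleTests++
			if p.Dport == port {
				verdict = "REJECT"
				break
			}
		}
		if verdict == "ACCEPT" {
			conntrack[p] = true // a rejected flow never becomes ESTABLISHED
		}
		res.Verdicts = append(res.Verdicts, verdict)
	}
	return res
}

// NoEndpointPorts is constructed: one port clients actually probe plus a
// thousand more, standing in for a large cluster's endpoint-less services.
func NoEndpointPorts() []int {
	ports := []int{30081}
	for p := 31000; p < 32000; p++ {
		ports = append(ports, p)
	}
	return ports
}

// SampleTraffic is constructed: three clients each open one connection to a
// service with endpoints and send ten packets on it, then one client retries
// a service without endpoints three times.
func SampleTraffic() []Flow {
	var pkts []Flow
	for _, src := range []string{"10.0.0.1", "10.0.0.2", "10.0.0.3"} {
		for i := 0; i < 10; i++ {
			pkts = append(pkts, Flow{src, 40000, 30080})
		}
	}
	for i := 0; i < 3; i++ {
		pkts = append(pkts, Flow{"10.0.0.9", 40000, 30081})
	}
	return pkts
}

func main() {
	fmt.Println(JumpRuleLine(IptablesJumpChains[0]))
	pkts, ports := SampleTraffic(), NoEndpointPorts()
	before := RunInputChain(pkts, ports, false)
	after := RunInputChain(pkts, ports, true)
	fmt.Printf("reject-rule evaluations: all packets=%d, NEW only=%d\n",
		before.RejectRuleTests, after.RejectRuleTests)
}
```

With the constructed traffic the verdict sequence is identical in both modes, but the number of reject-rule evaluations drops from 30033 to 3006, because the thirty packets on already-accepted connections never enter the chain. The model also shows why the change is safe: a flow only appears in conntrack after its first packet was accepted, so a packet that is not NEW cannot belong to a connection the reject rules would have refused.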
@danwinship

Contributor

danwinship commented Feb 23, 2018

/assign @dcbw

{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals"},
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules"},
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules"},
{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
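Review bot: the last line of this snippet adds a fifth element (the `-m conntrack --ctstate NEW` match) to a positional struct literal while the three entries above it have four, so if those entries stay as they are the slice no longer has a uniform shape; either every entry needs an explicit trailing `nil` for the new field, or the literals should switch to keyed fields so the optional match reads as `extraArgs: []string{"-m", "conntrack", "--ctstate", "NEW"}`. A one-line comment on that entry stating why only the INPUT jump is restricted to new connections (the reject rules it reaches can only ever apply to a connection's first packet, as the PR description explains) would spare the next reader a trip to the PR.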

@thockin

thockin Feb 23, 2018

Member

worth making a var for this slice?

@thockin

Member

thockin commented Feb 23, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label Feb 23, 2018

@k8s-ci-robot

Contributor

k8s-ci-robot commented Feb 23, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dcbw

Member

dcbw commented Feb 23, 2018

also /lgtm

@k8s-merge-robot

Contributor

k8s-merge-robot commented Feb 24, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@fejta-bot

fejta-bot commented Feb 24, 2018

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-merge-robot

Contributor

k8s-merge-robot commented Feb 24, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@fejta-bot

fejta-bot commented Feb 24, 2018

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-merge-robot

Contributor

k8s-merge-robot commented Feb 24, 2018

/test all [submit-queue is verifying that this PR is safe to merge]

@thockin

Member

thockin commented Feb 24, 2018

@k8s-merge-robot

Contributor

k8s-merge-robot commented Feb 25, 2018

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-merge-robot k8s-merge-robot merged commit c11ae9d into kubernetes:master Feb 25, 2018

12 of 13 checks passed

Submit Queue (required): Github CI test is not green: pull-kubernetes-unit
cla/linuxfoundation: danwinship authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-cross: Skipped
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gke: Skipped
pull-kubernetes-e2e-kops-aws: Job succeeded.
pull-kubernetes-kubemark-e2e-gce: Job succeeded.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-unit: Job succeeded.
pull-kubernetes-verify: Job succeeded.

openshift-merge-robot added a commit to openshift/origin that referenced this pull request Feb 27, 2018

Merge pull request #18754 from danwinship/upstream-iptables-fixes
Automatic merge from submit-queue (batch tested with PRs 18754, 18761).

kube-proxy iptables performance fixes

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes/kubernetes#57336, kubernetes/kubernetes#56164, kubernetes/kubernetes#57461, and kubernetes/kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174

openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Feb 27, 2018

Merge pull request kubernetes#18754 from danwinship/upstream-iptables-fixes

Automatic merge from submit-queue (batch tested with PRs 18754, 18761).

kube-proxy iptables performance fixes

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes#57336, kubernetes#56164, kubernetes#57461, and kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174

Origin-commit: e2e14cb4fe6a6789936da736d627ae96ca822116

openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Mar 5, 2018

openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Mar 23, 2018

@danwinship danwinship deleted the danwinship:proxier-connstate-new branch Mar 26, 2018
