Add --ipvs-exclude-cidrs flag to kube-proxy. #62083
pkg/proxy/ipvs/proxier.go
Outdated
for cs := range currentServices { | ||
svc := currentServices[cs] | ||
for _, excludedCidr := range proxier.excludeCIDRs { | ||
_, net, err := net.ParseCIDR(excludedCidr) |
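Review bot: `net` on the ParseCIDR line shadows the imported `net` package for the rest of the loop body, so any later package call there (`net.ParseIP`, for instance) would resolve to the `*net.IPNet` value and fail to compile. Use a distinct name such as `n` or `ipNet`.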
bad naming of variable ... conflicts with imported package name
Done.
pkg/proxy/ipvs/proxier.go
Outdated
} | ||
// Only remove if the service VIP is not in the list of CIDR's to exclude | ||
// and if it was not processed in the latest sync loop. | ||
if net.Contains(svc.Address) && !activeServices[cs] { |
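Review bot: the `if` on the last line removes the service when `net.Contains(svc.Address)` is true, which contradicts the comment directly above it ("Only remove if the service VIP is not in the list of CIDR's to exclude"). Negate the containment test: `if !net.Contains(svc.Address) && !activeServices[cs]`.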
net.Contains() or !net.Contains() ?
Good catch!
fa7db76
to
22943bf
Compare
95109c6
to
516b354
Compare
/assign @m1093782566
/cc @pires @GoelDeepak
@rramkumar1: GitHub didn't allow me to request PR reviews from the following users: GoelDeepak. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
for i := range excludeCIDRs { | ||
if _, _, err := net.ParseCIDR(excludeCIDRs[i]); err != nil { | ||
allErrs = append(allErrs, field.Invalid(fldPath, excludeCIDRs, "must be a valid IP block")) | ||
break |
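Review bot: `field.Invalid(fldPath, excludeCIDRs, ...)` reports the whole slice against the parent path, so the user cannot tell which entry failed, and the `break` hides any further bad entries. Report the offending element with its index, for example `field.Invalid(fldPath.Index(i), excludeCIDRs[i], "must be a valid IP block")`, and drop the `break`.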
I think it would be a good UX if all CIDRs were validated and all that are invalid were reported, instead of reporting the first invalid and breaking.
Done.
pkg/proxy/ipvs/proxier.go
Outdated
// make sure it does not fall within an excluded CIDR range. | ||
okayToDelete := true | ||
for _, excludedCIDR := range proxier.excludeCIDRs { | ||
_, n, err := net.ParseCIDR(excludedCIDR) |
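Review bot: `net.ParseCIDR(excludedCIDR)` inside the range over `proxier.excludeCIDRs` re-parses the same strings on every pass and leaves an `err` to deal with in the cleanup path. Parse the list once when the proxier is constructed and keep the parsed networks on the struct, so this loop only has to call `Contains`.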
Why are we validating this again? Isn't it supposed to be validated during configuration check?
If we can't ignore the error here, then I'd say we can skip configuration validation completely and just have the validation happen here.
The intent was not validation but rather to convert the string representation of the CIDR to net struct. I guess I could remove the error check since we know from the previous validation that no error is possible? Does that sound okay?
SGTM.
Done
516b354
to
836fbf0
Compare
836fbf0
to
39bdd21
Compare
allErrs := field.ErrorList{} | ||
|
||
for i := range excludeCIDRs { | ||
if _, _, err := net.ParseCIDR(excludeCIDRs[i]); err != nil { |
Single IP should be valid as well?
Single IP as in x.x.x.x/32 is a valid CIDR.
pkg/proxy/ipvs/proxier_test.go
Outdated
@@ -2393,11 +2392,93 @@ func Test_syncService(t *testing.T) { | |||
} | |||
} | |||
|
|||
<<<<<<< HEAD |
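Review bot: `<<<<<<< HEAD` on the last line is an unresolved merge-conflict marker committed into the test file. The file will not compile until the conflict is resolved and the marker lines are removed.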
Ouch!
pkg/proxy/ipvs/proxier_test.go
Outdated
func buildFakeProxier(nodeIP []net.IP) (*iptablestest.FakeIPTables, *Proxier) { | ||
ipt := iptablestest.NewFake() | ||
ipvs := ipvstest.NewFake() | ||
ipset := ipsettest.NewFake(testIPSetVersion) | ||
return ipt, NewFakeProxier(ipt, ipvs, ipset, nil) | ||
======= |
Bad rebase :/
pkg/proxy/ipvs/proxier_test.go
Outdated
t.Errorf("Expected ipvs5 to be removed after cleanup. It still remains") | ||
} | ||
} | ||
>>>>>>> Add --ipvs-exclude-cidrs flag to kube-proxy. |
Again.
39bdd21
to
7bae3f6
Compare
@m1093782566 Seems like the test failures for pull-kubernetes-bazel-test are being caused by something I did not touch.
7bae3f6
to
ac074f9
Compare
pkg/proxy/ipvs/proxier_test.go
Outdated
nodePortLocalSetUDP: NewIPSet(ipset, KubeNodePortLocalSetUDP, utilipset.BitmapPort, false), | ||
nodePortSetUDP: NewIPSet(ipset, KubeNodePortSetUDP, utilipset.BitmapPort, false), | ||
nodePortAddresses: make([]string, 0), | ||
networkInterfacer: proxyutiltest.NewFakeNetwork(), |
Why did this change? Maybe this is where the test break comes from.
pkg/proxy/ipvs/proxier.go
Outdated
// make sure it does not fall within an excluded CIDR range. | ||
okayToDelete := true | ||
for _, excludedCIDR := range proxier.excludeCIDRs { | ||
// Any validation of this CIDR already should have occured. |
It seems that verify steps now include spellchecking.
W0409 19:58:08.458] pkg/proxy/ipvs/proxier.go:1474:55: "occured" is a misspelling of "occurred"
I0409 19:58:09.113] +++ exit code: 1
I0409 19:58:09.117] +++ error: 1
I0409 19:58:09.235] FAILED verify-spelling.sh 4s
4afe2b9
to
b063079
Compare
@pires Fixed the test failures. Any more comments on your end?
@m1093782566 Any comments?
LGTM except one comment.
cmd/kube-proxy/app/server.go
Outdated
@@ -149,6 +149,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').") | |||
fs.DurationVar(&o.config.IPVS.SyncPeriod.Duration, "ipvs-sync-period", o.config.IPVS.SyncPeriod.Duration, "The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.") | |||
fs.DurationVar(&o.config.IPVS.MinSyncPeriod.Duration, "ipvs-min-sync-period", o.config.IPVS.MinSyncPeriod.Duration, "The minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').") | |||
fs.StringSliceVar(&o.config.IPVS.ExcludeCIDRs, "ipvs-exclude-cidrs", o.config.IPVS.ExcludeCIDRs, "A list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules.") |
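Review bot: the help string on the added `ipvs-exclude-cidrs` line does not say how the list is written, so a user has to guess the separator. State it in the text, for example "A comma-separated list of CIDRs which the ipvs proxier should not touch when cleaning up IPVS rules.", which also drops the apostrophe in "CIDR's".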
Is that a comma separated list? Comment, please.
LGTM as well but @m1093782566 comment is spot on.
b063079
to
056ae44
Compare
Done.
/retest
/lgtm
/test pull-kubernetes-integration
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pires, rramkumar1, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
/test pull-kubernetes-integration
/test all [submit-queue is verifying that this PR is safe to merge]
/test pull-kubernetes-e2e-kops-aws
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
It would be great if this could be cherrypicked into v1.10.x.
This is a change in behavior, so I don't think that is possible.
What this PR does / why we need it:
Add a flag to kube-proxy called --ipvs-exclude-cidrs. This flag allows a user to specify a list of CIDR ranges that should not be included in the cleanup of IPVS rules.
Fixes: #59507
Release note:
/assign @m1093782566
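
The behaviour the description and review thread converge on, as an added example that is not kube-proxy's code: every exclude CIDR is parsed once with all invalid entries reported, and a stale virtual-server address is removed only if it was not seen in the latest sync and lies outside every excluded range. The function names `parseExcludeCIDRs` and `staleToDelete` and all addresses are hypothetical, constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// parseExcludeCIDRs (hypothetical helper) parses each entry once and
// collects an error for every invalid entry instead of stopping at the first.
func parseExcludeCIDRs(cidrs []string) ([]*net.IPNet, []error) {
	var nets []*net.IPNet
	var errs []error
	for i, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			errs = append(errs, fmt.Errorf("excludeCIDRs[%d]: %q must be a valid IP block", i, c))
			continue
		}
		nets = append(nets, n)
	}
	return nets, errs
}

// staleToDelete (hypothetical helper) returns the addresses cleanup may
// remove: not active in the latest sync and not inside any excluded range.
func staleToDelete(current []string, active map[string]bool, excluded []*net.IPNet) []string {
	var out []string
	for _, addr := range current {
		ip := net.ParseIP(addr)
		if ip == nil || active[addr] {
			continue // unparsable or still in use: leave it alone
		}
		okayToDelete := true
		for _, n := range excluded {
			if n.Contains(ip) {
				okayToDelete = false
				break
			}
		}
		if okayToDelete {
			out = append(out, addr)
		}
	}
	return out
}

func main() {
	// Constructed sample values.
	nets, errs := parseExcludeCIDRs([]string{"10.0.0.0/24", "192.168.1.5/32"})
	current := []string{"10.0.0.7", "10.96.0.10", "172.16.0.1"}
	fmt.Println(len(errs), staleToDelete(current, map[string]bool{"10.96.0.10": true}, nets))
}
```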