Add --ipvs-exclude-cidrs flag to kube-proxy. #62083
Conversation
k8s-ci-robot
added
do-not-merge/release-note-label-needed
pkg/proxy/ipvs/proxier.go
Outdated
| for cs := range currentServices { | ||
| svc := currentServices[cs] | ||
| for _, excludedCidr := range proxier.excludeCIDRs { | ||
| _, net, err := net.ParseCIDR(excludedCidr) |
There was a problem hiding this comment.
bad naming of variable ... conflicts with imported package name
pkg/proxy/ipvs/proxier.go
Outdated
| } | ||
| // Only remove if the service VIP is not in the list of CIDR's to exclude | ||
| // and if it was not processed in the latest sync loop. | ||
| if net.Contains(svc.Address) && !activeServices[cs] { |
There was a problem hiding this comment.
net.Contains() or !net.Contains() ?
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
2 times, most recently
from
fa7db76
to
22943bf
Compare
k8s-ci-robot
added
size/L
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
2 times, most recently
from
95109c6
to
516b354
Compare
k8s-ci-robot
added
release-note
rramkumar1
changed the title
|
/assign @m1093782566 |
|
/cc @pires @GoelDeepak |
|
@rramkumar1: GitHub didn't allow me to request PR reviews from the following users: GoelDeepak. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
| for i := range excludeCIDRs { | ||
| if _, _, err := net.ParseCIDR(excludeCIDRs[i]); err != nil { | ||
| allErrs = append(allErrs, field.Invalid(fldPath, excludeCIDRs, "must be a valid IP block")) | ||
| break |
There was a problem hiding this comment.
I think it would be a good UX if all CIDRs were validated and all that are invalid were reported, instead of reporting the first invalid and breaking.
pkg/proxy/ipvs/proxier.go
Outdated
| // make sure it does not fall within an excluded CIDR range. | ||
| okayToDelete := true | ||
| for _, excludedCIDR := range proxier.excludeCIDRs { | ||
| _, n, err := net.ParseCIDR(excludedCIDR) |
There was a problem hiding this comment.
Why are we validating this again? Isn't it supposed to be validated during configuration check?
There was a problem hiding this comment.
If we can't ignore the error here, then I'd say we can skip configuration validation completely and just have the validation happen here.
There was a problem hiding this comment.
The intent was not validation but rather to convert the string representation of the CIDR to net struct. I guess I could remove the error check since we know from the previous validation that no error is possible? Does that sound okay?
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
from
516b354
to
836fbf0
Compare
k8s-ci-robot
added
the
needs-rebase
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
from
836fbf0
to
39bdd21
Compare
k8s-ci-robot
removed
the
needs-rebase
| allErrs := field.ErrorList{} | ||
|
|
||
| for i := range excludeCIDRs { | ||
| if _, _, err := net.ParseCIDR(excludeCIDRs[i]); err != nil { |
There was a problem hiding this comment.
Single IP should be valid as well?
There was a problem hiding this comment.
Single IP as in x.x.x.x/32 is a valid CIDR.
pkg/proxy/ipvs/proxier_test.go
Outdated
| @@ -2393,11 +2392,93 @@ func Test_syncService(t *testing.T) { | |||
| } | |||
| } | |||
|
|
|||
| <<<<<<< HEAD | |||
pkg/proxy/ipvs/proxier_test.go
Outdated
| func buildFakeProxier(nodeIP []net.IP) (*iptablestest.FakeIPTables, *Proxier) { | ||
| ipt := iptablestest.NewFake() | ||
| ipvs := ipvstest.NewFake() | ||
| ipset := ipsettest.NewFake(testIPSetVersion) | ||
| return ipt, NewFakeProxier(ipt, ipvs, ipset, nil) | ||
| ======= |
pkg/proxy/ipvs/proxier_test.go
Outdated
| t.Errorf("Expected ipvs5 to be removed after cleanup. It still remains") | ||
| } | ||
| } | ||
| >>>>>>> Add --ipvs-exclude-cidrs flag to kube-proxy. |
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
from
39bdd21
to
7bae3f6
Compare
|
@m1093782566 Seems like the test failures for pull-kubernetes-bazel-test are being caused by something I did not touch. |
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
from
7bae3f6
to
ac074f9
Compare
pkg/proxy/ipvs/proxier_test.go
Outdated
| nodePortLocalSetUDP: NewIPSet(ipset, KubeNodePortLocalSetUDP, utilipset.BitmapPort, false), | ||
| nodePortSetUDP: NewIPSet(ipset, KubeNodePortSetUDP, utilipset.BitmapPort, false), | ||
| nodePortAddresses: make([]string, 0), | ||
| networkInterfacer: proxyutiltest.NewFakeNetwork(), |
There was a problem hiding this comment.
Why did this change? Maybe this is where the test break comes from.
pkg/proxy/ipvs/proxier.go
Outdated
| // make sure it does not fall within an excluded CIDR range. | ||
| okayToDelete := true | ||
| for _, excludedCIDR := range proxier.excludeCIDRs { | ||
| // Any validation of this CIDR already should have occured. |
There was a problem hiding this comment.
It seems that verify steps now include spellchecking.
W0409 19:58:08.458] pkg/proxy/ipvs/proxier.go:1474:55: "occured" is a misspelling of "occurred"
I0409 19:58:09.113] +++ exit code: 1
I0409 19:58:09.117] +++ error: 1
I0409 19:58:09.235] FAILED verify-spelling.sh 4s
4afe2b9
to
b063079
Compare
|
@pires Fixed the test failures. Any more comments on your end? |
|
@m1093782566 Any comments? |
|
LGTM except one comment. |
cmd/kube-proxy/app/server.go
Outdated
| @@ -149,6 +149,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
| fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').") | |||
| fs.DurationVar(&o.config.IPVS.SyncPeriod.Duration, "ipvs-sync-period", o.config.IPVS.SyncPeriod.Duration, "The maximum interval of how often ipvs rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.") | |||
| fs.DurationVar(&o.config.IPVS.MinSyncPeriod.Duration, "ipvs-min-sync-period", o.config.IPVS.MinSyncPeriod.Duration, "The minimum interval of how often the ipvs rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').") | |||
| fs.StringSliceVar(&o.config.IPVS.ExcludeCIDRs, "ipvs-exclude-cidrs", o.config.IPVS.ExcludeCIDRs, "A list of CIDR's which the ipvs proxier should not touch when cleaning up IPVS rules.") | |||
There was a problem hiding this comment.
Is that a comma separated list? Comment, please.
|
LGTM as well but @m1093782566 comment is spot on. |
rramkumar1
force-pushed
the
ipvs-exclude-cidrs-flag
branch
from
b063079
to
056ae44
Compare
|
Done. |
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-integration |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pires, rramkumar1, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/test pull-kubernetes-integration |
1 similar comment
|
/test pull-kubernetes-integration |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/test pull-kubernetes-e2e-kops-aws |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
It would be great if this could be cherrypicked into v1.10.x. |
|
This is a change in behavior, so I don't think that is possible. |
What this PR does / why we need it:
Add a flag to kube-proxy called --ipvs-exclude-cidrs. This flag allows a user to specify a list of CIDR ranges that should not be included in the cleanup of IPVS rules.
Fixes: #59507
Release note:
/assign @m1093782566