Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Ensure the KUBE-MARK-DROP chain in kube-proxy mode=ipvs #82214
What type of PR is this?
What this PR does / why we need it:
Also in dual-stack the
Which issue(s) this PR fixes:
Special notes for your reviewer:
Nobody seem to remember why the
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
Hi @uablrek. Thanks for your PR.
I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with
Once the patch is verified, the new status will be reflected by the
I understand the commands that are listed here.
mostly by analogy with
But yes, there is a race, and it makes sense for the proxy to create the chains it needs (but to leave kubelet to fill in the rules).
[APPROVALNOTIFIER] This PR is APPROVED
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
But I disagree with the proposal. IMO all binaries that uses any chain should ensure it's existence. The name "EnsureChain" is very good. The agreement should be what binary that shall remove it. There is a PR that I can't find that make sure the chain is not removed by
@uablrek So, yes, as I said above, it's good for kube-proxy to ensure that the chain exists (since they can't write out rules jumping to it otherwise), but there has to be only a single place where we add the rules to those chains, because those rules are configurable, and can change between releases, and we don't have a good way to ensure that kubelet and kube-proxy get configured the same way, and we're not guaranteed to always be running the same versions of kubelet and kube-proxy during a cluster upgrade.