hyperkube: Build debian-hyperkube-base v1.1.0 image #92354
- Use debian-iptables v12.1.0 as base image

  Should ensure kube-proxy behaves the same in hyperkube as it would for the standard kube-proxy image.
- Removes the following packages (which are already present in the debian-iptables image):
  - conntrack
  - ebtables
  - iptables
  - ipset
  - kmod
  - netbase

Signed-off-by: Stephen Augustus <saugustus@vmware.com>
/assign @BenTheElder @danwinship @cblecker cc-ing reporters/commenters:
/release-note-none
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: BenTheElder, justaugustus
The full list of commands accepted by this bot can be found here.
The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
On Tue, Jun 23, 2020 at 5:33 PM Kubernetes Prow Robot wrote:
[APPROVALNOTIFIER] This PR is *APPROVED*
This pull-request has been approved by: *BenTheElder*, *justaugustus*
The full list of commands accepted by this bot can be found here.
The pull request process is described here
<https://git.k8s.io/community/contributors/guide/owners.md#the-code-review-process>
Needs approval from an approver in each of these files:
- build/OWNERS
<https://github.com/kubernetes/kubernetes/blob/release-1.18/build/OWNERS>
[BenTheElder]
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
/test pull-kubernetes-integration
/test pull-kubernetes-integration
/test pull-kubernetes-e2e-gce-100-performance
/test pull-kubernetes-verify
I think there is a deeper problem with current iptables selection logic. There are manifests that still are hardcoded to use iptables-legacy. At least, dns-node-cache and flannel. If one of these manifests is used on the cluster, it creates enough legacy rules to force kube-proxy to legacy mode. On normal startup it is impossible, but think about a pod restart....
kube-proxy shouldn't be starting after pods like dns-node-cache and flannel on normal startup, and on pod restart it shouldn't be a problem if the other network tools in use also correctly implement something like this if they use iptables. If they don't implement this, those tools already left the system broken if the host used iptables / nft not matching them, and kube proxy is matching the host.
/retest
/test pull-kubernetes-e2e-gce-100-performance
On restart kube-proxy will also have lots of old kube-proxy rules.
/test pull-kubernetes-e2e-kind
/test pull-kubernetes-e2e-kind
This flake is a known problematic test.
https://prow.k8s.io/view/gcs/kubernetes-jenkins/pr-logs/pull/92354/pull-kubernetes-e2e-kind/1275668877891604482
The following flake with the base image though, that one is ??
On Tue, Jun 23, 2020, 23:48 Stephen Augustus wrote:
/test pull-kubernetes-e2e-kind
/test pull-kubernetes-e2e-kind
This makes sense. But you probably should mention this in release notes and/or docs. So maintainers of these tools will know what they should do and why. Also, the recommendation to unload/blacklist ip_tables kernel module might help. So people will know what breaks and why.
agree re: relnotes @justaugustus
Where are you seeing that failure?
This PR only builds the new image, which is why it doesn't include a release note.
ack re the failure: the last kind flake, it's not related to this PR, but it is very ??
What type of PR is this?
/kind regression
/area dependency
/priority critical-urgent
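What this PR does / why we need it:
- Use debian-iptables v12.1.0 as base image

  Should ensure kube-proxy behaves the same in hyperkube as it would for the standard kube-proxy image.
- Removes the following packages (which are already present in the debian-iptables image):
  - conntrack
  - ebtables
  - iptables
  - ipset
  - kmod
  - netbase

Signed-off-by: Stephen Augustus <saugustus@vmware.com>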
Which issue(s) this PR fixes:
Attempt to fix #92275, #92272, #92250.
Should supersede #92281.
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: