kube-proxy iptables performance fixes

[danwinship]

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes/kubernetes#57336, kubernetes/kubernetes#56164, kubernetes/kubernetes#57461, and kubernetes/kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174

[danwinship]

/test extended_networking

@eparis, can you compare with what we're currently doing on Online? I think we are currently hacking it with one change that effectively bypasses KUBE-SERVICES from INPUT (which has the same effect as "UPSTREAM: 56164: Split out a KUBE-EXTERNAL-SERVICES chain...") and another that adds "-m conntrack --connstate NEW", like "UPSTREAM: 60306: Only run connection-rejecting rules on new connections"

Also, do we want to backport this to 3.7 (which may require some annoying rebasing) or is just 3.9 fine at this point?

[eparis]

3.9 is fine.

[eparis]

[Unit]
Description=Temporary fix to OpenShift iptables rules on INPUT chain
After=atomic-openshift-node.service
Wants=atomic-openshift-node.service


[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=-/usr/sbin/iptables -w -N KUBE-SERVICES
ExecStart=-/usr/sbin/iptables -w -D INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
ExecStart=/usr/sbin/iptables -w -A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
ExecStart=/usr/sbin/iptables -w -I INPUT -m comment --comment "kubernetes service portals" -d 172.17.0.0/24 -j KUBE-SERVICES
ExecReload=-/usr/sbin/iptables -w -D INPUT -m comment --comment "kubernetes service portals" -d 172.17.0.0/24 -j KUBE-SERVICES
ExecReload=-/usr/sbin/iptables -w -D INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
ExecReload=/usr/sbin/iptables -w -A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
ExecReload=/usr/sbin/iptables -w -I INPUT -m comment --comment "kubernetes service portals" -d 172.17.0.0/24 -j KUBE-SERVICES
ExecStop=-/usr/sbin/iptables -w -D INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
ExecStop=-/usr/sbin/iptables -w -D INPUT -m comment --comment "kubernetes service portals" -d 172.17.0.0/24 -j KUBE-SERVICES
ExecStop=/usr/sbin/iptables -w -I INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

[eparis]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, eparis

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• vendor/k8s.io/kubernetes/pkg/OWNERS [eparis]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[smarterclayton]

/retest

…

On Tue, Feb 27, 2018 at 1:06 AM, OpenShift CI Robot < ***@***.***> wrote: @danwinship <https://github.com/danwinship>: The following tests *failed*, say /retest to rerun them all: Test name Commit Details Rerun command ci/openshift-jenkins/extended_networking_minimal a64dfec <a64dfec> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/18754/test_pull_request_origin_extended_networking_minimal/14772/> /test extended_networking_minimal ci/openshift-jenkins/end_to_end a64dfec <a64dfec> link <https://openshift-gce-devel.appspot.com/build/origin-ci-test/pr-logs/pull/18754/test_pull_request_origin_end_to_end/10008/> /test end_to_end Full PR test history <https://openshift-gce-devel.appspot.com/pr/18754>. Your PR dashboard <https://openshift-gce-devel.appspot.com/pr/danwinship>. Please help us cut down on flakes by linking to <https://github.com/kubernetes/community/blob/master/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/openshift/origin/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/devel/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because your review was requested. Reply to this email directly, view it on GitHub <#18754 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p--G69dWdA6xXtMAWZ57h2oqNIyJks5tY5tigaJpZM4ST_EH> .

[smarterclayton]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-merge-robot]

Automatic merge from submit-queue (batch tested with PRs 18754, 18761).