
Commit 61b06f9

authored
Merge pull request #92748 from aojea/automated-cherry-pick-of-#92584-upstream-release-1.16
Automated cherry pick of #92584: kube-proxy ipvs masquerade hairpin traffic
2 parents 2e2f6f5 + 7fa266c commit 61b06f9


2 files changed

+42
-36
lines changed


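--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1462,7 +1462,15 @@ function prepare-kube-proxy-manifest-variables {
 params+=" --feature-gates=${FEATURE_GATES}"
 fi
 if [[ "${KUBE_PROXY_MODE:-}" == "ipvs" ]];then
-sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh nf_conntrack_ipv4
+# use 'nf_conntrack' instead of 'nf_conntrack_ipv4' for linux kernel >= 4.19
+# https://github.com/kubernetes/kubernetes/pull/70398
+local -r kernel_version=$(uname -r | cut -d\. -f1,2)
+local conntrack_module="nf_conntrack"
+if [[ $(printf "${kernel_version}\n4.18\n" | sort -V | tail -1) == "4.18" ]]; then
+conntrack_module="nf_conntrack_ipv4"
+fi
+
+sudo modprobe -a ip_vs ip_vs_rr ip_vs_wrr ip_vs_sh ${conntrack_module}
 if [[ $? -eq 0 ]];
 then
 params+=" --proxy-mode=ipvs"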
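Review bot: On the `if [[ $(printf "${kernel_version}\n4.18\n" ...` line the kernel version is used as printf's format string rather than as an argument, so a `%` in the `uname -r` output would be treated as a conversion specifier instead of being printed; pass it as data: `if [[ $(printf '%s\n' "${kernel_version}" 4.18 | sort -V | tail -1) == "4.18" ]]; then`. The fallback to `nf_conntrack_ipv4` for kernels up to 4.18 is keyed only on the version string, so a kernel whose conntrack module naming differs from mainline for that version would presumably still fail the modprobe; that failure is caught by the `$?` check that follows, which silently drops back to a non-ipvs proxy mode, so a one-line `echo` of the chosen `${conntrack_module}` before the modprobe would make that path diagnosable. The enclosing function `prepare-kube-proxy-manifest-variables` starts and ends outside the hunk.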

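--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -1649,6 +1649,39 @@ func (proxier *Proxier) writeIptablesRules() {
 )
 }
 
+// Install the kubernetes-specific postrouting rules. We use a whole chain for
+// this so that it is easier to flush and change, for example if the mark
+// value should ever change.
+// NB: THIS MUST MATCH the corresponding code in the kubelet
+writeLine(proxier.natRules, []string{
+"-A", string(kubePostroutingChain),
+"-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
+"-j", "RETURN",
+}...)
+// Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
+writeLine(proxier.natRules, []string{
+"-A", string(kubePostroutingChain),
+// XOR proxier.masqueradeMark to unset it
+"-j", "MARK", "--xor-mark", proxier.masqueradeMark,
+}...)
+masqRule := []string{
+"-A", string(kubePostroutingChain),
+"-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
+"-j", "MASQUERADE",
+}
+if proxier.iptables.HasRandomFully() {
+masqRule = append(masqRule, "--random-fully")
+}
+writeLine(proxier.natRules, masqRule...)
+
+// Install the kubernetes-specific masquerade mark rule. We use a whole chain for
+// this so that it is easier to flush and change, for example if the mark
+// value should ever change.
+writeLine(proxier.natRules, []string{
+"-A", string(KubeMarkMasqChain),
+"-j", "MARK", "--or-mark", proxier.masqueradeMark,
+}...)
+
 // Write the end-of-table markers.
 writeLine(proxier.filterRules, "COMMIT")
 writeLine(proxier.natRules, "COMMIT")
@@ -1707,41 +1740,6 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
 }
 }
 
-// Install the kubernetes-specific postrouting rules. We use a whole chain for
-// this so that it is easier to flush and change, for example if the mark
-// value should ever change.
-// NB: THIS MUST MATCH the corresponding code in the kubelet
-writeLine(proxier.natRules, []string{
-"-A", string(kubePostroutingChain),
-"-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
-"-j", "RETURN",
-}...)
-// Clear the mark to avoid re-masquerading if the packet re-traverses the network stack.
-writeLine(proxier.natRules, []string{
-"-A", string(kubePostroutingChain),
-// XOR proxier.masqueradeMark to unset it
-"-j", "MARK", "--xor-mark", proxier.masqueradeMark,
-}...)
-masqRule := []string{
-"-A", string(kubePostroutingChain),
-"-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
-"-j", "MASQUERADE",
-}
-if proxier.iptables.HasRandomFully() {
-masqRule = append(masqRule, "--random-fully")
-klog.V(3).Info("Using `--random-fully` in the MASQUERADE rule for iptables")
-} else {
-klog.V(2).Info("Not using `--random-fully` in the MASQUERADE rule for iptables because the local version of iptables does not support it")
-}
-writeLine(proxier.natRules, masqRule...)
-
-// Install the kubernetes-specific masquerade mark rule. We use a whole chain for
-// this so that it is easier to flush and change, for example if the mark
-// value should ever change.
-writeLine(proxier.natRules, []string{
-"-A", string(KubeMarkMasqChain),
-"-j", "MARK", "--or-mark", proxier.masqueradeMark,
-}...)
 }
 
 // getExistingChains get iptables-save output so we can check for existing chains and rules.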
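Review bot: The relocated `if proxier.iptables.HasRandomFully()` block in writeIptablesRules drops the two klog lines that the removed code in createAndLinkeKubeChain emitted, so an operator no longer gets any log signal that the MASQUERADE rule is running without `--random-fully` on an older iptables; that matters because non-randomized SNAT port selection is observable from outside the node and is the kind of posture detail people look for in logs. Logging on every sync would be noisy, so the message belongs where the proxier is constructed (outside this diff) and should fire once, e.g. keeping the removed `klog.V(2).Info("Not using --random-fully in the MASQUERADE rule for iptables because the local version of iptables does not support it")` text at that point. The `// NB: THIS MUST MATCH the corresponding code in the kubelet` comment moved with the rule text and still reads correctly in its new home, though a short comment above the block explaining why the rules are now rewritten on every sync (they are part of the natRules buffer, so presumably they must be re-emitted whenever the chain is re-declared) would save the next reader a trip through the git history. writeIptablesRules begins before the first hunk and createAndLinkeKubeChain's remaining body lies before the second, so the interaction between the two is not visible here.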
