Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

only manage kubernetes masquerade and postrouting iptables rules in kubelet #82116

Closed
wants to merge 7 commits into from
Closed

only manage kubernetes masquerade and postrouting iptables rules in kubelet #82116

wants to merge 7 commits into from

Conversation

liuxu623
Copy link
Contributor

@liuxu623 liuxu623 commented Aug 29, 2019
edited
Loading

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind cleanup

What this PR does / why we need it:
These iptables rules already managed by kubelet, so we should remove code in iptables/ipvs proxier.

*nat
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 29, 2019
@k8s-ci-robot
Copy link
Contributor

Hi @liuxu623. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 29, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liuxu623
To complete the pull request process, please assign dnardo, random-liu
You can assign the PR to them by writing /assign @dnardo @random-liu in a comment when ready.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added area/ipvs area/kubelet sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 29, 2019
@liuxu623
Copy link
Contributor Author

/assign @dnardo @Random-Liu

@aojea aojea mentioned this pull request Aug 29, 2019
Closed
@danwinship
Copy link
Contributor

So I also just filed a bug about this, #82125.

In particular, kube-proxy has a command-line argument related to this, which needs to be dealt with as well, so it's not just a matter of deleting code.

danwinship
danwinship reviewed Aug 29, 2019
View reviewed changes
pkg/proxy/iptables/proxier.go Show resolved Hide resolved
pkg/proxy/iptables/proxier.go Outdated Show resolved Hide resolved
pkg/proxy/ipvs/proxier.go
@@ -1591,7 +1576,7 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
if chain, ok := existingNATChains[ch.chain]; ok {
writeBytesLine(proxier.natChains, chain)
} else {
writeLine(proxier.natChains, utiliptables.MakeChainLine(kubePostroutingChain))
writeLine(proxier.natChains, utiliptables.MakeChainLine(ch.chain))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

um... I'm not sure what this code is doing but this clearly changes its behavior...

Copy link
Contributor Author

@liuxu623 liuxu623 Aug 29, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this code is copy form iptables/proxier.go#L763-L778, it means if chain not exist, create it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure what the original intent here was (maybe @m1093782566 knows), but this does seem wrong but I don't think it broke anyone because we already ensure the chain exists in line 1605.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I write some test code, iptables_test1.go and iptables_test2.go, when all kube iptables chains not exist, iptables_test1.go output is

:KUBE-POSTROUTING - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-POSTROUTING - [0:0]

iptables_test2.go output is

:KUBE-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-NODE-PORT - [0:0]
:KUBE-LOAD-BALANCER - [0:0]

Copy link
Contributor Author

@liuxu623 liuxu623 Sep 5, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

And you are right, we already ensure the chain exists in line 1605, so I think we don't actually need line 1609-1622 anymore.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can do this in iptables proxier too, use iptables.EnsureChain to create not exist chains instead of iptables.RestoreAll.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Letting RestoreAll ensure the chains is more efficient than making extra EnsureChain calls. We should only call EnsureChain for the chains that we can't ensure from RestoreAll because we aren't filling in their contents. (eg, the RestoreAll input might include -j KUBE-MARK-DROP in some rule, but we can't actually define the KUBE-MARK-DROP chain in RestoreAll because we don't know exactly what the rule in that chain is supposed to be. So we should EnsureChain it.)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, so we should remove EnsureChain ? Becase we already use RestoreAll to ensure the chains exists.

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 29, 2019
@liuxu623 liuxu623 force-pushed the master branch 2 times, most recently from b9d291a to e6e7200 Compare August 30, 2019 01:07
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 4, 2019
@danwinship
Copy link
Contributor

Tim has raised some concerns about this idea in #82125, and there is also related discussion in #84945 around these rules. I think this needs a KEP to iron out the details. I'm closing this PR for now but we may be able to use some of this code later when we agree on a path forward.
/close

@k8s-ci-robot
Copy link
Contributor

@danwinship: Closed this PR.

In response to this:

Tim has raised some concerns about this idea in #82125, and there is also related discussion in #84945 around these rules. I think this needs a KEP to iron out the details. I'm closing this PR for now but we may be able to use some of this code later when we agree on a path forward.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 13, 2019
@k8s-ci-robot
Copy link
Contributor

@liuxu623: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewsykim andrewsykim andrewsykim left review comments

@danwinship danwinship danwinship left review comments

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr

@nicksardo nicksardo Awaiting requested review from nicksardo

Assignees

@Random-Liu Random-Liu

@dnardo dnardo

Labels
area/ipvs area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. release-note-none Denotes a PR that doesn't merit a release note. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@liuxu623 @k8s-ci-robot @danwinship @fejta-bot @andrewsykim @Random-Liu @dnardo