Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dualstack support for kube-proxy iptables mode #82462

Merged
merged 1 commit into from
Jan 7, 2020
Merged

Dualstack support for kube-proxy iptables mode #82462

merged 1 commit into from
Jan 7, 2020

Conversation

vllry
Copy link
Contributor

@vllry vllry commented Sep 8, 2019
edited
Loading

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

kube-proxy: Added dual-stack IPv4/IPv6 support to the iptables proxier.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. sig/network Categorizes an issue or PR as relevant to SIG Network. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Sep 8, 2019
@vllry vllry force-pushed the dualstack-iptables branch from 896405c to c8f301b Compare September 8, 2019 05:32
@vllry
Copy link
Contributor Author

vllry commented Sep 8, 2019

/uncc @nicksardo
/uncc @caseydavenport

@vllry vllry force-pushed the dualstack-iptables branch 4 times, most recently from ac34b97 to 17dcc69 Compare September 12, 2019 05:27
@vllry vllry force-pushed the dualstack-iptables branch 2 times, most recently from c3db649 to f64d914 Compare September 12, 2019 05:56
@vllry vllry mentioned this pull request Sep 12, 2019
Closed
@vllry vllry force-pushed the dualstack-iptables branch from f64d914 to 735881c Compare September 12, 2019 07:17
@aojea
Copy link
Member

aojea commented Sep 12, 2019

/test pull-kubernetes-integration

@aojea aojea mentioned this pull request Sep 12, 2019
Merged
8 tasks
@vllry vllry force-pushed the dualstack-iptables branch from 735881c to cab0a8f Compare September 14, 2019 21:38
@vllry
Copy link
Contributor Author

vllry commented Sep 15, 2019

/test pull-kubernetes-kubemark-e2e-gce-big

@vllry vllry force-pushed the dualstack-iptables branch from 23cb1fe to 7bd40f2 Compare December 17, 2019 06:48
@vllry vllry force-pushed the dualstack-iptables branch from 7bd40f2 to 23957a6 Compare December 17, 2019 06:50
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Dec 17, 2019
thockin
thockin reviewed Dec 17, 2019
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

relatively minor comments from me, I think, and even these could be done in a followup unless someone disagrees strongly?

cmd/kube-proxy/app/server_others.go
klog.V(0).Info("creating dualStackProxier for iptables.")

// Create iptables handlers for both families, one is already created
// Always ordered as IPv4, IPv6
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be fair, this is copying the ipvs logic. If we want to raise the bar, we should do so for both proxiers.

Perhaps, instead of [2]utiliptables.Interface it should be a map[core.IPFamily]utiliptables.Interface. Remove order from the equasion, since that seems to be meaningless anyway (and assumed ordering is bound to explode on us some day).

cmd/kube-proxy/app/server_others.go
@@ -164,6 +164,56 @@ func newProxyServer(
healthzServer,
config.NodePortAddresses,
)

if utilfeature.DefaultFeatureGate.Enabled(features.IPv6DualStack) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ipvs follows this same logic. If dual-stack is enabled, make a dual-stack proxier. We want to diminish the meaning of cluster-cidr here, so I do not think testing that should be used. TL;DR is that we have no real way to know whether dual-stack is enabled or not except to try it, and even that could change at run time. Very little cost (I think) to setting up both modes, but we do need to handle failure gracefully if dual-stack is enabled on a single-stack node.

pkg/proxy/iptables/proxier.go
nodePortAddresses []string,
) (proxy.Provider, error) {
// Create an ipv4 instance of the single-stack proxier
ipv4Proxier, err := NewProxier(ipt[0], sysctl,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ipt[] is now guaranteed to be v4, v6. Are clusterCidr[] and nodeIP? It seems they are, though same comments as above - perhaps turning it into maps would be better

@thockin
Copy link
Member

thockin commented Dec 17, 2019

In other words, I will approve and hold, @vllry can decide to clear the hold or fix now.

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 17, 2019
@thockin
Copy link
Member

thockin commented Dec 17, 2019

/retest

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: thockin, vllry

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 17, 2019
@vllry
Copy link
Contributor Author

vllry commented Dec 17, 2019

Perhaps, instead of [2]utiliptables.Interface it should be a map[core.IPFamily]utiliptables.Interface. Remove order from the equasion, since that seems to be meaningless anyway (and assumed ordering is bound to explode on us some day).

I do prefer this idea, I think it was actually in an earlier draft of this PR. Would probably suggest this be a followup, and I'll try to handle the other suggestions before merging.

@danwinship
Copy link
Contributor

In other words, I will approve and hold

except you forgot to actually
/hold
🙂

(Assuming the hold is wanted since @vllry said she was going to address your other suggestions.)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 17, 2019
@thockin
Copy link
Member

thockin commented Dec 17, 2019

@vllry my comments seem to be exclusively about maps. If you want to do a follow-up, feel free to clear the hold.

Thanks @danwinship for catching my flub

@aojea aojea mentioned this pull request Jan 2, 2020
Closed
@vllry
Copy link
Contributor Author

vllry commented Jan 7, 2020

Thanks everything, this was a very long time coming. Will look at the map/ordering comments as followups, as they address issues that existed prior to this PR.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jan 7, 2020
@vllry
Copy link
Contributor Author

vllry commented Jan 7, 2020

/retest

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel or /hold comment for consistent failures.

@aojea
Copy link
Member

aojea commented Jan 7, 2020

/retest
known flake #75355

@k8s-ci-robot k8s-ci-robot merged commit 5373fa3 into kubernetes:master Jan 7, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jan 7, 2020
@lachie83
Copy link
Member

lachie83 commented Jan 7, 2020

What what!!!

@lachie83
Copy link
Member

lachie83 commented Jan 7, 2020

Awesome work getting this merged. Thank you very much @vllry and sig-network!

@vllry vllry mentioned this pull request Jan 13, 2020
Closed
@neolit123 neolit123 mentioned this pull request Feb 28, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mars1024 mars1024 mars1024 left review comments

@khenidak khenidak khenidak left review comments

@aojea aojea aojea left review comments

@thockin thockin thockin left review comments

@anguslees anguslees anguslees left review comments

Assignees

@danwinship danwinship

@nicksardo nicksardo

@robscott robscott

@caseydavenport caseydavenport

@thockin thockin

@khenidak khenidak

@dcbw dcbw

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/ipvs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
v1.18
Development

Successfully merging this pull request may close these issues.