Hi @vfreex. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

I understand the commands that are listed here.

cc @MrHohn @mikedanese @dchen1107 Could you please take a look?
/sig network
/sig node
/sig cluster-lifecycle

I am not sure whether there are something missing.
Any suggestions and comments are appreciated.

/ok-to-test

Would love to hear from someone from @kubernetes/sig-network-bugs on this before approving.

What in kube-proxy loads kernel modules? Kube-proxy expects them to be already loaded, IIUC.

IPVS proxier will not work until the following kernel modules are loaded:

"ip_vs",
"ip_vs_rr",
"ip_vs_wrr",
"ip_vs_sh",
"nf_conntrack_ipv4",

Currently, we don't load them inside container since it needs to

1. mount /lib/modules/version-arch/ - I am not sure if there are some security risk.

2. It's hard to predict it exactly as we won't know which kernel version is currently being used at the host system. For instance, ip_vs_rr module in my box has many versions of ipvs_vs_rr.ko.

/lib/modules/3.10.0-327.el7.x86_64/kernel/net/netfilter/ipvs/ip_vs_rr.ko
/lib/modules/3.10.0-514.16.1.el7.x86_64/kernel/net/netfilter/ipvs/ip_vs_rr.ko
/lib/modules/3.10.0-514.26.2.el7.x86_64/kernel/net/netfilter/ipvs/ip_vs_rr.ko

/cc @dhilipkumars @cmluciano

If the issues I mentioned are not real problem, I am green at this PR.

@m1093782566

1. Determining the version of kernel should not be necessary if we mount the whole /lib/modules .
   The kernel should be able to load the correct version of .ko files.
2. The kube-proxy is already a privileged container, it actually can do nearly everything. I think it won't increase much security risk.

This approach is verified by manually starting a Docker container and load it inside a container.
I will verify this by running a real kube-proxy container, to check if there are something missing.

What in kube-proxy loads kernel modules? Kube-proxy expects them to be already loaded, IIUC.

This matches some of the functionality that I've noted.

Instead of mounting all modules, why not set the explicit settings for IPVS if detected here?

It appears that we enable some of these explicitly upon ipvs proxy creation here. Is it expected that we already have access to the modules directory since we are privileged? Similar module setup happens in conntrack.

I also see that some cluster CNI deployers are mounting in the /lib/modules entirely. It seems that there is precedent for this, but I am sympathetic to the possible risks of mounting this path full-stop albeit read-only.

cc @dcbw Any opinions on this?

@cmluciano

Instead of mounting all modules, why not set the explicit settings for IPVS if detected here?

Sorry, I don't fully understand your meaning.

It appears that we enable some of these explicitly upon ipvs proxy creation here.

We write some sysctl ariables there, but didn't load any kernel modules there.

Similar module setup happens in conntrack.

I assume we can read/write the conntrack file in /sys/modules since the module has been already loaded in host?

I also see that some cluster CNI deployers are mounting in the /lib/modules entirely.

Yes. This is the key of our discussion. Should we load entire /lib/modules? I remember you put forward some comments on it in #46580. Since there is a precedent in CNI, I feel the way of loading lib/modules entirely is not too suddenly now :)

@m1093782566
Hi, do you know where the dockerfile of gcr.io/google-containers/kube-proxy is?

xref: build/debian-iptables/Dockerfile

Good luck :)

Reposting from PR:51874
IMHO Highly recommend way would be to de-couple and insert such pre-start tests in the initContainers in kube-proxy's daemonset definition.

We should also document this elaborately in the user guides on how users can safely check ipvs prerequisite before starting to use them in their k8s setup?

Sorry for my late update.
I did a lot of tests of checking if ip_vs kernel modules are loaded automatically when the kube-proxy is running in a pod.

I tried running gcr.io/google-containers/kube-proxy on different nodes with different Linux distributions.
The following are what I find:

1. The ip_vs kernel modules are loaded automatically if the node is running Debian/Ubuntu.
2. The ip_vs kernel modules cannot be loaded automatically if the node is running Fedora/RHEL7/CentOS7. I will explain the root cause later.

The ip_vs kernel modules are actually loaded by

Kernel modules shipped with latest Fedora/RHEL7/CentOS7 are compressed with xz (lzma). However,
The gcr.io/google-containers/kube-proxy image includes a modprobe binary shipped with Debian 8's kmod package that was compiled without xz support.
So when kube-proxy tries to load the kernel modules, it will get an error like this:

insmod /lib/modules/4.12.11-300.fc26.x86_64/kernel/net/netfilter/ipvs/ip_vs.ko.xz 
modprobe: ERROR: could not insert 'ip_vs': Exec format error

After recompiling the kmod package in containers with ./configure --with-xz, kube-proxy is able to load the kernel modules automatically.

Hence, the kmod auto-loading feature proposed by this PR doesn't work on the node that shipped with compressed kernel modules, because the kmod package included in gcr.io/google-containers/kube-proxy image was compiled without compressed .ko support.

@vfreex

I appreciate your information, it's really impressive!

@vfreex thanks for the update the kernel versions of Debian/Ubuntu and Fedora/RHEL7/CentOS7 are the same in your test? If Debian is slightly behind then moment it starts supporting latest kernel it would have the same problem isnt it?
It would be great to see if someone had a chance to try this with coreos.

@dhilipkumars The kernel versions are not the same, from 3.10 to 4.12. All distributions are running their distribution-shipped kernels.
modprobe was run in gcr.io/google-containers/kube-proxy containers, whose image is Debian 8 Based. The problem is not the kernel version, but the modprobe binary in the gcr.io/google-containers/kube-proxy, which doesn't support loading xz compressed kernel modules.

thockin +1
If this is done in an init container, you should determine what kernel modules should be used in advance and write script to do that. Doing this is kube-proxy container is able to do it in an automated manner.

Per many suggestions above, could we open an issue and link it in a TODO comment to track the works of moving such functionality into init container? It does sound complicated and we could have further discussion.

Also an interesting article about allowing CAP_NET_ADMIN to load network modules: https://lwn.net/Articles/430462/

+1

To startwith what if initContainers loaded all the related modules that are necessary for kube-proxy? regardless of the options used?
Kube-proxy is anyways authorized to use either set of the moulels be it ipvs or iptables.

I feel it is still worthy to isolate this setup logic from the actual code? It gives the customers freedom to change any command line options etc in the future according to their environment/distrubution.

From kubeproxy standpoint it should just errorout or fallback if such modules are not available to it.

Can we get this PR in for now? IPVS beta work(running e2e tests in upstream CI for IPVS proxier) relies on this PR.

Per #52003 (comment), I opened #54497 to track the init container work and LGTMing this.

/lgtm

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrHohn, vfreex

Associated issue: 51874

The full list of commands accepted by this bot can be found here.

/retest

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

/test all [submit-queue is verifying that this PR is safe to merge]

@vfreex: The following test failed, say /retest to rerun them all:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Automatic merge from submit-queue (batch tested with PRs 52003, 54559, 54518). If you want to cherry-pick this change to another branch, please follow the instructions here.