Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only run connection-rejecting rules on new connections #60306

Merged
merged 1 commit into from
Feb 25, 2018
Merged

Only run connection-rejecting rules on new connections #60306

merged 1 commit into from
Feb 25, 2018

Conversation

danwinship
Copy link
Contributor

Kube-proxy has two iptables chains full of rules to reject incoming connections to services that don't have any endpoints. Currently these rules get tested against all incoming packets, but that's unnecessary; if a connection to a given service has already been established, then we can't have been rejecting connections to that service. By only checking the first packet in each new connection, we can get rid of a lot of unnecessary checks on incoming traffic.

Fixes #56842

Release note:

Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 23, 2018
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Feb 23, 2018
@danwinship danwinship force-pushed the proxier-connstate-new branch from 3b0f847 to 2259416 Compare February 23, 2018 13:51
@danwinship
Copy link
Contributor Author

/assign @dcbw

@danwinship danwinship mentioned this pull request Feb 23, 2018
Merged
@thockin thockin self-assigned this Feb 23, 2018
thockin
thockin reviewed Feb 23, 2018
View reviewed changes
pkg/proxy/iptables/proxier.go
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals"},
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules"},
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules"},
{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

worth making a var for this slice?

@thockin
Copy link
Member

thockin commented Feb 23, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 23, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 23, 2018
@dcbw
Copy link
Member

dcbw commented Feb 23, 2018

also /lgtm

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@thockin
Copy link
Member

thockin commented Feb 24, 2018 via email

@k8s-github-robot
Copy link

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit c11ae9d into kubernetes:master Feb 25, 2018
@danwinship danwinship mentioned this pull request Feb 26, 2018
Merged
openshift-merge-robot added a commit to openshift/origin that referenced this pull request Feb 27, 2018
@openshift-merge-robot
Merge pull request #18754 from danwinship/upstream-iptables-fixes
e2e14cb 
Automatic merge from submit-queue (batch tested with PRs 18754, 18761).

kube-proxy iptables performance fixes

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes/kubernetes#57336, kubernetes/kubernetes#56164, kubernetes/kubernetes#57461, and kubernetes/kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174
openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Feb 27, 2018
@k8s-publishing-bot
Merge pull request kubernetes#18754 from danwinship/upstream-iptables…
ecd850a 
…-fixes

Automatic merge from submit-queue (batch tested with PRs 18754, 18761).

kube-proxy iptables performance fixes

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes#57336, kubernetes#56164, kubernetes#57461, and kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174

Origin-commit: e2e14cb4fe6a6789936da736d627ae96ca822116
openshift-publish-robot pushed a commit to openshift/kubernetes that referenced this pull request Mar 5, 2018
@k8s-publishing-bot
Merge pull request kubernetes#18754 from danwinship/upstream-iptables…
1ca4d58 
…-fixes

Automatic merge from submit-queue (batch tested with PRs 18754, 18761).

kube-proxy iptables performance fixes

Pull in multiple upstream iptables fixes to improve performance in "very large clusters" (ie, Online).

Includes kubernetes#57336, kubernetes#56164, kubernetes#57461, and kubernetes#60306.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1514174

Origin-commit: e2e14cb4fe6a6789936da736d627ae96ca822116
@danwinship danwinship deleted the proxier-connstate-new branch March 26, 2018 13:27
@an1310 an1310 mentioned this pull request Mar 28, 2018
Closed
@danwinship danwinship mentioned this pull request Jun 20, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thockin thockin thockin left review comments

@freehan freehan Awaiting requested review from freehan

@justinsb justinsb Awaiting requested review from justinsb

Assignees

@thockin thockin

@dcbw dcbw

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@danwinship @thockin @k8s-ci-robot @dcbw @k8s-github-robot @fejta-bot