-
Notifications
You must be signed in to change notification settings - Fork 39.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clear conntrack entries on 0 -> 1 endpoint transition with externalIPs #75265
Clear conntrack entries on 0 -> 1 endpoint transition with externalIPs #75265
Conversation
Hi @JacobTanenbaum. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@dcbw PTAL |
/ok-to-test |
/area kube-proxy |
/lgtm |
/priority important-soon |
/milestone v1.14 |
/hold |
@spiffxp without this addition udp services with external IPs are broken if there is a stream of packets active when all endpoints go down and are restarted |
@spiffxp if at all possible we'd like to get this fix into v1.14. If that's not possible, we might be OK with an /approve-for-1.14.1 |
/assign @freehan |
LGTM |
This PR #73323 should have covered the case right? |
@freehan ideally it should have, PR #73323 cleans up conntrack entries for entries in endpointUpdateResult.StaleEndpoints which handles when an endpoint gets deleted. It does not account for clearing on endpoint creation (which only needs conntrack to be cleared when going from 0 -> 1 endpoints backing the service) which is accounted for in endpointUpdateResult.StaleServiceNames |
looks fairly important for me for stability of 1.14.0. /approve leaving the hold to @spiffxp |
As part of the endpoint creation process when going from 0 -> 1 conntrack entries are cleared. This is to prevent an existing conntrack entry from preventing traffic to the service. Currently the system ignores the existance of the services external IP addresses, which exposes that errant behavior This adds the externalIP addresses of udp services to the list of conntrack entries that get cleared. Allowing traffic to flow Signed-off-by: Jacob Tanenbaum <[email protected]>
6791eb9
to
c354816
Compare
@JacobTanenbaum thanks for the update that also fixes IPVS. |
/retest |
2 similar comments
/retest |
/retest |
/hold cancel |
/retest |
@JacobTanenbaum @thockin The Code Thaw is starting tomorrow, Tuesday PST EOD. Would it be possible for this PR to get reviewed and approved by then? Otherwise it'll have to compete with bunch of other PRs post-thaw. |
@@ -673,6 +673,9 @@ func (proxier *Proxier) syncProxyRules() { | |||
if svcInfo, ok := proxier.serviceMap[svcPortName]; ok && svcInfo != nil && svcInfo.GetProtocol() == v1.ProtocolUDP { | |||
klog.V(2).Infof("Stale udp service %v -> %s", svcPortName, svcInfo.ClusterIPString()) | |||
staleServices.Insert(svcInfo.ClusterIPString()) | |||
for _, extIP := range svcInfo.ExternalIPStrings() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we catch status.ingress.ip too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@thockin yes we should catch status.ingress.ip also. I will submit another PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving for velcoity but is this complete?
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JacobTanenbaum, nikopen, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
As part of the endpoint creation process when going from 0 -> 1 conntrack entries
are cleared. This is to prevent an existing conntrack entry from preventing traffic
to the service. Currently the system ignores the existance of the services external IP
addresses, which exposes that errant behavior
This adds the externalIP addresses of udp services to the list of conntrack entries that
get cleared. Allowing traffic to flow
Signed-off-by: Jacob Tanenbaum [email protected]
/kind bug
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: