-
Notifications
You must be signed in to change notification settings - Fork 14.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add proxy-mode:ipvs in service.md #5571
Conversation
Deploy preview ready! Built with commit 8ce0c77 https://deploy-preview-5571--kubernetes-io-master-staging.netlify.com |
cc @m1093782566 , I added some description about ipvs mode, maybe you can help me review this, thanks |
|
||
In this mode, kube-proxy watches the Kubernetes master for the addition and | ||
removal of `Service` and `Endpoints` objects. For each `Service` it installs | ||
iptables rules which direct requests for TCP/UDP based services to one of the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/iptables/ipvs
Please ref: kubernetes/community#692, you can do better. |
@m1093782566 Thanks, I thought now it's better. |
### Proxy-mode: ipvs | ||
|
||
In this mode, kube-proxy watches Kubernetes `services` and `endpoints`, | ||
call `netlink` interface create ipvs `virtual server` and `real server` accordingly. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and it creates IPVS "virtual server" and "real server" accordingly.
- a reader doesn't care the fact that
netlink
interface exists and gets called; virtual server
andreal server
are not supposed to be verbatim.
table as the underlying data structure and work in the kernal state. | ||
That means ipvs redirects traffic can be much faster, and have much | ||
better performance when sync proxy rules. Furthermore, ipvs provides more | ||
options for load balancing algorithm, such as: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please fix the grammar errors.
Self /assign @m1093782566 for technical review. |
consistent with the expectation. When access the `service`, traffic will | ||
be redirect to one of the backend `pod`. | ||
|
||
Ipvs based on netfilter hook function, like iptables proxy, but use hash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Similar to iptables, IPVS is based on netfilter...
**Note:** ipvs mode assumed IPVS kernel modules are installed on the node | ||
before running kube-proxy. When kube-proxy starts, if proxy mode is ipvs, | ||
kube-proxy would validate if IPVS modules are installed on the node, if | ||
it's not installed kube-proxy will fall back to userspace proxy mode. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
userspace -> iptables
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ipvs.CanUseIPVSProxier will return (false, error) if ipvs modules are not installed. so kube-proxy will fall back to userspace proxy mode.
I am not sure if I am missing something. @m1093782566 @dujun1990
func tryIPVSProxy(iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
// guaranteed false on error, error only necessary for debugging
// IPVS Proxier relies on iptables
useIPVSProxy, err := ipvs.CanUseIPVSProxier()
if err != nil {
utilruntime.HandleError(fmt.Errorf("can't determine whether to use ipvs proxy, using userspace proxier: %v", err))
return proxyModeUserspace
}
if useIPVSProxy {
return proxyModeIPVS
}
// TODO: Check ipvs version
// Try to fallback to iptables before falling back to userspace
glog.V(1).Infof("Can't use ipvs proxier, trying iptables proxier")
return tryIPTablesProxy(iptver, kcompat)
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, that's not intended - I assume it's a bug. See bug fix in kubernetes/kubernetes#54120. FYI
@@ -203,6 +203,35 @@ having working [readiness probes](/docs/tasks/configure-pod-container/configure- | |||
|
|||
![Services overview diagram for iptables proxy](/images/docs/services-iptables-overview.svg) | |||
|
|||
### Proxy-mode: ipvs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should say [alpha]
and/or have some sort of note in bold letters at the top that this is an alpha feature and not recommended for production clusters yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this needs to note that this is an alpha feature, and list any limitations.
FYI, you can use the call out formatting for the note: https://kubernetes.io/docs/home/contribute/style-guide/#callout-formatting |
+1 |
Ping @Lion-Wei. It looks like this is very close to being ready. |
ping @Lion-Wei |
@m1093782566 @chenopis @caseydavenport , thank you all, sorry did't fix this in time. |
@Lion-Wei @m1093782566 @tengqm @carlory @caseydavenport Is this ready to merge? If so, can one of you give tech approval? Thanks. |
/cc @m1093782566 @carlory @caseydavenport @steveperry-53 , slightly cc. : ) |
This change is