Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove kube-proxy userspace modes #112133

Merged
merged 1 commit into from Oct 15, 2022
Merged

Remove kube-proxy userspace modes #112133

merged 1 commit into from Oct 15, 2022

Conversation

knabben
Copy link
Member

@knabben knabben commented Aug 30, 2022
edited by thockin

What type of PR is this?

/sig network
/sig windows
/kind cleanup
/kind api-change

What this PR does / why we need it:

Remove both Linux and Windows userspace deprecated Kube-proxy modes.
Remove the UDPIdleTimeout config used only on this mode.

Which issue(s) this PR fixes:

Fixes #103860

Special notes for your reviewer:

A few points:

  • UDPIdleTimeout config is gone since only used on userspace
  • Both fallbacks do not exist anymore, so we need to agree on what will happen, fail close when it is not supported, maybe ensuring iptables and kernel space checks as a first thing?

Does this PR introduce a user-facing change?

kube-proxy: The `userspace` proxy mode (deprecated for over a year) is no longer supported on either Linux or Windows.  Users should use `iptables` or `ipvs` on Linux, or `kernelspace` on Windows.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/network Categorizes an issue or PR as relevant to SIG Network. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. sig/windows Categorizes an issue or PR as relevant to SIG Windows. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Aug 30, 2022
@knabben knabben changed the title Remove kube-proxy userspace modes [wip] Remove kube-proxy userspace modes Aug 30, 2022
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/e2e-test-framework Issues or PRs related to refactoring the kubernetes e2e test framework labels Aug 30, 2022
@k8s-ci-robot k8s-ci-robot added the sig/testing Categorizes an issue or PR as relevant to SIG Testing. label Aug 30, 2022
@k8s-ci-robot k8s-ci-robot added area/code-generation sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Aug 30, 2022
@danwinship
Copy link
Contributor

Both fallbacks do not exist anymore, so we need to agree on what will happen, fail close when it is not supported, maybe ensuring iptables and kernel space checks as a first thing?

All systems that could have run the userspace can also run the iptables proxy.

There is no longer any fallback-ing in the Linux proxy (#111806). So if someone is specifying --mode userspace, the behavior that is consistent with the rest of kube-proxy's current behavior would be to fail with an error. I'm not sure that's consistent with our deprecation rules though. (ie, this would make 1.25→1.26 upgrades fail catastrophically for anyone still using --mode userspace.) So we might want to just treat that as "warn and then fall back to iptables".

danwinship
danwinship reviewed Aug 31, 2022
View reviewed changes
cmd/kube-proxy/app/server.go Outdated
@@ -160,7 +160,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
fs.Var(&utilflag.IPPortVar{Val: &o.config.MetricsBindAddress}, "metrics-bind-address", "The IP address with port for the metrics server to serve on (set to '0.0.0.0:10249' for all IPv4 interfaces and '[::]:10249' for all IPv6 interfaces). Set empty to disable. This parameter is ignored if a config file is specified by --config.")
fs.BoolVar(&o.config.BindAddressHardFail, "bind-address-hard-fail", o.config.BindAddressHardFail, "If true kube-proxy will treat failure to bind to a port as fatal and exit")
fs.Var(utilflag.PortRangeVar{Val: &o.config.PortRange}, "proxy-port-range", "Range of host ports (beginPort-endPort, single port or beginPort+offset, inclusive) that may be consumed in order to proxy service traffic. If (unspecified, 0, or 0-0) then ports will be randomly chosen.")
fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: 'iptables' (Linux-only), 'ipvs' (Linux-only), 'kernelspace' (Windows-only), or 'userspace' (Linux/Windows, deprecated). The default value is 'iptables' on Linux and 'userspace' on Windows(will be 'kernelspace' in a future release). "+
fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: 'iptables' (Linux-only), 'ipvs' (Linux-only), 'kernelspace' (Windows-only). The default value is 'iptables' on Linux and 'kernelspace' on Windows. "+
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe rewrite this some more now that there are no overlapping Linux/Windows modes?

"Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."

?

cmd/kube-proxy/app/server_others.go
// Always ordered as IPv4, IPv6
if primaryProtocol == utiliptables.ProtocolIPv4 {
ipt[0] = iptInterface
ipt[1] = utiliptables.New(execer, utiliptables.ProtocolIPv6)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The iptinterface initialization stuff could be rewritten to make more sense now. eg, you can remove iptInterface (and ProxyServer.IptInterface) and only have ipt, and you don't even need to figure out primaryProtocol unless dualStack gets set false

(Maybe do this as an additional refactoring commit to make it more obvious that this commit is just removing userspace and nothign else.)

(Oh, I see you left a "todo" about EndpointSlices so maybe you're planning on doing another PR later?)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danwinship I would prefer to refactor this part on a separated commit and let this interface as is for now, wdyt?

On this PR already cleaned the UseEndpointSlices and forced the modes to use it by default.

cmd/kube-proxy/app/server_others.go
for _, perFamilyIpt := range ipt {
if !perFamilyIpt.Present() {
klog.V(0).InfoS("kube-proxy running in single-stack mode, this ipFamily is not supported", "ipFamily", perFamilyIpt.Protocol())
dualStack = false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(lol, this doesn't actually check that primaryProtocol is the one that's supported...)

cmd/kube-proxy/app/server_others.go Outdated
@@ -367,7 +338,7 @@ func newProxyServer(
OOMScoreAdj: config.OOMScoreAdj,
ConfigSyncPeriod: config.ConfigSyncPeriod.Duration,
HealthzServer: healthzServer,
UseEndpointSlices: useEndpointSlices,
UseEndpointSlices: true, // todo (knabben) change all places
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TODO or FIXME is more standard

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My intent is to remove the options and keep the true code path, going to fix the todo yet on this PR.

cmd/kube-proxy/app/server_others.go Outdated
@@ -571,7 +542,7 @@ func cleanupAndExit() error {

var encounteredError bool
for _, ipt := range ipts {
encounteredError = userspace.CleanupLeftovers(ipt) || encounteredError

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

possibly we should leave this for a while longer? (but if not, then you shouldn't leave a blank line behind)

cmd/kube-proxy/app/server.go Show resolved Hide resolved
cmd/kube-proxy/app/server_windows.go Outdated
}

winkernel.RegisterMetrics()
klog.V(0).InfoS("Using Kernelspace Proxier.")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure this is necessary to say any more since it's the only option?

cmd/kube-proxy/app/server_windows.go Show resolved Hide resolved
staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go Outdated
@@ -196,7 +193,7 @@ type KubeProxyConfiguration struct {
// In Linux platform, if proxy mode is blank, use the best-available proxy (currently iptables, but may change in the
// future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are
// insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs',
// and the fall back path is firstly iptables and then userspace.
// and the fall back path is firstly iptables.
//
// In Windows platform, if proxy mode is blank, use the best-available proxy (currently userspace, but may change in the
// future). If winkernel proxy is selected, regardless of how, but the Windows kernel can't support this mode of proxy,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks like you failed to remove the docs text about windows userspace

test/e2e/framework/.import-restrictions Show resolved Hide resolved
@leilajal
Copy link
Contributor

leilajal commented Sep 1, 2022

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label Sep 1, 2022
@jayunit100
Copy link
Member

@daschott just fyi for headsup userspace is going awayyyy

@jayunit100
Copy link
Member

@ibabou FYI

@daschott
Copy link
Contributor

daschott commented Sep 6, 2022

cc @sbangari FYI

@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/scalability Categorizes an issue or PR as relevant to SIG Scalability. labels Sep 7, 2022
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 20, 2023
@XinShuYang
Enable Windows ProxyAll by default
c8dc834 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 21, 2023
@XinShuYang
Enable Windows ProxyAll by default
c08fbbc 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 21, 2023
@XinShuYang
Enable Windows ProxyAll by default
d50faaa 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 21, 2023
@XinShuYang
Enable Windows ProxyAll by default
ab3e5e8 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 26, 2023
@XinShuYang
Enable Windows ProxyAll by default
038cf2c 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jun 29, 2023
@XinShuYang
Enable Windows ProxyAll by default
bf1e4be 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 3, 2023
@XinShuYang
Enable Windows ProxyAll by default
9c5a194 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 3, 2023
@XinShuYang
Enable Windows ProxyAll by default
0f26324 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 6, 2023
@XinShuYang
Enable Windows ProxyAll by default
7c85cf3 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 7, 2023
@XinShuYang
Enable Windows ProxyAll by default
86608a6 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 7, 2023
@XinShuYang
Enable Windows ProxyAll by default
c64071d 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 10, 2023
@XinShuYang
Enable Windows ProxyAll by default
c302f50 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 10, 2023
@XinShuYang
Enable Windows ProxyAll by default
477fbf3 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 10, 2023
@XinShuYang
Enable Windows ProxyAll by default
7a57cf0 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 10, 2023
@XinShuYang
Enable Windows ProxyAll by default
e2e708b 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 10, 2023
@XinShuYang
Enable Windows ProxyAll by default
77d9bdf 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 11, 2023
@XinShuYang
Enable Windows ProxyAll by default
f8ef113 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 11, 2023
@XinShuYang
Enable Windows ProxyAll by default
6acca2f 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 12, 2023
@XinShuYang
Enable Windows ProxyAll by default
e17cf93 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 12, 2023
@XinShuYang
Enable Windows ProxyAll by default
a1376de 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 13, 2023
@XinShuYang
Enable Windows ProxyAll by default
bfb8c25 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 14, 2023
@XinShuYang
Enable Windows ProxyAll by default
5fc08d9 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 14, 2023
@XinShuYang
Enable Windows ProxyAll by default
d6677b4 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 17, 2023
@XinShuYang
Enable Windows ProxyAll by default
17ed563 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 18, 2023
@XinShuYang
Enable Windows ProxyAll by default
10e1551 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 18, 2023
@XinShuYang
Enable Windows ProxyAll by default
6363ff9 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
XinShuYang added a commit to XinShuYang/antrea that referenced this pull request Jul 18, 2023
@XinShuYang
Enable Windows ProxyAll by default
ba16c30 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
tnqn pushed a commit to antrea-io/antrea that referenced this pull request Jul 18, 2023
@XinShuYang
Enable Windows ProxyAll by default (#4980)
350c760 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
shi0rik0 pushed a commit to shi0rik0/antrea that referenced this pull request Jul 19, 2023
@XinShuYang @shi0rik0
Enable Windows ProxyAll by default (antrea-io#4980)
542102c 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
shi0rik0 pushed a commit to shi0rik0/antrea that referenced this pull request Jul 19, 2023
@XinShuYang @shi0rik0
Enable Windows ProxyAll by default (antrea-io#4980)
e369eb6 
Enable windows proxyall feature by default because the kube-proxy userspace
datapath has been removed since kubernetes 1.26.
(kubernetes/kubernetes#112133)

Signed-off-by: Shuyang Xin <gavinx@vmware.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@danwinship danwinship danwinship left review comments

@thockin thockin thockin left review comments

@aojea aojea Awaiting requested review from aojea

Assignees

@danwinship danwinship

@thockin thockin

@aojea aojea

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/code-generation area/e2e-test-framework Issues or PRs related to refactoring the kubernetes e2e test framework area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/scalability Categorizes an issue or PR as relevant to SIG Scalability. sig/testing Categorizes an issue or PR as relevant to SIG Testing. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
[sig-release] Bug Triage
Archived in project
[sig-windows] PR tracking
Status: Done
Milestone
v1.26
Development

Successfully merging this pull request may close these issues.

Removing UserSpace Proxying from Kubernetes core/