Fix redundancy in kube-proxy iptables and ipvs docs

Move the "watches Services and EndpointSlices" and "control loop" text to the top level, since that applies to all proxy modes. Likewise, the allegedly iptables-specific graphic is actually sufficiently abstract to apply to any possible proxy. Also fix an out-of-date claim about ipvs mode falling back to iptables mode.
kubernetes · Nov 27, 2023 · 74a0da8 · 74a0da8
1 parent d6f0778
commit 74a0da8
Showing 1 changed file with 20 additions and 19 deletions.
diff --git a/content/en/docs/reference/networking/virtual-ips.md b/content/en/docs/reference/networking/virtual-ips.md
@@ -14,6 +14,18 @@ The `kube-proxy` component is responsible for implementing a _virtual IP_
 mechanism for {{< glossary_tooltip term_id="service" text="Services">}}
 of `type` other than
 [`ExternalName`](/docs/concepts/services-networking/service/#externalname).
+Kube-proxy watches the Kubernetes {{< glossary_tooltip
+term_id="control-plane" text="control plane" >}} for the addition and
+removal of Service and EndpointSlice {{< glossary_tooltip
+term_id="object" text="objects." >}} For each Service, kube-proxy
+calls appropriate APIs (depending on the kube-proxy mode) to configure
+the node to capture traffic to the Service's `clusterIP` and `port`,
+and redirect that traffic to one of the Service's endpoint IPs
+(usually a Pod, but possibly an arbitrary user-provided IP). A control
+loop ensures that the rules on each node are reliably synchronized with
+the Service and EndpointSlice state as indicated by the API server.
+
+{{< figure src="/images/docs/services-iptables-overview.svg" title="Virtual IP mechanism for Services, using iptables mode" class="diagram-medium" >}}
 
 A question that pops up every now and then is why Kubernetes relies on
 proxying to forward inbound traffic to backends. What about other
@@ -57,7 +69,7 @@ The kube-proxy starts up in different modes, which are determined by its configu
 On Linux nodes, the available modes for kube-proxy are:
 
 [`iptables`](#proxy-mode-iptables)
-: A mode where the kube-proxy configures packet forwarding rules using iptables, on Linux.
+: A mode where the kube-proxy configures packet forwarding rules using iptables.
 
 [`ipvs`](#proxy-mode-ipvs)
 : a mode where the kube-proxy configures packet forwarding rules using ipvs.
@@ -74,18 +86,10 @@ There is only one mode available for kube-proxy on Windows:
 
 _This proxy mode is only available on Linux nodes._
 
-In this mode, kube-proxy watches the Kubernetes
-{{< glossary_tooltip term_id="control-plane" text="control plane" >}} for the addition and
-removal of Service and EndpointSlice {{< glossary_tooltip term_id="object" text="objects." >}}
-For each Service, it installs
-iptables rules, which capture traffic to the Service's `clusterIP` and `port`,
-and redirect that traffic to one of the Service's
-backend sets. For each endpoint, it installs iptables rules which
-select a backend Pod.
-
-By default, kube-proxy in iptables mode chooses a backend at random.
-
-{{< figure src="/images/docs/services-iptables-overview.svg" title="Virtual IP mechanism for Services, using iptables mode" class="diagram-medium" >}}
+In this mode, kube-proxy configures packet forwarding rules using the
+iptables API of the kernel netfilter subsystem. For each endpoint, it
+installs iptables rules which, by default, select a backend Pod at
+random.
 
 #### Example {#packet-processing-iptables}
 
@@ -193,11 +197,8 @@ and is likely to hurt functionality more than it improves performance.
 
 _This proxy mode is only available on Linux nodes._
 
-In `ipvs` mode, kube-proxy watches Kubernetes Services and EndpointSlices,
-calls `netlink` interface to create IPVS rules accordingly and synchronizes
-IPVS rules with Kubernetes Services and EndpointSlices periodically.
-This control loop ensures that IPVS status matches the desired state.
-When accessing a Service, IPVS directs traffic to one of the backend Pods.
+In `ipvs` mode, kube-proxy uses the kernel IPVS and iptables APIs to
+create rules to redirect traffic from Service IPs to endpoint IPs.
 
 The IPVS proxy mode is based on netfilter hook function that is similar to
 iptables mode, but uses a hash table as the underlying data structure and works
@@ -252,7 +253,7 @@ the node before starting kube-proxy.
 
 When kube-proxy starts in IPVS proxy mode, it verifies whether IPVS
 kernel modules are available. If the IPVS kernel modules are not detected, then kube-proxy
-falls back to running in iptables proxy mode.
+will exit with an error.
 {{< /note >}}
 
 {{< figure src="/images/docs/services-ipvs-overview.svg" title="Virtual IP address mechanism for Services, using IPVS mode" class="diagram-medium" >}}