clean up iptables/ipvs proxy mode descriptions a bit #44110
The iptables kube-proxy documentation notes that it has "lower system overhead", but doesn't mention what it's lower than; it's talking about the userspace proxy, which no longer exists, and which no current documentation readers would think to compare the iptables proxy mode to. Likewise, there is no point in explaining how iptables mode endpoint selection differs from userspace mode endpoint selection, because the iptables mode behaves in the way that everyone would consider normal. It was the userspace proxy that was weird, and so we had to document the *change* in behavior when we introduced the iptables proxy, but there's no reason to keep documenting "we don't do something you wouldn't have expected us to do" now.
👷 Deploy Preview for kubernetes-io-vnext-staging processing.
/sig network
My thoughts - hope these make sense?
@@ -266,7 +255,7 @@ the node before starting kube-proxy. | |||
|
|||
When kube-proxy starts in IPVS proxy mode, it verifies whether IPVS | |||
kernel modules are available. If the IPVS kernel modules are not detected, then kube-proxy | |||
falls back to running in iptables proxy mode. | |||
will exit with an error. |
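Review bot: The replacement sentence at the end of this hunk uses future tense ("will exit with an error") while the sentence before it is in present tense ("it verifies whether IPVS kernel modules are available"); write "exits with an error" so the paragraph stays consistent. With the fallback to iptables mode removed, a missing module now stops kube-proxy outright, so this paragraph should also say which modules are checked or point back to the preceding text about preparing the node before starting kube-proxy, so a reader who hits the error knows what to fix.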
will exit with an error. | |
exits with an error. Kubernetes does offer you some features that you can use to help | |
with that; for example, you can define an | |
{{< glossary_tooltip text="init container" term_id="init-container" >}} that ensures the relevant | |
modules are loaded before starting the container for `kube-proxy`. |
?
That's a separate thing really; this is about if you try to run the ipvs proxy on a system that doesn't have the relevant kernel modules available at all. (Like if you try to specify a fancy new ipvs scheduler mode on an older kernel.)
Can we document the minimum Linux kernel version for IPVS mode (maybe for different flavors, if that matters)?
I'd assumed it was 2.2.0 or something venerable, that we could assume everyone has.
Hey @danwinship! If we can land this before I freeze the website on Monday, it's good to go in with dev-1.29.
eea8460 to fb0220c
/lgtm
A review from SIG Network would be welcome.
LGTM label has been added. Git tree hash: ac8339c8a74e3ec97f8db9866ecd8cecf0413205
Move the "watches Services and EndpointSlices" and "control loop" text to the top level, since that applies to all proxy modes. Likewise, the allegedly iptables-specific graphic is actually sufficiently abstract to apply to any possible proxy. Also fix an out-of-date claim about ipvs mode falling back to iptables mode.
fb0220c to f5d05dc
/assign @aojea
/label tide/merge-method-squash
@danwinship The test cases failed due to Netlify build timeout failures.
No need to squash for 3 commits.
f5d05dc to d5c5300
/lgtm
LGTM label has been added. Git tree hash: fb5979179156812011815469b12df77bd41d4ae5
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: sftim
Noticed while adding the nftables documentation.
filing this against dev-1.29 because @sftim said to but nothing in here is new in 1.29.