kube-proxy: internal config: consolidate SyncPeriod and MinSyncPeriod

Consolidate SyncPeriod and MinSyncPeriod for internal configuration
of kube-proxy adhering to the v1alpha2 version specifications as
detailed in https://kep.k8s.io/784.

Signed-off-by: Daman Arora <[email protected]>

Author: aroradaman

cmd/kube-proxy/app/options.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/fsnotify/fsnotify"
 	"github.com/spf13/pflag"
@@ -79,6 +80,13 @@ type Options struct {
 	hostnameOverride string
 
 	logger klog.Logger
+
+	// The fields below here are placeholders for flags that can't be directly mapped into
+	// config.KubeProxyConfiguration.
+	iptablesSyncPeriod    time.Duration
+	iptablesMinSyncPeriod time.Duration
+	ipvsSyncPeriod        time.Duration
+	ipvsMinSyncPeriod     time.Duration
 }
 
 // AddFlags adds flags to fs and binds them to options.
@@ -120,11 +128,11 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.Int32Var(o.config.IPTables.MasqueradeBit, "iptables-masquerade-bit", ptr.Deref(o.config.IPTables.MasqueradeBit, 14), "If using the iptables or ipvs proxy mode, the bit of the fwmark space to mark packets requiring SNAT with.  Must be within the range [0, 31].")
 	fs.BoolVar(&o.config.Linux.MasqueradeAll, "masquerade-all", o.config.Linux.MasqueradeAll, "SNAT all traffic sent via Service cluster IPs. This may be required with some CNI plugins. Only supported on Linux.")
 	fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", ptr.Deref(o.config.IPTables.LocalhostNodePorts, true), "If false, kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost. (Applies only to iptables mode and IPv4; localhost NodePorts are never allowed with other proxy modes or with IPv6.)")
-	fs.DurationVar(&o.config.IPTables.SyncPeriod.Duration, "iptables-sync-period", o.config.IPTables.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
-	fs.DurationVar(&o.config.IPTables.MinSyncPeriod.Duration, "iptables-min-sync-period", o.config.IPTables.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.")
+	fs.DurationVar(&o.iptablesSyncPeriod, "iptables-sync-period", o.config.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
+	fs.DurationVar(&o.iptablesMinSyncPeriod, "iptables-min-sync-period", o.config.MinSyncPeriod.Duration, "The minimum period between iptables rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate iptables resync.")
 
-	fs.DurationVar(&o.config.IPVS.SyncPeriod.Duration, "ipvs-sync-period", o.config.IPVS.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
-	fs.DurationVar(&o.config.IPVS.MinSyncPeriod.Duration, "ipvs-min-sync-period", o.config.IPVS.MinSyncPeriod.Duration, "The minimum period between IPVS rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate IPVS resync.")
+	fs.DurationVar(&o.ipvsSyncPeriod, "ipvs-sync-period", o.config.SyncPeriod.Duration, "An interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.")
+	fs.DurationVar(&o.ipvsMinSyncPeriod, "ipvs-min-sync-period", o.config.MinSyncPeriod.Duration, "The minimum period between IPVS rule resyncs (e.g. '5s', '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will result in an immediate IPVS resync.")
 	fs.StringVar(&o.config.IPVS.Scheduler, "ipvs-scheduler", o.config.IPVS.Scheduler, "The ipvs scheduler type when proxy mode is ipvs")
 	fs.StringSliceVar(&o.config.IPVS.ExcludeCIDRs, "ipvs-exclude-cidrs", o.config.IPVS.ExcludeCIDRs, "A comma-separated list of CIDRs which the ipvs proxier should not touch when cleaning up IPVS rules.")
 	fs.BoolVar(&o.config.IPVS.StrictARP, "ipvs-strict-arp", o.config.IPVS.StrictARP, "Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2")
@@ -216,6 +224,8 @@ func (o *Options) Complete(fs *pflag.FlagSet) error {
 		if err := o.initWatcher(); err != nil {
 			return err
 		}
+	} else {
+		o.processV1Alpha1Flags(fs)
 	}
 
 	o.platformApplyDefaults(o.config)
@@ -302,6 +312,22 @@ func (o *Options) processHostnameOverrideFlag() error {
 	return nil
 }
 
+// processV1Alpha1Flags processes v1alpha1 flags which can't be directly mapped to internal config.
+func (o *Options) processV1Alpha1Flags(fs *pflag.FlagSet) {
+	if fs.Changed("iptables-sync-period") && o.config.Mode != kubeproxyconfig.ProxyModeIPVS {
+		o.config.SyncPeriod.Duration = o.iptablesSyncPeriod
+	}
+	if fs.Changed("iptables-min-sync-period") && o.config.Mode != kubeproxyconfig.ProxyModeIPVS {
+		o.config.MinSyncPeriod.Duration = o.iptablesMinSyncPeriod
+	}
+	if fs.Changed("ipvs-sync-period") && o.config.Mode == kubeproxyconfig.ProxyModeIPVS {
+		o.config.SyncPeriod.Duration = o.ipvsSyncPeriod
+	}
+	if fs.Changed("ipvs-min-sync-period") && o.config.Mode == kubeproxyconfig.ProxyModeIPVS {
+		o.config.MinSyncPeriod.Duration = o.ipvsMinSyncPeriod
+	}
+}
+
 // Validate validates all the required options.
 func (o *Options) Validate() error {
 	if errs := validation.Validate(o.config); len(errs) != 0 {

cmd/kube-proxy/app/options_test.go

@@ -195,6 +195,8 @@ nodePortAddresses:
 					QPS:                7,
 				},
 				ClusterCIDR:      tc.clusterCIDR,
+				MinSyncPeriod:    metav1.Duration{Duration: 10 * time.Second},
+				SyncPeriod:       metav1.Duration{Duration: 60 * time.Second},
 				ConfigSyncPeriod: metav1.Duration{Duration: 15 * time.Second},
 				Linux: kubeproxyconfig.KubeProxyLinuxConfiguration{
 					Conntrack: kubeproxyconfig.KubeProxyConntrackConfiguration{
@@ -212,18 +214,12 @@ nodePortAddresses:
 				IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{
 					MasqueradeBit:      ptr.To[int32](17),
 					LocalhostNodePorts: ptr.To(true),
-					MinSyncPeriod:      metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:         metav1.Duration{Duration: 60 * time.Second},
 				},
 				IPVS: kubeproxyconfig.KubeProxyIPVSConfiguration{
-					MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
-					ExcludeCIDRs:  []string{"10.20.30.40/16", "fd00:1::0/64"},
+					ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"},
 				},
 				NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
 					MasqueradeBit: ptr.To[int32](18),
-					MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-					SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
 				},
 				MetricsBindAddress: tc.metricsBindAddress,
 				Mode:               kubeproxyconfig.ProxyMode(tc.mode),
@@ -377,6 +373,90 @@ func TestProcessHostnameOverrideFlag(t *testing.T) {
 	}
 }
 
+// TestProcessV1Alpha1Flags tests processing v1alpha1 flags.
+func TestProcessV1Alpha1Flags(t *testing.T) {
+	testCases := []struct {
+		name     string
+		flags    []string
+		validate func(*kubeproxyconfig.KubeProxyConfiguration) bool
+	}{
+		{
+			name: "iptables configuration",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--proxy-mode=iptables",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "iptables + ipvs configuration with iptables mode",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=iptables",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "winkernel configuration",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--proxy-mode=kernelspace",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 36 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 3 * time.Second}
+			},
+		},
+		{
+			name: "ipvs + iptables configuration with ipvs mode",
+			flags: []string{
+				"--iptables-sync-period=36s",
+				"--iptables-min-sync-period=3s",
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=ipvs",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 16 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 7 * time.Second}
+			},
+		},
+		{
+			name: "ipvs configuration",
+			flags: []string{
+				"--ipvs-sync-period=16s",
+				"--ipvs-min-sync-period=7s",
+				"--proxy-mode=ipvs",
+			},
+			validate: func(config *kubeproxyconfig.KubeProxyConfiguration) bool {
+				return config.SyncPeriod == metav1.Duration{Duration: 16 * time.Second} &&
+					config.MinSyncPeriod == metav1.Duration{Duration: 7 * time.Second}
+			},
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			options := NewOptions()
+			fs := new(pflag.FlagSet)
+			options.AddFlags(fs)
+			require.NoError(t, fs.Parse(tc.flags))
+			options.processV1Alpha1Flags(fs)
+			require.True(t, tc.validate(options.config))
+		})
+	}
+}
+
 // TestOptionsComplete checks that command line flags are combined with a
 // config properly.
 func TestOptionsComplete(t *testing.T) {

cmd/kube-proxy/app/server.go

@@ -222,7 +222,7 @@ func newProxyServer(ctx context.Context, config *kubeproxyconfig.KubeProxyConfig
 	}
 
 	if len(config.HealthzBindAddress) > 0 {
-		s.HealthzServer = healthcheck.NewProxierHealthServer(config.HealthzBindAddress, 2*config.IPTables.SyncPeriod.Duration)
+		s.HealthzServer = healthcheck.NewProxierHealthServer(config.HealthzBindAddress, 2*config.SyncPeriod.Duration)
 	}
 
 	err = s.platformSetup(ctx)

cmd/kube-proxy/app/server_linux.go

@@ -178,8 +178,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipt,
 				utilsysctl.New(),
 				exec.New(),
-				config.IPTables.SyncPeriod.Duration,
-				config.IPTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
@@ -202,8 +202,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				iptInterface,
 				utilsysctl.New(),
 				exec.New(),
-				config.IPTables.SyncPeriod.Duration,
-				config.IPTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
@@ -238,8 +238,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipsetInterface,
 				utilsysctl.New(),
 				execer,
-				config.IPVS.SyncPeriod.Duration,
-				config.IPVS.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.IPVS.ExcludeCIDRs,
 				config.IPVS.StrictARP,
 				config.IPVS.TCPTimeout.Duration,
@@ -266,8 +266,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 				ipsetInterface,
 				utilsysctl.New(),
 				execer,
-				config.IPVS.SyncPeriod.Duration,
-				config.IPVS.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.IPVS.ExcludeCIDRs,
 				config.IPVS.StrictARP,
 				config.IPVS.TCPTimeout.Duration,
@@ -295,8 +295,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 			// TODO this has side effects that should only happen when Run() is invoked.
 			proxier, err = nftables.NewDualStackProxier(
 				ctx,
-				config.NFTables.SyncPeriod.Duration,
-				config.NFTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				int(*config.NFTables.MasqueradeBit),
 				localDetectors,
@@ -313,8 +313,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 			proxier, err = nftables.NewProxier(
 				ctx,
 				s.PrimaryIPFamily,
-				config.NFTables.SyncPeriod.Duration,
-				config.NFTables.MinSyncPeriod.Duration,
+				config.SyncPeriod.Duration,
+				config.MinSyncPeriod.Duration,
 				config.Linux.MasqueradeAll,
 				int(*config.NFTables.MasqueradeBit),
 				localDetectors[s.PrimaryIPFamily],

cmd/kube-proxy/app/server_windows.go

@@ -91,8 +91,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 
 	if dualStackMode {
 		proxier, err = winkernel.NewDualStackProxier(
-			config.IPTables.SyncPeriod.Duration,
-			config.IPTables.MinSyncPeriod.Duration,
+			config.SyncPeriod.Duration,
+			config.MinSyncPeriod.Duration,
 			s.Hostname,
 			s.NodeIPs,
 			s.Recorder,
@@ -103,8 +103,8 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
 	} else {
 		proxier, err = winkernel.NewProxier(
 			s.PrimaryIPFamily,
-			config.IPTables.SyncPeriod.Duration,
-			config.IPTables.MinSyncPeriod.Duration,
+			config.SyncPeriod.Duration,
+			config.MinSyncPeriod.Duration,
 			s.Hostname,
 			s.NodeIPs[s.PrimaryIPFamily],
 			s.Recorder,

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml

@@ -35,7 +35,7 @@ ipvs:
   minSyncPeriod: 0s
   scheduler: ""
   strictARP: false
-  syncPeriod: 30s
+  syncPeriod: 0s
   tcpFinTimeout: 0s
   tcpTimeout: 0s
   udpTimeout: 0s
@@ -54,8 +54,8 @@ mode: ""
 nftables:
   masqueradeAll: false
   masqueradeBit: 14
-  minSyncPeriod: 1s
-  syncPeriod: 30s
+  minSyncPeriod: 0s
+  syncPeriod: 0s
 nodePortAddresses: null
 oomScoreAdj: -999
 portRange: ""

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml

@@ -35,7 +35,7 @@ ipvs:
   minSyncPeriod: 0s
   scheduler: ""
   strictARP: false
-  syncPeriod: 30s
+  syncPeriod: 0s
   tcpFinTimeout: 0s
   tcpTimeout: 0s
   udpTimeout: 0s
@@ -54,8 +54,8 @@ mode: ""
 nftables:
   masqueradeAll: false
   masqueradeBit: 14
-  minSyncPeriod: 1s
-  syncPeriod: 30s
+  minSyncPeriod: 0s
+  syncPeriod: 0s
 nodePortAddresses: null
 oomScoreAdj: -999
 portRange: ""

pkg/proxy/apis/config/types.go

@@ -53,27 +53,11 @@ type KubeProxyIPTablesConfiguration struct {
 	// iptables mode and IPv4; localhost NodePorts are never allowed with other proxy
 	// modes or with IPv6.)
 	LocalhostNodePorts *bool
-	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
-	// various re-synchronizing and cleanup operations are performed. Must be greater
-	// than 0.
-	SyncPeriod metav1.Duration
-	// minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
-	// '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
-	// result in an immediate iptables resync.
-	MinSyncPeriod metav1.Duration
 }
 
 // KubeProxyIPVSConfiguration contains ipvs-related configuration
 // details for the Kubernetes proxy server.
 type KubeProxyIPVSConfiguration struct {
-	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
-	// various re-synchronizing and cleanup operations are performed. Must be greater
-	// than 0.
-	SyncPeriod metav1.Duration
-	// minSyncPeriod is the minimum period between IPVS rule resyncs (e.g. '5s', '1m',
-	// '2h22m'). A value of 0 means every Service or EndpointSlice change will result
-	// in an immediate IPVS resync.
-	MinSyncPeriod metav1.Duration
 	// scheduler is the IPVS scheduler to use
 	Scheduler string
 	// excludeCIDRs is a list of CIDRs which the ipvs proxier should not touch
@@ -99,14 +83,6 @@ type KubeProxyNFTablesConfiguration struct {
 	// masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
 	// the nftables proxy mode. Values must be within the range [0, 31].
 	MasqueradeBit *int32
-	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
-	// various re-synchronizing and cleanup operations are performed. Must be greater
-	// than 0.
-	SyncPeriod metav1.Duration
-	// minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
-	// '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
-	// result in an immediate iptables resync.
-	MinSyncPeriod metav1.Duration
 }
 
 // KubeProxyConntrackConfiguration contains conntrack settings for
@@ -251,6 +227,14 @@ type KubeProxyConfiguration struct {
 	// object. If unset, NodePort connections will be accepted on all local IPs.
 	NodePortAddresses []string
 
+	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+	// various re-synchronizing and cleanup operations are performed. Must be greater
+	// than 0.
+	SyncPeriod metav1.Duration
+	// minSyncPeriod is the minimum period between proxier rule resyncs (e.g. '5s',
+	// '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
+	// result in an immediate proxier resync.
+	MinSyncPeriod metav1.Duration
 	// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 	// than 0.
 	ConfigSyncPeriod metav1.Duration