Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kube-proxy mode nftables #11795

Open
RomainMou opened this issue Dec 13, 2024 · 3 comments
Open

kube-proxy mode nftables #11795

RomainMou opened this issue Dec 13, 2024 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@RomainMou
Copy link
Contributor

What would you like to be added

I would like to be able to use the kub-proxy mode nftables that seams to be the future of kube-proxy. https://kubernetes.io/docs/reference/networking/virtual-ips/#proxy-mode-nftables

Why is this needed

nftables seems to be the futur for kube-proxy, at least that what is explain here: https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/3866-nftables-proxy/README.md#the-ipvs-mode-of-kube-proxy-will-not-save-us.
@RomainMou RomainMou added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 13, 2024
@VannTen
Copy link
Contributor

VannTen commented Dec 13, 2024

This is pretty interesting. I'm not sure how much work that would be 🤔 ?

Also, is there a manual migration steps on existing clusters ? I see in your links the behaviour is slighty different on some corner cases, but do existing clusters can just switch without problems ?

@RomainMou
Copy link
Contributor Author

RomainMou commented Dec 13, 2024
edited
Loading

In the enhancement proposal, there is some information about the update / upgrade:

The new mode should not introduce any upgrade/downgrade problems, excepting that you can't downgrade or feature-disable a cluster using the new kube-proxy mode without switching it back to iptables or ipvs first. (The older kube-proxy would refuse to start if given --proxy-mode nftables, and wouldn't know how to clean up stale nftables service rules if any were present.)

When rolling out or rolling back the feature, it should be safe to enable the feature gate and change the configuration at the same time, since nothing cares about the feature gate except for kube-proxy itself. Likewise, it is expected to be safe to roll out the feature in a live cluster, even though this will result in different proxy modes running on different nodes, because Kubernetes service proxying is defined in such a way that no node needs to be aware of the implementation details of the service proxy implementation on any other node.

https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/3866-nftables-proxy#upgrade--downgrade-strategy

So I'm guessing there is no special manual migration except for the case where you use some of the behaviors that are different in this mode, but I didn't have time to test anything yet.

Another consideration is the compatibility of the network plugins, I guess.

@VannTen
Copy link
Contributor

VannTen commented Dec 13, 2024 via email

@k8s-ci-robot k8s-ci-robot added the triage/accepted Indicates an issue or PR is ready to be actively worked on. label Dec 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@VannTen @k8s-ci-robot @RomainMou