6032: initial proposal for localhost NodePort userspace proxy #6042

AustinAbro321 wants to merge 2 commits into kubernetes:master from
Welcome @AustinAbro321!

Hi @AustinAbro321. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
a626812 to bac3edc
## Summary

This KEP proposes implementing a userspace proxy to enable localhost NodePort services across all proxy backends. The iptables proxy already works with localhost NodePorts; however, it requires enabling a dangerous permission, `route_localnet`, on each node to allow the kernel to rewrite traffic to localhost. By instead rewriting traffic directly at the userspace level, no extra permissions are set, and localhost NodePorts will work on all proxy backends and IPv6.
Question for sig leads: do we want to add this feature to IPVS, given that it's deprecated?
I was also curious on this. I'm fine with the decision either way
Signed-off-by: Austin Abro <austinabro321@gmail.com>
c4e1075 to a67ae3d
Oh, you may also need a file in
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: AustinAbro321. The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
c291053 to 9b1f3fb
Add a userspace TCP-only proxy to "kube-proxy" that listens on the loopback address (`127.0.0.1` / `::1`) for each NodePort and forwards connections to a service's endpoints. Each backend proxy (`iptables`, `nftables`, `ipvs`) instantiates this proxy when `--nodeport-addresses` contains a loopback CIDR, and reconciles its set of listeners on every sync.
`iptables` and `ipvs` default to `0.0.0.0/0` or `::/0`, allowing all IPs, including localhost, when `--nodeport-addresses` is unset. `nftables` currently defaults to `primary`, accepting connections only to the node IP. `nftables` will begin defaulting to `primary,<loopback-address>` to include localhost. The `--nodeport-addresses` flag will change to allow using the `primary` keyword alongside IP addresses.
Changing the default of nftables might be controversial. LMK thoughts @danwinship
9b1f3fb to 0f8b0f1
I have a metric in this proposal, though I am uncertain of its value. I'm open to alternative ideas for metrics.