This repository has been archived by the owner on Jun 29, 2022. It is now read-only.

Expose --conntrack-max-per-core kube-proxy flag
This commit exposes the --conntrack-max-per-core kube-proxy flag in the
kubernetes Helm chart and adds the plumbing required to expose it to the
user through HCL.

It also adds sample usage to CI configuration and e2e tests to verify
that settings are properly applied.

Closes #1081

Signed-off-by: Mateusz Gozdek <mateusz@kinvolk.io>
invidian committed Nov 20, 2020
1 parent ef6488d commit 62f1d0a
Showing 29 changed files with 511 additions and 125 deletions.
Expand Up @@ -42,6 +42,9 @@ spec:
- --proxy-mode=iptables
- --metrics-bind-address=$(HOST_IP)
- --healthz-bind-address=$(HOST_IP)
{{- if not (eq (int .Values.kubeProxy.conntrackMaxPerCore) 32768) }}
- --conntrack-max-per-core={{ .Values.kubeProxy.conntrackMaxPerCore }}
{{- end }}
env:
- name: NODE_NAME
valueFrom:
1 change: 1 addition & 0 deletions assets/charts/control-plane/kubernetes/values.yaml
Expand Up @@ -12,6 +12,7 @@ kubeProxy:
image: k8s.gcr.io/kube-proxy:v1.19.3
podCIDR: 10.2.0.0/16
trustedCertsDir: /usr/share/ca-certificates
conntrackMaxPerCore: 32768
kubeScheduler:
image: k8s.gcr.io/kube-scheduler:v1.19.3
controlPlaneReplicas: 1
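Review bot: The default added as `conntrackMaxPerCore: 32768` is not just a value, it is the sentinel the kube-proxy template keys on — the flag is emitted only when the value differs from 32768 (presumably kube-proxy's own built-in default), so a user who sets 32768 explicitly gets no flag at all, and if a later kube-proxy release changes its default the chart silently diverges from what this file appears to promise. That contract is invisible from values.yaml, so a comment on the key would help: `# Rendered as --conntrack-max-per-core unless it equals 32768 (kube-proxy's built-in default, flag omitted); 0 leaves the node's nf_conntrack_max untouched.` Whether the hidden sentinel still matches the default of the pinned `k8s.gcr.io/kube-proxy` image is worth re-checking on every image bump.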
Expand Up @@ -33,4 +33,6 @@ module "bootkube" {
encrypt_pod_traffic = var.encrypt_pod_traffic

ignore_x509_cn_check = var.ignore_x509_cn_check

conntrack_max_per_core = var.conntrack_max_per_core
}
Expand Up @@ -196,3 +196,8 @@ variable "ignore_x509_cn_check" {
type = bool
default = false
}

variable "conntrack_max_per_core" {
description = "--conntrack-max-per-core value for kube-proxy. Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min)."
type = number
}
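Review bot: `variable "conntrack_max_per_core"` is declared without a `default`, unlike the sibling `ignore_x509_cn_check` directly above it, so any caller that invokes this platform module directly rather than through generated configuration now fails with a missing-variable error until it passes a value; that is fine for lokoctl-driven use but is a breaking change for hand-written module calls. If kube-proxy's built-in default is the intended fallback, `default = 32768` keeps older callers working and lines up with the chart's values.yaml default. The description is also copied from kube-proxy's help text and mentions `conntrack-min`, which this module does not expose; rewording the parenthetical to what 0 means here (`0 leaves the kernel's nf_conntrack_max untouched and disables kube-proxy's conntrack sizing entirely`) is clearer for someone reading only the module interface.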
Expand Up @@ -26,4 +26,6 @@ module "bootkube" {
encrypt_pod_traffic = var.encrypt_pod_traffic

ignore_x509_cn_check = var.ignore_x509_cn_check

conntrack_max_per_core = var.conntrack_max_per_core
}
Expand Up @@ -195,3 +195,8 @@ variable "ignore_x509_cn_check" {
type = bool
default = false
}

variable "conntrack_max_per_core" {
description = "--conntrack-max-per-core value for kube-proxy. Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min)."
type = number
}
1 change: 1 addition & 0 deletions assets/terraform-modules/bootkube/assets.tf
Expand Up @@ -82,6 +82,7 @@ resource "local_file" "kubernetes" {
serviceaccount_key = base64encode(tls_private_key.service-account.private_key_pem)
etcd_endpoints = var.etcd_endpoints
enable_tls_bootstrap = var.enable_tls_bootstrap
conntrack_max_per_core = var.conntrack_max_per_core
})
}

Expand Up @@ -12,6 +12,7 @@ kubeProxy:
image: ${kube_proxy_image}
podCIDR: ${pod_cidr}
trustedCertsDir: ${trusted_certs_dir}
conntrackMaxPerCore: ${conntrack_max_per_core}
kubeScheduler:
image: ${kube_scheduler_image}
controlPlaneReplicas: ${control_plane_replicas}
5 changes: 5 additions & 0 deletions assets/terraform-modules/bootkube/variables.tf
Expand Up @@ -185,3 +185,8 @@ variable "encrypt_pod_traffic" {
type = bool
default = false
}

variable "conntrack_max_per_core" {
description = "--conntrack-max-per-core value for kube-proxy. Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min)."
type = number
}
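Review bot: `type = number` accepts negative and fractional values, and nothing between this variable and the rendered flag (it is interpolated verbatim as `conntrackMaxPerCore: ${conntrack_max_per_core}` into the chart values) rejects them; a negative value is presumably treated by kube-proxy the same as 0, so a typo such as `-65000` would silently disable conntrack sizing instead of failing the apply. If the Terraform release this repository pins supports variable validation blocks, making the constraint explicit at plan time is cheap; the description's reference to `conntrack-min` could be dropped at the same time since that flag is not exposed here.
```hcl
variable "conntrack_max_per_core" {
  # … unchanged: description and type …

  validation {
    condition     = var.conntrack_max_per_core >= 0 && floor(var.conntrack_max_per_core) == var.conntrack_max_per_core
    error_message = "conntrack_max_per_core must be a non-negative integer (0 leaves nf_conntrack_max unmanaged)."
  }
}
```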
Expand Up @@ -48,4 +48,6 @@ module "bootkube" {
encrypt_pod_traffic = var.encrypt_pod_traffic

ignore_x509_cn_check = var.ignore_x509_cn_check

conntrack_max_per_core = var.conntrack_max_per_core
}
Expand Up @@ -213,3 +213,8 @@ variable "ignore_x509_cn_check" {
type = bool
default = false
}

variable "conntrack_max_per_core" {
description = "--conntrack-max-per-core value for kube-proxy. Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min)."
type = number
}
50 changes: 46 additions & 4 deletions ci/aws/aws-cluster.lokocfg.envsubst
Expand Up @@ -42,8 +42,9 @@ EOF
instance_type = "i3.large"
spot_price = "0.08"
labels = {
"testing.io" = "yes",
"roleofnode" = "testing",
"testing.io" = "yes",
"roleofnode" = "testing",
"conntrack-modified" = "true",
}
tags = {
"deployment" = "ci"
Expand All @@ -62,6 +63,24 @@ storage:
group:
id: 500
EOF
,
<<EOF
storage:
files:
- path: /etc/modules-load.d/nf.conf
filesystem: root
mode: 0644
contents:
inline: |
nf_conntrack
- path: /etc/sysctl.d/nf.conf
filesystem: root
mode: 0644
contents:
inline: |
net.netfilter.nf_conntrack_max=50000
EOF
,
]
}

Expand All @@ -72,8 +91,9 @@ EOF
instance_type = "t2.small"
spot_price = "0.01"
labels = {
"testing.io" = "yes",
"roleofnode" = "testing",
"testing.io" = "yes",
"roleofnode" = "testing",
"conntrack-modified" = "true",
}
taints = {
"nodeType" = "storage:NoSchedule"
Expand All @@ -99,13 +119,35 @@ storage:
group:
id: 500
EOF
,
<<EOF
storage:
files:
- path: /etc/modules-load.d/nf.conf
filesystem: root
mode: 0644
contents:
inline: |
nf_conntrack
- path: /etc/sysctl.d/nf.conf
filesystem: root
mode: 0644
contents:
inline: |
net.netfilter.nf_conntrack_max=50000
EOF
,
]
}

# Adds oidc flags to API server with default values.
# Acts as a smoke test to check if API server is functional after addition
# of extra flags.
oidc {}

# Disable kube-proxy setting net.netfilter.nf_conntrack_max so we can
# set it per worker pool via CLC snippet.
conntrack_max_per_core = 0
}

component "metrics-server" {}
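Review bot: The comment above `conntrack_max_per_core = 0` should state what the zero gives up, not only why it is set: per the variable's own description, 0 makes kube-proxy leave nf_conntrack_max as-is and skip its `--conntrack-min` floor, so every node that does not carry the `/etc/sysctl.d/nf.conf` snippet — the controllers, which presumably run kube-proxy as well, and any worker pool defined outside the hunks shown here — keeps the kernel's default table size, and a full conntrack table drops new flows, which becomes an availability problem if this CI pattern is copied into a real cluster. A sentence such as `# Nodes without a sysctl snippet keep the kernel default nf_conntrack_max; kube-proxy's --conntrack-min floor is skipped too.` records that. The `/etc/modules-load.d/nf.conf` entry is what makes the `net.netfilter.nf_conntrack_max` key exist by the time systemd-sysctl applies `/etc/sysctl.d/nf.conf`, so the two files must travel together; a one-line `# nf_conntrack must already be loaded, see /etc/modules-load.d/nf.conf` inside the sysctl file would stop a later cleanup from dropping the module entry and silently losing the setting.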
2 changes: 2 additions & 0 deletions ci/baremetal/baremetal-cluster.lokocfg.envsubst
Expand Up @@ -40,6 +40,8 @@ cluster "bare-metal" {
"testing.io" = "yes",
"roleofnode" = "testing",
}

conntrack_max_per_core = 65000
}

component "inspektor-gadget" {}
2 changes: 2 additions & 0 deletions ci/packet/packet-cluster.lokocfg.envsubst
Expand Up @@ -62,6 +62,8 @@ EOF
oidc {}

ignore_x509_cn_check = true

conntrack_max_per_core = 65000
}

component "metrics-server" {}
