Add Windows support to kube-proxy #36079
Conversation
|
We found a Contributor License Agreement for you (the sender of this pull request) and all commit authors, but as best as we can tell these commits were authored by someone else. If that's the case, please add them to this pull request and have them confirm that they're okay with these commits being contributed to Google. If we're mistaken and you did author these commits, just reply here to confirm. |
pires
force-pushed
the
windows_kube_proxy
branch
from
d90e1ce
to
93945b5
Compare
|
I'm okay with these commits being contributed to Google. Also, sorry @dcbw for cc'ing you but your feedback on #sig-network was important. |
k8s-github-robot
added
size/XL
|
Jenkins unit/integration failed for commit 93945b5. Full PR test history. The magic incantation to run this job again is |
k8s-github-robot
added
size/XXL
|
Jenkins verification failed for commit 1bcba7d. Full PR test history. The magic incantation to run this job again is |
|
Is this on the 1.5 release feature list? Otherwise it's unlikely this will make feature freeze on monday because review bandwidth is fairly limited. @kubernetes/sig-network |
| // GetInterfaceToAddIP returns the interface name where Service IP needs to be added | ||
| // IP Address needs to be added for netsh portproxy to redirect traffic | ||
| // Reads Environment variable INTERFACE_TO_ADD_SERVICE_IP, if it is not defined then "vEthernet (HNSTransparent)" is returned | ||
| func (runner *runner) GetInterfaceToAddIP() string { |
There was a problem hiding this comment.
Is there a reason you are using an environment variable for this? Generally this would be a flag to the proxy (we don't use environment variables except in rare conditions).
| @@ -260,8 +263,10 @@ func CleanupLeftovers(ipt iptables.Interface) (encounteredError bool) { | |||
|
|
|||
| // Sync is called to immediately synchronize the proxier state to iptables | |||
| func (proxier *Proxier) Sync() { | |||
| if err := iptablesInit(proxier.iptables); err != nil { | |||
| glog.Errorf("Failed to ensure iptables: %v", err) | |||
| if runtime.GOOS != "windows" { | |||
There was a problem hiding this comment.
Seems like these are details of the proxier implementation (or should be hidden under an interface method like .init()).
There was a problem hiding this comment.
Yeah, I'd agree that there are too many:
if runtime.GOOS != windows
for my liking, I'd prefer to see both iptables and netsh implement some sort of init() interface and just call:"
if iptables != nil { iptables.init() }
or something like that...
|
This is one of the PRs to introduce Windows Server Containers support for k8s and which will be introduced in release 1.5 in alpha (kubernetes/enhancements#116) |
brendandburns
added
cla: human-approved
release-note
| @@ -260,8 +263,10 @@ func CleanupLeftovers(ipt iptables.Interface) (encounteredError bool) { | |||
|
|
|||
| // Sync is called to immediately synchronize the proxier state to iptables | |||
| func (proxier *Proxier) Sync() { | |||
| if err := iptablesInit(proxier.iptables); err != nil { | |||
| glog.Errorf("Failed to ensure iptables: %v", err) | |||
| if runtime.GOOS != "windows" { | |||
There was a problem hiding this comment.
Yeah, I'd agree that there are too many:
if runtime.GOOS != windows
for my liking, I'd prefer to see both iptables and netsh implement some sort of init() interface and just call:"
if iptables != nil { iptables.init() }
or something like that...
| return nil | ||
| } | ||
|
|
||
| /* if local, err := isLocalIP(portal.ip); err != nil { |
| @@ -90,6 +90,7 @@ go_library( | |||
| "github.com/Azure/azure-sdk-for-go/arm/network/version.go", | |||
| "github.com/Azure/azure-sdk-for-go/arm/network/virtualnetworkgatewayconnections.go", | |||
| "github.com/Azure/azure-sdk-for-go/arm/network/virtualnetworkgateways.go", | |||
| "github.com/Azure/azure-sdk-for-go/arm/network/virtualnetworkpeerings.go", | |||
There was a problem hiding this comment.
I don't think this is actually used in this PR? Revert?
There was a problem hiding this comment.
It's not used in this PR but it seems hack/update-bazel.sh wants that to be there.
|
@smarterclayton I'm happy to take the review for this one. |
|
This is awesome, but I am afraid I am not going to have time to review it On Thu, Nov 3, 2016 at 4:13 AM, Brendan Burns notifications@github.com
|
|
@thockin I'm happy to do the review, is your review required? |
|
@thockin fwiw, I did a first pass and it's nearly entirely additive, with some minor refactoring, I don't see it interfering w/ the existing iptables on linux stuff. |
There was a problem hiding this comment.
From a very high level: I'd rather see this as a whole distinct proxy-mode. The userspace proxy is exceedingly fragile and is overdue for deprecation. I don't want a) to change it b) to keep it because Windows needs it. I'd much rather see this copied and customized for Windows. Less conditionals, less scaryness, and more freedom for you all.
Is there a feture-repo issue to track this and other windows work?
| limitations under the License. | ||
| */ | ||
|
|
||
| package netsh |
|
If you can fork this so it is almost entirely self-contained, I would be On Thu, Nov 3, 2016 at 5:14 AM, Brendan Burns notifications@github.com
|
|
@thockin I think it's basically structured that way already. The linux-specific stuff is copy/pasted out into a separate linux-specific file, but it's basically unchanged. There's an interface extracted and it is then implemented by a Linux version and a Windows version. (besides, isn't userspace proxy in-active for basically all Linux clusters?) |
Is it possible to add a proxy mode dedicated for windows ? |
brendandburns
added
lgtm
|
LGTM, thanks for the patience. @pires please make sure to come through with the cleanups asap. |
|
@brendanburns should we do it before 1.5 gets cut? Am under the impression refactors should happen after 1.5. But please, advise. |
k8s-github-robot
added
the
needs-rebase
pires
force-pushed
the
windows_kube_proxy
branch
from
966495a
to
5d4c784
Compare
k8s-github-robot
removed
lgtm
|
@feiskyer the PR needed rebase so I went ahead and fixed copyright headers. |
pires
force-pushed
the
windows_kube_proxy
branch
from
5d4c784
to
562d075
Compare
|
ping @brendandburns for add lgtm back |
jbhurat
added
lgtm
|
LGTMz |
|
fwiw, github is confused, I added LGTM, not jbhurat... |
|
I've said this before, Github just can't handle projects like Kubernetes. |
|
Release-czar approved post-code freeze merge--This was LGTMed and in the merge-queue at code freeze time for 1.5. Adding 1.5 milestone to let it gets merged after code freeze. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue |
Automatic merge from submit-queue Powershell script to start kubelet and kube-proxy **What this PR does / why we need it**: This PR adds a powershell script to run kubelet and kube-proxy on Windows. It expects the required arguments like `API Server` location and uses appropriate defaults. **Which issue this PR fixes** : fixes # #34270 **Special notes for your reviewer**: This PR is for supporting Windows Server Containers for k8s, the work for which is covered under kubernetes/enhancements#116 This PR should be merged after #31707 and #36079 PRs are merged **Release note**: ```release-note ```
What this PR does / why we need it:
This is the first stab at supporting kube-proxy (userspace mode) on Windows
Which issue this PR fixes :
fixes #30278
Special notes for your reviewer:
The MVP uses
netsh portproxyto redirect traffic fromServiceIP:ServicePortto aLocalIP:LocalPort.For the next version we are expecting to have guidance from Microsoft Container Networking team.
Limitations:
Current implementation does not support DNS queries over UDP as
netsh portproxycurrently only supports TCP. We are working with Microsoft to remediate this.cc: @brendandburns @dcbw
Release note:
This change is