diff --git a/config/v1alpha1/types.go b/config/v1alpha1/types.go
index 44ee448..1349612 100644
--- a/config/v1alpha1/types.go
+++ b/config/v1alpha1/types.go
@@ -26,36 +26,44 @@ import (
 // details for the Kubernetes proxy server.
 type KubeProxyIPTablesConfiguration struct {
 	// masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
-	// the pure iptables proxy mode. Values must be within the range [0, 31].
+	// the iptables or ipvs proxy mode. Values must be within the range [0, 31].
 	MasqueradeBit *int32 `json:"masqueradeBit"`
-	// masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
+	// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
+	// when using the iptables or ipvs proxy mode. This may be required with some CNI
+	// plugins.
 	MasqueradeAll bool `json:"masqueradeAll"`
-	// LocalhostNodePorts tells kube-proxy to allow service NodePorts to be accessed via
-	// localhost (iptables mode only)
+	// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
+	// of allowing NodePort services to be accessed via localhost. (Applies only to
+	// iptables mode and IPv4; localhost NodePorts are never allowed with other proxy
+	// modes or with IPv6.)
 	LocalhostNodePorts *bool `json:"localhostNodePorts"`
-	// syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
-	// '2h22m'). Must be greater than 0.
+	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+	// various re-synchronizing and cleanup operations are performed. Must be greater
+	// than 0.
 	SyncPeriod metav1.Duration `json:"syncPeriod"`
-	// minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').
+	// minSyncPeriod is the minimum period between iptables rule resyncs (e.g. '5s',
+	// '1m', '2h22m'). A value of 0 means every Service or EndpointSlice change will
+	// result in an immediate iptables resync.
 	MinSyncPeriod metav1.Duration `json:"minSyncPeriod"`
 }
 // KubeProxyIPVSConfiguration contains ipvs-related configuration
 // details for the Kubernetes proxy server.
 type KubeProxyIPVSConfiguration struct {
-	// syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
-	// '2h22m'). Must be greater than 0.
+	// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
+	// various re-synchronizing and cleanup operations are performed. Must be greater
+	// than 0.
 	SyncPeriod metav1.Duration `json:"syncPeriod"`
-	// minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m',
-	// '2h22m').
+	// minSyncPeriod is the minimum period between IPVS rule resyncs (e.g. '5s', '1m',
+	// '2h22m'). A value of 0 means every Service or EndpointSlice change will result
+	// in an immediate IPVS resync.
 	MinSyncPeriod metav1.Duration `json:"minSyncPeriod"`
-	// ipvs scheduler
+	// scheduler is the IPVS scheduler to use
 	Scheduler string `json:"scheduler"`
-	// excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
+	// excludeCIDRs is a list of CIDRs which the ipvs proxier should not touch
 	// when cleaning up ipvs services.
 	ExcludeCIDRs []string `json:"excludeCIDRs"`
-	// strict ARP configure arp_ignore and arp_announce to avoid answering ARP queries
+	// strictARP configures arp_ignore and arp_announce to avoid answering ARP queries
 	// from kube-ipvs0 interface
 	StrictARP bool `json:"strictARP"`
 	// tcpTimeout is the timeout value used for idle IPVS TCP sessions.
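Review bot: The new localhostNodePorts comment describes only the `false` case, but the field is a `*bool`, so a reader cannot tell from the doc what unset (nil) or `true` means, and this field decides whether NodePort services are reachable from localhost on the node. Since the text calls the allow behavior "legacy", the default presumably keeps it, but the comment should state the default explicitly and it should be confirmed against the defaulting code before wording it, e.g. `// If unset, the legacy behavior is kept (TODO(review): confirm against the v1alpha1 defaulter).` The rest of the hunk (masqueradeAll, syncPeriod, minSyncPeriod, the IPVS fields) reads correctly. The KubeProxyIPVSConfiguration struct continues past the end of the hunk.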
@@ -76,7 +84,7 @@ type KubeProxyConntrackConfiguration struct {
 	// per CPU core (0 to leave the limit as-is and ignore min).
 	MaxPerCore *int32 `json:"maxPerCore"`
 	// min is the minimum value of connect-tracking records to allocate,
-	// regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
+	// regardless of maxPerCore (set maxPerCore=0 to leave the limit as-is).
 	Min *int32 `json:"min"`
 	// tcpEstablishedTimeout is how long an idle TCP connection will be kept open
 	// (e.g. '2s'). Must be greater than 0 to set.
@@ -101,29 +109,29 @@ type KubeProxyWinkernelConfiguration struct {
 	// networkName is the name of the network kube-proxy will use
 	// to create endpoints and policies
 	NetworkName string `json:"networkName"`
-	// sourceVip is the IP address of the source VIP endoint used for
+	// sourceVip is the IP address of the source VIP endpoint used for
 	// NAT when loadbalancing
 	SourceVip string `json:"sourceVip"`
 	// enableDSR tells kube-proxy whether HNS policies should be created
 	// with DSR
 	EnableDSR bool `json:"enableDSR"`
-	// RootHnsEndpointName is the name of hnsendpoint that is attached to
+	// rootHnsEndpointName is the name of hnsendpoint that is attached to
 	// l2bridge for root network namespace
 	RootHnsEndpointName string `json:"rootHnsEndpointName"`
-	// ForwardHealthCheckVip forwards service VIP for health check port on
+	// forwardHealthCheckVip forwards service VIP for health check port on
 	// Windows
 	ForwardHealthCheckVip bool `json:"forwardHealthCheckVip"`
 }
 // DetectLocalConfiguration contains optional settings related to DetectLocalMode option
 type DetectLocalConfiguration struct {
-	// BridgeInterface is a string argument which represents a single bridge interface name.
-	// Kube-proxy considers traffic as local if originating from this given bridge.
-	// This argument should be set if DetectLocalMode is set to LocalModeBridgeInterface.
+	// bridgeInterface is a bridge interface name. When DetectLocalMode is set to
+	// LocalModeBridgeInterface, kube-proxy will consider traffic to be local if
+	// it originates from this bridge.
 	BridgeInterface string `json:"bridgeInterface"`
-	// InterfaceNamePrefix is a string argument which represents a single interface prefix name.
-	// Kube-proxy considers traffic as local if originating from one or more interfaces which match
-	// the given prefix. This argument should be set if DetectLocalMode is set to LocalModeInterfaceNamePrefix.
+	// interfaceNamePrefix is an interface name prefix. When DetectLocalMode is set to
+	// LocalModeInterfaceNamePrefix, kube-proxy will consider traffic to be local if
+	// it originates from any interface whose name begins with this prefix.
 	InterfaceNamePrefix string `json:"interfaceNamePrefix"`
 }
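Review bot: The rewritten bridgeInterface and interfaceNamePrefix comments drop the old "This argument should be set if DetectLocalMode is set to ..." requirement, so the doc no longer says whether an empty value is accepted when the matching mode is selected. Read literally, the new interfaceNamePrefix text ("any interface whose name begins with this prefix") would make an empty prefix match every interface and classify all traffic as local, which is exactly the case a reader needs the doc to rule in or out. If validation rejects the empty value, add `// Must be non-empty when DetectLocalMode is LocalModeInterfaceNamePrefix.` (and the analogous line for bridgeInterface); if it does not, say what the empty value does. The sourceVip and rootHnsEndpointName edits in the earlier part of the hunk are wording only.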
@@ -137,25 +145,34 @@ type KubeProxyConfiguration struct {
 	// featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
 	FeatureGates map[string]bool `json:"featureGates,omitempty"`
-	// bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
-	// for all interfaces)
+	// bindAddress can be used to override kube-proxy's idea of what its node's
+	// primary IP is. Note that the name is a historical artifact, and kube-proxy does
+	// not actually bind any sockets to this IP.
 	BindAddress string `json:"bindAddress"`
-	// healthzBindAddress is the IP address and port for the health check server to serve on,
-	// defaulting to 0.0.0.0:10256
+	// healthzBindAddress is the IP address and port for the health check server to
+	// serve on, defaulting to "0.0.0.0:10256" (if bindAddress is unset or IPv4), or
+	// "[::]:10256" (if bindAddress is IPv6).
 	HealthzBindAddress string `json:"healthzBindAddress"`
-	// metricsBindAddress is the IP address and port for the metrics server to serve on,
-	// defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces)
+	// metricsBindAddress is the IP address and port for the metrics server to serve
+	// on, defaulting to "127.0.0.1:10249" (if bindAddress is unset or IPv4), or
+	// "[::1]:10249" (if bindAddress is IPv6). (Set to "0.0.0.0:10249" / "[::]:10249"
+	// to bind on all interfaces.)
 	MetricsBindAddress string `json:"metricsBindAddress"`
-	// bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit
+	// bindAddressHardFail, if true, tells kube-proxy to treat failure to bind to a
+	// port as fatal and exit
 	BindAddressHardFail bool `json:"bindAddressHardFail"`
 	// enableProfiling enables profiling via web interface on /debug/pprof handler.
 	// Profiling handlers will be handled by metrics server.
 	EnableProfiling bool `json:"enableProfiling"`
-	// clusterCIDR is the CIDR range of the pods in the cluster. It is used to
-	// bridge traffic coming from outside of the cluster. If not provided,
-	// no off-cluster bridging will be performed.
+	// clusterCIDR is the CIDR range of the pods in the cluster. (For dual-stack
+	// clusters, this can be a comma-separated dual-stack pair of CIDR ranges.). When
+	// DetectLocalMode is set to LocalModeClusterCIDR, kube-proxy will consider
+	// traffic to be local if its source IP is in this range. (Otherwise it is not
+	// used.)
 	ClusterCIDR string `json:"clusterCIDR"`
-	// hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
+	// hostnameOverride, if non-empty, will be used as the name of the Node that
+	// kube-proxy is running on. If unset, the node name is assumed to be the same as
+	// the node's hostname.
 	HostnameOverride string `json:"hostnameOverride"`
 	// clientConnection specifies the kubeconfig file and client connection settings for the proxy
 	// server to use when communicating with the apiserver.
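Review bot: The metricsBindAddress comment now tells readers how to bind the metrics server on all interfaces, but the unchanged enableProfiling comment two lines below says the /debug/pprof handlers are served by that same metrics server, so the doc should make the coupling explicit rather than leave it to be discovered: `// Note that the profiling handlers (see enableProfiling) are served on this address as well.` appended to the metricsBindAddress comment would do. Separately, the new clusterCIDR text has a stray period, `ranges.). When` should be `ranges.) When`. The healthzBindAddress and metricsBindAddress defaults are described as depending on the address family of bindAddress, which is consistent with the new bindAddress wording, but that dependency is inferred from the comment text only and is worth confirming against the defaulting code.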
@@ -169,29 +186,26 @@ type KubeProxyConfiguration struct {
 	OOMScoreAdj *int32 `json:"oomScoreAdj"`
 	// mode specifies which proxy mode to use.
 	Mode ProxyMode `json:"mode"`
-	// portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
-	// in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
+	// portRange was previously used to configure the userspace proxy, but is now unused.
 	PortRange string `json:"portRange"`
 	// conntrack contains conntrack-related configuration options.
 	Conntrack KubeProxyConntrackConfiguration `json:"conntrack"`
 	// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 	// than 0.
 	ConfigSyncPeriod metav1.Duration `json:"configSyncPeriod"`
-	// nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
-	// IP blocks. These values are as a parameter to select the interfaces where nodeport works.
-	// In case someone would like to expose a service on localhost for local visit and some other interfaces for
-	// particular purpose, a list of IP blocks would do that.
-	// If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
-	// If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
-	// An empty string slice is meant to select all network interfaces.
+	// nodePortAddresses is a list of CIDR ranges that contain valid node IPs. If set,
+	// connections to NodePort services will only be accepted on node IPs in one of
+	// the indicated ranges. If unset, NodePort connections will be accepted on all
+	// local IPs.
 	NodePortAddresses []string `json:"nodePortAddresses"`
 	// winkernel contains winkernel-related configuration options.
 	Winkernel KubeProxyWinkernelConfiguration `json:"winkernel"`
-	// ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
+	// showHiddenMetricsForVersion is the version for which you want to show hidden metrics.
 	ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion"`
-	// DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
+
+	// detectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR
 	DetectLocalMode LocalMode `json:"detectLocalMode"`
-	// DetectLocal contains optional configuration settings related to DetectLocalMode.
+	// detectLocal contains optional configuration settings related to DetectLocalMode.
 	DetectLocal DetectLocalConfiguration `json:"detectLocal"`
 	// logging specifies the options of logging.
 	// Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go)
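Review bot: The new portRange comment says the field is unused but does not use Go's deprecation convention, so tooling and godoc will not surface it; a second paragraph, `//` then `// Deprecated: this field is ignored.`, would make that visible to users still setting it. The hunk also inserts a lone blank `+` line between ShowHiddenMetricsForVersion and the detectLocalMode comment, which no other field in this struct has and looks accidental. The nodePortAddresses rewrite is clearer than the old text, and stating that an unset value accepts NodePort connections on all local IPs is the right detail to keep, since that is the default an operator needs to know when restricting exposure. The KubeProxyConfiguration struct continues past the end of the hunk.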