diff --git a/config/v1alpha1/doc.go b/config/v1alpha1/doc.go new file mode 100644 index 0000000..8c733a9 --- /dev/null +++ b/config/v1alpha1/doc.go @@ -0,0 +1,19 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +groupName=kubeproxy.config.k8s.io +package v1alpha1 // import "k8s.io/kube-proxy/config/v1alpha1" diff --git a/config/v1alpha1/register.go b/config/v1alpha1/register.go new file mode 100644 index 0000000..92d92c4 --- /dev/null +++ b/config/v1alpha1/register.go @@ -0,0 +1,49 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName is the group name use in this package +const GroupName = "kubeproxy.config.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"} + +var ( + // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes. + SchemeBuilder runtime.SchemeBuilder + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +func init() { + // We only register manually written functions here. The registration of the + // generated functions takes place in the generated files. The separation + // makes the code compile even when the generated files are missing. + localSchemeBuilder.Register(addKnownTypes) +} + +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &KubeProxyConfiguration{}, + ) + return nil +} diff --git a/config/v1alpha1/types.go b/config/v1alpha1/types.go new file mode 100644 index 0000000..b9c370b --- /dev/null +++ b/config/v1alpha1/types.go @@ -0,0 +1,154 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + apimachineryconfigv1alpha1 "k8s.io/apimachinery/pkg/apis/config/v1alpha1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// KubeProxyIPTablesConfiguration contains iptables-related configuration +// details for the Kubernetes proxy server. +type KubeProxyIPTablesConfiguration struct { + // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using + // the pure iptables proxy mode. Values must be within the range [0, 31]. + MasqueradeBit *int32 `json:"masqueradeBit"` + // masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode. + MasqueradeAll bool `json:"masqueradeAll"` + // syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m', + // '2h22m'). Must be greater than 0. + SyncPeriod metav1.Duration `json:"syncPeriod"` + // minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m', + // '2h22m'). + MinSyncPeriod metav1.Duration `json:"minSyncPeriod"` +} + +// KubeProxyIPVSConfiguration contains ipvs-related configuration +// details for the Kubernetes proxy server. +type KubeProxyIPVSConfiguration struct { + // syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m', + // '2h22m'). Must be greater than 0. + SyncPeriod metav1.Duration `json:"syncPeriod"` + // minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m', + // '2h22m'). + MinSyncPeriod metav1.Duration `json:"minSyncPeriod"` + // ipvs scheduler + Scheduler string `json:"scheduler"` + // excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch + // when cleaning up ipvs services. + ExcludeCIDRs []string `json:"excludeCIDRs"` +} + +// KubeProxyConntrackConfiguration contains conntrack settings for +// the Kubernetes proxy server. +type KubeProxyConntrackConfiguration struct { + // max is the maximum number of NAT connections to track (0 to + // leave as-is). This takes precedence over maxPerCore and min. + Max *int32 `json:"max"` + // maxPerCore is the maximum number of NAT connections to track + // per CPU core (0 to leave the limit as-is and ignore min). + MaxPerCore *int32 `json:"maxPerCore"` + // min is the minimum value of connect-tracking records to allocate, + // regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is). + Min *int32 `json:"min"` + // tcpEstablishedTimeout is how long an idle TCP connection will be kept open + // (e.g. '2s'). Must be greater than 0 to set. + TCPEstablishedTimeout *metav1.Duration `json:"tcpEstablishedTimeout"` + // tcpCloseWaitTimeout is how long an idle conntrack entry + // in CLOSE_WAIT state will remain in the conntrack + // table. (e.g. '60s'). Must be greater than 0 to set. + TCPCloseWaitTimeout *metav1.Duration `json:"tcpCloseWaitTimeout"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// KubeProxyConfiguration contains everything necessary to configure the +// Kubernetes proxy server. +type KubeProxyConfiguration struct { + metav1.TypeMeta `json:",inline"` + + // featureGates is a map of feature names to bools that enable or disable alpha/experimental features. + FeatureGates map[string]bool `json:"featureGates,omitempty"` + + // bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 + // for all interfaces) + BindAddress string `json:"bindAddress"` + // healthzBindAddress is the IP address and port for the health check server to serve on, + // defaulting to 0.0.0.0:10256 + HealthzBindAddress string `json:"healthzBindAddress"` + // metricsBindAddress is the IP address and port for the metrics server to serve on, + // defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces) + MetricsBindAddress string `json:"metricsBindAddress"` + // enableProfiling enables profiling via web interface on /debug/pprof handler. + // Profiling handlers will be handled by metrics server. + EnableProfiling bool `json:"enableProfiling"` + // clusterCIDR is the CIDR range of the pods in the cluster. It is used to + // bridge traffic coming from outside of the cluster. If not provided, + // no off-cluster bridging will be performed. + ClusterCIDR string `json:"clusterCIDR"` + // hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname. + HostnameOverride string `json:"hostnameOverride"` + // clientConnection specifies the kubeconfig file and client connection settings for the proxy + // server to use when communicating with the apiserver. + ClientConnection apimachineryconfigv1alpha1.ClientConnectionConfiguration `json:"clientConnection"` + // iptables contains iptables-related configuration options. + IPTables KubeProxyIPTablesConfiguration `json:"iptables"` + // ipvs contains ipvs-related configuration options. + IPVS KubeProxyIPVSConfiguration `json:"ipvs"` + // oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within + // the range [-1000, 1000] + OOMScoreAdj *int32 `json:"oomScoreAdj"` + // mode specifies which proxy mode to use. + Mode ProxyMode `json:"mode"` + // portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed + // in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen. + PortRange string `json:"portRange"` + // resourceContainer is the bsolute name of the resource-only container to create and run + // the Kube-proxy in (Default: /kube-proxy). + ResourceContainer string `json:"resourceContainer"` + // udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s'). + // Must be greater than 0. Only applicable for proxyMode=userspace. + UDPIdleTimeout metav1.Duration `json:"udpIdleTimeout"` + // conntrack contains conntrack-related configuration options. + Conntrack KubeProxyConntrackConfiguration `json:"conntrack"` + // configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater + // than 0. + ConfigSyncPeriod metav1.Duration `json:"configSyncPeriod"` + // nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid + // IP blocks. These values are as a parameter to select the interfaces where nodeport works. + // In case someone would like to expose a service on localhost for local visit and some other interfaces for + // particular purpose, a list of IP blocks would do that. + // If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort. + // If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node. + // An empty string slice is meant to select all network interfaces. + NodePortAddresses []string `json:"nodePortAddresses"` +} + +// Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables' +// (newer, faster), 'ipvs'(newest, better in performance and scalability). +// +// Two modes of proxy are available in Windows platform: 'userspace'(older, stable) and 'kernelspace' (newer, faster). +// +// In Linux platform, if proxy mode is blank, use the best-available proxy (currently iptables, but may change in the +// future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are +// insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs', +// and the fall back path is firstly iptables and then userspace. + +// In Windows platform, if proxy mode is blank, use the best-available proxy (currently userspace, but may change in the +// future). If winkernel proxy is selected, regardless of how, but the Windows kernel can't support this mode of proxy, +// this always falls back to the userspace proxy. +type ProxyMode string