What does userspace mode mean in kube-proxy's proxy mode?

kube-proxy has an option called --proxy-mode, and according to the help message, this option can be userspace or iptables (see below).

# kube-proxy -h
Usage of kube-proxy:
...
      --proxy-mode="": Which proxy mode to use: 'userspace' (older, stable) or 'iptables' (experimental). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently userspace, but may change in future versions).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
...

I can't figure out what userspace mode means here.

Can anyone tell me what the working principle is when kube-proxy runs in userspace mode?

ax003d asked Mar 18 '16 15:03




1 Answer

Userspace and iptables refer to what actually handles the connection forwarding. In both cases, local iptables rules are installed to intercept outbound TCP connections that have a destination IP address associated with a service.

In the userspace mode, the iptables rule forwards to a local port where a go binary (kube-proxy) is listening for connections. The binary (running in userspace) terminates the connection, establishes a new connection to a backend for the service, and then forwards requests to the backend and responses back to the local process. An advantage of the userspace mode is that because the connections are created from an application, if the connection is refused, the application can retry to a different backend.

In iptables mode, the iptables rules are installed to directly forward packets that are destined for a service to a backend for the service. This is more efficient than moving the packets from the kernel to kube-proxy and then back to the kernel so it results in higher throughput and better tail latency. The main downside is that it is more difficult to debug, because instead of a local binary that writes a log to /var/log/kube-proxy you have to inspect logs from the kernel processing iptables rules.

In both cases there will be a kube-proxy binary running on your machine. In userspace mode it inserts itself as the proxy; in iptables mode it will configure iptables rather than proxying connections itself. The same binary works in both modes, and the behavior is switched via a flag or by setting an annotation in the apiserver for the node.

Robert Bailey answered Sep 20 '22 13:09
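The userspace mechanism the answer describes (a local listener that terminates the client connection, dials a backend itself, relays bytes, and moves on to the next backend when one refuses the connection) is small enough to show in working Go. The block below is an added illustration written for this page, not kube-proxy's own code; it leaves out the iptables REDIRECT rule that would steer service traffic to the proxy's port and simply listens on a loopback port. The backend list, the echo server standing in for a service's pod, and the use of 127.0.0.1:1 as a backend with nothing listening (so the dial is refused) are all constructed for the example.

```go
package main

import (
	"errors"
	"io"
	"log"
	"net"
	"sync"
	"time"
)

// dialBackend is the retry behaviour the answer calls out: because the proxy
// (not the kernel) opens the backend connection, a refused dial is just an
// error it can handle by trying the next backend in the list.
func dialBackend(backends []string, timeout time.Duration) (net.Conn, error) {
	var lastErr error
	for _, addr := range backends {
		c, err := net.DialTimeout("tcp", addr, timeout)
		if err == nil {
			return c, nil
		}
		lastErr = err
		log.Printf("backend %s unavailable: %v; trying next", addr, err)
	}
	if lastErr == nil {
		lastErr = errors.New("no backends configured")
	}
	return nil, lastErr
}

// halfClose signals EOF to the peer without dropping the read side, so each
// direction of the relay can finish independently.
func halfClose(c net.Conn) {
	if tc, ok := c.(*net.TCPConn); ok {
		tc.CloseWrite()
	}
}

// proxyConn terminates the client connection in userspace and copies bytes to
// the chosen backend and back: the kernel -> kube-proxy -> kernel round trip
// that iptables mode avoids.
func proxyConn(client net.Conn, backends []string) {
	defer client.Close()
	backend, err := dialBackend(backends, time.Second)
	if err != nil {
		log.Printf("all backends failed: %v", err)
		return
	}
	defer backend.Close()
	var wg sync.WaitGroup
	wg.Add(2)
	go func() { defer wg.Done(); io.Copy(backend, client); halfClose(backend) }()
	go func() { defer wg.Done(); io.Copy(client, backend); halfClose(client) }()
	wg.Wait()
}

// serveProxy listens on the local port an iptables rule would redirect to and
// hands each accepted connection to proxyConn; it returns the bound address.
func serveProxy(listenAddr string, backends []string) (net.Addr, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go proxyConn(c, backends)
		}
	}()
	return ln.Addr(), nil
}

// startEcho starts a constructed echo backend on an ephemeral loopback port
// (a stand-in for a service's pod) and returns its address.
func startEcho() (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln.Addr().String(), nil
}

// roundTrip sends msg through the proxy and returns whatever comes back.
func roundTrip(proxyAddr, msg string) (string, error) {
	c, err := net.DialTimeout("tcp", proxyAddr, time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", err
	}
	halfClose(c) // EOF lets the echo server finish and the relay unwind
	c.SetReadDeadline(time.Now().Add(2 * time.Second))
	b, err := io.ReadAll(c)
	return string(b), err
}

func main() {
	echo, err := startEcho()
	if err != nil {
		log.Fatal(err)
	}
	// Constructed backend list: a refused address first, then the live one.
	addr, err := serveProxy("127.0.0.1:0", []string{"127.0.0.1:1", echo})
	if err != nil {
		log.Fatal(err)
	}
	reply, err := roundTrip(addr.String(), "hello via userspace proxy")
	log.Printf("reply=%q err=%v", reply, err)
}
```

Running it, the log shows the first dial being refused and the reply still arriving from the second backend; that retry is exactly the advantage the answer attributes to userspace mode, and the two io.Copy goroutines are the per-connection cost that iptables mode removes by forwarding in the kernel.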