How to enable IPVS proxy mode for kube-proxy

Task

The default proxy mode for kube-proxy in Kubernetes clusters is iptables. This is also the case for clusters created with Rancher 2.x and the Rancher Kubernetes Engine (RKE) CLI.

This article aims to provide all the needed steps and configuration to deploy or update a cluster to use IPVS proxy mode.

Please note that IPVS provides load balancing functionality, so it does not cover all of the traffic handling maintained by kube-proxy. Some scenarios will still utilise iptables, such as services that require NAT, like NodePort and LoadBalancer services.

Pre-requisites

  • A cluster managed using Rancher v2.3.3 or greater

Or

  • A cluster managed using Rancher Kubernetes Engine (RKE) CLI v1.1.0 or greater

Resolution

The --proxy-mode flag for kube-proxy is used to override the default iptables mode. Using the steps below for Rancher or RKE, the --proxy-mode flag can be provided to enable IPVS.

Note: Enabling IPVS is best done when creating a cluster. The process to update an existing cluster includes some follow-up steps at the end of this article; please read these beforehand and complete them when migrating to IPVS on an existing cluster.

Rancher v2.x

Log into the Rancher UI:

  • From the Global view click on the cluster
  • Click the Edit Cluster button, and Edit as YAML
  • Locate or create the services.kubeproxy field under rancher_kubernetes_engine_config

Add extra_args under kubeproxy to apply the IPVS changes to the kube-proxy component when it is started as a container on all nodes.

This example uses the lc (least connection) load balancing algorithm; rr (round-robin) is the default.

    kubeproxy:
      extra_args:
        ipvs-scheduler: lc
        proxy-mode: ipvs
  • Click Save; the above changes will be applied to the cluster

Rancher Kubernetes Engine (RKE) CLI

Edit the cluster.yaml configuration file for your cluster:

  • Locate or create the services.kubeproxy field

Add extra_args under kubeproxy to apply the IPVS changes to the kube-proxy component when it is started as a container on all nodes.

This example uses the lc (least connection) load balancing algorithm; rr (round-robin) is the default.

    kubeproxy:
      extra_args:
        ipvs-scheduler: lc
        proxy-mode: ipvs
  • Use the rke up command to apply the changes to the cluster

Migrating to IPVS on an existing cluster

In recent Kubernetes versions, when the proxy mode is changed, the managed iptables rules are not cleaned up. To avoid inconsistency and unpredictable outcomes, it is recommended to restart nodes that are in an existing cluster to ensure all service connectivity is accurate.

If using an immutable approach in your environment, replacing each node is also an option instead of restarting.

Once the cluster has applied the above arguments to kube-proxy successfully and returned to the Active state, plan to drain, restart and/or replace each node during a maintenance period.

This can be done on one node initially, and performed on one or more nodes at a time once tested.
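
To see which nodes still carry rules from the old mode, the script below (an added example, not part of the original article or of Rancher/RKE) lists per-service chains left in the nat table. It assumes that kube-proxy in IPVS mode does not create KUBE-SVC-*/KUBE-SEP-* chains, so any that remain predate the switch; the sample input and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find per-service chains left behind by kube-proxy's iptables mode.
# Assumption: in IPVS mode kube-proxy does not create KUBE-SVC-*/KUBE-SEP-* chains
# in the nat table, so any that remain after the switch predate it.

# Print stale chain names found in iptables-save output read on stdin.
stale_chains() {
    awk '
        /^\*/ { table = substr($0, 2) }          # "*nat" -> "nat"
        table == "nat" && /^:KUBE-(SVC|SEP)-/ {
            print substr($1, 2)                  # drop the leading ":"
        }
    '
}

# Exit status 0 when no stale chains remain, 1 otherwise.
node_is_clean() {
    [ -z "$(stale_chains)" ]
}

# Constructed sample: a node switched to IPVS but not yet restarted.
sample_unrestarted_node() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-SVC-AAAAAAAAAAAAAAAA - [0:0]
:KUBE-SEP-BBBBBBBBBBBBBBBB - [0:0]
-A KUBE-SERVICES -d 10.43.0.1/32 -p tcp -m tcp --dport 443 -j KUBE-SVC-AAAAAAAAAAAAAAAA
-A KUBE-SVC-AAAAAAAAAAAAAAAA -j KUBE-SEP-BBBBBBBBBBBBBBBB
COMMIT
EOF
}

# On a real node (as root): iptables-save | stale_chains
sample_unrestarted_node | stale_chains
```

A node that prints nothing has no leftover per-service chains; a node that prints chain names is still a candidate for the restart or replacement described above.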
