mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-06-17 13:31:19 -04:00
The conntrack reconciler skips services without serving endpoints, so conntrack entries established while endpoints existed are never removed when a UDP service scales down to zero. The REJECT (iptables) / reject (nftables) rule installed for such services does not cover those flows: they are DNATed to the deleted endpoint IP before the rule, which matches on the service IP, can be evaluated. One-way UDP senders (e.g. statsd clients) refresh the 30s conntrack timeout with every packet, so the stale flows blackhole traffic to the deleted pod IP indefinitely; recovery only happens when the service gets an endpoint again.

This was handled before the reconciler rewrite (kubernetes#127318): the event-based cleanup cleared entries for every deleted UDP endpoint regardless of how many endpoints remained.

Process services with an empty endpoints set instead of skipping them, so every entry directed to their ClusterIP, LoadBalancer IP and ExternalIP frontends is treated as stale and deleted. NodePort cleanup is still skipped for services without serving endpoints: NodePort entries are matched on the destination port only, and with an empty endpoints set that would also remove UDP flows not owned by kube-proxy (e.g. traffic to an unrelated host on the same port).
Files in this directory:

- cleanup.go
- cleanup_test.go
- conntrack.go
- conntrack_test.go
- doc.go
- fake.go
- filter.go
- filter_test.go
- sysctls.go
- sysctls_test.go