tsanghan

## README.md

      
              7 files
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                tsanghan
                / README.md
            
            
              Created
              April 15, 2024 04:40
                — forked from aojea/README.md
            
              
                kube-proxy nftables and iptables vs a Service with 100k endpoints
              
          
    kube-proxy nftables and iptables vs a Service with 100k endpoints

Background

Iptables performance is limited mainly by two reasons:

Latency on the first packet of a connection caused by the linear search rule matching
Latency on the programming latency caused by the need to save and restore all the lines to the kernel in each transaction

The kernel community moved to nftables as replacement of iptables, with the goal of removing the existing performance bottlenecks. Kubernetes has decided to implement a new nftables proxy because of this and another reasons explained in more detail in the corresponding KEP and during the Kubernetes Contributor Summit in Chicago 2023 on the session [Iptables, end of

  
## cilium.yaml
---
# Source: cilium/templates/cilium-agent/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: "cilium"
  namespace: kube-system
---
# Source: cilium/templates/cilium-operator/serviceaccount.yaml
apiVersion: v1

## etcdclient.yml
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    component: etcdclient
    tier: debug
  name: etcdclient
  namespace: default
spec:

## get-docker-layers.sh
#! /usr/bin/env bash

set -euo pipefail

api() {
  local type endpoint registry image arg url
  type=$1 endpoint=$2 registry=$3 image=$4 arg=$5
  url="https://$registry/v2/$image/$endpoint/$arg"
  curl --config - <<<"-u $ARTIFACTORY_CREDS" -H "Accept: $type" "$url"
}

## config.toml
disabled_plugins = ["io.containerd.internal.v1.restart"]
imports = []
oom_score = 0
plugin_dir = ""
required_plugins = []
root = "/var/lib/containerd"
state = "/run/containerd"
version = 2

[plugins]

## ca.cnf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
prompt = no
[v3_req]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[req_distinguished_name]

## get_bat_musl.sh
curl -s https://api.github.com/repos/sharkdp/bat/releases/latest \
| grep "browser_download_url.*tar.gz" \
| grep "musl" | grep "x86_64" \
| cut -d : -f 2,3 \
| tr -d \" \
| sed "s/^\(.*\)$/url = \1/" \
| curl -sSLOK -

## api_backends.conf
upstream warehouse_inventory {
    zone inventory_service 64k;
    server 10.0.0.1:80;
    server 10.0.0.2:80;
    server 10.0.0.3:80;
}

upstream warehouse_pricing {
    zone pricing_service 64k;
    server 10.0.0.7:80;

## zsh-syntax-highlighting paste performance improvement
Add the following in .zshrc:

...
plugins=(osx git zsh-autosuggestions zsh-syntax-highlighting zsh-nvm docker kubectl)
...

### Fix slowness of pastes with zsh-syntax-highlighting.zsh
pasteinit() {
  OLD_SELF_INSERT=${${(s.:.)widgets[self-insert]}[2,3]}
  zle -N self-insert url-quote-magic # I wonder if you'd need `.url-quote-magic`?

## vimrc
colorscheme delek
set nu rnu
autocmd FileType yaml,yml,sh setlocal ts=2 sts=2 sw=2 et ai
set pastetoggle=<F10>
inoremap <Up> <Nop>
inoremap <Down> <Nop>
inoremap <Left> <Nop>
inoremap <Right> <Nop>
nnoremap <Up> <Nop>
nnoremap <Down> <Nop>
	---
	# Source: cilium/templates/cilium-agent/serviceaccount.yaml
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: "cilium"
	namespace: kube-system
	---
	# Source: cilium/templates/cilium-operator/serviceaccount.yaml
	apiVersion: v1
	apiVersion: v1
	kind: Pod
	metadata:
	creationTimestamp: null
	labels:
	component: etcdclient
	tier: debug
	name: etcdclient
	namespace: default
	spec:
	#! /usr/bin/env bash

	set -euo pipefail

	api() {
	local type endpoint registry image arg url
	type=$1 endpoint=$2 registry=$3 image=$4 arg=$5
	url="https://$registry/v2/$image/$endpoint/$arg"
	curl --config - <<<"-u $ARTIFACTORY_CREDS" -H "Accept: $type" "$url"
	}
	disabled_plugins = ["io.containerd.internal.v1.restart"]
	imports = []
	oom_score = 0
	plugin_dir = ""
	required_plugins = []
	root = "/var/lib/containerd"
	state = "/run/containerd"
	version = 2

	[plugins]
	[req]
	distinguished_name = req_distinguished_name
	x509_extensions = v3_req
	authorityKeyIdentifier=keyid,issuer
	basicConstraints=CA:FALSE
	prompt = no
	[v3_req]
	keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
	subjectAltName = @alt_names
	[req_distinguished_name]
	curl -s https://api.github.com/repos/sharkdp/bat/releases/latest \
	\| grep "browser_download_url.*tar.gz" \
	\| grep "musl" \| grep "x86_64" \
	\| cut -d : -f 2,3 \
	\| tr -d \" \
	\| sed "s/^\(.*\)$/url = \1/" \
	\| curl -sSLOK -
	upstream warehouse_inventory {
	zone inventory_service 64k;
	server 10.0.0.1:80;
	server 10.0.0.2:80;
	server 10.0.0.3:80;
	}

	upstream warehouse_pricing {
	zone pricing_service 64k;
	server 10.0.0.7:80;
	Add the following in .zshrc:

	...
	plugins=(osx git zsh-autosuggestions zsh-syntax-highlighting zsh-nvm docker kubectl)
	...

	### Fix slowness of pastes with zsh-syntax-highlighting.zsh
	pasteinit() {
	OLD_SELF_INSERT=${${(s.:.)widgets[self-insert]}[2,3]}
	zle -N self-insert url-quote-magic # I wonder if you'd need `.url-quote-magic`?
	colorscheme delek
	set nu rnu
	autocmd FileType yaml,yml,sh setlocal ts=2 sts=2 sw=2 et ai
	set pastetoggle=<F10>
	inoremap <Up> <Nop>
	inoremap <Down> <Nop>
	inoremap <Left> <Nop>
	inoremap <Right> <Nop>
	nnoremap <Up> <Nop>
	nnoremap <Down> <Nop>