Kube Proxy

简要概述

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration

代码路径:

https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1beta3/types.go

配置示例

TODO;

数据结构

KubeProxyConfiguration

// KubeProxyConfiguration contains everything necessary to configure the
// Kubernetes proxy server.
//
// Several fields choose listen addresses. Per the field comments below, the
// health server defaults to all interfaces while the metrics server defaults
// to loopback, and the profiling handlers are served by the metrics server.
// Widening any of these addresses to 0.0.0.0 is therefore an exposure
// decision, not just a connectivity one.
type KubeProxyConfiguration struct {
    metav1.TypeMeta `json:",inline"`

    // featureGates is a map of feature names to bools that enable or disable alpha/experimental features.
    FeatureGates map[string]bool `json:"featureGates,omitempty"`

    // bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0
    // for all interfaces).
    // NOTE(review): 0.0.0.0 makes the listener reachable on every interface of the node;
    // prefer the narrowest address the deployment needs.
    BindAddress string `json:"bindAddress"`
    // healthzBindAddress is the IP address and port for the health check server to serve on,
    // defaulting to 0.0.0.0:10256.
    // NOTE(review): the default is all interfaces; if only local probes need it, bind to
    // loopback or restrict reachability at the network layer.
    HealthzBindAddress string `json:"healthzBindAddress"`
    // metricsBindAddress is the IP address and port for the metrics server to serve on,
    // defaulting to 127.0.0.1:10249 (set to 0.0.0.0 for all interfaces).
    // Because the profiling handlers are served by this same server (see EnableProfiling),
    // widening this address also widens /debug/pprof exposure whenever profiling is on.
    MetricsBindAddress string `json:"metricsBindAddress"`
    // bindAddressHardFail, if true, kube-proxy will treat failure to bind to a port as fatal and exit.
    BindAddressHardFail bool `json:"bindAddressHardFail"`
    // enableProfiling enables profiling via web interface on /debug/pprof handler.
    // Profiling handlers will be handled by metrics server, so they are reachable wherever
    // MetricsBindAddress is reachable. Keep this off unless profiling data is actively needed.
    EnableProfiling bool `json:"enableProfiling"`
    // clusterCIDR is the CIDR range of the pods in the cluster. It is used to
    // bridge traffic coming from outside of the cluster. If not provided,
    // no off-cluster bridging will be performed.
    ClusterCIDR string `json:"clusterCIDR"`
    // hostnameOverride, if non-empty, will be used as the identity instead of the actual hostname.
    // NOTE(review): presumably this is the name kube-proxy matches against its Node object; an
    // incorrect override would make it act on another node's configuration — confirm against the caller.
    HostnameOverride string `json:"hostnameOverride"`
    // clientConnection specifies the kubeconfig file and client connection settings for the proxy
    // server to use when communicating with the apiserver. The kubeconfig it names carries the
    // proxy's API credentials, so its on-disk permissions matter.
    ClientConnection componentbaseconfigv1alpha1.ClientConnectionConfiguration `json:"clientConnection"`
    // iptables contains iptables-related configuration options.
    IPTables KubeProxyIPTablesConfiguration `json:"iptables"`
    // ipvs contains ipvs-related configuration options.
    IPVS KubeProxyIPVSConfiguration `json:"ipvs"`
    // oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
    // the range [-1000, 1000]. A pointer so that "unset" can be distinguished from 0.
    OOMScoreAdj *int32 `json:"oomScoreAdj"`
    // mode specifies which proxy mode to use. See ProxyMode for the per-platform options
    // and fallback behaviour.
    Mode ProxyMode `json:"mode"`
    // portRange is the range of host ports (beginPort-endPort, inclusive) that may be consumed
    // in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.
    PortRange string `json:"portRange"`
    // udpIdleTimeout is how long an idle UDP connection will be kept open (e.g. '250ms', '2s').
    // Must be greater than 0. Only applicable for proxyMode=userspace.
    UDPIdleTimeout metav1.Duration `json:"udpIdleTimeout"`
    // conntrack contains conntrack-related configuration options.
    Conntrack KubeProxyConntrackConfiguration `json:"conntrack"`
    // configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
    // than 0.
    ConfigSyncPeriod metav1.Duration `json:"configSyncPeriod"`
    // nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
    // IP blocks. These values are used as a parameter to select the interfaces where NodePort works.
    // If someone would like to expose a service on localhost for local access and on some other
    // interfaces for a particular purpose, a list of IP blocks would do that.
    // If set to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
    // If set to a non-zero IP block, kube-proxy will filter that down to just the IPs that apply to the node.
    // An empty string slice is meant to select all network interfaces.
    // NOTE(review): the empty default exposes every NodePort service on every node address;
    // narrowing this list is the configuration-level way to limit that surface.
    NodePortAddresses []string `json:"nodePortAddresses"`
    // winkernel contains winkernel-related configuration options.
    Winkernel KubeProxyWinkernelConfiguration `json:"winkernel"`
    // ShowHiddenMetricsForVersion is the version for which you want to show hidden metrics.
    ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion"`
    // DetectLocalMode determines mode to use for detecting local traffic, defaults to LocalModeClusterCIDR.
    DetectLocalMode LocalMode `json:"detectLocalMode"`
}

componentbaseconfigv1alpha1.ClientConnectionConfiguration

代码路径: kubernetes-1.22.16/staging/src/k8s.io/component-base/config/types.go

// ClientConnectionConfiguration contains details for constructing a client.
// It is the internal (untagged) form; the versioned type embedded in
// KubeProxyConfiguration carries the JSON tags.
type ClientConnectionConfiguration struct {
    // kubeconfig is the path to a KubeConfig file.
    // The file holds the credentials used to reach the apiserver, so it should be
    // readable only by the proxy process.
    Kubeconfig string
    // acceptContentTypes defines the Accept header sent by clients when connecting to a server, overriding the
    // default value of 'application/json'. This field will control all connections to the server used by a particular
    // client.
    AcceptContentTypes string
    // contentType is the content type used when sending data to the server from this client.
    ContentType string
    // qps controls the number of queries per second allowed for this connection.
    // Together with burst this bounds the load one proxy can place on the apiserver.
    QPS float32
    // burst allows extra queries to accumulate when a client is exceeding its rate.
    Burst int32
}

KubeProxyIPTablesConfiguration

// KubeProxyIPTablesConfiguration contains iptables-related configuration
// details for the Kubernetes proxy server.
type KubeProxyIPTablesConfiguration struct {
    // masqueradeBit is the bit of the iptables fwmark space to use for SNAT if using
    // the pure iptables proxy mode. Values must be within the range [0, 31].
    // A pointer so that "unset" can be distinguished from bit 0.
    MasqueradeBit *int32 `json:"masqueradeBit"`
    // masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
    // NOTE(review): SNAT rewrites the source address, so with this on, workloads presumably see
    // the node's address instead of the original client's; anything relying on client source IP
    // (logs, source-based policy) should be checked before enabling it.
    MasqueradeAll bool `json:"masqueradeAll"`
    // syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
    // '2h22m').  Must be greater than 0.
    SyncPeriod metav1.Duration `json:"syncPeriod"`
    // minSyncPeriod is the minimum period that iptables rules are refreshed (e.g. '5s', '1m',
    // '2h22m'). Acts as a lower bound so that bursts of endpoint changes do not trigger
    // a resync on every event.
    MinSyncPeriod metav1.Duration `json:"minSyncPeriod"`
}

KubeProxyIPVSConfiguration

// KubeProxyIPVSConfiguration contains ipvs-related configuration
// details for the Kubernetes proxy server.
type KubeProxyIPVSConfiguration struct {
    // syncPeriod is the period that ipvs rules are refreshed (e.g. '5s', '1m',
    // '2h22m').  Must be greater than 0.
    SyncPeriod metav1.Duration `json:"syncPeriod"`
    // minSyncPeriod is the minimum period that ipvs rules are refreshed (e.g. '5s', '1m',
    // '2h22m').
    MinSyncPeriod metav1.Duration `json:"minSyncPeriod"`
    // scheduler is the ipvs scheduling algorithm to use. The accepted values are not
    // enumerated here; they are validated elsewhere.
    Scheduler string `json:"scheduler"`
    // excludeCIDRs is a list of CIDR's which the ipvs proxier should not touch
    // when cleaning up ipvs services.
    // NOTE(review): this is the mechanism that protects IPVS entries owned by other
    // software on the node from being removed by kube-proxy's cleanup; an incomplete list
    // here leads to deletions that look like an outage rather than an error.
    ExcludeCIDRs []string `json:"excludeCIDRs"`
    // strictARP configures arp_ignore and arp_announce to avoid answering ARP queries
    // from the kube-ipvs0 interface, so that service VIPs bound there are not advertised
    // on the node's network.
    StrictARP bool `json:"strictARP"`
    // tcpTimeout is the timeout value used for idle IPVS TCP sessions.
    // The default value is 0, which preserves the current timeout value on the system.
    TCPTimeout metav1.Duration `json:"tcpTimeout"`
    // tcpFinTimeout is the timeout value used for IPVS TCP sessions after receiving a FIN.
    // The default value is 0, which preserves the current timeout value on the system.
    TCPFinTimeout metav1.Duration `json:"tcpFinTimeout"`
    // udpTimeout is the timeout value used for IPVS UDP packets.
    // The default value is 0, which preserves the current timeout value on the system.
    UDPTimeout metav1.Duration `json:"udpTimeout"`
}

ProxyMode

// ProxyMode represents modes used by the Kubernetes proxy server.
//
// Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables'
// (newer, faster), 'ipvs'(newest, better in performance and scalability).
//
// Two modes of proxy are available in Windows platform: 'userspace'(older, stable) and 'kernelspace' (newer, faster).
//
// In Linux platform, if proxy mode is blank, use the best-available proxy (currently iptables, but may change in the
// future). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are
// insufficient, this always falls back to the userspace proxy. IPVS mode will be enabled when proxy mode is set to 'ipvs',
// and the fall back path is firstly iptables and then userspace.
//
// In Windows platform, if proxy mode is blank, use the best-available proxy (currently userspace, but may change in the
// future). If winkernel proxy is selected, regardless of how, but the Windows kernel can't support this mode of proxy,
// this always falls back to the userspace proxy.
//
// NOTE(review): the fallback is silent from the configuration's point of view — a node that
// lacks the requested mode's prerequisites ends up in a different, possibly slower, mode.
// Operators who depend on a specific mode should verify the effective mode on the node rather
// than trusting this field alone. The named constants are defined elsewhere, not on this page.
type ProxyMode string

KubeProxyConntrackConfiguration

// KubeProxyConntrackConfiguration contains conntrack settings for
// the Kubernetes proxy server.
//
// All fields are pointers so that an unset value can be told apart from an explicit
// zero, since 0 has special meaning ("leave as-is") for the limits below.
type KubeProxyConntrackConfiguration struct {
    // maxPerCore is the maximum number of NAT connections to track
    // per CPU core (0 to leave the limit as-is and ignore min).
    MaxPerCore *int32 `json:"maxPerCore"`
    // min is the minimum value of connect-tracking records to allocate,
    // regardless of conntrackMaxPerCore (set maxPerCore=0 to leave the limit as-is).
    Min *int32 `json:"min"`
    // tcpEstablishedTimeout is how long an idle TCP connection will be kept open
    // (e.g. '2s').  Must be greater than 0 to set.
    TCPEstablishedTimeout *metav1.Duration `json:"tcpEstablishedTimeout"`
    // tcpCloseWaitTimeout is how long an idle conntrack entry
    // in CLOSE_WAIT state will remain in the conntrack
    // table. (e.g. '60s'). Must be greater than 0 to set.
    TCPCloseWaitTimeout *metav1.Duration `json:"tcpCloseWaitTimeout"`
}

KubeProxyWinkernelConfiguration

// KubeProxyWinkernelConfiguration contains Windows/HNS settings for
// the Kubernetes proxy server.
type KubeProxyWinkernelConfiguration struct {
    // networkName is the name of the network kube-proxy will use
    // to create endpoints and policies.
    NetworkName string `json:"networkName"`
    // sourceVip is the IP address of the source VIP endpoint used for
    // NAT when loadbalancing.
    SourceVip string `json:"sourceVip"`
    // enableDSR tells kube-proxy whether HNS policies should be created
    // with DSR (direct server return).
    EnableDSR bool `json:"enableDSR"`
}

LocalMode

// LocalMode represents modes to detect local traffic from the node.
// It is the type of KubeProxyConfiguration.DetectLocalMode, whose documented
// default is LocalModeClusterCIDR; the named constants are defined elsewhere.
type LocalMode string


