// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package ipset

import (
	"context"
	"os/exec"
	"strings"

	"github.com/cilium/hive/cell"
	"github.com/cilium/statedb"
	"github.com/cilium/statedb/reconciler"
	"github.com/sirupsen/logrus"
	"golang.org/x/time/rate"

	"github.com/cilium/cilium/pkg/datapath/tables"
	"github.com/cilium/cilium/pkg/option"
	"github.com/cilium/cilium/pkg/time"
)

// Cell wires up the management of the kernel IP sets that hold cluster node
// addresses. Those sets are referenced by iptables rules so that traffic
// towards cluster nodes is excluded from masquerading.
//
// One set holds IPv4 addresses and a separate one holds IPv6 addresses.
// The desired content of the sets lives in a StateDB table; a reconciler
// pushes that desired state into the kernel (the realized state). IP sets
// that are not part of Cilium's configuration are left untouched.
var Cell = cell.Module(
	"ipset",
	"Handle kernel IP sets configuration for Cilium",

	// The manager is the only object other cells get to see.
	cell.Provide(newIPSetManager),

	// Internal plumbing: the desired-state table, the reconciler and its
	// operations, the wrapper around the ipset binary, and the cell config.
	cell.ProvidePrivate(
		tables.NewIPSetTable,
		newOps,
		newReconciler,
		newIPSetExecutor,
		newCellConfig,
	),
)

// runIPSetCommand runs name with arg as a plain argv vector and feeds stdin
// to the process on its standard input, returning the process' standard
// output. No shell is involved, so set names and IP addresses that end up in
// arg or stdin cannot be interpreted as shell syntax. When name has no path
// separator, os/exec resolves it through PATH, so the agent's PATH decides
// which binary runs. Because no Stderr writer is attached, a non-zero exit
// yields an *exec.ExitError whose Stderr field carries the captured standard
// error, which is what callers should surface when diagnosing failures.
// Cancelling ctx kills the child process.
func runIPSetCommand(ctx context.Context, name string, stdin string, arg ...string) ([]byte, error) {
	proc := exec.CommandContext(ctx, name, arg...)
	proc.Stdin = strings.NewReader(stdin)
	return proc.Output()
}

// newIPSetExecutor builds the ipset wrapper used by the reconciler
// operations. It executes the ipset binary through runIPSetCommand and logs
// via logger.
func newIPSetExecutor(logger logrus.FieldLogger) *ipset {
	return &ipset{
		executable: funcExecutable(runIPSetCommand),
		log:        logger,
	}
}

// newCellConfig derives this cell's configuration from the daemon
// configuration.
func newCellConfig(cfg *option.DaemonConfig) config {
	needed := cfg.NodeIpsetNeeded()
	return config{NodeIPSetNeeded: needed}
}

// config is the cell's configuration.
type config struct {
	// NodeIPSetNeeded reports whether the node IP sets have to be maintained
	// at all; it is taken from DaemonConfig.NodeIpsetNeeded().
	NodeIPSetNeeded bool
}

// newReconciler registers a StateDB reconciler that drives the realized
// kernel IP sets towards the desired state held in tbl. ops is used both as
// the per-entry operations and as the batch operations implementation.
//
// Returns the registered reconciler, or the error from reconciler.Register.
func newReconciler(params reconciler.Params, ops *ops, tbl statedb.RWTable[*tables.IPSetEntry]) (reconciler.Reconciler[*tables.IPSetEntry], error) {
	// Each incremental round handles at most batchSize entries, and rounds
	// are spaced by the limiter (one round per 10ms, burst of 1). The
	// limiter lets a batch accumulate between rounds, and it caps the
	// incremental path at 100 rounds/s * 100 entries = 10000 entries/s.
	const batchSize = 100
	limiter := rate.NewLimiter(rate.Every(10*time.Millisecond), 1)

	return reconciler.Register(
		params,
		tbl,
		(*tables.IPSetEntry).Clone,
		(*tables.IPSetEntry).SetStatus,
		(*tables.IPSetEntry).GetStatus,
		ops,
		ops,
		reconciler.WithRoundLimits(batchSize, limiter),
	)
}