{"id":26459878,"url":"https://github.com/sbezverk/nfproxy","last_synced_at":"2025-03-19T02:11:50.413Z","repository":{"id":50653292,"uuid":"226981057","full_name":"sbezverk/nfproxy","owner":"sbezverk","description":"nftables based proxy for kubernetes","archived":false,"fork":false,"pushed_at":"2021-01-12T15:51:15.000Z","size":4934,"stargazers_count":47,"open_issues_count":3,"forks_count":5,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-11-21T22:20:42.075Z","etag":null,"topics":["go","kubernetes","nftables","proxy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sbezverk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-12-09T22:34:52.000Z","updated_at":"2024-09-01T13:06:09.000Z","dependencies_parsed_at":"2022-09-19T05:20:57.547Z","dependency_job_id":null,"html_url":"https://github.com/sbezverk/nfproxy","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbezverk%2Fnfproxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbezverk%2Fnfproxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbezverk%2Fnfproxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbezverk%2Fnfproxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sbezverk","download_url":"https://codeload.github.com/sbezverk/nfproxy/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_c
ount":244339048,"owners_count":20437171,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","kubernetes","nftables","proxy"],"created_at":"2025-03-19T02:11:49.784Z","updated_at":"2025-03-19T02:11:50.401Z","avatar_url":"https://github.com/sbezverk.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n[![Build Status](https://travis-ci.org/sbezverk/nfproxy.svg?branch=master)](https://travis-ci.org/sbezverk/nfproxy)\n\n\u003cp align=\"left\"\u003e\n  \u003cimg src=\"https://github.com/sbezverk/nfproxy/blob/master/Logo_final.png?raw=true\" width=\"40%\" height=\"40%\"\u003e\n\u003c/p\u003e\n\n## Kubernetes proxy functionality based on nftables\n\n## Goal\n\nThe goal of nfproxy is to provide a high-performance, scalable Kubernetes proxy supporting both IPv4 and IPv6. \n**nfproxy** is not a 1:1 copy of kube-proxy (iptables) in terms of features. **nfproxy** is not going to cover all corner\ncases and special features addressed by kube-proxy if these features compromise the design principle of nfproxy, which is\n\n**\"There are no rules per service or per endpoint\"**. 
\n\nThis means that the number of rules in one chain will not correlate with the number of services or endpoints.\n\nThis principle limits where nfproxy can be applied, but in the cases where nfproxy\ncan be used, it offers superior performance and scalability compared with the kube-proxy (iptables) implementation.\n\n## Build\n\nTo build the nfproxy binary, execute:\n\n```\nmake nfproxy\n```\nThe resulting binary will be placed in the *./bin* folder.\n\nTo build a container:\n\n```\nmake container IMAGE_VERSION=X.X.X REGISTRY_NAME=docker.io/somename\n```\nThis command compiles the nfproxy binary, then builds a Docker container image tagged\n**REGISTRY_NAME/nfproxy:IMAGE_VERSION** and places it in the local Docker image store.\n\n## Deployment\n\n1. Find a way to save kube-proxy's daemonset yaml; once you are tired of playing with nfproxy,\nthis yaml will allow you to restore the default kube-proxy functionality.\n\n2. Delete the kube-proxy daemonset and clean up iptables entries if kube-proxy ran in iptables mode\n\n```\nkubectl delete daemonset -n kube-system kube-proxy\n\nsudo iptables -F -t nat\n\nsudo iptables -F -t filter\n```\nNote that `iptables -F` flushes every rule in the given table, not only the entries created by kube-proxy.\n\n3. Modify the nfproxy deployment yaml file to specify your cluster's CIDR and the location of the nfproxy image if the default\nis not used. \nThe **nfproxy** deployment file is located at ./deployment/nfproxy.yaml.\n\nChange:\n```\n- \"57.112.0.0/12\"\n```\n\nto your cluster's CIDR range:\n```\n- \"X.Y.Z.0/L\"\n```\nWhere *L* is the length in bits of your cluster's CIDR.\n\nSpecify the API server public endpoint in the **API_PUBLIC_ENDPOINT** variable, for example:\n```\n- name: API_PUBLIC_ENDPOINT\n  value: \"https://192.168.80.221:6443\"\n```\n\nTo use the EndpointSlice controller instead of the Endpoints controller, add:\n```\n- --endpointslice\n- \"true\"\n```\n\n4. Deploy nfproxy\n\n```\nkubectl create -f ./deployment/nfproxy.yaml\n```\n\n5. 
Check the nfproxy pod's log\n\n```\nkubectl logs -n kube-system nfproxy-blah\n```\nIf nfproxy started successfully, the pod's log will contain messages about discovered services.\n\n6. To delete nfproxy\n\n```\nkubectl delete -f ./deployment/nfproxy.yaml\n```\n\n## Status\n\n**nfproxy** testing is done by running SIG-Network E2E tests in 2-node and 5-node clusters. \nThe command line to run tests is the following:\n```\n ./bazel-bin/test/e2e/e2e.test  -ginkgo.focus=\"\\[sig-network\\].*Service\" -kubeconfig={location of kubeconfig file} -dns-domain={cluster's domain name}\n```\nBelow is the summary of results:\n\n**2-node and 5-node clusters, Calico CNI, Endpoints Controller**\n\n```\nSummarizing 2 Failures:\n\n[Fail] [sig-network] EndpointSlice [Feature:EndpointSlice] version v1 [It] should create Endpoints and EndpointSlices for Pods matching a Service \ntest/e2e/network/endpointslice.go:216\n\n[Fail] [sig-network] Services [It] should handle load balancer cleanup finalizer for service [Slow] \ntest/e2e/framework/service/wait.go:79\n\nRan 28 of 4845 Specs in 2138.719 seconds\nFAIL! -- 26 Passed | 2 Failed | 0 Pending | 4817 Skipped\n```\n\nThe first failure is related to the EndpointSlice controller not being enabled. \nThe second failure is not **nfproxy** related, as it fails the same way in cases where nfproxy is not used. \n\n**2-node and 5-node clusters, Calico CNI, EndpointSlice Controller**\n\n```\nSummarizing 1 Failure:\n\n[Fail] [sig-network] Services [It] should handle load balancer cleanup finalizer for service [Slow] \ntest/e2e/framework/service/wait.go:79\n\nRan 28 of 4845 Specs in 2042.535 seconds\nFAIL! -- 27 Passed | 1 Failed | 0 Pending | 4817 Skipped\n--- FAIL: TestE2E (2042.55s)\nFAIL\n```\nThe failure is not **nfproxy** related, as it fails the same way in cases where nfproxy is not used. 
\n\n**Contributors, reviewers, testers are welcome!!!**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbezverk%2Fnfproxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsbezverk%2Fnfproxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbezverk%2Fnfproxy/lists"}