(kenieevan@github) Zhiguohong (honkiko@github) Bypassing conntrack: Optimizing K8s Service By Enhancing IPVS with eBPF Agenda 目录 01 Problems with K8s Service How to optimize 02 Comparison with industry provides in-cluster access • NodePort provides out-of-cluster access • Major modes • Iptables • IPVS Iptables mode • How it works • DNAT at PREROUTING chain • SNAT at POSTROUTING chain • Pros • • Poor in scheduling algorithm • Iptables rules are difficult to debug IPVS mode • Services are organized in hash table • IPVS DNAT • conntrack/iptables SNAT • Pros • O(1) time complexity in control/data