Jianmingfan (kenieevan@github) Zhiguohong (honkiko@github) Bypassing conntrack: Optimizing K8s Service By Enhancing IPVS with eBPF Agenda 目录 01 Problems with K8s Service How to optimize 02 Comparison Iptables rules are difficult to debug IPVS mode • Services are organized in hash table • IPVS DNAT • conntrack/iptables SNAT • Pros • O(1) time complexity in control/data plane • Stably runs for two decades decades • Support rich scheduling algorithm • Cons • Performance cost caused by conntrack • Some bugs How to optimize • Guidelines • Use less CPU instructions to process each packet • Don’t monopolize