This is a proof-of-concept PR for implementing nftables flowtable support in Calico. flowtables allow bypassing of large parts of the Linux networking stack for established connections, which should theoretically substantially improve the performance especially for longer lived connections.
Some key things to consider here:
How does this interact with a potential equivalent implemention in kube-proxy?
How does this perform in clusters with larger numbers of short-lived connections?
Does flowtable overhead actually hurt those environments?
Do we need to be able to include / exclude certain endpoints or flows from this optimization?
Description
This is a proof-of-concept PR for implementing nftables flowtable support in Calico. flowtables allow bypassing of large parts of the Linux networking stack for established connections, which should theoretically substantially improve the performance especially for longer lived connections.
Some key things to consider here:
Related issues/PRs
Kube-proxy implementation: https://github.com/kubernetes/kubernetes/pull/128392
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.