GKE 的 kube-proxy

组件 YAML

以 DaemonSet 方式部署了一个 kube-proxy:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    k8s-app: kube-proxy
  name: kube-proxy
  namespace: kube-system
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kube-proxy
  template:
    metadata:
      labels:
        k8s-app: kube-proxy
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - kube-proxy --cluster-cidr=10.44.0.0/14 --oom-score-adj=-998 --v=2 --feature-gates=UnauthenticatedHTTP2DOSMitigation=true,KMSv1=true,WatchCacheInitializationPostStartHook=true
          --iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m
          --ipvs-min-sync-period=10s --detect-local-mode=NodeCIDR 1>>/var/log/kube-proxy.log
          2>&1
        env:
        - name: KUBERNETES_SERVICE_HOST
          value: 10.142.0.7
        image: us-east1-artifactregistry.gcr.io/gke-release/gke-release/kube-proxy-amd64:v1.34.0-gke.1662000
        imagePullPolicy: IfNotPresent
        name: kube-proxy
        resources:
          requests:
            cpu: 100m
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/log
          name: varlog
        - mountPath: /run/xtables.lock
          name: xtables-lock
        - mountPath: /lib/modules
          name: lib-modules
          readOnly: true
      dnsPolicy: ClusterFirst
      hostNetwork: true
      nodeSelector:
        kubernetes.io/os: linux
        node.kubernetes.io/kube-proxy-ds-ready: "true"
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      serviceAccount: kube-proxy
      serviceAccountName: kube-proxy
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        operator: Exists
      - effect: NoSchedule
        operator: Exists
      - key: components.gke.io/gke-managed-components
        operator: Exists
      volumes:
      - hostPath:
          path: /var/log
          type: ""
        name: varlog
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: xtables-lock
      - hostPath:
          path: /lib/modules
          type: ""
        name: lib-modules
  updateStrategy:
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 10%
    type: RollingUpdate

但有 nodeSelector，默认不会部署到节点，不过节点上还是会有 kube-proxy 的 Pod 启动，只是不是来自这个 DeamonSet，而是通过 static pod 方式部署：

/etc/kubernetes/manifests/kube-proxy.manifest

apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubernetes.io/config.hash: 3a2c77f7e2c9fa3a03323fe214e8ddd0
    kubernetes.io/config.mirror: 3a2c77f7e2c9fa3a03323fe214e8ddd0
    kubernetes.io/config.seen: "2025-09-23T07:49:22.570407571Z"
    kubernetes.io/config.source: file
  labels:
    component: kube-proxy
    tier: node
  name: kube-proxy-gke-gke-test-default-pool-e5de334e-i8hi
  namespace: kube-system
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/autopilot-managed-node
            operator: DoesNotExist
  containers:
  - command:
    - /bin/sh
    - -c
    - exec kube-proxy --master=https://10.142.0.7 --kubeconfig=/var/lib/kube-proxy/kubeconfig
      --cluster-cidr=10.44.0.0/14 --oom-score-adj=-998 --v=2 --feature-gates=RotateKubeletServerCertificate=true,ExecProbeTimeout=false
      --iptables-sync-period=1m --iptables-min-sync-period=10s --ipvs-sync-period=1m
      --ipvs-min-sync-period=10s --detect-local-mode=NodeCIDR 1>>/var/log/kube-proxy.log
      2>&1
    image: us-east1-artifactregistry.gcr.io/gke-release/gke-release/kube-proxy-amd64:v1.34.0-gke.1662000
    name: kube-proxy
    resources:
      requests:
        cpu: 100m
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /etc/ssl/certs
      name: etc-ssl-certs
      readOnly: true
    - mountPath: /usr/share/ca-certificates
      name: usr-ca-certs
      readOnly: true
    - mountPath: /var/log
      name: varlog
    - mountPath: /var/lib/kube-proxy/kubeconfig
      name: kubeconfig
    - mountPath: /run/xtables.lock
      name: iptableslock
    - mountPath: /lib/modules
      name: lib-modules
      readOnly: true
  hostNetwork: true
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  tolerations:
  - effect: NoExecute
    operator: Exists
  - effect: NoSchedule
    operator: Exists
  volumes:
  - hostPath:
      path: /usr/share/ca-certificates
    name: usr-ca-certs
  - hostPath:
      path: /etc/ssl/certs
    name: etc-ssl-certs
  - hostPath:
      path: /var/lib/kube-proxy/kubeconfig
      type: FileOrCreate
    name: kubeconfig
  - hostPath:
      path: /var/log
    name: varlog
  - hostPath:
      path: /run/xtables.lock
      type: FileOrCreate
    name: iptableslock
  - hostPath:
      path: /lib/modules
    name: lib-modules

转发模式

从 YAML 中可以看出，没有设置 mode，也没有挂载 config，所以为 kube-proxy 的默认 mode，为 iptables 模式。

节点 iptables 版本

$ iptables --version
iptables v1.8.10 (nf_tables)