Kube-proxy facing locking timeout in large clusters during load test with services enabled

[shyamjvs]

Follows from discussion in #48052

We noticed this while performing load test on 4000 node clusters with services enabled. The iptables restore step in the proxier fails with:

E0625 09:03:14.873338       5 proxier.go:1574] Failed to execute iptables-restore: failed to acquire old iptables lock: timed out waiting for the condition

And the reason quite likely is because of "huge" size of iptables (tens of MBs) as we run 30 pods per node and each pod is part of exactly one service
=> 30 * 4000 = 120k service endpoints (and these updates happen on all 4000 nodes)

cc @kubernetes/sig-network-misc @kubernetes/sig-scalability-misc @danwinship @wojtek-t

[shyamjvs]

fyi, the logs for the run are here - http://gcsweb.k8s.io/gcs/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-enormous-cluster/10/

[freehan]

I suspect other components are holding the lock and fail to release.
Is kube-proxy able to have successful iptables-restore after first occurence?

[shyamjvs]

@freehan It's failing continuously (https://storage.googleapis.com/kubernetes-jenkins/logs/ci-kubernetes-e2e-gce-enormous-cluster/10/artifacts/e2e-enormous-cluster-minion-group-01nl/kube-proxy.log)

[shyamjvs]

Linking issue #47344 for tracking.

[shyamjvs]

cc @wojtek-t

[freehan]

Are the nodes running on CVM or COS? It looks like it is running on CVM, right?

[freehan]

Is there anyway we can execute lsof on a node in the bad state?

[freehan]

It looks like iptables util cannot open a specific linux domain socket. I suspect kube-proxy failed to close it during one run. Not sure why. I will send a PR to expose the error soon.

[shyamjvs]

@freehan The nodes were running on gci (which I guess is the same as cos). Ref: https://github.com/kubernetes/test-infra/blob/master/jobs/ci-kubernetes-e2e-gce-enormous-cluster.env#L33