We are having problems on kube-proxy loading iptables. It locks docker when there's a large number of services. Is there a way to tune this with its parameters?
From its documentation, I can only find --iptables-min-sync-period and --iptables-sync-period might be related? What's the recommended values for these in a large network?
We spent the last few weeks looking at this, too. I assume you are also also seeing big CPU spikes (or even a constant 100% iptables) in networks with large amounts of ingress rules/routes.
That was identified a few releases ago and in the 1.5 cycle we got a few patches in that would reduce the number of iptables calls being made. In addition to that, we have introduced the min-sync-period flag which guarantees iptables will only run every X period.
Our tests set iptables-min-sync-interval=30s but we haven't yet decided yet what to do by default in OpenShift. Hope to have some more formal position soon.