This topic describes how to optimize the network configurations of a cluster that runs Terway in Datapath V2 mode. The network configurations include the conntrack parameters and identity management settings. You can optimize the preceding configurations to improve cluster performance and stability.
Optimize conntrack parameters
Conntrack is a Linux kernel module that tracks connections and their status. In container networks built by Terway in Datapath V2 mode, conntrack is implemented by using Extended Berkeley Packet Filter (eBPF). For more information about how to optimize the conntrack parameters, see Optimize conntrack configurations in Terway. That topic describes how to adjust the conntrack table size, modify the timeout period of conntrack entries for TCP connections, and configure the system for high concurrency.
Limit the number of identities
If you use Terway in Datapath V2 mode, the NetworkPolicy feature is implemented by using eBPF. Unlike the traditional Netfilter-based implementation, the eBPF-based implementation assigns an identity to each pod for fine-grained network permission management.
An identity is derived from the labels of a pod and the labels of its namespace. The system assigns the same identity to all pods that have the same labels, so that network access for the whole group of pods can be managed as a unit.
Before forwarding traffic, the system checks the traffic against the rules in NetworkPolicies and decides whether traffic to a pod is allowed based on the IP address and the identity of the pod.
If the NetworkPolicy feature is disabled, identities do not take effect. In this case, Terway automatically limits the number of identities.
After you enable the NetworkPolicy feature, make sure that pods that are meant to share an identity carry the same labels. If pods in the same group have different labels, a large number of new identities is generated, which increases the load on the control plane of the cluster and slows down IP allocation.
To prevent excess identities generated by invalid labels, we recommend that you configure label-based filtering rules.
Configure filtering rules based on labels
This section involves important operations. Exercise caution.
If you modify label-based filtering rules, a large number of new identities is created within a short period of time, which also increases the load on the API server.
Invalid label-based filtering rules may cause NetworkPolicies to stop working.
Do not filter out all labels. A filtering rule must leave each group of pods with at least one label (a pod label or a namespace label). Otherwise, the system cannot identify the group of pods.
Labels that a filtering rule filters out can no longer be matched by a NetworkPolicy. Make sure that your rules filter out only invalid labels.
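The following is an added example, not code from the Terway or Cilium documentation. It models how an eBPF-based NetworkPolicy implementation derives an identity from the label set of a pod (pod labels plus namespace labels), why rollout-specific labels inflate the identity count as described above, and the two checks the preceding notes call for: that a rule never strips a group of pods of all its labels, and that it never drops a label a NetworkPolicy selects on. The rule syntax used here ("key" keeps label keys with that prefix, "!key" drops them, and an exclusion always wins) is an assumed simplification; the real syntax is documented by Cilium and is passed to Terway through cilium_args. The pod inventory, namespace labels and rule lists are constructed sample data.

```python
# Constructed sample inventory: two namespaces with their own labels, and three
# Deployments that each went through several rollouts. Every rollout yields a
# new pod-template-hash, so the raw label sets differ although the workloads do not.
NAMESPACES = {
    "shop": {"team": "retail"},
    "pay": {"team": "finance", "pci": "true"},
}

PODS = []
for ns, app, hashes in [
    ("shop", "web", ["5d4f", "7a1c", "9b22"]),
    ("shop", "cart", ["11aa", "22bb"]),
    ("pay", "gateway", ["c0de", "f00d", "beef", "cafe"]),
]:
    for h in hashes:
        for _replica in range(2):
            PODS.append({
                "namespace": ns,
                "labels": {"app": app,
                           "pod-template-hash": h,
                           "controller-revision": f"{app}-{h}"},
            })

# Rules that drop only the rollout-specific labels (the recommended shape).
RECOMMENDED_RULES = ["!pod-template-hash", "!controller-revision"]
# Rules that drop every label: the misconfiguration the notes warn against.
DROP_ALL_RULES = ["!app", "!pod-template-hash", "!controller-revision",
                  "!ns.", "!namespace"]


def all_labels(pod):
    """Merge the labels an identity is derived from: the namespace name, the
    namespace's own labels (prefixed with 'ns.') and the pod's labels."""
    merged = {"namespace": pod["namespace"]}
    merged.update({f"ns.{k}": v for k, v in NAMESPACES[pod["namespace"]].items()})
    merged.update(pod["labels"])
    return merged


def apply_filter(labels, rules):
    """Return the labels that survive the filter rules (assumed simplified syntax)."""
    includes = [r for r in rules if not r.startswith("!")]
    excludes = [r[1:] for r in rules if r.startswith("!")]
    kept = {}
    for key, value in labels.items():
        if any(key.startswith(ex) for ex in excludes):
            continue  # an exclusion always wins
        if includes and not any(key.startswith(inc) for inc in includes):
            continue  # with an include list, only listed prefixes survive
        kept[key] = value
    return kept


def identity_of(pod, rules):
    """The identity is the filtered label set; pods with equal sets share it."""
    return frozenset(apply_filter(all_labels(pod), rules).items())


def count_identities(pods, rules):
    """Number of distinct identities the pod inventory produces under the rules."""
    return len({identity_of(pod, rules) for pod in pods})


def check_rules(pods, rules, policy_label_keys):
    """Flag the two misconfigurations the notes describe. Returns a list of
    problem descriptions; an empty list means the rules look safe.

    - a pod that is left with no labels at all can no longer be identified;
    - a rule that drops a label key a NetworkPolicy selects on breaks that policy.
    """
    problems = []
    for pod in pods:
        if not apply_filter(all_labels(pod), rules):
            problems.append(
                f"pod {pod['namespace']}/{pod['labels']['app']} has no labels left")
            break
    for key in policy_label_keys:
        if not apply_filter({key: "x"}, rules):
            problems.append(f"policy label '{key}' is filtered out")
    return problems


if __name__ == "__main__":
    print("identities without filtering:", count_identities(PODS, []))
    print("identities with recommended rules:",
          count_identities(PODS, RECOMMENDED_RULES))
    print("problems with drop-all rules:",
          check_rules(PODS, DROP_ALL_RULES, ["app"]))
```

With no filtering, the 18 sample pods yield one identity per ReplicaSet (9 in total) because every rollout changes pod-template-hash; with the two exclusion rules they collapse to one identity per workload (3). Run check_rules against the label keys your NetworkPolicies select on before changing cilium_args, since a rule that drops one of those keys silently disables the policy.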
For more information about how to configure label-based filtering rules, see Cilium.
For more information about how to configure Cilium in Terway configurations, see the cilium_args parameter in the Customize the Terway ConfigMap topic.