The simple answer is to change the limit. The more robust answer would be toake the limit more dynamic, but that can fail at runtime if, for example, kernel memory is fragmented. Also I am not sure that tunable can be live-adjusted.
:( We have ideas about how to be more frugal with conntrack records, but have not had anyone follow up on that work. So much to do. On Wed, Mar 28, 2018, 8:44 AM Rodrigo Campos <rodrig...@gmail.com> wrote: > Just curious, but why not change the contrack limit? > > On Wednesday, March 28, 2018, <jtron...@gmail.com> wrote: > >> Is there anything similar to a network policy that limits x open >> connections per pod? >> >> During a 100k TPS load test, a subset of pods had errors connecting to a >> downstream service and we maxed out the nf_conntrack table (500k) which >> affected the rest of the pods on each node that had this issue - which >> happened to be 55% of the cluster. >> >> Besides handling this at the application level, I wanted to protect the >> cluster as a whole so that not one deployment can affect the entire cluster >> in this manner. >> >> Thanks for any help. >> >> -Jonathan >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Kubernetes user discussion and Q&A" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to kubernetes-users+unsubscr...@googlegroups.com. >> To post to this group, send email to kubernetes-users@googlegroups.com. >> Visit this group at https://groups.google.com/group/kubernetes-users. >> For more options, visit https://groups.google.com/d/optout. >> > -- > You received this message because you are subscribed to the Google Groups > "Kubernetes user discussion and Q&A" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to kubernetes-users+unsubscr...@googlegroups.com. > To post to this group, send email to kubernetes-users@googlegroups.com. > Visit this group at https://groups.google.com/group/kubernetes-users. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group. To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-users+unsubscr...@googlegroups.com. To post to this group, send email to kubernetes-users@googlegroups.com. Visit this group at https://groups.google.com/group/kubernetes-users. For more options, visit https://groups.google.com/d/optout.
