Switch to github.com/golang/dep for vendoring

Signed-off-by: Mrunal Patel <mrunalp@gmail.com>

vendor/k8s.io/kubernetes/cmd/kube-proxy/BUILD

@@ -0,0 +1,48 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_binary",
+    "go_library",
+)
+
+go_binary(
+    name = "kube-proxy",
+    library = ":go_default_library",
+    tags = ["automanaged"],
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["proxy.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/kube-proxy/app:go_default_library",
+        "//cmd/kube-proxy/app/options:go_default_library",
+        "//pkg/client/metrics/prometheus:go_default_library",
+        "//pkg/util/flag:go_default_library",
+        "//pkg/util/logs:go_default_library",
+        "//pkg/version/prometheus:go_default_library",
+        "//pkg/version/verflag:go_default_library",
+        "//vendor:github.com/spf13/pflag",
+        "//vendor:k8s.io/apiserver/pkg/healthz",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//cmd/kube-proxy/app:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/BUILD

@@ -0,0 +1,81 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+    "go_test",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "conntrack.go",
+        "server.go",
+    ],
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/kube-proxy/app/options:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/api/v1:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset:go_default_library",
+        "//pkg/client/clientset_generated/internalclientset/typed/core/internalversion:go_default_library",
+        "//pkg/client/record:go_default_library",
+        "//pkg/client/unversioned/clientcmd:go_default_library",
+        "//pkg/client/unversioned/clientcmd/api:go_default_library",
+        "//pkg/proxy:go_default_library",
+        "//pkg/proxy/config:go_default_library",
+        "//pkg/proxy/iptables:go_default_library",
+        "//pkg/proxy/userspace:go_default_library",
+        "//pkg/proxy/winuserspace:go_default_library",
+        "//pkg/util/configz:go_default_library",
+        "//pkg/util/dbus:go_default_library",
+        "//pkg/util/exec:go_default_library",
+        "//pkg/util/iptables:go_default_library",
+        "//pkg/util/mount:go_default_library",
+        "//pkg/util/netsh:go_default_library",
+        "//pkg/util/node:go_default_library",
+        "//pkg/util/oom:go_default_library",
+        "//pkg/util/resourcecontainer:go_default_library",
+        "//pkg/util/sysctl:go_default_library",
+        "//vendor:github.com/golang/glog",
+        "//vendor:github.com/spf13/cobra",
+        "//vendor:github.com/spf13/pflag",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+        "//vendor:k8s.io/apimachinery/pkg/types",
+        "//vendor:k8s.io/apimachinery/pkg/util/net",
+        "//vendor:k8s.io/apimachinery/pkg/util/wait",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["server_test.go"],
+    library = ":go_default_library",
+    tags = ["automanaged"],
+    deps = [
+        "//cmd/kube-proxy/app/options:go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//pkg/util/iptables:go_default_library",
+        "//vendor:github.com/stretchr/testify/assert",
+        "//vendor:k8s.io/apimachinery/pkg/apis/meta/v1",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [
+        ":package-srcs",
+        "//cmd/kube-proxy/app/options:all-srcs",
+    ],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/conntrack.go

@@ -0,0 +1,117 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"errors"
+	"io/ioutil"
+	"strconv"
+
+	"github.com/golang/glog"
+
+	"k8s.io/kubernetes/pkg/util/mount"
+	"k8s.io/kubernetes/pkg/util/sysctl"
+)
+
+// Conntracker is an interface to the global sysctl. Descriptions of the various
+// sysctl fields can be found here:
+//
+// https://www.kernel.org/doc/Documentation/networking/nf_conntrack-sysctl.txt
+type Conntracker interface {
+	// SetMax adjusts nf_conntrack_max.
+	SetMax(max int) error
+	// SetTCPEstablishedTimeout adjusts nf_conntrack_tcp_timeout_established.
+	SetTCPEstablishedTimeout(seconds int) error
+	// SetTCPCloseWaitTimeout nf_conntrack_tcp_timeout_close_wait.
+	SetTCPCloseWaitTimeout(seconds int) error
+}
+
+type realConntracker struct{}
+
+var readOnlySysFSError = errors.New("readOnlySysFS")
+
+func (rct realConntracker) SetMax(max int) error {
+	if err := rct.setIntSysCtl("nf_conntrack_max", max); err != nil {
+		return err
+	}
+	// sysfs is expected to be mounted as 'rw'. However, it may be
+	// unexpectedly mounted as 'ro' by docker because of a known docker
+	// issue (https://github.com/docker/docker/issues/24000). Setting
+	// conntrack will fail when sysfs is readonly. When that happens, we
+	// don't set conntrack hashsize and return a special error
+	// readOnlySysFSError here. The caller should deal with
+	// readOnlySysFSError differently.
+	writable, err := isSysFSWritable()
+	if err != nil {
+		return err
+	}
+	if !writable {
+		return readOnlySysFSError
+	}
+	// TODO: generify this and sysctl to a new sysfs.WriteInt()
+	glog.Infof("Setting conntrack hashsize to %d", max/4)
+	return writeIntStringFile("/sys/module/nf_conntrack/parameters/hashsize", max/4)
+}
+
+func (rct realConntracker) SetTCPEstablishedTimeout(seconds int) error {
+	return rct.setIntSysCtl("nf_conntrack_tcp_timeout_established", seconds)
+}
+
+func (rct realConntracker) SetTCPCloseWaitTimeout(seconds int) error {
+	return rct.setIntSysCtl("nf_conntrack_tcp_timeout_close_wait", seconds)
+}
+
+func (realConntracker) setIntSysCtl(name string, value int) error {
+	entry := "net/netfilter/" + name
+
+	glog.Infof("Set sysctl '%v' to %v", entry, value)
+	if err := sysctl.New().SetSysctl(entry, value); err != nil {
+		return err
+	}
+	return nil
+}
+
+// isSysFSWritable checks /proc/mounts to see whether sysfs is 'rw' or not.
+func isSysFSWritable() (bool, error) {
+	const permWritable = "rw"
+	const sysfsDevice = "sysfs"
+	m := mount.New("" /* default mount path */)
+	mountPoints, err := m.List()
+	if err != nil {
+		glog.Errorf("failed to list mount points: %v", err)
+		return false, err
+	}
+
+	for _, mountPoint := range mountPoints {
+		if mountPoint.Type != sysfsDevice {
+			continue
+		}
+		// Check whether sysfs is 'rw'
+		if len(mountPoint.Opts) > 0 && mountPoint.Opts[0] == permWritable {
+			return true, nil
+		}
+		glog.Errorf("sysfs is not writable: %+v (mount options are %v)",
+			mountPoint, mountPoint.Opts)
+		return false, readOnlySysFSError
+	}
+
+	return false, errors.New("No sysfs mounted")
+}
+
+func writeIntStringFile(filename string, value int) error {
+	return ioutil.WriteFile(filename, []byte(strconv.Itoa(value)), 0640)
+}

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/options/BUILD

@@ -0,0 +1,37 @@
+package(default_visibility = ["//visibility:public"])
+
+licenses(["notice"])
+
+load(
+    "@io_bazel_rules_go//go:def.bzl",
+    "go_library",
+)
+
+go_library(
+    name = "go_default_library",
+    srcs = ["options.go"],
+    tags = ["automanaged"],
+    deps = [
+        "//pkg/api:go_default_library",
+        "//pkg/api/v1:go_default_library",
+        "//pkg/apis/componentconfig:go_default_library",
+        "//pkg/apis/componentconfig/v1alpha1:go_default_library",
+        "//pkg/kubelet/qos:go_default_library",
+        "//pkg/util:go_default_library",
+        "//pkg/util/config:go_default_library",
+        "//vendor:github.com/spf13/pflag",
+    ],
+)
+
+filegroup(
+    name = "package-srcs",
+    srcs = glob(["**"]),
+    tags = ["automanaged"],
+    visibility = ["//visibility:private"],
+)
+
+filegroup(
+    name = "all-srcs",
+    srcs = [":package-srcs"],
+    tags = ["automanaged"],
+)

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/options/options.go

@@ -0,0 +1,105 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package options contains flags for initializing a proxy.
+package options
+
+import (
+	_ "net/http/pprof"
+	"time"
+
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	"k8s.io/kubernetes/pkg/apis/componentconfig/v1alpha1"
+	"k8s.io/kubernetes/pkg/kubelet/qos"
+	"k8s.io/kubernetes/pkg/util"
+	"k8s.io/kubernetes/pkg/util/config"
+
+	"github.com/spf13/pflag"
+)
+
+const (
+	ExperimentalProxyModeAnnotation = "net.experimental.kubernetes.io/proxy-mode"
+)
+
+// ProxyServerConfig configures and runs a Kubernetes proxy server
+type ProxyServerConfig struct {
+	componentconfig.KubeProxyConfiguration
+	ResourceContainer string
+	ContentType       string
+	KubeAPIQPS        float32
+	KubeAPIBurst      int32
+	ConfigSyncPeriod  time.Duration
+	CleanupAndExit    bool
+	NodeRef           *v1.ObjectReference
+	Master            string
+	Kubeconfig        string
+}
+
+func NewProxyConfig() *ProxyServerConfig {
+	versioned := &v1alpha1.KubeProxyConfiguration{}
+	api.Scheme.Default(versioned)
+	cfg := componentconfig.KubeProxyConfiguration{}
+	api.Scheme.Convert(versioned, &cfg, nil)
+	return &ProxyServerConfig{
+		KubeProxyConfiguration: cfg,
+		ContentType:            "application/vnd.kubernetes.protobuf",
+		KubeAPIQPS:             5.0,
+		KubeAPIBurst:           10,
+		ConfigSyncPeriod:       15 * time.Minute,
+	}
+}
+
+// AddFlags adds flags for a specific ProxyServer to the specified FlagSet
+func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) {
+	fs.Var(componentconfig.IPVar{Val: &s.BindAddress}, "bind-address", "The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces)")
+	fs.StringVar(&s.Master, "master", s.Master, "The address of the Kubernetes API server (overrides any value in kubeconfig)")
+	fs.Int32Var(&s.HealthzPort, "healthz-port", s.HealthzPort, "The port to bind the health check server. Use 0 to disable.")
+	fs.Var(componentconfig.IPVar{Val: &s.HealthzBindAddress}, "healthz-bind-address", "The IP address for the health check server to serve on, defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces)")
+	fs.Int32Var(s.OOMScoreAdj, "oom-score-adj", util.Int32PtrDerefOr(s.OOMScoreAdj, int32(qos.KubeProxyOOMScoreAdj)), "The oom-score-adj value for kube-proxy process. Values must be within the range [-1000, 1000]")
+	fs.StringVar(&s.ResourceContainer, "resource-container", s.ResourceContainer, "Absolute name of the resource-only container to create and run the Kube-proxy in (Default: /kube-proxy).")
+	fs.MarkDeprecated("resource-container", "This feature will be removed in a later release.")
+	fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig, "Path to kubeconfig file with authorization information (the master location is set by the master flag).")
+	fs.Var(componentconfig.PortRangeVar{Val: &s.PortRange}, "proxy-port-range", "Range of host ports (beginPort-endPort, inclusive) that may be consumed in order to proxy service traffic. If unspecified (0-0) then ports will be randomly chosen.")
+	fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
+	fs.Var(&s.Mode, "proxy-mode", "Which proxy mode to use: 'userspace' (older) or 'iptables' (faster). If blank, look at the Node object on the Kubernetes API and respect the '"+ExperimentalProxyModeAnnotation+"' annotation if provided.  Otherwise use the best-available proxy (currently iptables).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.")
+	fs.Int32Var(s.IPTablesMasqueradeBit, "iptables-masquerade-bit", util.Int32PtrDerefOr(s.IPTablesMasqueradeBit, 14), "If using the pure iptables proxy, the bit of the fwmark space to mark packets requiring SNAT with.  Must be within the range [0, 31].")
+	fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "The maximum interval of how often iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.")
+	fs.DurationVar(&s.IPTablesMinSyncPeriod.Duration, "iptables-min-sync-period", s.IPTablesMinSyncPeriod.Duration, "The minimum interval of how often the iptables rules can be refreshed as endpoints and services change (e.g. '5s', '1m', '2h22m').")
+	fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed.  Must be greater than 0.")
+	fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything")
+	fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.")
+	fs.BoolVar(&s.CleanupAndExit, "cleanup-iptables", s.CleanupAndExit, "If true cleanup iptables rules and exit.")
+	fs.StringVar(&s.ContentType, "kube-api-content-type", s.ContentType, "Content type of requests sent to apiserver.")
+	fs.Float32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver")
+	fs.Int32Var(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver")
+	fs.DurationVar(&s.UDPIdleTimeout.Duration, "udp-timeout", s.UDPIdleTimeout.Duration, "How long an idle UDP connection will be kept open (e.g. '250ms', '2s').  Must be greater than 0. Only applicable for proxy-mode=userspace")
+	fs.Int32Var(&s.ConntrackMax, "conntrack-max", s.ConntrackMax,
+		"Maximum number of NAT connections to track (0 to leave as-is). This overrides conntrack-max-per-core and conntrack-min.")
+	fs.MarkDeprecated("conntrack-max", "This feature will be removed in a later release.")
+	fs.Int32Var(&s.ConntrackMaxPerCore, "conntrack-max-per-core", s.ConntrackMaxPerCore,
+		"Maximum number of NAT connections to track per CPU core (0 to leave the limit as-is and ignore conntrack-min).")
+	fs.Int32Var(&s.ConntrackMin, "conntrack-min", s.ConntrackMin,
+		"Minimum number of conntrack entries to allocate, regardless of conntrack-max-per-core (set conntrack-max-per-core=0 to leave the limit as-is).")
+	fs.DurationVar(&s.ConntrackTCPEstablishedTimeout.Duration, "conntrack-tcp-timeout-established", s.ConntrackTCPEstablishedTimeout.Duration, "Idle timeout for established TCP connections (0 to leave as-is)")
+	fs.DurationVar(
+		&s.ConntrackTCPCloseWaitTimeout.Duration, "conntrack-tcp-timeout-close-wait",
+		s.ConntrackTCPCloseWaitTimeout.Duration,
+		"NAT timeout for TCP connections in the CLOSE_WAIT state")
+
+	config.DefaultFeatureGate.AddFlag(fs)
+}

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/server.go

@@ -0,0 +1,491 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package app does all of the work necessary to configure and run a
+// Kubernetes app process.
+package app
+
+import (
+	"errors"
+	"fmt"
+	"net"
+	"net/http"
+	_ "net/http/pprof"
+	"runtime"
+	"strconv"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	utilnet "k8s.io/apimachinery/pkg/util/net"
+	"k8s.io/apimachinery/pkg/util/wait"
+	"k8s.io/kubernetes/cmd/kube-proxy/app/options"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/api/v1"
+	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
+	unversionedcore "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset/typed/core/internalversion"
+	"k8s.io/kubernetes/pkg/client/record"
+	"k8s.io/kubernetes/pkg/client/unversioned/clientcmd"
+	clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
+	"k8s.io/kubernetes/pkg/proxy"
+	proxyconfig "k8s.io/kubernetes/pkg/proxy/config"
+	"k8s.io/kubernetes/pkg/proxy/iptables"
+	"k8s.io/kubernetes/pkg/proxy/userspace"
+	"k8s.io/kubernetes/pkg/proxy/winuserspace"
+	"k8s.io/kubernetes/pkg/util/configz"
+	utildbus "k8s.io/kubernetes/pkg/util/dbus"
+	"k8s.io/kubernetes/pkg/util/exec"
+	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
+	utilnetsh "k8s.io/kubernetes/pkg/util/netsh"
+	nodeutil "k8s.io/kubernetes/pkg/util/node"
+	"k8s.io/kubernetes/pkg/util/oom"
+	"k8s.io/kubernetes/pkg/util/resourcecontainer"
+	utilsysctl "k8s.io/kubernetes/pkg/util/sysctl"
+
+	"github.com/golang/glog"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+type ProxyServer struct {
+	Client       clientset.Interface
+	Config       *options.ProxyServerConfig
+	IptInterface utiliptables.Interface
+	Proxier      proxy.ProxyProvider
+	Broadcaster  record.EventBroadcaster
+	Recorder     record.EventRecorder
+	Conntracker  Conntracker // if nil, ignored
+	ProxyMode    string
+}
+
+const (
+	proxyModeUserspace              = "userspace"
+	proxyModeIPTables               = "iptables"
+	experimentalProxyModeAnnotation = options.ExperimentalProxyModeAnnotation
+	betaProxyModeAnnotation         = "net.beta.kubernetes.io/proxy-mode"
+)
+
+func checkKnownProxyMode(proxyMode string) bool {
+	switch proxyMode {
+	case "", proxyModeUserspace, proxyModeIPTables:
+		return true
+	}
+	return false
+}
+
+func NewProxyServer(
+	client clientset.Interface,
+	config *options.ProxyServerConfig,
+	iptInterface utiliptables.Interface,
+	proxier proxy.ProxyProvider,
+	broadcaster record.EventBroadcaster,
+	recorder record.EventRecorder,
+	conntracker Conntracker,
+	proxyMode string,
+) (*ProxyServer, error) {
+	return &ProxyServer{
+		Client:       client,
+		Config:       config,
+		IptInterface: iptInterface,
+		Proxier:      proxier,
+		Broadcaster:  broadcaster,
+		Recorder:     recorder,
+		Conntracker:  conntracker,
+		ProxyMode:    proxyMode,
+	}, nil
+}
+
+// NewProxyCommand creates a *cobra.Command object with default parameters
+func NewProxyCommand() *cobra.Command {
+	s := options.NewProxyConfig()
+	s.AddFlags(pflag.CommandLine)
+	cmd := &cobra.Command{
+		Use: "kube-proxy",
+		Long: `The Kubernetes network proxy runs on each node. This
+reflects services as defined in the Kubernetes API on each node and can do simple
+TCP,UDP stream forwarding or round robin TCP,UDP forwarding across a set of backends.
+Service cluster ips and ports are currently found through Docker-links-compatible
+environment variables specifying ports opened by the service proxy. There is an optional
+addon that provides cluster DNS for these cluster IPs. The user must create a service
+with the apiserver API to configure the proxy.`,
+		Run: func(cmd *cobra.Command, args []string) {
+		},
+	}
+
+	return cmd
+}
+
+// NewProxyServerDefault creates a new ProxyServer object with default parameters.
+func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, error) {
+	if c, err := configz.New("componentconfig"); err == nil {
+		c.Set(config.KubeProxyConfiguration)
+	} else {
+		glog.Errorf("unable to register configz: %s", err)
+	}
+	protocol := utiliptables.ProtocolIpv4
+	if net.ParseIP(config.BindAddress).To4() == nil {
+		protocol = utiliptables.ProtocolIpv6
+	}
+
+	var netshInterface utilnetsh.Interface
+	var iptInterface utiliptables.Interface
+	var dbus utildbus.Interface
+
+	// Create a iptables utils.
+	execer := exec.New()
+
+	if runtime.GOOS == "windows" {
+		netshInterface = utilnetsh.New(execer)
+	} else {
+		dbus = utildbus.New()
+		iptInterface = utiliptables.New(execer, dbus, protocol)
+	}
+
+	// We omit creation of pretty much everything if we run in cleanup mode
+	if config.CleanupAndExit {
+		return &ProxyServer{
+			Config:       config,
+			IptInterface: iptInterface,
+		}, nil
+	}
+
+	// TODO(vmarmol): Use container config for this.
+	var oomAdjuster *oom.OOMAdjuster
+	if config.OOMScoreAdj != nil {
+		oomAdjuster = oom.NewOOMAdjuster()
+		if err := oomAdjuster.ApplyOOMScoreAdj(0, int(*config.OOMScoreAdj)); err != nil {
+			glog.V(2).Info(err)
+		}
+	}
+
+	if config.ResourceContainer != "" {
+		// Run in its own container.
+		if err := resourcecontainer.RunInResourceContainer(config.ResourceContainer); err != nil {
+			glog.Warningf("Failed to start in resource-only container %q: %v", config.ResourceContainer, err)
+		} else {
+			glog.V(2).Infof("Running in resource-only container %q", config.ResourceContainer)
+		}
+	}
+
+	// Create a Kube Client
+	// define api config source
+	if config.Kubeconfig == "" && config.Master == "" {
+		glog.Warningf("Neither --kubeconfig nor --master was specified.  Using default API client.  This might not work.")
+	}
+	// This creates a client, first loading any specified kubeconfig
+	// file, and then overriding the Master flag, if non-empty.
+	kubeconfig, err := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(
+		&clientcmd.ClientConfigLoadingRules{ExplicitPath: config.Kubeconfig},
+		&clientcmd.ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: config.Master}}).ClientConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	kubeconfig.ContentType = config.ContentType
+	// Override kubeconfig qps/burst settings from flags
+	kubeconfig.QPS = config.KubeAPIQPS
+	kubeconfig.Burst = int(config.KubeAPIBurst)
+
+	client, err := clientset.NewForConfig(kubeconfig)
+	if err != nil {
+		glog.Fatalf("Invalid API configuration: %v", err)
+	}
+
+	// Create event recorder
+	hostname := nodeutil.GetHostname(config.HostnameOverride)
+	eventBroadcaster := record.NewBroadcaster()
+	recorder := eventBroadcaster.NewRecorder(v1.EventSource{Component: "kube-proxy", Host: hostname})
+
+	var proxier proxy.ProxyProvider
+	var endpointsHandler proxyconfig.EndpointsConfigHandler
+
+	proxyMode := getProxyMode(string(config.Mode), client.Core().Nodes(), hostname, iptInterface, iptables.LinuxKernelCompatTester{})
+	if proxyMode == proxyModeIPTables {
+		glog.V(0).Info("Using iptables Proxier.")
+		if config.IPTablesMasqueradeBit == nil {
+			// IPTablesMasqueradeBit must be specified or defaulted.
+			return nil, fmt.Errorf("Unable to read IPTablesMasqueradeBit from config")
+		}
+		proxierIPTables, err := iptables.NewProxier(
+			iptInterface,
+			utilsysctl.New(),
+			execer,
+			config.IPTablesSyncPeriod.Duration,
+			config.IPTablesMinSyncPeriod.Duration,
+			config.MasqueradeAll,
+			int(*config.IPTablesMasqueradeBit),
+			config.ClusterCIDR,
+			hostname,
+			getNodeIP(client, hostname),
+			recorder,
+		)
+		if err != nil {
+			glog.Fatalf("Unable to create proxier: %v", err)
+		}
+		proxier = proxierIPTables
+		endpointsHandler = proxierIPTables
+		// No turning back. Remove artifacts that might still exist from the userspace Proxier.
+		glog.V(0).Info("Tearing down userspace rules.")
+		userspace.CleanupLeftovers(iptInterface)
+	} else {
+		glog.V(0).Info("Using userspace Proxier.")
+		// This is a proxy.LoadBalancer which NewProxier needs but has methods we don't need for
+		// our config.EndpointsConfigHandler.
+		loadBalancer := userspace.NewLoadBalancerRR()
+		// set EndpointsConfigHandler to our loadBalancer
+		endpointsHandler = loadBalancer
+
+		var proxierUserspace proxy.ProxyProvider
+
+		if runtime.GOOS == "windows" {
+			proxierUserspace, err = winuserspace.NewProxier(
+				loadBalancer,
+				net.ParseIP(config.BindAddress),
+				netshInterface,
+				*utilnet.ParsePortRangeOrDie(config.PortRange),
+				// TODO @pires replace below with default values, if applicable
+				config.IPTablesSyncPeriod.Duration,
+				config.UDPIdleTimeout.Duration,
+			)
+		} else {
+			proxierUserspace, err = userspace.NewProxier(
+				loadBalancer,
+				net.ParseIP(config.BindAddress),
+				iptInterface,
+				*utilnet.ParsePortRangeOrDie(config.PortRange),
+				config.IPTablesSyncPeriod.Duration,
+				config.IPTablesMinSyncPeriod.Duration,
+				config.UDPIdleTimeout.Duration,
+			)
+		}
+		if err != nil {
+			glog.Fatalf("Unable to create proxier: %v", err)
+		}
+		proxier = proxierUserspace
+		// Remove artifacts from the pure-iptables Proxier, if not on Windows.
+		if runtime.GOOS != "windows" {
+			glog.V(0).Info("Tearing down pure-iptables proxy rules.")
+			iptables.CleanupLeftovers(iptInterface)
+		}
+	}
+
+	// Add iptables reload function, if not on Windows.
+	if runtime.GOOS != "windows" {
+		iptInterface.AddReloadFunc(proxier.Sync)
+	}
+
+	// Create configs (i.e. Watches for Services and Endpoints)
+	// Note: RegisterHandler() calls need to happen before creation of Sources because sources
+	// only notify on changes, and the initial update (on process start) may be lost if no handlers
+	// are registered yet.
+	serviceConfig := proxyconfig.NewServiceConfig()
+	serviceConfig.RegisterHandler(proxier)
+
+	endpointsConfig := proxyconfig.NewEndpointsConfig()
+	endpointsConfig.RegisterHandler(endpointsHandler)
+
+	proxyconfig.NewSourceAPI(
+		client.Core().RESTClient(),
+		config.ConfigSyncPeriod,
+		serviceConfig.Channel("api"),
+		endpointsConfig.Channel("api"),
+	)
+
+	config.NodeRef = &v1.ObjectReference{
+		Kind:      "Node",
+		Name:      hostname,
+		UID:       types.UID(hostname),
+		Namespace: "",
+	}
+
+	conntracker := realConntracker{}
+
+	return NewProxyServer(client, config, iptInterface, proxier, eventBroadcaster, recorder, conntracker, proxyMode)
+}
+
+// Run runs the specified ProxyServer.  This should never exit (unless CleanupAndExit is set).
+func (s *ProxyServer) Run() error {
+	// remove iptables rules and exit
+	if s.Config.CleanupAndExit {
+		encounteredError := userspace.CleanupLeftovers(s.IptInterface)
+		encounteredError = iptables.CleanupLeftovers(s.IptInterface) || encounteredError
+		if encounteredError {
+			return errors.New("Encountered an error while tearing down rules.")
+		}
+		return nil
+	}
+
+	s.Broadcaster.StartRecordingToSink(&unversionedcore.EventSinkImpl{Interface: s.Client.Core().Events("")})
+
+	// Start up a webserver if requested
+	if s.Config.HealthzPort > 0 {
+		http.HandleFunc("/proxyMode", func(w http.ResponseWriter, r *http.Request) {
+			fmt.Fprintf(w, "%s", s.ProxyMode)
+		})
+		configz.InstallHandler(http.DefaultServeMux)
+		go wait.Until(func() {
+			err := http.ListenAndServe(s.Config.HealthzBindAddress+":"+strconv.Itoa(int(s.Config.HealthzPort)), nil)
+			if err != nil {
+				glog.Errorf("Starting health server failed: %v", err)
+			}
+		}, 5*time.Second, wait.NeverStop)
+	}
+
+	// Tune conntrack, if requested
+	if s.Conntracker != nil && runtime.GOOS != "windows" {
+		max, err := getConntrackMax(s.Config)
+		if err != nil {
+			return err
+		}
+		if max > 0 {
+			err := s.Conntracker.SetMax(max)
+			if err != nil {
+				if err != readOnlySysFSError {
+					return err
+				}
+				// readOnlySysFSError is caused by a known docker issue (https://github.com/docker/docker/issues/24000),
+				// the only remediation we know is to restart the docker daemon.
+				// Here we'll send an node event with specific reason and message, the
+				// administrator should decide whether and how to handle this issue,
+				// whether to drain the node and restart docker.
+				// TODO(random-liu): Remove this when the docker bug is fixed.
+				const message = "DOCKER RESTART NEEDED (docker issue #24000): /sys is read-only: " +
+					"cannot modify conntrack limits, problems may arise later."
+				s.Recorder.Eventf(s.Config.NodeRef, api.EventTypeWarning, err.Error(), message)
+			}
+		}
+
+		if s.Config.ConntrackTCPEstablishedTimeout.Duration > 0 {
+			timeout := int(s.Config.ConntrackTCPEstablishedTimeout.Duration / time.Second)
+			if err := s.Conntracker.SetTCPEstablishedTimeout(timeout); err != nil {
+				return err
+			}
+		}
+
+		if s.Config.ConntrackTCPCloseWaitTimeout.Duration > 0 {
+			timeout := int(s.Config.ConntrackTCPCloseWaitTimeout.Duration / time.Second)
+			if err := s.Conntracker.SetTCPCloseWaitTimeout(timeout); err != nil {
+				return err
+			}
+		}
+	}
+
+	// Birth Cry after the birth is successful
+	s.birthCry()
+
+	// Just loop forever for now...
+	s.Proxier.SyncLoop()
+	return nil
+}
+
+func getConntrackMax(config *options.ProxyServerConfig) (int, error) {
+	if config.ConntrackMax > 0 {
+		if config.ConntrackMaxPerCore > 0 {
+			return -1, fmt.Errorf("invalid config: ConntrackMax and ConntrackMaxPerCore are mutually exclusive")
+		}
+		glog.V(3).Infof("getConntrackMax: using absolute conntrack-max (deprecated)")
+		return int(config.ConntrackMax), nil
+	}
+	if config.ConntrackMaxPerCore > 0 {
+		floor := int(config.ConntrackMin)
+		scaled := int(config.ConntrackMaxPerCore) * runtime.NumCPU()
+		if scaled > floor {
+			glog.V(3).Infof("getConntrackMax: using scaled conntrack-max-per-core")
+			return scaled, nil
+		}
+		glog.V(3).Infof("getConntrackMax: using conntrack-min")
+		return floor, nil
+	}
+	return 0, nil
+}
+
+type nodeGetter interface {
+	Get(hostname string, options metav1.GetOptions) (*api.Node, error)
+}
+
+func getProxyMode(proxyMode string, client nodeGetter, hostname string, iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
+	if proxyMode == proxyModeUserspace {
+		return proxyModeUserspace
+	} else if proxyMode == proxyModeIPTables {
+		return tryIPTablesProxy(iptver, kcompat)
+	} else if proxyMode != "" {
+		glog.Warningf("Flag proxy-mode=%q unknown, assuming iptables proxy", proxyMode)
+		return tryIPTablesProxy(iptver, kcompat)
+	}
+	// proxyMode == "" - choose the best option.
+	if client == nil {
+		glog.Errorf("nodeGetter is nil: assuming iptables proxy")
+		return tryIPTablesProxy(iptver, kcompat)
+	}
+	node, err := client.Get(hostname, metav1.GetOptions{})
+	if err != nil {
+		glog.Errorf("Can't get Node %q, assuming iptables proxy, err: %v", hostname, err)
+		return tryIPTablesProxy(iptver, kcompat)
+	}
+	if node == nil {
+		glog.Errorf("Got nil Node %q, assuming iptables proxy", hostname)
+		return tryIPTablesProxy(iptver, kcompat)
+	}
+	proxyMode, found := node.Annotations[betaProxyModeAnnotation]
+	if found {
+		glog.V(1).Infof("Found beta annotation %q = %q", betaProxyModeAnnotation, proxyMode)
+	} else {
+		// We already published some information about this annotation with the "experimental" name, so we will respect it.
+		proxyMode, found = node.Annotations[experimentalProxyModeAnnotation]
+		if found {
+			glog.V(1).Infof("Found experimental annotation %q = %q", experimentalProxyModeAnnotation, proxyMode)
+		}
+	}
+	if proxyMode == proxyModeUserspace {
+		glog.V(1).Infof("Annotation demands userspace proxy")
+		return proxyModeUserspace
+	}
+	return tryIPTablesProxy(iptver, kcompat)
+}
+
+func tryIPTablesProxy(iptver iptables.IPTablesVersioner, kcompat iptables.KernelCompatTester) string {
+	// guaranteed false on error, error only necessary for debugging
+	useIPTablesProxy, err := iptables.CanUseIPTablesProxier(iptver, kcompat)
+	if err != nil {
+		glog.Errorf("Can't determine whether to use iptables proxy, using userspace proxier: %v", err)
+		return proxyModeUserspace
+	}
+	if useIPTablesProxy {
+		return proxyModeIPTables
+	}
+	// Fallback.
+	glog.V(1).Infof("Can't use iptables proxy, using userspace proxier")
+	return proxyModeUserspace
+}
+
+func (s *ProxyServer) birthCry() {
+	s.Recorder.Eventf(s.Config.NodeRef, api.EventTypeNormal, "Starting", "Starting kube-proxy.")
+}
+
+func getNodeIP(client clientset.Interface, hostname string) net.IP {
+	var nodeIP net.IP
+	node, err := client.Core().Nodes().Get(hostname, metav1.GetOptions{})
+	if err != nil {
+		glog.Warningf("Failed to retrieve node info: %v", err)
+		return nil
+	}
+	nodeIP, err = nodeutil.InternalGetNodeHostIP(node)
+	if err != nil {
+		glog.Warningf("Failed to retrieve node IP: %v", err)
+		return nil
+	}
+	return nodeIP
+}

vendor/k8s.io/kubernetes/cmd/kube-proxy/app/server_test.go

@@ -0,0 +1,351 @@
+/*
+Copyright 2015 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package app
+
+import (
+	"fmt"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/kubernetes/cmd/kube-proxy/app/options"
+	"k8s.io/kubernetes/pkg/api"
+	"k8s.io/kubernetes/pkg/apis/componentconfig"
+	"k8s.io/kubernetes/pkg/util/iptables"
+)
+
+type fakeNodeInterface struct {
+	node api.Node
+}
+
+func (fake *fakeNodeInterface) Get(hostname string, options metav1.GetOptions) (*api.Node, error) {
+	return &fake.node, nil
+}
+
+type fakeIPTablesVersioner struct {
+	version string // what to return
+	err     error  // what to return
+}
+
+func (fake *fakeIPTablesVersioner) GetVersion() (string, error) {
+	return fake.version, fake.err
+}
+
+type fakeKernelCompatTester struct {
+	ok bool
+}
+
+func (fake *fakeKernelCompatTester) IsCompatible() error {
+	if !fake.ok {
+		return fmt.Errorf("error")
+	}
+	return nil
+}
+
+func Test_getProxyMode(t *testing.T) {
+	if runtime.GOOS != "linux" {
+		t.Skip("skipping on non-Linux")
+	}
+	var cases = []struct {
+		flag            string
+		annotationKey   string
+		annotationVal   string
+		iptablesVersion string
+		kernelCompat    bool
+		iptablesError   error
+		expected        string
+	}{
+		{ // flag says userspace
+			flag:     "userspace",
+			expected: proxyModeUserspace,
+		},
+		{ // flag says iptables, error detecting version
+			flag:          "iptables",
+			iptablesError: fmt.Errorf("oops!"),
+			expected:      proxyModeUserspace,
+		},
+		{ // flag says iptables, version too low
+			flag:            "iptables",
+			iptablesVersion: "0.0.0",
+			expected:        proxyModeUserspace,
+		},
+		{ // flag says iptables, version ok, kernel not compatible
+			flag:            "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    false,
+			expected:        proxyModeUserspace,
+		},
+		{ // flag says iptables, version ok, kernel is compatible
+			flag:            "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // detect, error
+			flag:          "",
+			iptablesError: fmt.Errorf("oops!"),
+			expected:      proxyModeUserspace,
+		},
+		{ // detect, version too low
+			flag:            "",
+			iptablesVersion: "0.0.0",
+			expected:        proxyModeUserspace,
+		},
+		{ // detect, version ok, kernel not compatible
+			flag:            "",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    false,
+			expected:        proxyModeUserspace,
+		},
+		{ // detect, version ok, kernel is compatible
+			flag:            "",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says userspace
+			flag:          "",
+			annotationKey: "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal: "userspace",
+			expected:      proxyModeUserspace,
+		},
+		{ // annotation says iptables, error detecting
+			flag:          "",
+			annotationKey: "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal: "iptables",
+			iptablesError: fmt.Errorf("oops!"),
+			expected:      proxyModeUserspace,
+		},
+		{ // annotation says iptables, version too low
+			flag:            "",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: "0.0.0",
+			expected:        proxyModeUserspace,
+		},
+		{ // annotation says iptables, version ok, kernel not compatible
+			flag:            "",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    false,
+			expected:        proxyModeUserspace,
+		},
+		{ // annotation says iptables, version ok, kernel is compatible
+			flag:            "",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says something else, version ok
+			flag:            "",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "other",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says nothing, version ok
+			flag:            "",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says userspace
+			flag:          "",
+			annotationKey: "net.beta.kubernetes.io/proxy-mode",
+			annotationVal: "userspace",
+			expected:      proxyModeUserspace,
+		},
+		{ // annotation says iptables, error detecting
+			flag:          "",
+			annotationKey: "net.beta.kubernetes.io/proxy-mode",
+			annotationVal: "iptables",
+			iptablesError: fmt.Errorf("oops!"),
+			expected:      proxyModeUserspace,
+		},
+		{ // annotation says iptables, version too low
+			flag:            "",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: "0.0.0",
+			expected:        proxyModeUserspace,
+		},
+		{ // annotation says iptables, version ok, kernel not compatible
+			flag:            "",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    false,
+			expected:        proxyModeUserspace,
+		},
+		{ // annotation says iptables, version ok, kernel is compatible
+			flag:            "",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says something else, version ok
+			flag:            "",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "other",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // annotation says nothing, version ok
+			flag:            "",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // flag says userspace, annotation disagrees
+			flag:            "userspace",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			expected:        proxyModeUserspace,
+		},
+		{ // flag says iptables, annotation disagrees
+			flag:            "iptables",
+			annotationKey:   "net.experimental.kubernetes.io/proxy-mode",
+			annotationVal:   "userspace",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+		{ // flag says userspace, annotation disagrees
+			flag:            "userspace",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "iptables",
+			iptablesVersion: iptables.MinCheckVersion,
+			expected:        proxyModeUserspace,
+		},
+		{ // flag says iptables, annotation disagrees
+			flag:            "iptables",
+			annotationKey:   "net.beta.kubernetes.io/proxy-mode",
+			annotationVal:   "userspace",
+			iptablesVersion: iptables.MinCheckVersion,
+			kernelCompat:    true,
+			expected:        proxyModeIPTables,
+		},
+	}
+	for i, c := range cases {
+		getter := &fakeNodeInterface{}
+		getter.node.Annotations = map[string]string{c.annotationKey: c.annotationVal}
+		versioner := &fakeIPTablesVersioner{c.iptablesVersion, c.iptablesError}
+		kcompater := &fakeKernelCompatTester{c.kernelCompat}
+		r := getProxyMode(c.flag, getter, "host", versioner, kcompater)
+		if r != c.expected {
+			t.Errorf("Case[%d] Expected %q, got %q", i, c.expected, r)
+		}
+	}
+}
+
+// This test verifies that Proxy Server does not crash that means
+// Config and iptinterface are not nil when CleanupAndExit is true.
+// To avoid proxy crash: https://github.com/kubernetes/kubernetes/pull/14736
+func TestProxyServerWithCleanupAndExit(t *testing.T) {
+	// creates default config
+	config := options.NewProxyConfig()
+
+	// sets CleanupAndExit manually
+	config.CleanupAndExit = true
+
+	// creates new proxy server
+	proxyserver, err := NewProxyServerDefault(config)
+
+	// verifies that nothing is nill except error
+	assert.Nil(t, err)
+	assert.NotNil(t, proxyserver)
+	assert.NotNil(t, proxyserver.Config)
+	assert.NotNil(t, proxyserver.IptInterface)
+}
+
+func TestGetConntrackMax(t *testing.T) {
+	ncores := runtime.NumCPU()
+	testCases := []struct {
+		config   componentconfig.KubeProxyConfiguration
+		expected int
+		err      string
+	}{
+		{
+			config:   componentconfig.KubeProxyConfiguration{},
+			expected: 0,
+		},
+		{
+			config: componentconfig.KubeProxyConfiguration{
+				ConntrackMax: 12345,
+			},
+			expected: 12345,
+		},
+		{
+			config: componentconfig.KubeProxyConfiguration{
+				ConntrackMax:        12345,
+				ConntrackMaxPerCore: 67890,
+			},
+			expected: -1,
+			err:      "mutually exclusive",
+		},
+		{
+			config: componentconfig.KubeProxyConfiguration{
+				ConntrackMaxPerCore: 67890, // use this if Max is 0
+				ConntrackMin:        1,     // avoid 0 default
+			},
+			expected: 67890 * ncores,
+		},
+		{
+			config: componentconfig.KubeProxyConfiguration{
+				ConntrackMaxPerCore: 1, // ensure that Min is considered
+				ConntrackMin:        123456,
+			},
+			expected: 123456,
+		},
+		{
+			config: componentconfig.KubeProxyConfiguration{
+				ConntrackMaxPerCore: 0, // leave system setting
+				ConntrackMin:        123456,
+			},
+			expected: 0,
+		},
+	}
+
+	for i, tc := range testCases {
+		cfg := options.ProxyServerConfig{KubeProxyConfiguration: tc.config}
+		x, e := getConntrackMax(&cfg)
+		if e != nil {
+			if tc.err == "" {
+				t.Errorf("[%d] unexpected error: %v", i, e)
+			} else if !strings.Contains(e.Error(), tc.err) {
+				t.Errorf("[%d] expected an error containing %q: %v", i, tc.err, e)
+			}
+		} else if x != tc.expected {
+			t.Errorf("[%d] expected %d, got %d", i, tc.expected, x)
+		}
+	}
+}

vendor/k8s.io/kubernetes/cmd/kube-proxy/proxy.go

@@ -0,0 +1,59 @@
+/*
+Copyright 2014 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import (
+	"fmt"
+	"os"
+
+	"k8s.io/apiserver/pkg/healthz"
+	"k8s.io/kubernetes/cmd/kube-proxy/app"
+	"k8s.io/kubernetes/cmd/kube-proxy/app/options"
+	_ "k8s.io/kubernetes/pkg/client/metrics/prometheus" // for client metric registration
+	"k8s.io/kubernetes/pkg/util/flag"
+	"k8s.io/kubernetes/pkg/util/logs"
+	_ "k8s.io/kubernetes/pkg/version/prometheus" // for version metric registration
+	"k8s.io/kubernetes/pkg/version/verflag"
+
+	"github.com/spf13/pflag"
+)
+
+func init() {
+	healthz.DefaultHealthz()
+}
+
+func main() {
+	config := options.NewProxyConfig()
+	config.AddFlags(pflag.CommandLine)
+
+	flag.InitFlags()
+	logs.InitLogs()
+	defer logs.FlushLogs()
+
+	verflag.PrintAndExitIfRequested()
+
+	s, err := app.NewProxyServerDefault(config)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+
+	if err = s.Run(); err != nil {
+		fmt.Fprintf(os.Stderr, "%v\n", err)
+		os.Exit(1)
+	}
+}