github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-06 18:54:06 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #120864 from uablrek/kube-proxy-init

Browse Source 
kube-proxy: Optionally do privileged configs only
This commit is contained in:
Kubernetes Prow Robot 2023-10-25 21:28:47 +02:00 committed by GitHub
commit 06a7febe00
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 43 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
cmd/kube-proxy/app/server.go
View File

@ -108,6 +108,8 @@ type Options struct {
WriteConfigTo string WriteConfigTo string
// CleanupAndExit, when true, makes the proxy server clean up iptables and ipvs rules, then exit. // CleanupAndExit, when true, makes the proxy server clean up iptables and ipvs rules, then exit.
CleanupAndExit bool CleanupAndExit bool
// InitAndExit, when true, makes the proxy server makes configurations that need privileged access, then exit.
InitAndExit bool
// WindowsService should be set to true if kube-proxy is running as a service on Windows. // WindowsService should be set to true if kube-proxy is running as a service on Windows.
// Its corresponding flag only gets registered in Windows builds // Its corresponding flag only gets registered in Windows builds
WindowsService bool WindowsService bool
@ -168,7 +170,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
"The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, "+ "The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, "+
"rather than being surprised when they are permanently removed in the release after that. "+ "rather than being surprised when they are permanently removed in the release after that. "+
"This parameter is ignored if a config file is specified by --config.") "This parameter is ignored if a config file is specified by --config.")
fs.BoolVar(&o.InitAndExit, "init-only", o.InitAndExit, "If true, perform any initialization steps that must be done with full root privileges, and then exit. After doing this, you can run kube-proxy again with only the CAP_NET_ADMIN capability.")
fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."+ fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."+
"This parameter is ignored if a config file is specified by --config.") "This parameter is ignored if a config file is specified by --config.")
@ -376,10 +378,13 @@ func (o *Options) Run() error {
return cleanupAndExit() return cleanupAndExit()
} }
proxyServer, err := newProxyServer(o.config, o.master) proxyServer, err := newProxyServer(o.config, o.master, o.InitAndExit)
if err != nil { if err != nil {
return err return err
} }
if o.InitAndExit {
return nil
}
o.proxyServer = proxyServer o.proxyServer = proxyServer
return o.runLoop() return o.runLoop()
@ -589,7 +594,7 @@ type ProxyServer struct {
} }
// newProxyServer creates a ProxyServer based on the given config // newProxyServer creates a ProxyServer based on the given config
func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string) (*ProxyServer, error) { func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string, initOnly bool) (*ProxyServer, error) {
s := &ProxyServer{Config: config} s := &ProxyServer{Config: config}
cz, err := configz.New(kubeproxyconfig.GroupName) cz, err := configz.New(kubeproxyconfig.GroupName)
@ -653,7 +658,7 @@ func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master strin
klog.ErrorS(err, "Kube-proxy configuration may be incomplete or incorrect") klog.ErrorS(err, "Kube-proxy configuration may be incomplete or incorrect")
} }
s.Proxier, err = s.createProxier(config, dualStackSupported) s.Proxier, err = s.createProxier(config, dualStackSupported, initOnly)
if err != nil { if err != nil {
return nil, err return nil, err
} }

6
cmd/kube-proxy/app/server_others.go
View File

@ -125,7 +125,7 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
} }
// createProxier creates the proxy.Provider // createProxier creates the proxy.Provider
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack bool) (proxy.Provider, error) { func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack, initOnly bool) (proxy.Provider, error) {
var proxier proxy.Provider var proxier proxy.Provider
var err error var err error
@ -175,6 +175,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
s.Recorder, s.Recorder,
s.HealthzServer, s.HealthzServer,
config.NodePortAddresses, config.NodePortAddresses,
initOnly,
) )
} else { } else {
// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support). // Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
@ -201,6 +202,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
s.Recorder, s.Recorder,
s.HealthzServer, s.HealthzServer,
config.NodePortAddresses, config.NodePortAddresses,
initOnly,
) )
} }
@ -247,6 +249,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
config.IPVS.Scheduler, config.IPVS.Scheduler,
config.NodePortAddresses, config.NodePortAddresses,
kernelHandler, kernelHandler,
initOnly,
) )
} else { } else {
var localDetector proxyutiliptables.LocalTrafficDetector var localDetector proxyutiliptables.LocalTrafficDetector
@ -279,6 +282,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
config.IPVS.Scheduler, config.IPVS.Scheduler,
config.NodePortAddresses, config.NodePortAddresses,
kernelHandler, kernelHandler,
initOnly,
) )
} }
if err != nil { if err != nil {

5
cmd/kube-proxy/app/server_windows.go
View File

@ -79,7 +79,10 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
} }
// createProxier creates the proxy.Provider // createProxier creates the proxy.Provider
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode bool) (proxy.Provider, error) { func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode, initOnly bool) (proxy.Provider, error) {
if initOnly {
return nil, fmt.Errorf("--init-only is not implemented on Windows")
}
var healthzPort int var healthzPort int
if len(config.HealthzBindAddress) > 0 { if len(config.HealthzBindAddress) > 0 {
_, port, _ := net.SplitHostPort(config.HealthzBindAddress) _, port, _ := net.SplitHostPort(config.HealthzBindAddress)

14
pkg/proxy/iptables/proxier.go
View File

@ -233,6 +233,7 @@ func NewProxier(ipFamily v1.IPFamily,
recorder events.EventRecorder, recorder events.EventRecorder,
healthzServer *healthcheck.ProxierHealthServer, healthzServer *healthcheck.ProxierHealthServer,
nodePortAddressStrings []string, nodePortAddressStrings []string,
initOnly bool,
) (*Proxier, error) { ) (*Proxier, error) {
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings) nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
@ -257,6 +258,11 @@ func NewProxier(ipFamily v1.IPFamily,
klog.InfoS("nf_conntrack_tcp_be_liberal set, not installing DROP rules for INVALID packets") klog.InfoS("nf_conntrack_tcp_be_liberal set, not installing DROP rules for INVALID packets")
} }
if initOnly {
klog.InfoS("System initialized and --init-only specified")
return nil, nil
}
// Generate the masquerade mark to use for SNAT rules. // Generate the masquerade mark to use for SNAT rules.
masqueradeValue := 1 << uint(masqueradeBit) masqueradeValue := 1 << uint(masqueradeBit)
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue) masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
@ -330,21 +336,25 @@ func NewDualStackProxier(
recorder events.EventRecorder, recorder events.EventRecorder,
healthzServer *healthcheck.ProxierHealthServer, healthzServer *healthcheck.ProxierHealthServer,
nodePortAddresses []string, nodePortAddresses []string,
initOnly bool,
) (proxy.Provider, error) { ) (proxy.Provider, error) {
// Create an ipv4 instance of the single-stack proxier // Create an ipv4 instance of the single-stack proxier
ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl, ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname, exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses) nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err) return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
} }
ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl, ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname, exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses) nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err) return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
} }
if initOnly {
return nil, nil
}
return metaproxier.NewMetaProxier(ipv4Proxier, ipv6Proxier), nil return metaproxier.NewMetaProxier(ipv4Proxier, ipv6Proxier), nil
} }

14
pkg/proxy/ipvs/proxier.go
View File

@ -340,6 +340,7 @@ func NewProxier(ipFamily v1.IPFamily,
scheduler string, scheduler string,
nodePortAddressStrings []string, nodePortAddressStrings []string,
kernelHandler KernelHandler, kernelHandler KernelHandler,
initOnly bool,
) (*Proxier, error) { ) (*Proxier, error) {
// Set the conntrack sysctl we need for // Set the conntrack sysctl we need for
if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil { if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
@ -402,6 +403,11 @@ func NewProxier(ipFamily v1.IPFamily,
} }
} }
if initOnly {
klog.InfoS("System initialized and --init-only specified")
return nil, nil
}
// Generate the masquerade mark to use for SNAT rules. // Generate the masquerade mark to use for SNAT rules.
masqueradeValue := 1 << uint(masqueradeBit) masqueradeValue := 1 << uint(masqueradeBit)
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue) masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
@ -490,6 +496,7 @@ func NewDualStackProxier(
scheduler string, scheduler string,
nodePortAddresses []string, nodePortAddresses []string,
kernelHandler KernelHandler, kernelHandler KernelHandler,
initOnly bool,
) (proxy.Provider, error) { ) (proxy.Provider, error) {
safeIpset := newSafeIpset(ipset) safeIpset := newSafeIpset(ipset)
@ -499,7 +506,7 @@ func NewDualStackProxier(
exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP, exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP,
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit, tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol], localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol],
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler) recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err) return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
} }
@ -508,10 +515,13 @@ func NewDualStackProxier(
exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP, exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP,
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit, tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol], localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol],
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler) recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err) return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
} }
if initOnly {
return nil, nil
}
// Return a meta-proxier that dispatch calls between the two // Return a meta-proxier that dispatch calls between the two
// single-stack proxier instances // single-stack proxier instances

1
pkg/proxy/kubemark/hollow_proxy.go
View File

@ -109,6 +109,7 @@ func NewHollowProxyOrDie(
recorder, recorder,
nil, nil,
[]string{}, []string{},
false,
) )
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err) return nil, fmt.Errorf("unable to create proxier: %v", err)