From bf077b19d4d93a4ff90c8bc5eb88a486c37b30cd Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Thu, 25 Jul 2019 10:20:15 -0400
Subject: [PATCH] hostport: Don't masquerade localhost-to-localhost traffic
---
 pkg/kubelet/dockershim/network/hostport/hostport.go | 10 ++++++----
 .../dockershim/network/hostport/hostport_manager.go | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/pkg/kubelet/dockershim/network/hostport/hostport.go b/pkg/kubelet/dockershim/network/hostport/hostport.go
index 4f9f7751b3f..95339cdea81 100644
--- a/pkg/kubelet/dockershim/network/hostport/hostport.go
+++ b/pkg/kubelet/dockershim/network/hostport/hostport.go
@@ -134,10 +134,12 @@ func ensureKubeHostportChains(iptables utiliptables.Interface, natInterfaceName
 return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeHostportsChain, err)
 }
 }
- // Need to SNAT traffic from localhost
- args = []string{"-m", "comment", "--comment", "SNAT for localhost access to hostports", "-o", natInterfaceName, "-s", "127.0.0.0/8", "-j", "MASQUERADE"}
- if _, err := iptables.EnsureRule(utiliptables.Append, utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
- return fmt.Errorf("Failed to ensure that %s chain %s jumps to MASQUERADE: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, err)
+ if natInterfaceName != "" && natInterfaceName != "lo" {
+ // Need to SNAT traffic from localhost
+ args = []string{"-m", "comment", "--comment", "SNAT for localhost access to hostports", "-o", natInterfaceName, "-s", "127.0.0.0/8", "-j", "MASQUERADE"}
+ if _, err := iptables.EnsureRule(utiliptables.Append, utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
+ return fmt.Errorf("Failed to ensure that %s chain %s jumps to MASQUERADE: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, err)
+ }
 }
 return nil
 }
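Review bot: Guarding the MASQUERADE rule with `natInterfaceName != "lo"` stops a new rule from being added, but an `-o lo` rule appended by an earlier kubelet stays in POSTROUTING because the new branch only calls EnsureRule and nothing in the hunk deletes it, so localhost-to-localhost traffic keeps being rewritten until the nat table is flushed (unless cleanup happens elsewhere, which is not visible here). An `else if natInterfaceName == "lo"` branch that calls DeleteRule with the same args would make the change effective on upgrade; DeleteRule is expected to be a no-op when the rule is absent. The retained comment `// Need to SNAT traffic from localhost` no longer explains the guard; suggest `// SNAT localhost-sourced traffic leaving via the NAT interface; skip when the interface is unknown ("") or loopback, since localhost-to-localhost traffic must not be masqueraded.` ensureKubeHostportChains starts outside the hunk.
```go
	if natInterfaceName != "" && natInterfaceName != "lo" {
		// … unchanged: MASQUERADE EnsureRule …
	} else if natInterfaceName == "lo" {
		// Drop a loopback MASQUERADE rule left behind by an earlier version so that
		// localhost-to-localhost traffic stops being rewritten without a table flush.
		args = []string{"-m", "comment", "--comment", "SNAT for localhost access to hostports", "-o", natInterfaceName, "-s", "127.0.0.0/8", "-j", "MASQUERADE"}
		if err := iptables.DeleteRule(utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
			return fmt.Errorf("Failed to delete stale MASQUERADE rule from %s chain %s: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, err)
		}
	}
```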
diff --git a/pkg/kubelet/dockershim/network/hostport/hostport_manager.go b/pkg/kubelet/dockershim/network/hostport/hostport_manager.go
index f210ab5da20..11482a50774 100644
--- a/pkg/kubelet/dockershim/network/hostport/hostport_manager.go
+++ b/pkg/kubelet/dockershim/network/hostport/hostport_manager.go
@@ -40,7 +40,7 @@ type HostPortManager interface {
 // Add implements port mappings.
 // id should be a unique identifier for a pod, e.g. podSandboxID.
 // podPortMapping is the associated port mapping information for the pod.
- // natInterfaceName is the interface that localhost used to talk to the given pod.
+ // natInterfaceName is the interface that localhost uses to talk to the given pod, if known.
 Add(id string, podPortMapping *PodPortMapping, natInterfaceName string) error
 // Remove cleans up matching port mappings
 // Remove must be able to clean up port mappings without pod IP
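Review bot: The updated comment says `if known` but does not state what the caller passes when the interface is unknown or what the manager does in that case, and hostport.go in this same patch now installs no localhost MASQUERADE rule when the value is "" or "lo". Suggest `// natInterfaceName is the interface that localhost uses to talk to the given pod, or "" if unknown; when it is "" or "lo" no localhost SNAT rule is installed.` The HostPortManager interface continues outside the hunk.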