Clarify localhost nodeport comments/errors

Dan Winship 2023-05-15 11:05:17 -04:00
parent a744a186b6
commit 0e456dcf86


@ -1417,17 +1417,11 @@ func (proxier *Proxier) syncProxyRules() {
// other service portal rules. // other service portal rules.
if proxier.nodePortAddresses.MatchAll() { if proxier.nodePortAddresses.MatchAll() {
destinations := []string{"-m", "addrtype", "--dst-type", "LOCAL"} destinations := []string{"-m", "addrtype", "--dst-type", "LOCAL"}
// Block localhost nodePorts if they are not supported. (For IPv6 they never
// work, and for IPv4 they only work if we previously set `route_localnet`.)
if isIPv6 { if isIPv6 {
// For IPv6, Regardless of the value of localhostNodePorts is true
// or false, we should disable access to the nodePort via localhost. Since it never works and always
// cause kernel warnings.
destinations = append(destinations, "!", "-d", "::1/128") destinations = append(destinations, "!", "-d", "::1/128")
} } else if !proxier.localhostNodePorts {
if !proxier.localhostNodePorts && !isIPv6 {
// If set localhostNodePorts to "false"(route_localnet=0), We should generate iptables rules that
// disable NodePort services to be accessed via localhost. Since it doesn't work and causes
// the kernel to log warnings if anyone tries.
destinations = append(destinations, "!", "-d", "127.0.0.0/8") destinations = append(destinations, "!", "-d", "127.0.0.0/8")
} }
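Review bot: The new comment on the `destinations` branch says "Block localhost nodePorts", but what the two branches actually do is append a negated destination match (`"!", "-d", "::1/128"` / `"!", "-d", "127.0.0.0/8"`) to the nodePort rule, so loopback-destined traffic is simply not matched by this rule rather than being explicitly rejected. Since the point of this commit is clearer comments, I would make that distinction explicit and tie the IPv4 case to the flag named in the other hunk's error message: `// Exclude loopback destinations from the nodePort match where localhost NodePorts cannot work: never on IPv6, and on IPv4 only when --iptables-localhost-nodeports=false (route_localnet not set). Such traffic is left unmatched here, not rejected.` The wording "if we previously set `route_localnet`" also leaves it unclear who sets it; presumably it is tied to the `localhostNodePorts` option, which the suggested comment spells out. syncProxyRules starts and ends outside this hunk.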
@ -1442,17 +1436,14 @@ func (proxier *Proxier) syncProxyRules() {
klog.ErrorS(err, "Failed to get node ip address matching nodeport cidrs, services with nodeport may not work as intended", "CIDRs", proxier.nodePortAddresses) klog.ErrorS(err, "Failed to get node ip address matching nodeport cidrs, services with nodeport may not work as intended", "CIDRs", proxier.nodePortAddresses)
} }
for _, ip := range nodeIPs { for _, ip := range nodeIPs {
// For ipv6, Regardless of the value of localhostNodePorts is true or false, we should disallow access if ip.IsLoopback() {
// to the nodePort via lookBack address. if isIPv6 {
if isIPv6 && ip.IsLoopback() { klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported on IPv6", "address", ip.String())
klog.ErrorS(nil, "disallow nodePort services to be accessed via ipv6 localhost address", "IP", ip.String()) continue
continue } else if !proxier.localhostNodePorts {
} klog.ErrorS(nil, "--nodeport-addresses includes localhost but --iptables-localhost-nodeports=false was passed", "address", ip.String())
continue
// For ipv4, When localhostNodePorts is set to false, Ignore ipv4 lookBack address }
if !isIPv6 && ip.IsLoopback() && !proxier.localhostNodePorts {
klog.ErrorS(nil, "disallow nodePort services to be accessed via ipv4 localhost address", "IP", ip.String())
continue
} }
// create nodeport rules for each IP one by one // create nodeport rules for each IP one by one