Merge pull request #44547 from ketkulka/icmp-reject

Automatic merge from submit-queue Reject Rules for ExternalIP and svc port if no ep - Install ICMP Reject Rules for externalIP and svc port if no endpoints are present - Includes Unit Test case - Fixes #44516 **What this PR does / why we need it**: Explained in issue #44516 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # `Fixes #44516` **Special notes for your reviewer**: Similar to #43415 Feedback welcome. Will be happy to improve the patch. Unit Test done and passing. **Release note**: ```release-note ```
2025-07-25 12:43:23 +00:00 · 2017-04-21 18:58:38 -07:00 · 2017-04-21 18:58:38 -07:00 · 12c6b0c23b
commit 12c6b0c23b
parent 20dd848e7c ac7c026ee7
2 changed files with 47 additions and 0 deletions
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@ -1169,6 +1169,19 @@ func (proxier *Proxier) syncProxyRules(reason syncReason) {
 			// Allow traffic bound for external IPs that happen to be recognized as local IPs to stay local.
 			// This covers cases like GCE load-balancers which get added to the local routing table.
 			writeLine(natRules, append(dstLocalOnlyArgs, "-j", string(svcChain))...)
+
+			// If the service has no endpoints then reject packets coming via externalIP
+			// Install ICMP Reject rule in filter table for destination=externalIP and dport=svcport
+			if len(proxier.endpointsMap[svcName]) == 0 {
+				writeLine(filterRules,
+					"-A", string(kubeServicesChain),
+					"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcNameString),
+					"-m", protocol, "-p", protocol,
+					"-d", fmt.Sprintf("%s/32", externalIP),
+					"--dport", fmt.Sprintf("%d", svcInfo.port),
+					"-j", "REJECT",
+				)
+			}
 		}

 		// Capture load-balancer ingress.
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@ -760,6 +760,40 @@ func TestNodePort(t *testing.T) {
 	}
 }

+func TestExternalIPsReject(t *testing.T) {
+	ipt := iptablestest.NewFake()
+	fp := NewFakeProxier(ipt)
+	svcIP := "10.20.30.41"
+	svcPort := 80
+	svcExternalIPs := "50.60.70.81"
+	svcPortName := proxy.ServicePortName{
+		NamespacedName: makeNSN("ns1", "svc1"),
+		Port:           "p80",
+	}
+
+	makeServiceMap(fp,
+		makeTestService(svcPortName.Namespace, svcPortName.Name, func(svc *api.Service) {
+			svc.Spec.Type = "ClusterIP"
+			svc.Spec.ClusterIP = svcIP
+			svc.Spec.ExternalIPs = []string{svcExternalIPs}
+			svc.Spec.Ports = []api.ServicePort{{
+				Name:       svcPortName.Port,
+				Port:       int32(svcPort),
+				Protocol:   api.ProtocolTCP,
+				TargetPort: intstr.FromInt(svcPort),
+			}}
+		}),
+	)
+	makeEndpointsMap(fp)
+
+	fp.syncProxyRules(syncReasonForce)
+
+	kubeSvcRules := ipt.GetRules(string(kubeServicesChain))
+	if !hasJump(kubeSvcRules, iptablestest.Reject, svcExternalIPs, svcPort) {
+		errorf(fmt.Sprintf("Failed to a %v rule for externalIP %v with no endpoints", iptablestest.Reject, svcPortName), kubeSvcRules, t)
+	}
+}
+
 func TestNodePortReject(t *testing.T) {
 	ipt := iptablestest.NewFake()
 	fp := NewFakeProxier(ipt)