github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-21 19:01:49 +00:00
Code Issues Projects Releases Wiki Activity

Validate single-stack --nodeport-addresses sooner

Browse Source 
In the dual-stack case, iptables.NewDualStackProxier and
ipvs.NewDualStackProxier filtered the nodeport addresses values by IP
family before creating the single-stack proxiers. But in the
single-stack case, the kube-proxy startup code just passed the value
to the single-stack proxiers without validation, so they had to
re-check it themselves. Fix that.
This commit is contained in:
Dan Winship 2022-12-22 14:59:57 -05:00
parent e7ed7220eb
commit 169604d906
4 changed files with 19 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
cmd/kube-proxy/app/server_others.go
View File

@ -54,6 +54,7 @@ import (
"k8s.io/kubernetes/pkg/proxy/iptables" "k8s.io/kubernetes/pkg/proxy/iptables"
"k8s.io/kubernetes/pkg/proxy/ipvs" "k8s.io/kubernetes/pkg/proxy/ipvs"
proxymetrics "k8s.io/kubernetes/pkg/proxy/metrics" proxymetrics "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables" proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
utilipset "k8s.io/kubernetes/pkg/util/ipset" utilipset "k8s.io/kubernetes/pkg/util/ipset"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
@ -167,11 +168,22 @@ func newProxyServer(
ipt[1] = iptInterface ipt[1] = iptInterface
} }
nodePortAddresses := config.NodePortAddresses
if !ipt[0].Present() { if !ipt[0].Present() {
return nil, fmt.Errorf("iptables is not supported for primary IP family %q", primaryProtocol) return nil, fmt.Errorf("iptables is not supported for primary IP family %q", primaryProtocol)
} else if !ipt[1].Present() { } else if !ipt[1].Present() {
klog.InfoS("kube-proxy running in single-stack mode: secondary ipFamily is not supported", "ipFamily", ipt[1].Protocol()) klog.InfoS("kube-proxy running in single-stack mode: secondary ipFamily is not supported", "ipFamily", ipt[1].Protocol())
dualStack = false dualStack = false
// Validate NodePortAddresses is single-stack
npaByFamily := proxyutil.MapCIDRsByIPFamily(config.NodePortAddresses)
secondaryFamily := proxyutil.OtherIPFamily(primaryFamily)
badAddrs := npaByFamily[secondaryFamily]
if len(badAddrs) > 0 {
klog.InfoS("Ignoring --nodeport-addresses of the wrong family", "ipFamily", secondaryFamily, "addresses", badAddrs)
nodePortAddresses = npaByFamily[primaryFamily]
}
} }
if proxyMode == proxyconfigapi.ProxyModeIPTables { if proxyMode == proxyconfigapi.ProxyModeIPTables {
@ -206,7 +218,7 @@ func newProxyServer(
nodeIPTuple(config.BindAddress), nodeIPTuple(config.BindAddress),
recorder, recorder,
healthzServer, healthzServer,
config.NodePortAddresses, nodePortAddresses,
) )
} else { } else {
// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support). // Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
@ -232,7 +244,7 @@ func newProxyServer(
nodeIP, nodeIP,
recorder, recorder,
healthzServer, healthzServer,
config.NodePortAddresses, nodePortAddresses,
) )
} }
@ -282,7 +294,7 @@ func newProxyServer(
recorder, recorder,
healthzServer, healthzServer,
config.IPVS.Scheduler, config.IPVS.Scheduler,
config.NodePortAddresses, nodePortAddresses,
kernelHandler, kernelHandler,
) )
} else { } else {
@ -314,7 +326,7 @@ func newProxyServer(
recorder, recorder,
healthzServer, healthzServer,
config.IPVS.Scheduler, config.IPVS.Scheduler,
config.NodePortAddresses, nodePortAddresses,
kernelHandler, kernelHandler,
) )
} }

7
pkg/proxy/iptables/proxier.go
View File

@ -260,13 +260,6 @@ func NewProxier(ipFamily v1.IPFamily,
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses) serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses)
ipFamilyMap := utilproxy.MapCIDRsByIPFamily(nodePortAddresses)
nodePortAddresses = ipFamilyMap[ipFamily]
// Log the IPs not matching the ipFamily
if ips, ok := ipFamilyMap[utilproxy.OtherIPFamily(ipFamily)]; ok && len(ips) > 0 {
klog.InfoS("Found node IPs of the wrong family", "ipFamily", ipFamily, "IPs", strings.Join(ips, ","))
}
proxier := &Proxier{ proxier := &Proxier{
svcPortMap: make(proxy.ServicePortMap), svcPortMap: make(proxy.ServicePortMap),
serviceChanges: proxy.NewServiceChangeTracker(newServiceInfo, ipFamily, recorder, nil), serviceChanges: proxy.NewServiceChangeTracker(newServiceInfo, ipFamily, recorder, nil),

7
pkg/proxy/ipvs/proxier.go
View File

@ -459,13 +459,6 @@ func NewProxier(ipFamily v1.IPFamily,
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses) serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses)
ipFamilyMap := utilproxy.MapCIDRsByIPFamily(nodePortAddresses)
nodePortAddresses = ipFamilyMap[ipFamily]
// Log the IPs not matching the ipFamily
if ips, ok := ipFamilyMap[utilproxy.OtherIPFamily(ipFamily)]; ok && len(ips) > 0 {
klog.InfoS("Found node IPs of the wrong family", "ipFamily", ipFamily, "IPs", ips)
}
// excludeCIDRs has been validated before, here we just parse it to IPNet list // excludeCIDRs has been validated before, here we just parse it to IPNet list
parsedExcludeCIDRs, _ := netutils.ParseCIDRs(excludeCIDRs) parsedExcludeCIDRs, _ := netutils.ParseCIDRs(excludeCIDRs)

6
pkg/proxy/ipvs/proxier_test.go
View File

@ -2117,11 +2117,11 @@ func TestOnlyLocalNodePorts(t *testing.T) {
addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}} addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}}
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs) fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs)
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1) fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1)
fp.nodePortAddresses = []string{"100.101.102.0/24", "2001:db8::0/64"} fp.nodePortAddresses = []string{"100.101.102.0/24"}
fp.syncProxyRules() fp.syncProxyRules()
// Expect 2 (matching ipvs IPFamily field) services and 1 destination // Expect 2 services and 1 destination
epVS := &netlinktest.ExpectedVirtualServer{ epVS := &netlinktest.ExpectedVirtualServer{
VSNum: 2, IP: nodeIP.String(), Port: uint16(svcNodePort), Protocol: string(v1.ProtocolTCP), VSNum: 2, IP: nodeIP.String(), Port: uint16(svcNodePort), Protocol: string(v1.ProtocolTCP),
RS: []netlinktest.ExpectedRealServer{{ RS: []netlinktest.ExpectedRealServer{{
@ -2205,7 +2205,7 @@ func TestHealthCheckNodePort(t *testing.T) {
addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}} addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}}
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs) fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs)
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1) fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1)
fp.nodePortAddresses = []string{"100.101.102.0/24", "2001:db8::0/64"} fp.nodePortAddresses = []string{"100.101.102.0/24"}
fp.syncProxyRules() fp.syncProxyRules()