Merge pull request #118128 from carlory/fix-issue-118120
remove helper function for unused storage feature in pkg/proxy/util
commit
173a473803
@ -43,7 +43,6 @@ import (
|
||||
servicecontroller "k8s.io/cloud-provider/controllers/service"
|
||||
"k8s.io/controller-manager/controller"
|
||||
csitrans "k8s.io/csi-translation-lib"
|
||||
"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
|
||||
pkgcontroller "k8s.io/kubernetes/pkg/controller"
|
||||
endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
|
||||
"k8s.io/kubernetes/pkg/controller/garbagecollector"
|
||||
@ -255,12 +254,7 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
|
||||
if err != nil {
|
||||
return nil, true, fmt.Errorf("failed to probe volume plugins when starting persistentvolume controller: %v", err)
|
||||
}
|
||||
filteredDialOptions, err := options.ParseVolumeHostFilters(
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
|
||||
if err != nil {
|
||||
return nil, true, err
|
||||
}
|
||||
|
||||
params := persistentvolumecontroller.ControllerParameters{
|
||||
KubeClient: controllerContext.ClientBuilder.ClientOrDie("persistent-volume-binder"),
|
||||
SyncPeriod: controllerContext.ComponentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod.Duration,
|
||||
@ -273,7 +267,6 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
|
||||
PodInformer: controllerContext.InformerFactory.Core().V1().Pods(),
|
||||
NodeInformer: controllerContext.InformerFactory.Core().V1().Nodes(),
|
||||
EnableDynamicProvisioning: controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration.EnableDynamicProvisioning,
|
||||
FilteredDialOptions: filteredDialOptions,
|
||||
}
|
||||
volumeController, volumeControllerErr := persistentvolumecontroller.NewController(ctx, params)
|
||||
if volumeControllerErr != nil {
|
||||
@ -293,13 +286,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
|
||||
return nil, true, fmt.Errorf("failed to probe volume plugins when starting attach/detach controller: %v", err)
|
||||
}
|
||||
|
||||
filteredDialOptions, err := options.ParseVolumeHostFilters(
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
|
||||
if err != nil {
|
||||
return nil, true, err
|
||||
}
|
||||
|
||||
ctx = klog.NewContext(ctx, logger)
|
||||
attachDetachController, attachDetachControllerErr :=
|
||||
attachdetach.NewAttachDetachController(
|
||||
@ -318,7 +304,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
|
||||
controllerContext.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
|
||||
controllerContext.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
|
||||
attachdetach.DefaultTimerConfig,
|
||||
filteredDialOptions,
|
||||
)
|
||||
if attachDetachControllerErr != nil {
|
||||
return nil, true, fmt.Errorf("failed to start attach/detach controller: %v", attachDetachControllerErr)
|
||||
@ -334,12 +319,7 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
|
||||
return nil, true, fmt.Errorf("failed to probe volume plugins when starting volume expand controller: %v", err)
|
||||
}
|
||||
csiTranslator := csitrans.New()
|
||||
filteredDialOptions, err := options.ParseVolumeHostFilters(
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
|
||||
controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
|
||||
if err != nil {
|
||||
return nil, true, err
|
||||
}
|
||||
|
||||
expandController, expandControllerErr := expand.NewExpandController(
|
||||
controllerContext.ClientBuilder.ClientOrDie("expand-controller"),
|
||||
controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
|
||||
@ -347,7 +327,6 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
|
||||
plugins,
|
||||
csiTranslator,
|
||||
csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate),
|
||||
filteredDialOptions,
|
||||
)
|
||||
|
||||
if expandControllerErr != nil {
|
||||
|
@ -1053,30 +1053,6 @@ func TestValidateControllersOptions(t *testing.T) {
|
||||
},
|
||||
}).Validate,
|
||||
},
|
||||
{
|
||||
name: "PersistentVolumeBinderControllerOptions bad cidr deny list",
|
||||
expectErrors: true,
|
||||
expectedErrorSubString: "bad --volume-host-ip-denylist/--volume-host-allow-local-loopback invalid CIDR",
|
||||
validate: (&PersistentVolumeBinderControllerOptions{
|
||||
&persistentvolumeconfig.PersistentVolumeBinderControllerConfiguration{
|
||||
PVClaimBinderSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
VolumeConfiguration: persistentvolumeconfig.VolumeConfiguration{
|
||||
EnableDynamicProvisioning: false,
|
||||
EnableHostPathProvisioning: true,
|
||||
FlexVolumePluginDir: "/flex-volume-plugin",
|
||||
PersistentVolumeRecyclerConfiguration: persistentvolumeconfig.PersistentVolumeRecyclerConfiguration{
|
||||
MaximumRetry: 3,
|
||||
MinimumTimeoutNFS: 200,
|
||||
IncrementTimeoutNFS: 45,
|
||||
MinimumTimeoutHostPath: 45,
|
||||
IncrementTimeoutHostPath: 45,
|
||||
},
|
||||
},
|
||||
VolumeHostCIDRDenylist: []string{"127.0.0.1"},
|
||||
VolumeHostAllowLocalLoopback: false,
|
||||
},
|
||||
}).Validate,
|
||||
},
|
||||
{
|
||||
name: "StatefulSetControllerOptions ConcurrentStatefulSetSyncs equal 0",
|
||||
expectErrors: true,
|
||||
|
@ -17,13 +17,9 @@ limitations under the License.
|
||||
package options
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
persistentvolumeconfig "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/config"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
netutils "k8s.io/utils/net"
|
||||
)
|
||||
|
||||
// PersistentVolumeBinderControllerOptions holds the PersistentVolumeBinderController options.
|
||||
@ -48,7 +44,9 @@ func (o *PersistentVolumeBinderControllerOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.BoolVar(&o.VolumeConfiguration.EnableDynamicProvisioning, "enable-dynamic-provisioning", o.VolumeConfiguration.EnableDynamicProvisioning, "Enable dynamic provisioning for environments that support it.")
|
||||
fs.StringVar(&o.VolumeConfiguration.FlexVolumePluginDir, "flex-volume-plugin-dir", o.VolumeConfiguration.FlexVolumePluginDir, "Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.")
|
||||
fs.StringSliceVar(&o.VolumeHostCIDRDenylist, "volume-host-cidr-denylist", o.VolumeHostCIDRDenylist, "A comma-separated list of CIDR ranges to avoid from volume plugins.")
|
||||
fs.MarkDeprecated("volume-host-cidr-denylist", "This flag is currently no-op and will be deleted.")
|
||||
fs.BoolVar(&o.VolumeHostAllowLocalLoopback, "volume-host-allow-local-loopback", o.VolumeHostAllowLocalLoopback, "If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist")
|
||||
fs.MarkDeprecated("volume-host-allow-local-loopback", "This flag is currently no-op and will be deleted.")
|
||||
}
|
||||
|
||||
// ApplyTo fills up PersistentVolumeBinderController config with options.
|
||||
@ -72,17 +70,5 @@ func (o *PersistentVolumeBinderControllerOptions) Validate() []error {
|
||||
}
|
||||
|
||||
errs := []error{}
|
||||
if _, err := ParseVolumeHostFilters(o.VolumeHostCIDRDenylist, o.VolumeHostAllowLocalLoopback); err != nil {
|
||||
errs = append(errs, fmt.Errorf("bad --volume-host-ip-denylist/--volume-host-allow-local-loopback %w", err))
|
||||
}
|
||||
return errs
|
||||
}
|
||||
|
||||
// ParseVolumeHostFilters process the --volume-host-ip-denylist and --volume-host-allow-local-loopback flags.
|
||||
func ParseVolumeHostFilters(denylist []string, allowLocalLoopback bool) (*proxyutil.FilteredDialOptions, error) {
|
||||
denyCIDRs, err := netutils.ParseCIDRs(denylist)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return &proxyutil.FilteredDialOptions{DialHostCIDRDenylist: denyCIDRs, AllowLocalLoopback: allowLocalLoopback}, nil
|
||||
}
|
||||
|
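Review bot: The deprecation added in `AddFlags` only reaches operators who pass `--volume-host-cidr-denylist` or `--volume-host-allow-local-loopback` on the command line, because pflag prints the `MarkDeprecated` message when the flag is used. With the `ParseVolumeHostFilters` call dropped from `Validate`, a denylist that arrives any other way (the `VolumeHostCIDRDenylist` config field is still present) appears to be accepted with no signal that it is no longer enforced. Since such a list is typically set as an egress restriction, consider a one-time warning where the options are validated or applied, for example `if len(o.VolumeHostCIDRDenylist) > 0 { klog.Warning("volume-host-cidr-denylist is set but is no longer enforced") }`. The error returned by both `fs.MarkDeprecated` calls is also discarded, so a later rename of either flag would silently drop the warning. `Validate` starts outside this hunk, so the exact placement needs checking against the full function.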
@ -55,7 +55,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/controller/volume/attachdetach/statusupdater"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/attachdetach/util"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/common"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/csi"
|
||||
"k8s.io/kubernetes/pkg/volume/csimigration"
|
||||
@ -120,23 +119,21 @@ func NewAttachDetachController(
|
||||
prober volume.DynamicPluginProber,
|
||||
disableReconciliationSync bool,
|
||||
reconcilerSyncDuration time.Duration,
|
||||
timerConfig TimerConfig,
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions) (AttachDetachController, error) {
|
||||
timerConfig TimerConfig) (AttachDetachController, error) {
|
||||
|
||||
adc := &attachDetachController{
|
||||
kubeClient: kubeClient,
|
||||
pvcLister: pvcInformer.Lister(),
|
||||
pvcsSynced: pvcInformer.Informer().HasSynced,
|
||||
pvLister: pvInformer.Lister(),
|
||||
pvsSynced: pvInformer.Informer().HasSynced,
|
||||
podLister: podInformer.Lister(),
|
||||
podsSynced: podInformer.Informer().HasSynced,
|
||||
podIndexer: podInformer.Informer().GetIndexer(),
|
||||
nodeLister: nodeInformer.Lister(),
|
||||
nodesSynced: nodeInformer.Informer().HasSynced,
|
||||
cloud: cloud,
|
||||
pvcQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
|
||||
filteredDialOptions: filteredDialOptions,
|
||||
kubeClient: kubeClient,
|
||||
pvcLister: pvcInformer.Lister(),
|
||||
pvcsSynced: pvcInformer.Informer().HasSynced,
|
||||
pvLister: pvInformer.Lister(),
|
||||
pvsSynced: pvInformer.Informer().HasSynced,
|
||||
podLister: podInformer.Lister(),
|
||||
podsSynced: podInformer.Informer().HasSynced,
|
||||
podIndexer: podInformer.Informer().GetIndexer(),
|
||||
nodeLister: nodeInformer.Lister(),
|
||||
nodesSynced: nodeInformer.Informer().HasSynced,
|
||||
cloud: cloud,
|
||||
pvcQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
|
||||
}
|
||||
|
||||
adc.csiNodeLister = csiNodeInformer.Lister()
|
||||
@ -325,9 +322,6 @@ type attachDetachController struct {
|
||||
|
||||
// intreeToCSITranslator translates from in-tree volume specs to CSI
|
||||
intreeToCSITranslator csimigration.InTreeToCSITranslator
|
||||
|
||||
// filteredDialOptions configures any dialing done by the controller.
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
func (adc *attachDetachController) Run(ctx context.Context) {
|
||||
@ -919,10 +913,6 @@ func (adc *attachDetachController) GetSubpather() subpath.Interface {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (adc *attachDetachController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
|
||||
return adc.filteredDialOptions
|
||||
}
|
||||
|
||||
func (adc *attachDetachController) GetCSIDriverLister() storagelistersv1.CSIDriverLister {
|
||||
return adc.csiDriverLister
|
||||
}
|
||||
|
@ -65,7 +65,6 @@ func Test_NewAttachDetachController_Positive(t *testing.T) {
|
||||
false,
|
||||
5*time.Second,
|
||||
DefaultTimerConfig,
|
||||
nil, /* filteredDialOptions */
|
||||
)
|
||||
|
||||
// Assert
|
||||
@ -195,7 +194,6 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
|
||||
false,
|
||||
1*time.Second,
|
||||
DefaultTimerConfig,
|
||||
nil, /* filteredDialOptions */
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
@ -461,7 +459,6 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
|
||||
false,
|
||||
1*time.Second,
|
||||
DefaultTimerConfig,
|
||||
nil, /* filteredDialOptions */
|
||||
)
|
||||
if err != nil {
|
||||
t.Fatalf("NewAttachDetachController failed with error. Expected: <no error> Actual: <%v>", err)
|
||||
|
@ -45,7 +45,6 @@ import (
|
||||
cloudprovider "k8s.io/cloud-provider"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/events"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/csimigration"
|
||||
"k8s.io/kubernetes/pkg/volume/util"
|
||||
@ -97,8 +96,6 @@ type expandController struct {
|
||||
translator CSINameTranslator
|
||||
|
||||
csiMigratedPluginManager csimigration.PluginManager
|
||||
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
// NewExpandController expands the pvs
|
||||
@ -108,8 +105,7 @@ func NewExpandController(
|
||||
cloud cloudprovider.Interface,
|
||||
plugins []volume.VolumePlugin,
|
||||
translator CSINameTranslator,
|
||||
csiMigratedPluginManager csimigration.PluginManager,
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions) (ExpandController, error) {
|
||||
csiMigratedPluginManager csimigration.PluginManager) (ExpandController, error) {
|
||||
|
||||
expc := &expandController{
|
||||
kubeClient: kubeClient,
|
||||
@ -119,7 +115,6 @@ func NewExpandController(
|
||||
queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "volume_expand"),
|
||||
translator: translator,
|
||||
csiMigratedPluginManager: csiMigratedPluginManager,
|
||||
filteredDialOptions: filteredDialOptions,
|
||||
}
|
||||
|
||||
if err := expc.volumePluginMgr.InitPlugins(plugins, nil, expc); err != nil {
|
||||
@ -479,7 +474,3 @@ func (expc *expandController) GetSubpather() subpath.Interface {
|
||||
// not needed for expand controller
|
||||
return nil
|
||||
}
|
||||
|
||||
func (expc *expandController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
|
||||
return expc.filteredDialOptions
|
||||
}
|
||||
|
@ -106,7 +106,7 @@ func TestSyncHandler(t *testing.T) {
|
||||
}
|
||||
allPlugins := []volume.VolumePlugin{}
|
||||
translator := csitrans.New()
|
||||
expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate), nil)
|
||||
expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate))
|
||||
if err != nil {
|
||||
t.Fatalf("error creating expand controller : %v", err)
|
||||
}
|
||||
|
@ -28,10 +28,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
|
||||
PVClaimBinderSyncPeriod metav1.Duration
|
||||
// volumeConfiguration holds configuration for volume related features.
|
||||
VolumeConfiguration VolumeConfiguration
|
||||
// VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
|
||||
// DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
|
||||
// controller from plugins.
|
||||
VolumeHostCIDRDenylist []string
|
||||
// VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
|
||||
// DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
|
||||
// should be allowed from plugins.
|
||||
VolumeHostAllowLocalLoopback bool
|
||||
}
|
||||
|
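Review bot: The `DEPRECATED:` prefix added to `VolumeHostCIDRDenylist` and `VolumeHostAllowLocalLoopback` is not the form Go tooling recognises, and the rest of each comment still says the field restricts what the controller can reach, although this commit removes the filtered-dial plumbing that consumed it. A reader of the API docs could take the field for an active network restriction. State the current behaviour and put the marker in its own comment paragraph, e.g. `// Deprecated: this field has no effect and will be removed.` The same wording is used in the v1alpha1 `PersistentVolumeBinderControllerConfiguration` section and is carried into the generated OpenAPI descriptions. The struct declaration starts outside this hunk.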
@ -47,7 +47,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/controller/volume/common"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/events"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/util/goroutinemap"
|
||||
"k8s.io/kubernetes/pkg/util/goroutinemap/exponentialbackoff"
|
||||
vol "k8s.io/kubernetes/pkg/volume"
|
||||
@ -240,9 +239,6 @@ type PersistentVolumeController struct {
|
||||
|
||||
translator CSINameTranslator
|
||||
csiMigratedPluginManager CSIMigratedPluginManager
|
||||
|
||||
// filteredDialOptions configures any dialing done by the controller.
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
// syncClaim is the main controller method to decide what to do with a claim.
|
||||
|
@ -47,7 +47,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/controller/volume/common"
|
||||
"k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/util/goroutinemap"
|
||||
"k8s.io/kubernetes/pkg/util/slice"
|
||||
vol "k8s.io/kubernetes/pkg/volume"
|
||||
@ -75,7 +74,6 @@ type ControllerParameters struct {
|
||||
NodeInformer coreinformers.NodeInformer
|
||||
EventRecorder record.EventRecorder
|
||||
EnableDynamicProvisioning bool
|
||||
FilteredDialOptions *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
// NewController creates a new PersistentVolume controller
|
||||
@ -148,8 +146,6 @@ func NewController(ctx context.Context, p ControllerParameters) (*PersistentVolu
|
||||
controller.translator = csiTranslator
|
||||
controller.csiMigratedPluginManager = csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate)
|
||||
|
||||
controller.filteredDialOptions = p.FilteredDialOptions
|
||||
|
||||
return controller, nil
|
||||
}
|
||||
|
||||
|
@ -30,7 +30,6 @@ import (
|
||||
clientset "k8s.io/client-go/kubernetes"
|
||||
"k8s.io/client-go/tools/record"
|
||||
cloudprovider "k8s.io/cloud-provider"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
vol "k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/util/subpath"
|
||||
)
|
||||
@ -143,7 +142,3 @@ func (ctrl *PersistentVolumeController) GetSubpather() subpath.Interface {
|
||||
// No volume plugin needs Subpaths in PV controller.
|
||||
return nil
|
||||
}
|
||||
|
||||
func (ctrl *PersistentVolumeController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
|
||||
return ctrl.filteredDialOptions
|
||||
}
|
||||
|
4
pkg/generated/openapi/zz_generated.openapi.go
generated
4
pkg/generated/openapi/zz_generated.openapi.go
generated
@ -53332,7 +53332,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
|
||||
},
|
||||
"VolumeHostCIDRDenylist": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.",
|
||||
Description: "DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.",
|
||||
Type: []string{"array"},
|
||||
Items: &spec.SchemaOrArray{
|
||||
Schema: &spec.Schema{
|
||||
@ -53347,7 +53347,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
|
||||
},
|
||||
"VolumeHostAllowLocalLoopback": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.",
|
||||
Description: "DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.",
|
||||
Type: []string{"boolean"},
|
||||
Format: "",
|
||||
},
|
||||
|
@ -38,7 +38,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/kubelet/configmap"
|
||||
"k8s.io/kubernetes/pkg/kubelet/secret"
|
||||
"k8s.io/kubernetes/pkg/kubelet/token"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/util"
|
||||
"k8s.io/kubernetes/pkg/volume/util/hostutil"
|
||||
@ -152,11 +151,6 @@ func (kvh *kubeletVolumeHost) GetSubpather() subpath.Interface {
|
||||
return kvh.kubelet.subpather
|
||||
}
|
||||
|
||||
func (kvh *kubeletVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
|
||||
// FilteredDial is not needed in the kubelet.
|
||||
return nil
|
||||
}
|
||||
|
||||
func (kvh *kubeletVolumeHost) GetHostUtil() hostutil.HostUtils {
|
||||
return kvh.kubelet.hostutil
|
||||
}
|
||||
|
@ -22,7 +22,6 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
|
||||
@ -136,16 +135,6 @@ func IsProxyableHostname(ctx context.Context, resolv Resolver, hostname string)
|
||||
return nil
|
||||
}
|
||||
|
||||
// IsAllowedHost checks if the given IP host address is in a network in the denied list.
|
||||
func IsAllowedHost(host net.IP, denied []*net.IPNet) error {
|
||||
for _, ipNet := range denied {
|
||||
if ipNet.Contains(host) {
|
||||
return ErrAddressNotAllowed
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetLocalAddrs returns a list of all network addresses on the local system
|
||||
func GetLocalAddrs() ([]net.IP, error) {
|
||||
var localAddrs []net.IP
|
||||
@ -347,66 +336,6 @@ func EnsureSysctl(sysctl utilsysctl.Interface, name string, newVal int) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DialContext is a dial function matching the signature of net.Dialer.DialContext.
|
||||
type DialContext = func(context.Context, string, string) (net.Conn, error)
|
||||
|
||||
// FilteredDialOptions configures how a DialContext is wrapped by NewFilteredDialContext.
|
||||
type FilteredDialOptions struct {
|
||||
// DialHostIPDenylist restricts hosts from being dialed.
|
||||
DialHostCIDRDenylist []*net.IPNet
|
||||
// AllowLocalLoopback controls connections to local loopback hosts (as defined by
|
||||
// IsProxyableIP).
|
||||
AllowLocalLoopback bool
|
||||
}
|
||||
|
||||
// NewFilteredDialContext returns a DialContext function that filters connections based on a FilteredDialOptions.
|
||||
func NewFilteredDialContext(wrapped DialContext, resolv Resolver, opts *FilteredDialOptions) DialContext {
|
||||
if wrapped == nil {
|
||||
wrapped = http.DefaultTransport.(*http.Transport).DialContext
|
||||
}
|
||||
if opts == nil {
|
||||
// Do no filtering
|
||||
return wrapped
|
||||
}
|
||||
if resolv == nil {
|
||||
resolv = net.DefaultResolver
|
||||
}
|
||||
if len(opts.DialHostCIDRDenylist) == 0 && opts.AllowLocalLoopback {
|
||||
// Do no filtering.
|
||||
return wrapped
|
||||
}
|
||||
return func(ctx context.Context, network, address string) (net.Conn, error) {
|
||||
// DialContext is given host:port. LookupIPAddress expects host.
|
||||
addressToResolve, _, err := net.SplitHostPort(address)
|
||||
if err != nil {
|
||||
addressToResolve = address
|
||||
}
|
||||
|
||||
resp, err := resolv.LookupIPAddr(ctx, addressToResolve)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if len(resp) == 0 {
|
||||
return nil, ErrNoAddresses
|
||||
}
|
||||
|
||||
for _, host := range resp {
|
||||
if !opts.AllowLocalLoopback {
|
||||
if err := isProxyableIP(host.IP); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
if opts.DialHostCIDRDenylist != nil {
|
||||
if err := IsAllowedHost(host.IP, opts.DialHostCIDRDenylist); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
}
|
||||
return wrapped(ctx, network, address)
|
||||
}
|
||||
}
|
||||
|
||||
// GetClusterIPByFamily returns a service clusterip by family
|
||||
func GetClusterIPByFamily(ipFamily v1.IPFamily, service *v1.Service) string {
|
||||
// allowing skew
|
||||
|
@ -166,39 +166,6 @@ func TestIsProxyableHostname(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestIsAllowedHost(t *testing.T) {
|
||||
testCases := []struct {
|
||||
ip string
|
||||
denied []string
|
||||
want error
|
||||
}{
|
||||
{"8.8.8.8", []string{}, nil},
|
||||
{"169.254.169.254", []string{"169.0.0.0/8"}, ErrAddressNotAllowed},
|
||||
{"169.254.169.254", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
|
||||
{"fce9:beef::", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
|
||||
{"127.0.0.1", []string{"127.0.0.1/32"}, ErrAddressNotAllowed},
|
||||
{"34.107.204.206", []string{"fce8::/15"}, nil},
|
||||
{"fce9:beef::", []string{"127.0.0.1/32"}, nil},
|
||||
{"34.107.204.206", []string{"127.0.0.1/32"}, nil},
|
||||
{"127.0.0.1", []string{}, nil},
|
||||
}
|
||||
|
||||
for i := range testCases {
|
||||
var denyList []*net.IPNet
|
||||
for _, cidrStr := range testCases[i].denied {
|
||||
_, ipNet, err := netutils.ParseCIDRSloppy(cidrStr)
|
||||
if err != nil {
|
||||
t.Fatalf("bad IP for test case: %v: %v", cidrStr, err)
|
||||
}
|
||||
denyList = append(denyList, ipNet)
|
||||
}
|
||||
got := IsAllowedHost(netutils.ParseIPSloppy(testCases[i].ip), denyList)
|
||||
if testCases[i].want != got {
|
||||
t.Errorf("case %d: expected %v, got %v", i, testCases[i].want, got)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func TestShouldSkipService(t *testing.T) {
|
||||
testCases := []struct {
|
||||
service *v1.Service
|
||||
@ -278,125 +245,6 @@ func TestShouldSkipService(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestNewFilteredDialContext(t *testing.T) {
|
||||
|
||||
_, cidr, _ := netutils.ParseCIDRSloppy("1.1.1.1/28")
|
||||
|
||||
testCases := []struct {
|
||||
name string
|
||||
|
||||
// opts passed to NewFilteredDialContext
|
||||
opts *FilteredDialOptions
|
||||
|
||||
// value passed to dial
|
||||
dial string
|
||||
|
||||
// value expected to be passed to resolve
|
||||
expectResolve string
|
||||
// result from resolver
|
||||
resolveTo []net.IPAddr
|
||||
resolveErr error
|
||||
|
||||
// expect the wrapped dialer to be called
|
||||
expectWrappedDial bool
|
||||
// expect an error result
|
||||
expectErr string
|
||||
}{
|
||||
{
|
||||
name: "allow with nil opts",
|
||||
opts: nil,
|
||||
dial: "127.0.0.1:8080",
|
||||
expectResolve: "", // resolver not called, no-op opts
|
||||
expectWrappedDial: true,
|
||||
expectErr: "",
|
||||
},
|
||||
{
|
||||
name: "allow localhost",
|
||||
opts: &FilteredDialOptions{AllowLocalLoopback: true},
|
||||
dial: "127.0.0.1:8080",
|
||||
expectResolve: "", // resolver not called, no-op opts
|
||||
expectWrappedDial: true,
|
||||
expectErr: "",
|
||||
},
|
||||
{
|
||||
name: "disallow localhost",
|
||||
opts: &FilteredDialOptions{AllowLocalLoopback: false},
|
||||
dial: "127.0.0.1:8080",
|
||||
expectResolve: "127.0.0.1",
|
||||
resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("127.0.0.1")}},
|
||||
expectWrappedDial: false,
|
||||
expectErr: "address not allowed",
|
||||
},
|
||||
{
|
||||
name: "disallow IP",
|
||||
opts: &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
|
||||
dial: "foo.com:8080",
|
||||
expectResolve: "foo.com",
|
||||
resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("1.1.1.1")}},
|
||||
expectWrappedDial: false,
|
||||
expectErr: "address not allowed",
|
||||
},
|
||||
{
|
||||
name: "allow IP",
|
||||
opts: &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
|
||||
dial: "foo.com:8080",
|
||||
expectResolve: "foo.com",
|
||||
resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("2.2.2.2")}},
|
||||
expectWrappedDial: true,
|
||||
expectErr: "",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
wrappedDialer := &testDialer{}
|
||||
testResolver := &testResolver{addrs: tc.resolveTo, err: tc.resolveErr}
|
||||
dialer := NewFilteredDialContext(wrappedDialer.DialContext, testResolver, tc.opts)
|
||||
_, err := dialer(context.TODO(), "tcp", tc.dial)
|
||||
|
||||
if tc.expectResolve != testResolver.resolveAddress {
|
||||
t.Fatalf("expected to resolve %s, got %s", tc.expectResolve, testResolver.resolveAddress)
|
||||
}
|
||||
if tc.expectWrappedDial != wrappedDialer.called {
|
||||
t.Fatalf("expected wrapped dialer called %v, got %v", tc.expectWrappedDial, wrappedDialer.called)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
if len(tc.expectErr) == 0 {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
} else if !strings.Contains(err.Error(), tc.expectErr) {
|
||||
t.Fatalf("expected error containing %q, got %v", tc.expectErr, err)
|
||||
}
|
||||
} else {
|
||||
if len(tc.expectErr) > 0 {
|
||||
t.Fatalf("expected error, got none")
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
type testDialer struct {
|
||||
called bool
|
||||
}
|
||||
|
||||
func (t *testDialer) DialContext(_ context.Context, network, address string) (net.Conn, error) {
|
||||
t.called = true
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
type testResolver struct {
|
||||
addrs []net.IPAddr
|
||||
err error
|
||||
|
||||
resolveAddress string
|
||||
}
|
||||
|
||||
func (t *testResolver) LookupIPAddr(_ context.Context, address string) ([]net.IPAddr, error) {
|
||||
t.resolveAddress = address
|
||||
return t.addrs, t.err
|
||||
}
|
||||
|
||||
func TestAppendPortIfNeeded(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
|
@ -40,7 +40,6 @@ import (
|
||||
"k8s.io/client-go/tools/cache"
|
||||
"k8s.io/client-go/tools/record"
|
||||
cloudprovider "k8s.io/cloud-provider"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
"k8s.io/kubernetes/pkg/volume/util/hostutil"
|
||||
"k8s.io/kubernetes/pkg/volume/util/recyclerclient"
|
||||
"k8s.io/kubernetes/pkg/volume/util/subpath"
|
||||
@ -443,9 +442,6 @@ type VolumeHost interface {
|
||||
|
||||
// Returns an interface that should be used to execute subpath operations
|
||||
GetSubpather() subpath.Interface
|
||||
|
||||
// Returns options to pass for proxyutil filtered dialers.
|
||||
GetFilteredDialOptions() *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
// VolumePluginMgr tracks registered plugins.
|
||||
|
@ -41,7 +41,6 @@ import (
|
||||
"k8s.io/client-go/tools/record"
|
||||
cloudprovider "k8s.io/cloud-provider"
|
||||
csilibplugins "k8s.io/csi-translation-lib/plugins"
|
||||
proxyutil "k8s.io/kubernetes/pkg/proxy/util"
|
||||
. "k8s.io/kubernetes/pkg/volume"
|
||||
"k8s.io/kubernetes/pkg/volume/util/hostutil"
|
||||
"k8s.io/kubernetes/pkg/volume/util/subpath"
|
||||
@ -75,7 +74,6 @@ type fakeVolumeHost struct {
|
||||
informerFactory informers.SharedInformerFactory
|
||||
kubeletErr error
|
||||
mux sync.Mutex
|
||||
filteredDialOptions *proxyutil.FilteredDialOptions
|
||||
}
|
||||
|
||||
var _ VolumeHost = &fakeVolumeHost{}
|
||||
@ -151,10 +149,6 @@ func (f *fakeVolumeHost) GetSubpather() subpath.Interface {
|
||||
return f.subpather
|
||||
}
|
||||
|
||||
func (f *fakeVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
|
||||
return f.filteredDialOptions
|
||||
}
|
||||
|
||||
func (f *fakeVolumeHost) GetPluginMgr() *VolumePluginMgr {
|
||||
return f.pluginMgr
|
||||
}
|
||||
|
@ -419,10 +419,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
|
||||
PVClaimBinderSyncPeriod metav1.Duration
|
||||
// volumeConfiguration holds configuration for volume related features.
|
||||
VolumeConfiguration VolumeConfiguration
|
||||
// VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
|
||||
// DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
|
||||
// controller from plugins.
|
||||
VolumeHostCIDRDenylist []string
|
||||
// VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
|
||||
// DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
|
||||
// should be allowed from plugins.
|
||||
VolumeHostAllowLocalLoopback *bool
|
||||
}
|
||||
|
@ -442,7 +442,6 @@ func createAdClients(t *testing.T, server *kubeapiservertesting.TestServer, sync
|
||||
false,
|
||||
5*time.Second,
|
||||
timers,
|
||||
nil, /* filteredDialOptions */
|
||||
)
|
||||
|
||||
if err != nil {
|
||||
|