diff --git a/cmd/kube-controller-manager/app/core.go b/cmd/kube-controller-manager/app/core.go
index 10a6a05c418..baad5543262 100644
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -43,7 +43,6 @@ import (
 servicecontroller "k8s.io/cloud-provider/controllers/service"
 "k8s.io/controller-manager/controller"
 csitrans "k8s.io/csi-translation-lib"
- "k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
 pkgcontroller "k8s.io/kubernetes/pkg/controller"
 endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
 "k8s.io/kubernetes/pkg/controller/garbagecollector"
@@ -255,12 +254,7 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
 if err != nil {
 return nil, true, fmt.Errorf("failed to probe volume plugins when starting persistentvolume controller: %v", err)
 }
- filteredDialOptions, err := options.ParseVolumeHostFilters(
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
- if err != nil {
- return nil, true, err
- }
+
 params := persistentvolumecontroller.ControllerParameters{
 KubeClient: controllerContext.ClientBuilder.ClientOrDie("persistent-volume-binder"),
 SyncPeriod: controllerContext.ComponentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod.Duration,
@@ -273,7 +267,6 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
 PodInformer: controllerContext.InformerFactory.Core().V1().Pods(),
 NodeInformer: controllerContext.InformerFactory.Core().V1().Nodes(),
 EnableDynamicProvisioning: controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration.EnableDynamicProvisioning,
- FilteredDialOptions: filteredDialOptions,
 }
 volumeController, volumeControllerErr := persistentvolumecontroller.NewController(ctx, params)
 if volumeControllerErr != nil {
@@ -293,13 +286,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
 return nil, true, fmt.Errorf("failed to probe volume plugins when starting attach/detach controller: %v", err)
 }
 
- filteredDialOptions, err := options.ParseVolumeHostFilters(
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
- if err != nil {
- return nil, true, err
- }
-
 ctx = klog.NewContext(ctx, logger)
 attachDetachController, attachDetachControllerErr :=
 attachdetach.NewAttachDetachController(
@@ -318,7 +304,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
 controllerContext.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
 controllerContext.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
 attachdetach.DefaultTimerConfig,
- filteredDialOptions,
 )
 if attachDetachControllerErr != nil {
 return nil, true, fmt.Errorf("failed to start attach/detach controller: %v", attachDetachControllerErr)
@@ -334,12 +319,7 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
 return nil, true, fmt.Errorf("failed to probe volume plugins when starting volume expand controller: %v", err)
 }
 csiTranslator := csitrans.New()
- filteredDialOptions, err := options.ParseVolumeHostFilters(
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
- controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
- if err != nil {
- return nil, true, err
- }
+
 expandController, expandControllerErr := expand.NewExpandController(
 controllerContext.ClientBuilder.ClientOrDie("expand-controller"),
 controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
@@ -347,7 +327,6 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
 plugins,
 csiTranslator,
 csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate),
- filteredDialOptions,
 )
 
 if expandControllerErr != nil {
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index f4ac4fd71b1..9940b9fe532 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -1053,30 +1053,6 @@ func TestValidateControllersOptions(t *testing.T) {
 },
 }).Validate,
 },
- {
- name: "PersistentVolumeBinderControllerOptions bad cidr deny list",
- expectErrors: true,
- expectedErrorSubString: "bad --volume-host-ip-denylist/--volume-host-allow-local-loopback invalid CIDR",
- validate: (&PersistentVolumeBinderControllerOptions{
- &persistentvolumeconfig.PersistentVolumeBinderControllerConfiguration{
- PVClaimBinderSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
- VolumeConfiguration: persistentvolumeconfig.VolumeConfiguration{
- EnableDynamicProvisioning: false,
- EnableHostPathProvisioning: true,
- FlexVolumePluginDir: "/flex-volume-plugin",
- PersistentVolumeRecyclerConfiguration: persistentvolumeconfig.PersistentVolumeRecyclerConfiguration{
- MaximumRetry: 3,
- MinimumTimeoutNFS: 200,
- IncrementTimeoutNFS: 45,
- MinimumTimeoutHostPath: 45,
- IncrementTimeoutHostPath: 45,
- },
- },
- VolumeHostCIDRDenylist: []string{"127.0.0.1"},
- VolumeHostAllowLocalLoopback: false,
- },
- }).Validate,
- },
 {
 name: "StatefulSetControllerOptions ConcurrentStatefulSetSyncs equal 0",
 expectErrors: true,
diff --git a/cmd/kube-controller-manager/app/options/persistentvolumebindercontroller.go b/cmd/kube-controller-manager/app/options/persistentvolumebindercontroller.go
index c3c82c726a8..13e178a4ec0 100644
--- a/cmd/kube-controller-manager/app/options/persistentvolumebindercontroller.go
+++ b/cmd/kube-controller-manager/app/options/persistentvolumebindercontroller.go
@@ -17,13 +17,9 @@ limitations under the License.
 
 package options
 
 import (
- "fmt"
-
 "github.com/spf13/pflag"
 persistentvolumeconfig "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/config"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
- netutils "k8s.io/utils/net"
 )
 
 // PersistentVolumeBinderControllerOptions holds the PersistentVolumeBinderController options.
@@ -48,7 +44,9 @@ func (o *PersistentVolumeBinderControllerOptions) AddFlags(fs *pflag.FlagSet) {
 fs.BoolVar(&o.VolumeConfiguration.EnableDynamicProvisioning, "enable-dynamic-provisioning", o.VolumeConfiguration.EnableDynamicProvisioning, "Enable dynamic provisioning for environments that support it.")
 fs.StringVar(&o.VolumeConfiguration.FlexVolumePluginDir, "flex-volume-plugin-dir", o.VolumeConfiguration.FlexVolumePluginDir, "Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.")
 fs.StringSliceVar(&o.VolumeHostCIDRDenylist, "volume-host-cidr-denylist", o.VolumeHostCIDRDenylist, "A comma-separated list of CIDR ranges to avoid from volume plugins.")
+ fs.MarkDeprecated("volume-host-cidr-denylist", "This flag is currently no-op and will be deleted.")
 fs.BoolVar(&o.VolumeHostAllowLocalLoopback, "volume-host-allow-local-loopback", o.VolumeHostAllowLocalLoopback, "If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist")
+ fs.MarkDeprecated("volume-host-allow-local-loopback", "This flag is currently no-op and will be deleted.")
 }
 
 // ApplyTo fills up PersistentVolumeBinderController config with options.
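Review bot: Both added `fs.MarkDeprecated(...)` calls discard the `error` pflag returns when the named flag is not registered, so a typo in either name would silently leave the flag undeprecated; either check it or write `_ = fs.MarkDeprecated("volume-host-cidr-denylist", "...")` so the discard is visibly deliberate. The message 'This flag is currently no-op and will be deleted.' also understates what an operator loses: the CIDR denylist and loopback restriction these flags configured are no longer applied anywhere in this commit, so a manifest that still sets them gets no filtering at all. Suggest `"This flag is a no-op: the volume-host CIDR denylist is no longer enforced and the flag will be removed."` (and the loopback equivalent) so anyone relying on it knows to stop. The unchanged help strings still describe the old behaviour, which matters less because MarkDeprecated hides the flags from --help, but the ComponentConfig fields they fill (ApplyTo is outside this diff) presumably remain as dead data.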
@@ -72,17 +70,5 @@ func (o *PersistentVolumeBinderControllerOptions) Validate() []error {
 }
 
 errs := []error{}
- if _, err := ParseVolumeHostFilters(o.VolumeHostCIDRDenylist, o.VolumeHostAllowLocalLoopback); err != nil {
- errs = append(errs, fmt.Errorf("bad --volume-host-ip-denylist/--volume-host-allow-local-loopback %w", err))
- }
 return errs
 }
-
-// ParseVolumeHostFilters process the --volume-host-ip-denylist and --volume-host-allow-local-loopback flags.
-func ParseVolumeHostFilters(denylist []string, allowLocalLoopback bool) (*proxyutil.FilteredDialOptions, error) {
- denyCIDRs, err := netutils.ParseCIDRs(denylist)
- if err != nil {
- return nil, err
- }
- return &proxyutil.FilteredDialOptions{DialHostCIDRDenylist: denyCIDRs, AllowLocalLoopback: allowLocalLoopback}, nil
-}
diff --git a/pkg/controller/volume/attachdetach/attach_detach_controller.go b/pkg/controller/volume/attachdetach/attach_detach_controller.go
index 63ea1b97000..fc8e55fb5cc 100644
--- a/pkg/controller/volume/attachdetach/attach_detach_controller.go
+++ b/pkg/controller/volume/attachdetach/attach_detach_controller.go
@@ -55,7 +55,6 @@ import (
 "k8s.io/kubernetes/pkg/controller/volume/attachdetach/statusupdater"
 "k8s.io/kubernetes/pkg/controller/volume/attachdetach/util"
 "k8s.io/kubernetes/pkg/controller/volume/common"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 "k8s.io/kubernetes/pkg/volume"
 "k8s.io/kubernetes/pkg/volume/csi"
 "k8s.io/kubernetes/pkg/volume/csimigration"
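Review bot: After this hunk Validate can no longer fail — the body is just `errs := []error{}` and `return errs` — but nothing records that the two remaining deprecated fields are deliberately left unvalidated, so the next reader may reinstate a CIDR check or wonder why the slice exists. A comment above the return such as `// VolumeHostCIDRDenylist and VolumeHostAllowLocalLoopback are deprecated no-ops and are intentionally not validated.` would capture the decision. Note the behaviour change this implies: a malformed --volume-host-cidr-denylist value used to be rejected at startup and is now accepted silently, which is consistent with the flags being no-ops but deserves a release note. The opening lines of Validate are outside the hunk.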
@@ -120,23 +119,21 @@ func NewAttachDetachController(
 prober volume.DynamicPluginProber,
 disableReconciliationSync bool,
 reconcilerSyncDuration time.Duration,
- timerConfig TimerConfig,
- filteredDialOptions *proxyutil.FilteredDialOptions) (AttachDetachController, error) {
+ timerConfig TimerConfig) (AttachDetachController, error) {
 
 adc := &attachDetachController{
- kubeClient: kubeClient,
- pvcLister: pvcInformer.Lister(),
- pvcsSynced: pvcInformer.Informer().HasSynced,
- pvLister: pvInformer.Lister(),
- pvsSynced: pvInformer.Informer().HasSynced,
- podLister: podInformer.Lister(),
- podsSynced: podInformer.Informer().HasSynced,
- podIndexer: podInformer.Informer().GetIndexer(),
- nodeLister: nodeInformer.Lister(),
- nodesSynced: nodeInformer.Informer().HasSynced,
- cloud: cloud,
- pvcQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
- filteredDialOptions: filteredDialOptions,
+ kubeClient: kubeClient,
+ pvcLister: pvcInformer.Lister(),
+ pvcsSynced: pvcInformer.Informer().HasSynced,
+ pvLister: pvInformer.Lister(),
+ pvsSynced: pvInformer.Informer().HasSynced,
+ podLister: podInformer.Lister(),
+ podsSynced: podInformer.Informer().HasSynced,
+ podIndexer: podInformer.Informer().GetIndexer(),
+ nodeLister: nodeInformer.Lister(),
+ nodesSynced: nodeInformer.Informer().HasSynced,
+ cloud: cloud,
+ pvcQueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
 }
 
 adc.csiNodeLister = csiNodeInformer.Lister()
@@ -325,9 +322,6 @@ type attachDetachController struct {
 
 // intreeToCSITranslator translates from in-tree volume specs to CSI
 intreeToCSITranslator csimigration.InTreeToCSITranslator
-
- // filteredDialOptions configures any dialing done by the controller.
- filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 func (adc *attachDetachController) Run(ctx context.Context) {
@@ -919,10 +913,6 @@ func (adc *attachDetachController) GetSubpather() subpath.Interface {
 return nil
 }
 
-func (adc *attachDetachController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
- return adc.filteredDialOptions
-}
-
 func (adc *attachDetachController) GetCSIDriverLister() storagelistersv1.CSIDriverLister {
 return adc.csiDriverLister
 }
diff --git a/pkg/controller/volume/attachdetach/attach_detach_controller_test.go b/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
index 5fa92094d42..3bb584dde47 100644
--- a/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
+++ b/pkg/controller/volume/attachdetach/attach_detach_controller_test.go
@@ -65,7 +65,6 @@ func Test_NewAttachDetachController_Positive(t *testing.T) {
 false,
 5*time.Second,
 DefaultTimerConfig,
- nil, /* filteredDialOptions */
 )
 
 // Assert
@@ -195,7 +194,6 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 false,
 1*time.Second,
 DefaultTimerConfig,
- nil, /* filteredDialOptions */
 )
 
 if err != nil {
@@ -461,7 +459,6 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 false,
 1*time.Second,
 DefaultTimerConfig,
- nil, /* filteredDialOptions */
 )
 if err != nil {
 t.Fatalf("NewAttachDetachController failed with error. Expected: Actual: <%v>", err)
diff --git a/pkg/controller/volume/expand/expand_controller.go b/pkg/controller/volume/expand/expand_controller.go
index b5ed53042d8..140ce01cbb3 100644
--- a/pkg/controller/volume/expand/expand_controller.go
+++ b/pkg/controller/volume/expand/expand_controller.go
@@ -45,7 +45,6 @@ import (
 cloudprovider "k8s.io/cloud-provider"
 "k8s.io/kubernetes/pkg/controller/volume/events"
 "k8s.io/kubernetes/pkg/features"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 "k8s.io/kubernetes/pkg/volume"
 "k8s.io/kubernetes/pkg/volume/csimigration"
 "k8s.io/kubernetes/pkg/volume/util"
@@ -97,8 +96,6 @@ type expandController struct {
 
 translator CSINameTranslator
 csiMigratedPluginManager csimigration.PluginManager
-
- filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 // NewExpandController expands the pvs
@@ -108,8 +105,7 @@ func NewExpandController(
 cloud cloudprovider.Interface,
 plugins []volume.VolumePlugin,
 translator CSINameTranslator,
- csiMigratedPluginManager csimigration.PluginManager,
- filteredDialOptions *proxyutil.FilteredDialOptions) (ExpandController, error) {
+ csiMigratedPluginManager csimigration.PluginManager) (ExpandController, error) {
 
 expc := &expandController{
 kubeClient: kubeClient,
@@ -119,7 +115,6 @@ func NewExpandController(
 queue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "volume_expand"),
 translator: translator,
 csiMigratedPluginManager: csiMigratedPluginManager,
- filteredDialOptions: filteredDialOptions,
 }
 
 if err := expc.volumePluginMgr.InitPlugins(plugins, nil, expc); err != nil {
@@ -479,7 +474,3 @@ func (expc *expandController) GetSubpather() subpath.Interface {
 // not needed for expand controller
 return nil
 }
-
-func (expc *expandController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
- return expc.filteredDialOptions
-}
diff --git a/pkg/controller/volume/expand/expand_controller_test.go b/pkg/controller/volume/expand/expand_controller_test.go
index 143738d7c83..180923dd9e4 100644
--- a/pkg/controller/volume/expand/expand_controller_test.go
+++ b/pkg/controller/volume/expand/expand_controller_test.go
@@ -106,7 +106,7 @@ func TestSyncHandler(t *testing.T) {
 }
 allPlugins := []volume.VolumePlugin{}
 translator := csitrans.New()
- expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate), nil)
+ expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate))
 if err != nil {
 t.Fatalf("error creating expand controller : %v", err)
 }
diff --git a/pkg/controller/volume/persistentvolume/config/types.go b/pkg/controller/volume/persistentvolume/config/types.go
index c840bd0b293..78e135dd223 100644
--- a/pkg/controller/volume/persistentvolume/config/types.go
+++ b/pkg/controller/volume/persistentvolume/config/types.go
@@ -28,10 +28,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
 PVClaimBinderSyncPeriod metav1.Duration
 // volumeConfiguration holds configuration for volume related features.
 VolumeConfiguration VolumeConfiguration
- // VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
+ // DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
 // controller from plugins.
 VolumeHostCIDRDenylist []string
- // VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
+ // DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
 // should be allowed from plugins.
 VolumeHostAllowLocalLoopback bool
 }
diff --git a/pkg/controller/volume/persistentvolume/pv_controller.go b/pkg/controller/volume/persistentvolume/pv_controller.go
index 562b2e0ab80..a1c8c43968a 100644
--- a/pkg/controller/volume/persistentvolume/pv_controller.go
+++ b/pkg/controller/volume/persistentvolume/pv_controller.go
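Review bot: The changed field comments use an inline `// DEPRECATED:` prefix, which Go tooling does not recognise; the convention is a separate paragraph starting `// Deprecated:` so staticcheck, gopls and pkgsite surface uses of the field. The surviving text also still says the CIDRs 'should not be reachable by the controller from plugins', which stops being true once the filtered dialer is removed, so say plainly that the field is ignored, e.g. `// VolumeHostCIDRDenylist is ignored; the dial filtering it configured has been removed.` followed by `//` and `// Deprecated: this field is a no-op and will be removed.` (and likewise for VolumeHostAllowLocalLoopback). The same wording is repeated in the v1alpha1 copy under staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go, and the zz_generated.openapi.go descriptions in this commit appear to be derived from that comment, so they should be regenerated after the wording change rather than edited by hand.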
@@ -47,7 +47,6 @@ import (
 "k8s.io/kubernetes/pkg/controller/volume/common"
 "k8s.io/kubernetes/pkg/controller/volume/events"
 "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 "k8s.io/kubernetes/pkg/util/goroutinemap"
 "k8s.io/kubernetes/pkg/util/goroutinemap/exponentialbackoff"
 vol "k8s.io/kubernetes/pkg/volume"
@@ -240,9 +239,6 @@ type PersistentVolumeController struct {
 
 translator CSINameTranslator
 csiMigratedPluginManager CSIMigratedPluginManager
-
- // filteredDialOptions configures any dialing done by the controller.
- filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 // syncClaim is the main controller method to decide what to do with a claim.
diff --git a/pkg/controller/volume/persistentvolume/pv_controller_base.go b/pkg/controller/volume/persistentvolume/pv_controller_base.go
index 7e3827d124d..6c7779d2d58 100644
--- a/pkg/controller/volume/persistentvolume/pv_controller_base.go
+++ b/pkg/controller/volume/persistentvolume/pv_controller_base.go
@@ -47,7 +47,6 @@ import (
 "k8s.io/kubernetes/pkg/controller/volume/common"
 "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
 "k8s.io/kubernetes/pkg/features"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 "k8s.io/kubernetes/pkg/util/goroutinemap"
 "k8s.io/kubernetes/pkg/util/slice"
 vol "k8s.io/kubernetes/pkg/volume"
@@ -75,7 +74,6 @@ type ControllerParameters struct {
 NodeInformer coreinformers.NodeInformer
 EventRecorder record.EventRecorder
 EnableDynamicProvisioning bool
- FilteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 // NewController creates a new PersistentVolume controller
@@ -148,8 +146,6 @@ func NewController(ctx context.Context, p ControllerParameters) (*PersistentVolu
 controller.translator = csiTranslator
 controller.csiMigratedPluginManager = csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate)
 
- controller.filteredDialOptions = p.FilteredDialOptions
-
 return controller, nil
 }
 
diff --git a/pkg/controller/volume/persistentvolume/volume_host.go b/pkg/controller/volume/persistentvolume/volume_host.go index 79794e41cdf..16eeb9c951f 100644 --- a/pkg/controller/volume/persistentvolume/volume_host.go +++ b/pkg/controller/volume/persistentvolume/volume_host.go @@ -30,7 +30,6 @@ import ( clientset "k8s.io/client-go/kubernetes" "k8s.io/client-go/tools/record" cloudprovider "k8s.io/cloud-provider" - proxyutil "k8s.io/kubernetes/pkg/proxy/util" vol "k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume/util/subpath" ) @@ -143,7 +142,3 @@ func (ctrl *PersistentVolumeController) GetSubpather() subpath.Interface { // No volume plugin needs Subpaths in PV controller. return nil } - -func (ctrl *PersistentVolumeController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions { - return ctrl.filteredDialOptions -} diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go index 9826f26cad7..c58c5ddc714 100644 --- a/pkg/generated/openapi/zz_generated.openapi.go +++ b/pkg/generated/openapi/zz_generated.openapi.go @@ -53332,7 +53332,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder }, "VolumeHostCIDRDenylist": { SchemaProps: spec.SchemaProps{ - Description: "VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.", + Description: "DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.", Type: []string{"array"}, Items: &spec.SchemaOrArray{ Schema: &spec.Schema{ 
@@ -53347,7 +53347,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder }, "VolumeHostAllowLocalLoopback": { SchemaProps: spec.SchemaProps{ - Description: "VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.", + Description: "DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.", Type: []string{"boolean"}, Format: "", }, diff --git a/pkg/kubelet/volume_host.go b/pkg/kubelet/volume_host.go index ec321b4066e..7a9a9f87122 100644 --- a/pkg/kubelet/volume_host.go +++ b/pkg/kubelet/volume_host.go @@ -38,7 +38,6 @@ import ( "k8s.io/kubernetes/pkg/kubelet/configmap" "k8s.io/kubernetes/pkg/kubelet/secret" "k8s.io/kubernetes/pkg/kubelet/token" - proxyutil "k8s.io/kubernetes/pkg/proxy/util" "k8s.io/kubernetes/pkg/volume" "k8s.io/kubernetes/pkg/volume/util" "k8s.io/kubernetes/pkg/volume/util/hostutil" @@ -152,11 +151,6 @@ func (kvh *kubeletVolumeHost) GetSubpather() subpath.Interface { return kvh.kubelet.subpather } -func (kvh *kubeletVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions { - // FilteredDial is not needed in the kubelet. - return nil -} - func (kvh *kubeletVolumeHost) GetHostUtil() hostutil.HostUtils { return kvh.kubelet.hostutil } diff --git a/pkg/proxy/util/utils.go b/pkg/proxy/util/utils.go index 44140e9fd97..b0bfc2b625c 100644 --- a/pkg/proxy/util/utils.go +++ b/pkg/proxy/util/utils.go @@ -22,7 +22,6 @@ import ( "errors" "fmt" "net" - "net/http" "strconv" "strings" 
@@ -136,16 +135,6 @@ func IsProxyableHostname(ctx context.Context, resolv Resolver, hostname string)
 return nil
 }
 
-// IsAllowedHost checks if the given IP host address is in a network in the denied list.
-func IsAllowedHost(host net.IP, denied []*net.IPNet) error {
- for _, ipNet := range denied {
- if ipNet.Contains(host) {
- return ErrAddressNotAllowed
- }
- }
- return nil
-}
-
 // GetLocalAddrs returns a list of all network addresses on the local system
 func GetLocalAddrs() ([]net.IP, error) {
 var localAddrs []net.IP
@@ -347,66 +336,6 @@ func EnsureSysctl(sysctl utilsysctl.Interface, name string, newVal int) error {
 return nil
 }
 
-// DialContext is a dial function matching the signature of net.Dialer.DialContext.
-type DialContext = func(context.Context, string, string) (net.Conn, error)
-
-// FilteredDialOptions configures how a DialContext is wrapped by NewFilteredDialContext.
-type FilteredDialOptions struct {
- // DialHostIPDenylist restricts hosts from being dialed.
- DialHostCIDRDenylist []*net.IPNet
- // AllowLocalLoopback controls connections to local loopback hosts (as defined by
- // IsProxyableIP).
- AllowLocalLoopback bool
-}
-
-// NewFilteredDialContext returns a DialContext function that filters connections based on a FilteredDialOptions.
-func NewFilteredDialContext(wrapped DialContext, resolv Resolver, opts *FilteredDialOptions) DialContext {
- if wrapped == nil {
- wrapped = http.DefaultTransport.(*http.Transport).DialContext
- }
- if opts == nil {
- // Do no filtering
- return wrapped
- }
- if resolv == nil {
- resolv = net.DefaultResolver
- }
- if len(opts.DialHostCIDRDenylist) == 0 && opts.AllowLocalLoopback {
- // Do no filtering.
- return wrapped
- }
- return func(ctx context.Context, network, address string) (net.Conn, error) {
- // DialContext is given host:port. LookupIPAddress expects host.
- addressToResolve, _, err := net.SplitHostPort(address)
- if err != nil {
- addressToResolve = address
- }
-
- resp, err := resolv.LookupIPAddr(ctx, addressToResolve)
- if err != nil {
- return nil, err
- }
-
- if len(resp) == 0 {
- return nil, ErrNoAddresses
- }
-
- for _, host := range resp {
- if !opts.AllowLocalLoopback {
- if err := isProxyableIP(host.IP); err != nil {
- return nil, err
- }
- }
- if opts.DialHostCIDRDenylist != nil {
- if err := IsAllowedHost(host.IP, opts.DialHostCIDRDenylist); err != nil {
- return nil, err
- }
- }
- }
- return wrapped(ctx, network, address)
- }
-}
-
 // GetClusterIPByFamily returns a service clusterip by family
 func GetClusterIPByFamily(ipFamily v1.IPFamily, service *v1.Service) string {
 // allowing skew
diff --git a/pkg/proxy/util/utils_test.go b/pkg/proxy/util/utils_test.go
index 81468bb2522..49c3528cf20 100644
--- a/pkg/proxy/util/utils_test.go
+++ b/pkg/proxy/util/utils_test.go
@@ -166,39 +166,6 @@ func TestIsProxyableHostname(t *testing.T) {
 }
 }
 
-func TestIsAllowedHost(t *testing.T) {
- testCases := []struct {
- ip string
- denied []string
- want error
- }{
- {"8.8.8.8", []string{}, nil},
- {"169.254.169.254", []string{"169.0.0.0/8"}, ErrAddressNotAllowed},
- {"169.254.169.254", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
- {"fce9:beef::", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
- {"127.0.0.1", []string{"127.0.0.1/32"}, ErrAddressNotAllowed},
- {"34.107.204.206", []string{"fce8::/15"}, nil},
- {"fce9:beef::", []string{"127.0.0.1/32"}, nil},
- {"34.107.204.206", []string{"127.0.0.1/32"}, nil},
- {"127.0.0.1", []string{}, nil},
- }
-
- for i := range testCases {
- var denyList []*net.IPNet
- for _, cidrStr := range testCases[i].denied {
- _, ipNet, err := netutils.ParseCIDRSloppy(cidrStr)
- if err != nil {
- t.Fatalf("bad IP for test case: %v: %v", cidrStr, err)
- }
- denyList = append(denyList, ipNet)
- }
- got := IsAllowedHost(netutils.ParseIPSloppy(testCases[i].ip), denyList)
- if testCases[i].want != got {
- t.Errorf("case %d: expected %v, got %v", i, testCases[i].want, got)
- }
- }
-}
-
 func TestShouldSkipService(t *testing.T) {
 testCases := []struct {
 service *v1.Service
@@ -278,125 +245,6 @@ func TestShouldSkipService(t *testing.T) {
 }
 }
 
-func TestNewFilteredDialContext(t *testing.T) {
-
- _, cidr, _ := netutils.ParseCIDRSloppy("1.1.1.1/28")
-
- testCases := []struct {
- name string
-
- // opts passed to NewFilteredDialContext
- opts *FilteredDialOptions
-
- // value passed to dial
- dial string
-
- // value expected to be passed to resolve
- expectResolve string
- // result from resolver
- resolveTo []net.IPAddr
- resolveErr error
-
- // expect the wrapped dialer to be called
- expectWrappedDial bool
- // expect an error result
- expectErr string
- }{
- {
- name: "allow with nil opts",
- opts: nil,
- dial: "127.0.0.1:8080",
- expectResolve: "", // resolver not called, no-op opts
- expectWrappedDial: true,
- expectErr: "",
- },
- {
- name: "allow localhost",
- opts: &FilteredDialOptions{AllowLocalLoopback: true},
- dial: "127.0.0.1:8080",
- expectResolve: "", // resolver not called, no-op opts
- expectWrappedDial: true,
- expectErr: "",
- },
- {
- name: "disallow localhost",
- opts: &FilteredDialOptions{AllowLocalLoopback: false},
- dial: "127.0.0.1:8080",
- expectResolve: "127.0.0.1",
- resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("127.0.0.1")}},
- expectWrappedDial: false,
- expectErr: "address not allowed",
- },
- {
- name: "disallow IP",
- opts: &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
- dial: "foo.com:8080",
- expectResolve: "foo.com",
- resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("1.1.1.1")}},
- expectWrappedDial: false,
- expectErr: "address not allowed",
- },
- {
- name: "allow IP",
- opts: &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
- dial: "foo.com:8080",
- expectResolve: "foo.com",
- resolveTo: []net.IPAddr{{IP: netutils.ParseIPSloppy("2.2.2.2")}},
- expectWrappedDial: true,
- expectErr: "",
- },
- }
-
- for _, tc := range testCases {
- t.Run(tc.name, func(t *testing.T) {
- wrappedDialer := &testDialer{}
- testResolver := &testResolver{addrs: tc.resolveTo, err: tc.resolveErr}
- dialer := NewFilteredDialContext(wrappedDialer.DialContext, testResolver, tc.opts)
- _, err := dialer(context.TODO(), "tcp", tc.dial)
-
- if tc.expectResolve != testResolver.resolveAddress {
- t.Fatalf("expected to resolve %s, got %s", tc.expectResolve, testResolver.resolveAddress)
- }
- if tc.expectWrappedDial != wrappedDialer.called {
- t.Fatalf("expected wrapped dialer called %v, got %v", tc.expectWrappedDial, wrappedDialer.called)
- }
-
- if err != nil {
- if len(tc.expectErr) == 0 {
- t.Fatalf("unexpected error: %v", err)
- } else if !strings.Contains(err.Error(), tc.expectErr) {
- t.Fatalf("expected error containing %q, got %v", tc.expectErr, err)
- }
- } else {
- if len(tc.expectErr) > 0 {
- t.Fatalf("expected error, got none")
- }
- }
- })
- }
-}
-
-type testDialer struct {
- called bool
-}
-
-func (t *testDialer) DialContext(_ context.Context, network, address string) (net.Conn, error) {
- t.called = true
- return nil, nil
-}
-
-type testResolver struct {
- addrs []net.IPAddr
- err error
-
- resolveAddress string
-}
-
-func (t *testResolver) LookupIPAddr(_ context.Context, address string) ([]net.IPAddr, error) {
- t.resolveAddress = address
- return t.addrs, t.err
-}
-
 func TestAppendPortIfNeeded(t *testing.T) {
 testCases := []struct {
 name string
diff --git a/pkg/volume/plugins.go b/pkg/volume/plugins.go
index 2b19f97f134..0b7b4e87e1c 100644
--- a/pkg/volume/plugins.go
+++ b/pkg/volume/plugins.go
@@ -40,7 +40,6 @@ import (
 "k8s.io/client-go/tools/cache"
 "k8s.io/client-go/tools/record"
 cloudprovider "k8s.io/cloud-provider"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 "k8s.io/kubernetes/pkg/volume/util/hostutil"
 "k8s.io/kubernetes/pkg/volume/util/recyclerclient"
 "k8s.io/kubernetes/pkg/volume/util/subpath"
@@ -443,9 +442,6 @@ type VolumeHost interface {
 
 // Returns an interface that should be used to execute subpath operations
 GetSubpather() subpath.Interface
-
- // Returns options to pass for proxyutil filtered dialers.
- GetFilteredDialOptions() *proxyutil.FilteredDialOptions
 }
 
 // VolumePluginMgr tracks registered plugins.
diff --git a/pkg/volume/testing/volume_host.go b/pkg/volume/testing/volume_host.go
index 78c4a70566a..e3557bb1b15 100644
--- a/pkg/volume/testing/volume_host.go
+++ b/pkg/volume/testing/volume_host.go
@@ -41,7 +41,6 @@ import (
 "k8s.io/client-go/tools/record"
 cloudprovider "k8s.io/cloud-provider"
 csilibplugins "k8s.io/csi-translation-lib/plugins"
- proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 . "k8s.io/kubernetes/pkg/volume"
 "k8s.io/kubernetes/pkg/volume/util/hostutil"
 "k8s.io/kubernetes/pkg/volume/util/subpath"
@@ -75,7 +74,6 @@ type fakeVolumeHost struct {
 informerFactory informers.SharedInformerFactory
 kubeletErr error
 mux sync.Mutex
- filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 var _ VolumeHost = &fakeVolumeHost{}
@@ -151,10 +149,6 @@ func (f *fakeVolumeHost) GetSubpather() subpath.Interface {
 return f.subpather
 }
 
-func (f *fakeVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
- return f.filteredDialOptions
-}
-
 func (f *fakeVolumeHost) GetPluginMgr() *VolumePluginMgr {
 return f.pluginMgr
 }
diff --git a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
index d74ca2f4946..952b2c2fc79 100644
--- a/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go
@@ -419,10 +419,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
 PVClaimBinderSyncPeriod metav1.Duration
 // volumeConfiguration holds configuration for volume related features.
 VolumeConfiguration VolumeConfiguration
- // VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
+ // DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
 // controller from plugins.
 VolumeHostCIDRDenylist []string
- // VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
+ // DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
 // should be allowed from plugins.
 VolumeHostAllowLocalLoopback *bool
 }
diff --git a/test/integration/volume/attach_detach_test.go b/test/integration/volume/attach_detach_test.go
index 56d3bc711db..a974ef64562 100644
--- a/test/integration/volume/attach_detach_test.go
+++ b/test/integration/volume/attach_detach_test.go
@@ -442,7 +442,6 @@ func createAdClients(t *testing.T, server *kubeapiservertesting.TestServer, sync
 false,
 5*time.Second,
 timers,
- nil, /* filteredDialOptions */
 )
 
 if err != nil {