Merge pull request #118128 from carlory/fix-issue-118120

remove helper function for unused storage feature in pkg/proxy/util

cmd/kube-controller-manager/app/core.go

@@ -43,7 +43,6 @@ import (
 	servicecontroller "k8s.io/cloud-provider/controllers/service"
 	"k8s.io/controller-manager/controller"
 	csitrans "k8s.io/csi-translation-lib"
-	"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
 	pkgcontroller "k8s.io/kubernetes/pkg/controller"
 	endpointcontroller "k8s.io/kubernetes/pkg/controller/endpoint"
 	"k8s.io/kubernetes/pkg/controller/garbagecollector"
@@ -255,12 +254,7 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
 	if err != nil {
 		return nil, true, fmt.Errorf("failed to probe volume plugins when starting persistentvolume controller: %v", err)
 	}
-	filteredDialOptions, err := options.ParseVolumeHostFilters(
+
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
-	if err != nil {
-		return nil, true, err
-	}
 	params := persistentvolumecontroller.ControllerParameters{
 		KubeClient:                controllerContext.ClientBuilder.ClientOrDie("persistent-volume-binder"),
 		SyncPeriod:                controllerContext.ComponentConfig.PersistentVolumeBinderController.PVClaimBinderSyncPeriod.Duration,
@@ -273,7 +267,6 @@ func startPersistentVolumeBinderController(ctx context.Context, controllerContex
 		PodInformer:               controllerContext.InformerFactory.Core().V1().Pods(),
 		NodeInformer:              controllerContext.InformerFactory.Core().V1().Nodes(),
 		EnableDynamicProvisioning: controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeConfiguration.EnableDynamicProvisioning,
-		FilteredDialOptions:       filteredDialOptions,
 	}
 	volumeController, volumeControllerErr := persistentvolumecontroller.NewController(ctx, params)
 	if volumeControllerErr != nil {
@@ -293,13 +286,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
 		return nil, true, fmt.Errorf("failed to probe volume plugins when starting attach/detach controller: %v", err)
 	}
 
-	filteredDialOptions, err := options.ParseVolumeHostFilters(
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
-	if err != nil {
-		return nil, true, err
-	}
-
 	ctx = klog.NewContext(ctx, logger)
 	attachDetachController, attachDetachControllerErr :=
 		attachdetach.NewAttachDetachController(
@@ -318,7 +304,6 @@ func startAttachDetachController(ctx context.Context, controllerContext Controll
 			controllerContext.ComponentConfig.AttachDetachController.DisableAttachDetachReconcilerSync,
 			controllerContext.ComponentConfig.AttachDetachController.ReconcilerSyncLoopPeriod.Duration,
 			attachdetach.DefaultTimerConfig,
-			filteredDialOptions,
 		)
 	if attachDetachControllerErr != nil {
 		return nil, true, fmt.Errorf("failed to start attach/detach controller: %v", attachDetachControllerErr)
@@ -334,12 +319,7 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
 		return nil, true, fmt.Errorf("failed to probe volume plugins when starting volume expand controller: %v", err)
 	}
 	csiTranslator := csitrans.New()
-	filteredDialOptions, err := options.ParseVolumeHostFilters(
+
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostCIDRDenylist,
-		controllerContext.ComponentConfig.PersistentVolumeBinderController.VolumeHostAllowLocalLoopback)
-	if err != nil {
-		return nil, true, err
-	}
 	expandController, expandControllerErr := expand.NewExpandController(
 		controllerContext.ClientBuilder.ClientOrDie("expand-controller"),
 		controllerContext.InformerFactory.Core().V1().PersistentVolumeClaims(),
@@ -347,7 +327,6 @@ func startVolumeExpandController(ctx context.Context, controllerContext Controll
 		plugins,
 		csiTranslator,
 		csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate),
-		filteredDialOptions,
 	)
 
 	if expandControllerErr != nil {

cmd/kube-controller-manager/app/options/options_test.go

@@ -1053,30 +1053,6 @@ func TestValidateControllersOptions(t *testing.T) {
 				},
 			}).Validate,
 		},
-		{
-			name:                   "PersistentVolumeBinderControllerOptions bad cidr deny list",
-			expectErrors:           true,
-			expectedErrorSubString: "bad --volume-host-ip-denylist/--volume-host-allow-local-loopback invalid CIDR",
-			validate: (&PersistentVolumeBinderControllerOptions{
-				&persistentvolumeconfig.PersistentVolumeBinderControllerConfiguration{
-					PVClaimBinderSyncPeriod: metav1.Duration{Duration: 30 * time.Second},
-					VolumeConfiguration: persistentvolumeconfig.VolumeConfiguration{
-						EnableDynamicProvisioning:  false,
-						EnableHostPathProvisioning: true,
-						FlexVolumePluginDir:        "/flex-volume-plugin",
-						PersistentVolumeRecyclerConfiguration: persistentvolumeconfig.PersistentVolumeRecyclerConfiguration{
-							MaximumRetry:             3,
-							MinimumTimeoutNFS:        200,
-							IncrementTimeoutNFS:      45,
-							MinimumTimeoutHostPath:   45,
-							IncrementTimeoutHostPath: 45,
-						},
-					},
-					VolumeHostCIDRDenylist:       []string{"127.0.0.1"},
-					VolumeHostAllowLocalLoopback: false,
-				},
-			}).Validate,
-		},
 		{
 			name:                   "StatefulSetControllerOptions ConcurrentStatefulSetSyncs equal 0",
 			expectErrors:           true,

cmd/kube-controller-manager/app/options/persistentvolumebindercontroller.go

@@ -17,13 +17,9 @@ limitations under the License.
 package options
 
 import (
-	"fmt"
-
 	"github.com/spf13/pflag"
 
 	persistentvolumeconfig "k8s.io/kubernetes/pkg/controller/volume/persistentvolume/config"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
-	netutils "k8s.io/utils/net"
 )
 
 // PersistentVolumeBinderControllerOptions holds the PersistentVolumeBinderController options.
@@ -48,7 +44,9 @@ func (o *PersistentVolumeBinderControllerOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&o.VolumeConfiguration.EnableDynamicProvisioning, "enable-dynamic-provisioning", o.VolumeConfiguration.EnableDynamicProvisioning, "Enable dynamic provisioning for environments that support it.")
 	fs.StringVar(&o.VolumeConfiguration.FlexVolumePluginDir, "flex-volume-plugin-dir", o.VolumeConfiguration.FlexVolumePluginDir, "Full path of the directory in which the flex volume plugin should search for additional third party volume plugins.")
 	fs.StringSliceVar(&o.VolumeHostCIDRDenylist, "volume-host-cidr-denylist", o.VolumeHostCIDRDenylist, "A comma-separated list of CIDR ranges to avoid from volume plugins.")
+	fs.MarkDeprecated("volume-host-cidr-denylist", "This flag is currently no-op and will be deleted.")
 	fs.BoolVar(&o.VolumeHostAllowLocalLoopback, "volume-host-allow-local-loopback", o.VolumeHostAllowLocalLoopback, "If false, deny local loopback IPs in addition to any CIDR ranges in --volume-host-cidr-denylist")
+	fs.MarkDeprecated("volume-host-allow-local-loopback", "This flag is currently no-op and will be deleted.")
 }
 
 // ApplyTo fills up PersistentVolumeBinderController config with options.
@@ -72,17 +70,5 @@ func (o *PersistentVolumeBinderControllerOptions) Validate() []error {
 	}
 
 	errs := []error{}
-	if _, err := ParseVolumeHostFilters(o.VolumeHostCIDRDenylist, o.VolumeHostAllowLocalLoopback); err != nil {
-		errs = append(errs, fmt.Errorf("bad --volume-host-ip-denylist/--volume-host-allow-local-loopback %w", err))
-	}
 	return errs
 }
-
-// ParseVolumeHostFilters process the --volume-host-ip-denylist and --volume-host-allow-local-loopback flags.
-func ParseVolumeHostFilters(denylist []string, allowLocalLoopback bool) (*proxyutil.FilteredDialOptions, error) {
-	denyCIDRs, err := netutils.ParseCIDRs(denylist)
-	if err != nil {
-		return nil, err
-	}
-	return &proxyutil.FilteredDialOptions{DialHostCIDRDenylist: denyCIDRs, AllowLocalLoopback: allowLocalLoopback}, nil
-}

pkg/controller/volume/attachdetach/attach_detach_controller.go

@@ -55,7 +55,6 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/statusupdater"
 	"k8s.io/kubernetes/pkg/controller/volume/attachdetach/util"
 	"k8s.io/kubernetes/pkg/controller/volume/common"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csi"
 	"k8s.io/kubernetes/pkg/volume/csimigration"
@@ -120,23 +119,21 @@ func NewAttachDetachController(
 	prober volume.DynamicPluginProber,
 	disableReconciliationSync bool,
 	reconcilerSyncDuration time.Duration,
-	timerConfig TimerConfig,
+	timerConfig TimerConfig) (AttachDetachController, error) {
-	filteredDialOptions *proxyutil.FilteredDialOptions) (AttachDetachController, error) {
 
 	adc := &attachDetachController{
-		kubeClient:          kubeClient,
+		kubeClient:  kubeClient,
-		pvcLister:           pvcInformer.Lister(),
+		pvcLister:   pvcInformer.Lister(),
-		pvcsSynced:          pvcInformer.Informer().HasSynced,
+		pvcsSynced:  pvcInformer.Informer().HasSynced,
-		pvLister:            pvInformer.Lister(),
+		pvLister:    pvInformer.Lister(),
-		pvsSynced:           pvInformer.Informer().HasSynced,
+		pvsSynced:   pvInformer.Informer().HasSynced,
-		podLister:           podInformer.Lister(),
+		podLister:   podInformer.Lister(),
-		podsSynced:          podInformer.Informer().HasSynced,
+		podsSynced:  podInformer.Informer().HasSynced,
-		podIndexer:          podInformer.Informer().GetIndexer(),
+		podIndexer:  podInformer.Informer().GetIndexer(),
-		nodeLister:          nodeInformer.Lister(),
+		nodeLister:  nodeInformer.Lister(),
-		nodesSynced:         nodeInformer.Informer().HasSynced,
+		nodesSynced: nodeInformer.Informer().HasSynced,
-		cloud:               cloud,
+		cloud:       cloud,
-		pvcQueue:            workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
+		pvcQueue:    workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "pvcs"),
-		filteredDialOptions: filteredDialOptions,
 	}
 
 	adc.csiNodeLister = csiNodeInformer.Lister()
@@ -325,9 +322,6 @@ type attachDetachController struct {
 
 	// intreeToCSITranslator translates from in-tree volume specs to CSI
 	intreeToCSITranslator csimigration.InTreeToCSITranslator
-
-	// filteredDialOptions configures any dialing done by the controller.
-	filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 func (adc *attachDetachController) Run(ctx context.Context) {
@@ -919,10 +913,6 @@ func (adc *attachDetachController) GetSubpather() subpath.Interface {
 	return nil
 }
 
-func (adc *attachDetachController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
-	return adc.filteredDialOptions
-}
-
 func (adc *attachDetachController) GetCSIDriverLister() storagelistersv1.CSIDriverLister {
 	return adc.csiDriverLister
 }

pkg/controller/volume/attachdetach/attach_detach_controller_test.go

@@ -65,7 +65,6 @@ func Test_NewAttachDetachController_Positive(t *testing.T) {
 		false,
 		5*time.Second,
 		DefaultTimerConfig,
-		nil, /* filteredDialOptions */
 	)
 
 	// Assert
@@ -195,7 +194,6 @@ func attachDetachRecoveryTestCase(t *testing.T, extraPods1 []*v1.Pod, extraPods2
 		false,
 		1*time.Second,
 		DefaultTimerConfig,
-		nil, /* filteredDialOptions */
 	)
 
 	if err != nil {
@@ -461,7 +459,6 @@ func volumeAttachmentRecoveryTestCase(t *testing.T, tc vaTest) {
 		false,
 		1*time.Second,
 		DefaultTimerConfig,
-		nil, /* filteredDialOptions */
 	)
 	if err != nil {
 		t.Fatalf("NewAttachDetachController failed with error. Expected: <no error> Actual: <%v>", err)

pkg/controller/volume/expand/expand_controller.go

@@ -45,7 +45,6 @@ import (
 	cloudprovider "k8s.io/cloud-provider"
 	"k8s.io/kubernetes/pkg/controller/volume/events"
 	"k8s.io/kubernetes/pkg/features"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/csimigration"
 	"k8s.io/kubernetes/pkg/volume/util"
@@ -97,8 +96,6 @@ type expandController struct {
 	translator CSINameTranslator
 
 	csiMigratedPluginManager csimigration.PluginManager
-
-	filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 // NewExpandController expands the pvs
@@ -108,8 +105,7 @@ func NewExpandController(
 	cloud cloudprovider.Interface,
 	plugins []volume.VolumePlugin,
 	translator CSINameTranslator,
-	csiMigratedPluginManager csimigration.PluginManager,
+	csiMigratedPluginManager csimigration.PluginManager) (ExpandController, error) {
-	filteredDialOptions *proxyutil.FilteredDialOptions) (ExpandController, error) {
 
 	expc := &expandController{
 		kubeClient:               kubeClient,
@@ -119,7 +115,6 @@ func NewExpandController(
 		queue:                    workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "volume_expand"),
 		translator:               translator,
 		csiMigratedPluginManager: csiMigratedPluginManager,
-		filteredDialOptions:      filteredDialOptions,
 	}
 
 	if err := expc.volumePluginMgr.InitPlugins(plugins, nil, expc); err != nil {
@@ -479,7 +474,3 @@ func (expc *expandController) GetSubpather() subpath.Interface {
 	// not needed for expand controller
 	return nil
 }
-
-func (expc *expandController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
-	return expc.filteredDialOptions
-}

pkg/controller/volume/expand/expand_controller_test.go

@@ -106,7 +106,7 @@ func TestSyncHandler(t *testing.T) {
 		}
 		allPlugins := []volume.VolumePlugin{}
 		translator := csitrans.New()
-		expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate), nil)
+		expc, err := NewExpandController(fakeKubeClient, pvcInformer, nil, allPlugins, translator, csimigration.NewPluginManager(translator, utilfeature.DefaultFeatureGate))
 		if err != nil {
 			t.Fatalf("error creating expand controller : %v", err)
 		}

pkg/controller/volume/persistentvolume/config/types.go

@@ -28,10 +28,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
 	PVClaimBinderSyncPeriod metav1.Duration
 	// volumeConfiguration holds configuration for volume related features.
 	VolumeConfiguration VolumeConfiguration
-	// VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
+	// DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
 	// controller from plugins.
 	VolumeHostCIDRDenylist []string
-	// VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
+	// DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
 	// should be allowed from plugins.
 	VolumeHostAllowLocalLoopback bool
 }

pkg/controller/volume/persistentvolume/pv_controller.go

@@ -47,7 +47,6 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/common"
 	"k8s.io/kubernetes/pkg/controller/volume/events"
 	"k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/util/goroutinemap"
 	"k8s.io/kubernetes/pkg/util/goroutinemap/exponentialbackoff"
 	vol "k8s.io/kubernetes/pkg/volume"
@@ -240,9 +239,6 @@ type PersistentVolumeController struct {
 
 	translator               CSINameTranslator
 	csiMigratedPluginManager CSIMigratedPluginManager
-
-	// filteredDialOptions configures any dialing done by the controller.
-	filteredDialOptions *proxyutil.FilteredDialOptions
 }
 
 // syncClaim is the main controller method to decide what to do with a claim.

pkg/controller/volume/persistentvolume/pv_controller_base.go

@@ -47,7 +47,6 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/common"
 	"k8s.io/kubernetes/pkg/controller/volume/persistentvolume/metrics"
 	"k8s.io/kubernetes/pkg/features"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/util/goroutinemap"
 	"k8s.io/kubernetes/pkg/util/slice"
 	vol "k8s.io/kubernetes/pkg/volume"
@@ -75,7 +74,6 @@ type ControllerParameters struct {
 	NodeInformer              coreinformers.NodeInformer
 	EventRecorder             record.EventRecorder
 	EnableDynamicProvisioning bool
-	FilteredDialOptions       *proxyutil.FilteredDialOptions
 }
 
 // NewController creates a new PersistentVolume controller
@@ -148,8 +146,6 @@ func NewController(ctx context.Context, p ControllerParameters) (*PersistentVolu
 	controller.translator = csiTranslator
 	controller.csiMigratedPluginManager = csimigration.NewPluginManager(csiTranslator, utilfeature.DefaultFeatureGate)
 
-	controller.filteredDialOptions = p.FilteredDialOptions
-
 	return controller, nil
 }
 

pkg/controller/volume/persistentvolume/volume_host.go

@@ -30,7 +30,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/record"
 	cloudprovider "k8s.io/cloud-provider"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	vol "k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/util/subpath"
 )
@@ -143,7 +142,3 @@ func (ctrl *PersistentVolumeController) GetSubpather() subpath.Interface {
 	// No volume plugin needs Subpaths in PV controller.
 	return nil
 }
-
-func (ctrl *PersistentVolumeController) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
-	return ctrl.filteredDialOptions
-}

pkg/generated/openapi/zz_generated.openapi.go

@@ -53332,7 +53332,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
 					},
 					"VolumeHostCIDRDenylist": {
 						SchemaProps: spec.SchemaProps{
-							Description: "VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.",
+							Description: "DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the controller from plugins.",
 							Type:        []string{"array"},
 							Items: &spec.SchemaOrArray{
 								Schema: &spec.Schema{
@@ -53347,7 +53347,7 @@ func schema_k8sio_kube_controller_manager_config_v1alpha1_PersistentVolumeBinder
 					},
 					"VolumeHostAllowLocalLoopback": {
 						SchemaProps: spec.SchemaProps{
-							Description: "VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.",
+							Description: "DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc) should be allowed from plugins.",
 							Type:        []string{"boolean"},
 							Format:      "",
 						},

pkg/kubelet/volume_host.go

@@ -38,7 +38,6 @@ import (
 	"k8s.io/kubernetes/pkg/kubelet/configmap"
 	"k8s.io/kubernetes/pkg/kubelet/secret"
 	"k8s.io/kubernetes/pkg/kubelet/token"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/util"
 	"k8s.io/kubernetes/pkg/volume/util/hostutil"
@@ -152,11 +151,6 @@ func (kvh *kubeletVolumeHost) GetSubpather() subpath.Interface {
 	return kvh.kubelet.subpather
 }
 
-func (kvh *kubeletVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
-	// FilteredDial is not needed in the kubelet.
-	return nil
-}
-
 func (kvh *kubeletVolumeHost) GetHostUtil() hostutil.HostUtils {
 	return kvh.kubelet.hostutil
 }

pkg/proxy/util/utils.go

@@ -22,7 +22,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"net/http"
 	"strconv"
 	"strings"
 
@@ -136,16 +135,6 @@ func IsProxyableHostname(ctx context.Context, resolv Resolver, hostname string)
 	return nil
 }
 
-// IsAllowedHost checks if the given IP host address is in a network in the denied list.
-func IsAllowedHost(host net.IP, denied []*net.IPNet) error {
-	for _, ipNet := range denied {
-		if ipNet.Contains(host) {
-			return ErrAddressNotAllowed
-		}
-	}
-	return nil
-}
-
 // GetLocalAddrs returns a list of all network addresses on the local system
 func GetLocalAddrs() ([]net.IP, error) {
 	var localAddrs []net.IP
@@ -347,66 +336,6 @@ func EnsureSysctl(sysctl utilsysctl.Interface, name string, newVal int) error {
 	return nil
 }
 
-// DialContext is a dial function matching the signature of net.Dialer.DialContext.
-type DialContext = func(context.Context, string, string) (net.Conn, error)
-
-// FilteredDialOptions configures how a DialContext is wrapped by NewFilteredDialContext.
-type FilteredDialOptions struct {
-	// DialHostIPDenylist restricts hosts from being dialed.
-	DialHostCIDRDenylist []*net.IPNet
-	// AllowLocalLoopback controls connections to local loopback hosts (as defined by
-	// IsProxyableIP).
-	AllowLocalLoopback bool
-}
-
-// NewFilteredDialContext returns a DialContext function that filters connections based on a FilteredDialOptions.
-func NewFilteredDialContext(wrapped DialContext, resolv Resolver, opts *FilteredDialOptions) DialContext {
-	if wrapped == nil {
-		wrapped = http.DefaultTransport.(*http.Transport).DialContext
-	}
-	if opts == nil {
-		// Do no filtering
-		return wrapped
-	}
-	if resolv == nil {
-		resolv = net.DefaultResolver
-	}
-	if len(opts.DialHostCIDRDenylist) == 0 && opts.AllowLocalLoopback {
-		// Do no filtering.
-		return wrapped
-	}
-	return func(ctx context.Context, network, address string) (net.Conn, error) {
-		// DialContext is given host:port. LookupIPAddress expects host.
-		addressToResolve, _, err := net.SplitHostPort(address)
-		if err != nil {
-			addressToResolve = address
-		}
-
-		resp, err := resolv.LookupIPAddr(ctx, addressToResolve)
-		if err != nil {
-			return nil, err
-		}
-
-		if len(resp) == 0 {
-			return nil, ErrNoAddresses
-		}
-
-		for _, host := range resp {
-			if !opts.AllowLocalLoopback {
-				if err := isProxyableIP(host.IP); err != nil {
-					return nil, err
-				}
-			}
-			if opts.DialHostCIDRDenylist != nil {
-				if err := IsAllowedHost(host.IP, opts.DialHostCIDRDenylist); err != nil {
-					return nil, err
-				}
-			}
-		}
-		return wrapped(ctx, network, address)
-	}
-}
-
 // GetClusterIPByFamily returns a service clusterip by family
 func GetClusterIPByFamily(ipFamily v1.IPFamily, service *v1.Service) string {
 	// allowing skew

pkg/proxy/util/utils_test.go

@@ -166,39 +166,6 @@ func TestIsProxyableHostname(t *testing.T) {
 	}
 }
 
-func TestIsAllowedHost(t *testing.T) {
-	testCases := []struct {
-		ip     string
-		denied []string
-		want   error
-	}{
-		{"8.8.8.8", []string{}, nil},
-		{"169.254.169.254", []string{"169.0.0.0/8"}, ErrAddressNotAllowed},
-		{"169.254.169.254", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
-		{"fce9:beef::", []string{"fce8::/15", "169.254.169.0/24"}, ErrAddressNotAllowed},
-		{"127.0.0.1", []string{"127.0.0.1/32"}, ErrAddressNotAllowed},
-		{"34.107.204.206", []string{"fce8::/15"}, nil},
-		{"fce9:beef::", []string{"127.0.0.1/32"}, nil},
-		{"34.107.204.206", []string{"127.0.0.1/32"}, nil},
-		{"127.0.0.1", []string{}, nil},
-	}
-
-	for i := range testCases {
-		var denyList []*net.IPNet
-		for _, cidrStr := range testCases[i].denied {
-			_, ipNet, err := netutils.ParseCIDRSloppy(cidrStr)
-			if err != nil {
-				t.Fatalf("bad IP for test case: %v: %v", cidrStr, err)
-			}
-			denyList = append(denyList, ipNet)
-		}
-		got := IsAllowedHost(netutils.ParseIPSloppy(testCases[i].ip), denyList)
-		if testCases[i].want != got {
-			t.Errorf("case %d: expected %v, got %v", i, testCases[i].want, got)
-		}
-	}
-}
-
 func TestShouldSkipService(t *testing.T) {
 	testCases := []struct {
 		service    *v1.Service
@@ -278,125 +245,6 @@ func TestShouldSkipService(t *testing.T) {
 	}
 }
 
-func TestNewFilteredDialContext(t *testing.T) {
-
-	_, cidr, _ := netutils.ParseCIDRSloppy("1.1.1.1/28")
-
-	testCases := []struct {
-		name string
-
-		// opts passed to NewFilteredDialContext
-		opts *FilteredDialOptions
-
-		// value passed to dial
-		dial string
-
-		// value expected to be passed to resolve
-		expectResolve string
-		// result from resolver
-		resolveTo  []net.IPAddr
-		resolveErr error
-
-		// expect the wrapped dialer to be called
-		expectWrappedDial bool
-		// expect an error result
-		expectErr string
-	}{
-		{
-			name:              "allow with nil opts",
-			opts:              nil,
-			dial:              "127.0.0.1:8080",
-			expectResolve:     "", // resolver not called, no-op opts
-			expectWrappedDial: true,
-			expectErr:         "",
-		},
-		{
-			name:              "allow localhost",
-			opts:              &FilteredDialOptions{AllowLocalLoopback: true},
-			dial:              "127.0.0.1:8080",
-			expectResolve:     "", // resolver not called, no-op opts
-			expectWrappedDial: true,
-			expectErr:         "",
-		},
-		{
-			name:              "disallow localhost",
-			opts:              &FilteredDialOptions{AllowLocalLoopback: false},
-			dial:              "127.0.0.1:8080",
-			expectResolve:     "127.0.0.1",
-			resolveTo:         []net.IPAddr{{IP: netutils.ParseIPSloppy("127.0.0.1")}},
-			expectWrappedDial: false,
-			expectErr:         "address not allowed",
-		},
-		{
-			name:              "disallow IP",
-			opts:              &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
-			dial:              "foo.com:8080",
-			expectResolve:     "foo.com",
-			resolveTo:         []net.IPAddr{{IP: netutils.ParseIPSloppy("1.1.1.1")}},
-			expectWrappedDial: false,
-			expectErr:         "address not allowed",
-		},
-		{
-			name:              "allow IP",
-			opts:              &FilteredDialOptions{AllowLocalLoopback: false, DialHostCIDRDenylist: []*net.IPNet{cidr}},
-			dial:              "foo.com:8080",
-			expectResolve:     "foo.com",
-			resolveTo:         []net.IPAddr{{IP: netutils.ParseIPSloppy("2.2.2.2")}},
-			expectWrappedDial: true,
-			expectErr:         "",
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			wrappedDialer := &testDialer{}
-			testResolver := &testResolver{addrs: tc.resolveTo, err: tc.resolveErr}
-			dialer := NewFilteredDialContext(wrappedDialer.DialContext, testResolver, tc.opts)
-			_, err := dialer(context.TODO(), "tcp", tc.dial)
-
-			if tc.expectResolve != testResolver.resolveAddress {
-				t.Fatalf("expected to resolve %s, got %s", tc.expectResolve, testResolver.resolveAddress)
-			}
-			if tc.expectWrappedDial != wrappedDialer.called {
-				t.Fatalf("expected wrapped dialer called %v, got %v", tc.expectWrappedDial, wrappedDialer.called)
-			}
-
-			if err != nil {
-				if len(tc.expectErr) == 0 {
-					t.Fatalf("unexpected error: %v", err)
-				} else if !strings.Contains(err.Error(), tc.expectErr) {
-					t.Fatalf("expected error containing %q, got %v", tc.expectErr, err)
-				}
-			} else {
-				if len(tc.expectErr) > 0 {
-					t.Fatalf("expected error, got none")
-				}
-			}
-		})
-	}
-}
-
-type testDialer struct {
-	called bool
-}
-
-func (t *testDialer) DialContext(_ context.Context, network, address string) (net.Conn, error) {
-	t.called = true
-	return nil, nil
-}
-
-type testResolver struct {
-	addrs []net.IPAddr
-	err   error
-
-	resolveAddress string
-}
-
-func (t *testResolver) LookupIPAddr(_ context.Context, address string) ([]net.IPAddr, error) {
-	t.resolveAddress = address
-	return t.addrs, t.err
-}
-
 func TestAppendPortIfNeeded(t *testing.T) {
 	testCases := []struct {
 		name   string

pkg/volume/plugins.go

@@ -40,7 +40,6 @@ import (
 	"k8s.io/client-go/tools/cache"
 	"k8s.io/client-go/tools/record"
 	cloudprovider "k8s.io/cloud-provider"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	"k8s.io/kubernetes/pkg/volume/util/hostutil"
 	"k8s.io/kubernetes/pkg/volume/util/recyclerclient"
 	"k8s.io/kubernetes/pkg/volume/util/subpath"
@@ -443,9 +442,6 @@ type VolumeHost interface {
 
 	// Returns an interface that should be used to execute subpath operations
 	GetSubpather() subpath.Interface
-
-	// Returns options to pass for proxyutil filtered dialers.
-	GetFilteredDialOptions() *proxyutil.FilteredDialOptions
 }
 
 // VolumePluginMgr tracks registered plugins.

pkg/volume/testing/volume_host.go

@@ -41,7 +41,6 @@ import (
 	"k8s.io/client-go/tools/record"
 	cloudprovider "k8s.io/cloud-provider"
 	csilibplugins "k8s.io/csi-translation-lib/plugins"
-	proxyutil "k8s.io/kubernetes/pkg/proxy/util"
 	. "k8s.io/kubernetes/pkg/volume"
 	"k8s.io/kubernetes/pkg/volume/util/hostutil"
 	"k8s.io/kubernetes/pkg/volume/util/subpath"
@@ -75,7 +74,6 @@ type fakeVolumeHost struct {
 	informerFactory        informers.SharedInformerFactory
 	kubeletErr             error
 	mux                    sync.Mutex
-	filteredDialOptions    *proxyutil.FilteredDialOptions
 }
 
 var _ VolumeHost = &fakeVolumeHost{}
@@ -151,10 +149,6 @@ func (f *fakeVolumeHost) GetSubpather() subpath.Interface {
 	return f.subpather
 }
 
-func (f *fakeVolumeHost) GetFilteredDialOptions() *proxyutil.FilteredDialOptions {
-	return f.filteredDialOptions
-}
-
 func (f *fakeVolumeHost) GetPluginMgr() *VolumePluginMgr {
 	return f.pluginMgr
 }

staging/src/k8s.io/kube-controller-manager/config/v1alpha1/types.go

@@ -419,10 +419,10 @@ type PersistentVolumeBinderControllerConfiguration struct {
 	PVClaimBinderSyncPeriod metav1.Duration
 	// volumeConfiguration holds configuration for volume related features.
 	VolumeConfiguration VolumeConfiguration
-	// VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
+	// DEPRECATED: VolumeHostCIDRDenylist is a list of CIDRs that should not be reachable by the
 	// controller from plugins.
 	VolumeHostCIDRDenylist []string
-	// VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
+	// DEPRECATED: VolumeHostAllowLocalLoopback indicates if local loopback hosts (127.0.0.1, etc)
 	// should be allowed from plugins.
 	VolumeHostAllowLocalLoopback *bool
 }

test/integration/volume/attach_detach_test.go

@@ -442,7 +442,6 @@ func createAdClients(t *testing.T, server *kubeapiservertesting.TestServer, sync
 		false,
 		5*time.Second,
 		timers,
-		nil, /* filteredDialOptions */
 	)
 
 	if err != nil {