Add a comment-only rule to the end of KUBE-FW-* chains

With the removal of the "-j KUBE-MARK-DROP" rules, the firewall chains
end rather ambiguously. Add a comment-only rule explaining what will
happen.
This commit is contained in:
Dan Winship
2022-12-13 14:02:57 -05:00
parent 00aae4c10c
commit 1870c4cdd7
3 changed files with 17 additions and 10 deletions


@@ -1360,8 +1360,12 @@ func (proxier *Proxier) syncProxyRules() {
}
}
// If the packet was able to reach the end of firewall chain,
// then it did not get DNATed and will be dropped later by the
// then it did not get DNATed, so it will match the
// corresponding KUBE-PROXY-FIREWALL rule.
proxier.natRules.Write(
"-A", string(fwChain),
"-m", "comment", "--comment", fmt.Sprintf(`"other traffic to %s will be dropped by KUBE-PROXY-FIREWALL"`, svcPortNameString),
)
}
// If Cluster policy is in use, create the chain and create rules jumping
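Review bot: the new rule has no `-j` target, so it is a pure no-op match appended to every KUBE-FW-* chain solely to document the fall-through; that is fine for readability, but it does add one rule per firewall chain to the nat table and every non-DNATed packet reaching the chain end is evaluated against it, so consider noting in the code comment that the rule is intentionally target-less (e.g. `// Comment-only rule: no target, the drop happens in KUBE-PROXY-FIREWALL`). Because the rule text becomes part of the rendered ruleset, the expected-output fixtures in the proxier tests need the matching `-A KUBE-FW-... -m comment --comment "other traffic to ... will be dropped by KUBE-PROXY-FIREWALL"` line; the header says 3 files changed, but only this file is shown here, so confirm those fixtures are updated in the same commit.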