diff --git a/hack/.golint_failures b/hack/.golint_failures
index c30c4d59e6b..f65ca6ce32b 100644
--- a/hack/.golint_failures
+++ b/hack/.golint_failures
@@ -183,7 +183,6 @@ pkg/security/podsecuritypolicy/util
 pkg/serviceaccount
 pkg/ssh
 pkg/util/config
-pkg/util/ebtables
 pkg/util/goroutinemap/exponentialbackoff
 pkg/util/labels # See previous effort in PR #80685
 pkg/util/oom
diff --git a/pkg/kubelet/dockershim/network/kubenet/BUILD b/pkg/kubelet/dockershim/network/kubenet/BUILD
index 6597874820e..8ce97c31d3b 100644
--- a/pkg/kubelet/dockershim/network/kubenet/BUILD
+++ b/pkg/kubelet/dockershim/network/kubenet/BUILD
@@ -27,7 +27,6 @@ go_library(
 "//pkg/kubelet/dockershim/network:go_default_library",
 "//pkg/kubelet/dockershim/network/hostport:go_default_library",
 "//pkg/util/bandwidth:go_default_library",
- "//pkg/util/ebtables:go_default_library",
 "//pkg/util/iptables:go_default_library",
 "//pkg/util/sysctl:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
@@ -42,6 +41,7 @@ go_library(
 "//vendor/k8s.io/klog/v2:go_default_library",
 "//vendor/k8s.io/utils/exec:go_default_library",
 "//vendor/k8s.io/utils/net:go_default_library",
+ "//vendor/k8s.io/utils/net/ebtables:go_default_library",
 ],
 "@io_bazel_rules_go//go/platform:darwin": [
 "//pkg/kubelet/apis/config:go_default_library",
@@ -80,7 +80,6 @@ go_library(
 "//pkg/kubelet/dockershim/network:go_default_library",
 "//pkg/kubelet/dockershim/network/hostport:go_default_library",
 "//pkg/util/bandwidth:go_default_library",
- "//pkg/util/ebtables:go_default_library",
 "//pkg/util/iptables:go_default_library",
 "//pkg/util/sysctl:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/errors:go_default_library",
@@ -95,6 +94,7 @@ go_library( "//vendor/k8s.io/klog/v2:go_default_library", "//vendor/k8s.io/utils/exec:go_default_library", "//vendor/k8s.io/utils/net:go_default_library", + "//vendor/k8s.io/utils/net/ebtables:go_default_library", ], "@io_bazel_rules_go//go/platform:nacl": [ "//pkg/kubelet/apis/config:go_default_library", diff --git a/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go b/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go index 40158ea619b..0752e796e59 100644 --- a/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go +++ b/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go @@ -41,10 +41,10 @@ import ( "k8s.io/kubernetes/pkg/kubelet/dockershim/network" "k8s.io/kubernetes/pkg/kubelet/dockershim/network/hostport" "k8s.io/kubernetes/pkg/util/bandwidth" - utilebtables "k8s.io/kubernetes/pkg/util/ebtables" utiliptables "k8s.io/kubernetes/pkg/util/iptables" utilsysctl "k8s.io/kubernetes/pkg/util/sysctl" utilexec "k8s.io/utils/exec" + utilebtables "k8s.io/utils/net/ebtables" utilfeature "k8s.io/apiserver/pkg/util/feature" kubefeatures "k8s.io/kubernetes/pkg/features" diff --git a/pkg/util/BUILD b/pkg/util/BUILD index 3ec7967094f..53fd073fd98 100644 --- a/pkg/util/BUILD +++ b/pkg/util/BUILD @@ -16,7 +16,6 @@ filegroup( "//pkg/util/config:all-srcs", "//pkg/util/conntrack:all-srcs", "//pkg/util/coverage:all-srcs", - "//pkg/util/ebtables:all-srcs", "//pkg/util/env:all-srcs", "//pkg/util/filesystem:all-srcs", "//pkg/util/flag:all-srcs", diff --git a/pkg/util/ebtables/BUILD b/pkg/util/ebtables/BUILD deleted file mode 100644 index 89f51a6db6d..00000000000 --- a/pkg/util/ebtables/BUILD +++ /dev/null 
@@ -1,37 +0,0 @@
-package(default_visibility = ["//visibility:public"])
-
-load(
- "@io_bazel_rules_go//go:def.bzl",
- "go_library",
- "go_test",
-)
-
-go_library(
- name = "go_default_library",
- srcs = ["ebtables.go"],
- importpath = "k8s.io/kubernetes/pkg/util/ebtables",
- deps = ["//vendor/k8s.io/utils/exec:go_default_library"],
-)
-
-go_test(
- name = "go_default_test",
- srcs = ["ebtables_test.go"],
- embed = [":go_default_library"],
- deps = [
- "//vendor/k8s.io/utils/exec:go_default_library",
- "//vendor/k8s.io/utils/exec/testing:go_default_library",
- ],
-)
-
-filegroup(
- name = "package-srcs",
- srcs = glob(["**"]),
- tags = ["automanaged"],
- visibility = ["//visibility:private"],
-)
-
-filegroup(
- name = "all-srcs",
- srcs = [":package-srcs"],
- tags = ["automanaged"],
-)
diff --git a/pkg/util/ebtables/OWNERS b/pkg/util/ebtables/OWNERS
deleted file mode 100644
index 37bfd526680..00000000000
--- a/pkg/util/ebtables/OWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-reviewers:
-- sig-network-reviewers
-approvers:
-- sig-network-approvers
-labels:
-- sig/network
diff --git a/pkg/util/ebtables/ebtables_test.go b/pkg/util/ebtables/ebtables_test.go
deleted file mode 100644
index 9933493f6ec..00000000000
--- a/pkg/util/ebtables/ebtables_test.go
+++ /dev/null
@@ -1,169 +0,0 @@ -/* -Copyright 2016 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package ebtables - -import ( - "strings" - "testing" - - "k8s.io/utils/exec" - fakeexec "k8s.io/utils/exec/testing" -) - -func TestEnsureChain(t *testing.T) { - fcmd := fakeexec.FakeCmd{ - CombinedOutputScript: []fakeexec.FakeAction{ - // Does not Exists - func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} }, - // Success - func() ([]byte, []byte, error) { return []byte{}, nil, nil }, - // Exists - func() ([]byte, []byte, error) { return nil, nil, nil }, - // Does not Exists - func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 1} }, - // Fail to create chain - func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} }, - }, - } - fexec := fakeexec.FakeExec{ - CommandScript: []fakeexec.FakeCommandAction{ - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) 
}, - }, - } - - runner := New(&fexec) - exists, err := runner.EnsureChain(TableFilter, "TEST-CHAIN") - if exists { - t.Errorf("expected exists = false") - } - if err != nil { - t.Errorf("expected err = nil") - } - - exists, err = runner.EnsureChain(TableFilter, "TEST-CHAIN") - if !exists { - t.Errorf("expected exists = true") - } - if err != nil { - t.Errorf("expected err = nil") - } - - exists, err = runner.EnsureChain(TableFilter, "TEST-CHAIN") - if exists { - t.Errorf("expected exists = false") - } - errStr := "Failed to ensure TEST-CHAIN chain: exit 2, output:" - if err == nil || !strings.Contains(err.Error(), errStr) { - t.Errorf("expected error: %q", errStr) - } -} - -func TestEnsureRule(t *testing.T) { - fcmd := fakeexec.FakeCmd{ - CombinedOutputScript: []fakeexec.FakeAction{ - // Exists - func() ([]byte, []byte, error) { - return []byte(`Bridge table: filter - -Bridge chain: OUTPUT, entries: 4, policy: ACCEPT --j TEST -`), nil, nil - }, - // Does not Exists. - func() ([]byte, []byte, error) { - return []byte(`Bridge table: filter - -Bridge chain: TEST, entries: 0, policy: ACCEPT`), nil, nil - }, - // Fail to create - func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} }, - }, - } - fexec := fakeexec.FakeExec{ - CommandScript: []fakeexec.FakeCommandAction{ - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) 
}, - }, - } - - runner := New(&fexec) - - exists, err := runner.EnsureRule(Append, TableFilter, ChainOutput, "-j", "TEST") - if !exists { - t.Errorf("expected exists = true") - } - if err != nil { - t.Errorf("expected err = nil") - } - - exists, err = runner.EnsureRule(Append, TableFilter, ChainOutput, "-j", "NEXT-TEST") - if exists { - t.Errorf("expected exists = false") - } - errStr := "Failed to ensure rule: exit 2, output: " - if err == nil || err.Error() != errStr { - t.Errorf("expected error: %q", errStr) - } -} - -func TestDeleteRule(t *testing.T) { - fcmd := fakeexec.FakeCmd{ - CombinedOutputScript: []fakeexec.FakeAction{ - // Exists - func() ([]byte, []byte, error) { - return []byte(`Bridge table: filter - -Bridge chain: OUTPUT, entries: 4, policy: ACCEPT --j TEST -`), nil, nil - }, - // Fail to delete - func() ([]byte, []byte, error) { return nil, nil, &fakeexec.FakeExitError{Status: 2} }, - // Does not Exists. - func() ([]byte, []byte, error) { - return []byte(`Bridge table: filter - -Bridge chain: TEST, entries: 0, policy: ACCEPT`), nil, nil - }, - }, - } - fexec := fakeexec.FakeExec{ - CommandScript: []fakeexec.FakeCommandAction{ - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - func(cmd string, args ...string) exec.Cmd { return fakeexec.InitFakeCmd(&fcmd, cmd, args...) }, - }, - } - - runner := New(&fexec) - - err := runner.DeleteRule(TableFilter, ChainOutput, "-j", "TEST") - errStr := "Failed to delete rule: exit 2, output: " - if err == nil || err.Error() != errStr { - t.Errorf("expected error: %q", errStr) - } - - err = runner.DeleteRule(TableFilter, ChainOutput, "-j", "TEST") - if err != nil { - t.Errorf("expected err = nil") - } -} diff --git a/test/e2e/framework/.import-restrictions b/test/e2e/framework/.import-restrictions index 207dc8f8c15..a5521e3a3e6 100644 
--- a/test/e2e/framework/.import-restrictions +++ b/test/e2e/framework/.import-restrictions @@ -206,7 +206,6 @@ rules: - k8s.io/kubernetes/pkg/util/config - k8s.io/kubernetes/pkg/util/configz - k8s.io/kubernetes/pkg/util/conntrack - - k8s.io/kubernetes/pkg/util/ebtables - k8s.io/kubernetes/pkg/util/env - k8s.io/kubernetes/pkg/util/filesystem - k8s.io/kubernetes/pkg/util/flag diff --git a/vendor/k8s.io/utils/net/BUILD b/vendor/k8s.io/utils/net/BUILD index 704e873064a..0c06e4cf6da 100644 --- a/vendor/k8s.io/utils/net/BUILD +++ b/vendor/k8s.io/utils/net/BUILD @@ -21,7 +21,10 @@ filegroup( filegroup( name = "all-srcs", - srcs = [":package-srcs"], + srcs = [ + ":package-srcs", + "//vendor/k8s.io/utils/net/ebtables:all-srcs", + ], tags = ["automanaged"], visibility = ["//visibility:public"], ) diff --git a/vendor/k8s.io/utils/net/ebtables/BUILD b/vendor/k8s.io/utils/net/ebtables/BUILD new file mode 100644 index 00000000000..30a92c3c4b1 --- /dev/null +++ b/vendor/k8s.io/utils/net/ebtables/BUILD @@ -0,0 +1,24 @@ +load("@io_bazel_rules_go//go:def.bzl", "go_library") + +go_library( + name = "go_default_library", + srcs = ["ebtables.go"], + importmap = "k8s.io/kubernetes/vendor/k8s.io/utils/net/ebtables", + importpath = "k8s.io/utils/net/ebtables", + visibility = ["//visibility:public"], + deps = ["//vendor/k8s.io/utils/exec:go_default_library"], +) + +filegroup( + name = "package-srcs", + srcs = glob(["**"]), + tags = ["automanaged"], + visibility = ["//visibility:private"], +) + +filegroup( + name = "all-srcs", + srcs = [":package-srcs"], + tags = ["automanaged"], + visibility = ["//visibility:public"], +) diff --git a/pkg/util/ebtables/ebtables.go b/vendor/k8s.io/utils/net/ebtables/ebtables.go similarity index 92% rename from pkg/util/ebtables/ebtables.go rename to vendor/k8s.io/utils/net/ebtables/ebtables.go index 4ff25b0b242..3e984a27ee4 100644 --- a/pkg/util/ebtables/ebtables.go +++ b/vendor/k8s.io/utils/net/ebtables/ebtables.go 
@@ -14,6 +14,9 @@ See the License for the specific language governing permissions and limitations under the License. */ +// Package ebtables allows to control the ebtables Linux-based bridging firewall. +// Both chains and rules can be added, deleted and modified. +// For ebtables specific documentation see: http://ebtables.netfilter.org/ package ebtables import ( @@ -31,23 +34,29 @@ const ( fullMac = "--Lmac2" ) +// RulePosition is the rule position within a table type RulePosition string +// Relative position for a new rule const ( Prepend RulePosition = "-I" Append RulePosition = "-A" ) +// Table is an Ebtables table type type Table string +// Tables available in ebtables by default const ( TableNAT Table = "nat" TableFilter Table = "filter" TableBroute Table = "broute" ) +// Chain is an Ebtables chain type type Chain string +// Chains that are built-in in ebtables const ( ChainPostrouting Chain = "POSTROUTING" ChainPrerouting Chain = "PREROUTING" @@ -68,7 +77,7 @@ const ( opDeleteRule operation = "-D" ) -// An injectable interface for running ebtables commands. Implementations must be goroutine-safe. +// Interface for running ebtables commands. Implementations must be goroutine-safe. type Interface interface { // GetVersion returns the "X.Y.Z" semver string for ebtables. GetVersion() (string, error) @@ -125,7 +134,7 @@ func (runner *runner) GetVersion() (string, error) { } func (runner *runner) EnsureRule(position RulePosition, table Table, chain Chain, args ...string) (bool, error) { - exist := true + var exist bool fullArgs := makeFullArgs(table, opListChain, chain, fullMac) out, err := runner.exec.Command(cmdebtables, fullArgs...).CombinedOutput() if err != nil { 
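Review bot: The package comment added at the top of ebtables.go is ungrammatical ("allows to control") and does not say that the package acts by executing the ebtables command, which the `runner.exec.Command(cmdebtables, fullArgs...)` calls later in this file show. A wording such as `// Package ebtables manages the Linux ebtables bridging firewall by running the ebtables command.` covers both in one line. The reference link is written with plain `http://`; if the site serves HTTPS, that scheme is the better one to record in the comment. As the file is vendored, the wording change belongs upstream in k8s.io/utils.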
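Review bot: In EnsureRule the starting value of `exist` changes from `true` to `false` (`exist := true` becomes `var exist bool`), and the hunk at -144 makes the same edit in DeleteRule. Both bodies continue outside their hunks, so only the `if err != nil {` line is visible here; the edit is behaviour-neutral only if every branch after it assigns `exist` before the first read. If some path leaves it unassigned, the functions would now treat the rule as absent where they previously treated it as present, which changes what is added to or left in the bridge firewall. Please confirm against the full file, and consider making the dependency explicit with `// assigned on both branches of the err check below` next to `var exist bool`.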
@@ -144,7 +153,7 @@ func (runner *runner) EnsureRule(position RulePosition, table Table, chain Chain } func (runner *runner) DeleteRule(table Table, chain Chain, args ...string) error { - exist := true + var exist bool fullArgs := makeFullArgs(table, opListChain, chain, fullMac) out, err := runner.exec.Command(cmdebtables, fullArgs...).CombinedOutput() if err != nil { diff --git a/vendor/modules.txt b/vendor/modules.txt index 3ed2f8ea144..91416e22766 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -2459,6 +2459,7 @@ k8s.io/utils/io k8s.io/utils/keymutex k8s.io/utils/mount k8s.io/utils/net +k8s.io/utils/net/ebtables k8s.io/utils/nsenter k8s.io/utils/path k8s.io/utils/pointer