From 1a6b9b811e303c033006e9a3223258582149b69b Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Wed, 17 May 2023 15:48:59 -0400
Subject: [PATCH] Simplify nftables/proxier.go by removing localhost nodeport support and related route_localnet setting / anti-martian-packet rule
---
 cmd/kube-proxy/app/server_others.go | 2 -
 cmd/kube-proxy/app/server_test.go | 10 +-
 pkg/generated/openapi/zz_generated.openapi.go | 9 +-
 pkg/proxy/apis/config/fuzzer/fuzzer.go | 1 -
 .../after/v1alpha1.yaml | 1 -
 .../roundtrip/default/v1alpha1.yaml | 1 -
 pkg/proxy/apis/config/types.go | 3 -
 pkg/proxy/apis/config/v1alpha1/defaults.go | 3 -
 .../apis/config/v1alpha1/defaults_test.go | 18 +-
 .../v1alpha1/zz_generated.conversion.go | 2 -
 .../apis/config/zz_generated.deepcopy.go | 5 -
 pkg/proxy/nftables/proxier.go | 78 +------
 pkg/proxy/nftables/proxier_test.go | 170 +++----------
 .../kube-proxy/config/v1alpha1/types.go | 3 -
 .../config/v1alpha1/zz_generated.deepcopy.go | 5 -
 15 files changed, 47 insertions(+), 264 deletions(-)
diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
index 258bb366ed1..b307ea467fb 100644
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -305,7 +305,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 config.NFTables.SyncPeriod.Duration,
 config.NFTables.MinSyncPeriod.Duration,
 config.NFTables.MasqueradeAll,
- *config.NFTables.LocalhostNodePorts,
 int(*config.NFTables.MasqueradeBit),
 localDetectors,
 s.Hostname,
@@ -332,7 +331,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 config.NFTables.SyncPeriod.Duration,
 config.NFTables.MinSyncPeriod.Duration,
 config.NFTables.MasqueradeAll,
- *config.NFTables.LocalhostNodePorts,
 int(*config.NFTables.MasqueradeBit),
 localDetector,
 s.Hostname,
diff --git a/cmd/kube-proxy/app/server_test.go b/cmd/kube-proxy/app/server_test.go
index ec975978ff5..866fdee116b 100644
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -79,7 +79,6 @@ nftables:
 masqueradeBit: 18
 minSyncPeriod: 10s
 syncPeriod: 60s
- localhostNodePorts: false
 kind: KubeProxyConfiguration
 metricsBindAddress: "%s"
 mode: "%s"
@@ -225,11 +224,10 @@ nodePortAddresses:
 ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"},
 },
 NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
- MasqueradeAll: true,
- MasqueradeBit: ptr.To[int32](18),
- LocalhostNodePorts: ptr.To(false),
- MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
- SyncPeriod: metav1.Duration{Duration: 60 * time.Second},
+ MasqueradeAll: true,
+ MasqueradeBit: ptr.To[int32](18),
+ MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
+ SyncPeriod: metav1.Duration{Duration: 60 * time.Second},
 },
 MetricsBindAddress: tc.metricsBindAddress,
 Mode: kubeproxyconfig.ProxyMode(tc.mode),
diff --git a/pkg/generated/openapi/zz_generated.openapi.go b/pkg/generated/openapi/zz_generated.openapi.go
index 96f1f2c14d1..351ff28986e 100644
--- a/pkg/generated/openapi/zz_generated.openapi.go
+++ b/pkg/generated/openapi/zz_generated.openapi.go
@@ -54716,13 +54716,6 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 Format: "",
 },
 },
- "localhostNodePorts": {
- SchemaProps: spec.SchemaProps{
- Description: "localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior of allowing NodePort services to be accessed via localhost. FIXME: remove.",
- Type: []string{"boolean"},
- Format: "",
- },
- },
 "syncPeriod": {
 SchemaProps: spec.SchemaProps{
 Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
@@ -54736,7 +54729,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
 },
 },
 },
- Required: []string{"masqueradeBit", "masqueradeAll", "localhostNodePorts", "syncPeriod", "minSyncPeriod"},
+ Required: []string{"masqueradeBit", "masqueradeAll", "syncPeriod", "minSyncPeriod"},
 },
 },
 Dependencies: []string{
diff --git a/pkg/proxy/apis/config/fuzzer/fuzzer.go b/pkg/proxy/apis/config/fuzzer/fuzzer.go
index 1cb9dbe215a..161ab5021aa 100644
--- a/pkg/proxy/apis/config/fuzzer/fuzzer.go
+++ b/pkg/proxy/apis/config/fuzzer/fuzzer.go
@@ -44,7 +44,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 obj.IPTables.MasqueradeBit = ptr.To(c.Int31())
 obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool())
 obj.NFTables.MasqueradeBit = ptr.To(c.Int31())
- obj.NFTables.LocalhostNodePorts = ptr.To(c.RandBool())
 obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
 obj.OOMScoreAdj = ptr.To(c.Int31())
 obj.ClientConnection.ContentType = "bar"
diff --git a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
index fbfdea5cc31..fdbd9b06af3 100644
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml
@@ -50,7 +50,6 @@ logging:
 metricsBindAddress: 127.0.0.1:10249
 mode: ""
 nftables:
- localhostNodePorts: true
 masqueradeAll: false
 masqueradeBit: 14
 minSyncPeriod: 1s
diff --git a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml
index fbfdea5cc31..fdbd9b06af3 100644
--- a/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml 
+++ b/pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml @@ -50,7 +50,6 @@ logging: metricsBindAddress: 127.0.0.1:10249 mode: "" nftables: - localhostNodePorts: true masqueradeAll: false masqueradeBit: 14 minSyncPeriod: 1s diff --git a/pkg/proxy/apis/config/types.go b/pkg/proxy/apis/config/types.go index e6ca87cd105..cb4100dcc58 100644 --- a/pkg/proxy/apis/config/types.go +++ b/pkg/proxy/apis/config/types.go @@ -90,9 +90,6 @@ type KubeProxyNFTablesConfiguration struct { // masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs, // when using the nftables mode. This may be required with some CNI plugins. MasqueradeAll bool - // localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior - // of allowing NodePort services to be accessed via localhost. FIXME: remove. - LocalhostNodePorts *bool // syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently // various re-synchronizing and cleanup operations are performed. Must be greater // than 0. diff --git a/pkg/proxy/apis/config/v1alpha1/defaults.go b/pkg/proxy/apis/config/v1alpha1/defaults.go index 00d1d8daacd..1c8c555b422 100644 --- a/pkg/proxy/apis/config/v1alpha1/defaults.go +++ b/pkg/proxy/apis/config/v1alpha1/defaults.go @@ -77,9 +77,6 @@ func SetDefaults_KubeProxyConfiguration(obj *kubeproxyconfigv1alpha1.KubeProxyCo if obj.NFTables.MinSyncPeriod.Duration == 0 { obj.NFTables.MinSyncPeriod = metav1.Duration{Duration: 1 * time.Second} } - if obj.NFTables.LocalhostNodePorts == nil { - obj.NFTables.LocalhostNodePorts = ptr.To(true) - } if obj.Conntrack.MaxPerCore == nil { obj.Conntrack.MaxPerCore = ptr.To[int32](32 * 1024) diff --git a/pkg/proxy/apis/config/v1alpha1/defaults_test.go b/pkg/proxy/apis/config/v1alpha1/defaults_test.go index 19496160b05..5d8cbf79e94 100644 --- a/pkg/proxy/apis/config/v1alpha1/defaults_test.go +++ b/pkg/proxy/apis/config/v1alpha1/defaults_test.go 
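Review bot: Deleting `LocalhostNodePorts` from `KubeProxyNFTablesConfiguration` in pkg/proxy/apis/config/types.go leaves no statement of what nftables mode now does with localhost NodePorts, while the sibling `IPTables.LocalhostNodePorts` field (still present per the fuzzer hunk) keeps the old behaviour, so a reader of the config types cannot tell the two modes differ. I would add one sentence to the struct's doc comment (the `type KubeProxyNFTablesConfiguration struct {` line is outside the hunk), e.g. `// Unlike iptables mode, nftables mode never exposes NodePort services on localhost; there is no localhostNodePorts setting.` Whether the config loader rejects unknown keys is not visible here; if it does, files that still set `nftables.localhostNodePorts` stop loading, which the release note should say.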
@@ -63,11 +63,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) { SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, }, NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{ - MasqueradeBit: ptr.To[int32](14), - MasqueradeAll: false, - LocalhostNodePorts: ptr.To(true), - SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, - MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, + MasqueradeBit: ptr.To[int32](14), + MasqueradeAll: false, + SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, + MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, }, OOMScoreAdj: &oomScore, Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{ @@ -110,11 +109,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) { SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, }, NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{ - MasqueradeBit: ptr.To[int32](14), - MasqueradeAll: false, - LocalhostNodePorts: ptr.To(true), - SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, - MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, + MasqueradeBit: ptr.To[int32](14), + MasqueradeAll: false, + SyncPeriod: metav1.Duration{Duration: 30 * time.Second}, + MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second}, }, OOMScoreAdj: &oomScore, Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{ diff --git a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go index 4886b08487a..6df45d415e1 100644 --- a/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go +++ b/pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go 
@@ -323,7 +323,6 @@ func Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfigur func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeAll = in.MasqueradeAll - out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return nil @@ -337,7 +336,6 @@ func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTables func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error { out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit)) out.MasqueradeAll = in.MasqueradeAll - out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts)) out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return nil diff --git a/pkg/proxy/apis/config/zz_generated.deepcopy.go b/pkg/proxy/apis/config/zz_generated.deepcopy.go index 0777834acef..386cf2465f9 100644 --- a/pkg/proxy/apis/config/zz_generated.deepcopy.go +++ b/pkg/proxy/apis/config/zz_generated.deepcopy.go @@ -215,11 +215,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon *out = new(int32) **out = **in } - if in.LocalhostNodePorts != nil { - in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts - *out = new(bool) - **out = **in - } out.SyncPeriod = in.SyncPeriod out.MinSyncPeriod = in.MinSyncPeriod return diff --git a/pkg/proxy/nftables/proxier.go b/pkg/proxy/nftables/proxier.go index 1bf2eef2de6..6a0d65b2230 100644 --- a/pkg/proxy/nftables/proxier.go +++ b/pkg/proxy/nftables/proxier.go 
@@ -77,14 +77,8 @@ const ( // kube proxy canary chain is used for monitoring rule reload kubeProxyCanaryChain utiliptables.Chain = "KUBE-PROXY-CANARY" - - // kubeletFirewallChain is a duplicate of kubelet's firewall containing - // the anti-martian-packet rule. It should not be used for any other - // rules. - kubeletFirewallChain utiliptables.Chain = "KUBE-FIREWALL" ) -const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet" const sysctlNFConntrackTCPBeLiberal = "net/netfilter/nf_conntrack_tcp_be_liberal" // internal struct for string service information @@ -183,10 +177,6 @@ type Proxier struct { natChains proxyutil.LineBuffer natRules proxyutil.LineBuffer - // localhostNodePorts indicates whether we allow NodePort services to be accessed - // via localhost. - localhostNodePorts bool - // conntrackTCPLiberal indicates whether the system sets the kernel nf_conntrack_tcp_be_liberal conntrackTCPLiberal bool @@ -212,7 +202,6 @@ func NewProxier(ipFamily v1.IPFamily, syncPeriod time.Duration, minSyncPeriod time.Duration, masqueradeAll bool, - localhostNodePorts bool, masqueradeBit int, localDetector proxyutiliptables.LocalTrafficDetector, hostname string, 
@@ -224,18 +213,6 @@ func NewProxier(ipFamily v1.IPFamily, ) (*Proxier, error) { nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings) - if !nodePortAddresses.ContainsIPv4Loopback() { - localhostNodePorts = false - } - if localhostNodePorts { - // Set the route_localnet sysctl we need for exposing NodePorts on loopback addresses - // Refer to https://issues.k8s.io/90259 - klog.InfoS("Setting route_localnet=1 to allow node-ports on localhost; to change this either disable iptables.localhostNodePorts (--iptables-localhost-nodeports) or set nodePortAddresses (--nodeport-addresses) to filter loopback addresses") - if err := proxyutil.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil { - return nil, err - } - } - // Be conservative in what you do, be liberal in what you accept from others. // If it's non-zero, we mark only out of window RST segments as INVALID. // Ref: https://docs.kernel.org/networking/nf_conntrack-sysctl.html @@ -281,7 +258,6 @@ func NewProxier(ipFamily v1.IPFamily, filterRules: proxyutil.NewLineBuffer(), natChains: proxyutil.NewLineBuffer(), natRules: proxyutil.NewLineBuffer(), - localhostNodePorts: localhostNodePorts, nodePortAddresses: nodePortAddresses, networkInterfacer: proxyutil.RealNetwork{}, conntrackTCPLiberal: conntrackTCPLiberal, @@ -314,7 +290,6 @@ func NewDualStackProxier( syncPeriod time.Duration, minSyncPeriod time.Duration, masqueradeAll bool, - localhostNodePorts bool, masqueradeBit int, localDetectors [2]proxyutiliptables.LocalTrafficDetector, hostname string, 
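Review bot: NewProxier no longer writes `net/ipv4/conf/all/route_localnet`, but nothing in this diff resets it, so a node that previously ran with localhost NodePorts enabled keeps `route_localnet=1` after moving to this proxier, and the later syncProxyRules hunk also drops the KUBE-FIREWALL rule that mitigated that setting. The removed comments say kubelet installs an identical rule, so presumably that copy is what the mitigation now rests on, but that dependency is no longer stated anywhere in this file. I would record it above `nodePortAddresses := proxyutil.NewNodePortAddresses(...)`: `// Localhost NodePorts are not supported: route_localnet is never enabled here, and the anti-martian-packet rule for 127.0.0.0/8 is left to kubelet (KUBE-FIREWALL).` The body of NewProxier continues past the hunk.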
@@ -326,14 +301,14 @@ func NewDualStackProxier( ) (proxy.Provider, error) { // Create an ipv4 instance of the single-stack proxier ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl, - exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname, + exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly) if err != nil { return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err) } ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl, - exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname, + exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly) if err != nil { return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err) @@ -367,13 +342,6 @@ var iptablesJumpChains = []iptablesJumpChain{ {utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil}, } -// Duplicates of chains created in pkg/kubelet/kubelet_network_linux.go; we create these -// on startup but do not delete them in CleanupLeftovers. -var iptablesKubeletJumpChains = []iptablesJumpChain{ - {utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainInput, "", nil}, - {utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainOutput, "", nil}, -} - // When chains get removed from iptablesJumpChains, add them here so they get cleaned up // on upgrade. var iptablesCleanupOnlyChains = []iptablesJumpChain{} 
@@ -761,7 +729,7 @@ func (proxier *Proxier) syncProxyRules() { // Ensure that our jump rules (eg from PREROUTING to KUBE-SERVICES) exist. // We can't do this as part of the iptables-restore because we don't want // to specify/replace *all* of the rules in PREROUTING, etc. - for _, jump := range append(iptablesJumpChains, iptablesKubeletJumpChains...) { + for _, jump := range iptablesJumpChains { if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil { klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain) return @@ -828,30 +796,6 @@ func (proxier *Proxier) syncProxyRules() { "-j", "MARK", "--or-mark", proxier.masqueradeMark, ) - isIPv6 := proxier.iptables.IsIPv6() - if !isIPv6 && proxier.localhostNodePorts { - // Kube-proxy's use of `route_localnet` to enable NodePorts on localhost - // creates a security hole (https://issue.k8s.io/90259) which this - // iptables rule mitigates. - - // NOTE: kubelet creates an identical copy of this rule. If you want to - // change this rule in the future, you MUST do so in a way that will - // interoperate correctly with skewed versions of the rule created by - // kubelet. (Actually, kubelet uses "--dst"/"--src" rather than "-d"/"-s" - // but that's just a command-line thing and results in the same rule being - // created in the kernel.) - proxier.filterChains.Write(utiliptables.MakeChainLine(kubeletFirewallChain)) - proxier.filterRules.Write( - "-A", string(kubeletFirewallChain), - "-m", "comment", "--comment", `"block incoming localnet connections"`, - "-d", "127.0.0.0/8", - "!", "-s", "127.0.0.0/8", - "-m", "conntrack", - "!", "--ctstate", "RELATED,ESTABLISHED,DNAT", - "-j", "DROP", - ) - } - // Accumulate NAT chains to keep. activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set 
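Review bot: With the `isIPv6 && proxier.localhostNodePorts` block gone, syncProxyRules writes nothing for the loopback-destination case on IPv4 between the KUBE-MARK-MASQ rule and `activeNATChains`, and the only remaining defence against packets to 127.0.0.0/8 from off-host is the `! -d 127.0.0.0/8` match added to the KUBE-NODEPORTS jump in the later hunk plus kubelet's own KUBE-FIREWALL rule. That is fine as long as it stays intentional; a short comment where the rule used to be keeps the next reader from re-adding it or wondering why it is missing: `// No anti-martian rule here: this proxier never enables route_localnet, and kubelet installs the 127.0.0.0/8 KUBE-FIREWALL rule itself.` The removed comment also documented the interoperability constraint with kubelet's copy ("--dst"/"--src" vs "-d"/"-s"); that knowledge now lives only in kubelet, which is acceptable but worth a pointer to pkg/kubelet/kubelet_network_linux.go in the same comment. syncProxyRules begins and ends outside the hunk.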
@@ -1330,12 +1274,13 @@ func (proxier *Proxier) syncProxyRules() { // Finally, tail-call to the nodePorts chain. This needs to be after all // other service portal rules. if proxier.nodePortAddresses.MatchAll() { + isIPv6 := proxier.iptables.IsIPv6() + destinations := []string{"-m", "addrtype", "--dst-type", "LOCAL"} - // Block localhost nodePorts if they are not supported. (For IPv6 they never - // work, and for IPv4 they only work if we previously set `route_localnet`.) + // Block localhost nodePorts if isIPv6 { destinations = append(destinations, "!", "-d", "::1/128") - } else if !proxier.localhostNodePorts { + } else { destinations = append(destinations, "!", "-d", "127.0.0.0/8") } @@ -1351,13 +1296,8 @@ func (proxier *Proxier) syncProxyRules() { } for _, ip := range nodeIPs { if ip.IsLoopback() { - if isIPv6 { - klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported on IPv6", "address", ip.String()) - continue - } else if !proxier.localhostNodePorts { - klog.ErrorS(nil, "--nodeport-addresses includes localhost but --iptables-localhost-nodeports=false was passed", "address", ip.String()) - continue - } + klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported", "address", ip.String()) + continue } // create nodeport rules for each IP one by one diff --git a/pkg/proxy/nftables/proxier_test.go b/pkg/proxy/nftables/proxier_test.go index a0f290e03e4..3c70d070a80 100644 --- a/pkg/proxy/nftables/proxier_test.go +++ b/pkg/proxy/nftables/proxier_test.go @@ -338,7 +338,6 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier { natChains: proxyutil.NewLineBuffer(), natRules: proxyutil.NewLineBuffer(), nodeIP: netutils.ParseIPSloppy(testNodeIP), - localhostNodePorts: true, nodePortAddresses: proxyutil.NewNodePortAddresses(ipfamily, nil), networkInterfacer: networkInterfacer, } 
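Review bot: The rewritten comment `// Block localhost nodePorts` lost the reason the two branches differ, which the old text carried; I would restore it as `// Block localhost nodePorts: they are never supported on IPv6, and on IPv4 they would require route_localnet, which this proxier does not enable.` In the second hunk the `ip.IsLoopback()` branch now unconditionally logs `--nodeport-addresses includes localhost but localhost NodePorts are not supported` and continues, and since nodePortAddresses is fixed at construction this fires on every sync for each loopback address rather than once; validating it in NewProxier (or logging once) would be cleaner, but that is pre-existing behaviour. Note that `isIPv6` is now declared inside the `MatchAll()` branch only, which is correct because the else branch no longer reads it. syncProxyRules continues on both sides of these hunks.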
@@ -694,7 +693,7 @@ func checkIPTablesRuleJumps(ruleData string) error { // Find cases where we have ":BAR" but no "-A FOO ... -j BAR", meaning // that we are creating an empty chain but not using it for anything. extraChains := createdChains.Difference(jumpedChains) - extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain), string(kubeletFirewallChain)) + extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain)) if len(extraChains) > 0 { return fmt.Errorf("some chains in %s are created but not used: %v", tableName, extraChains.UnsortedList()) } @@ -1913,7 +1912,6 @@ func TestOverallIPTablesRules(t *testing.T) { :KUBE-NODEPORTS - [0:0] :KUBE-SERVICES - [0:0] :KUBE-EXTERNAL-SERVICES - [0:0] - :KUBE-FIREWALL - [0:0] :KUBE-FORWARD - [0:0] :KUBE-PROXY-FIREWALL - [0:0] -A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT 
@@ -1921,7 +1919,6 @@ func TestOverallIPTablesRules(t *testing.T) { -A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP -A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP -A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j DROP - -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
@@ -1960,7 +1957,7 @@ func TestOverallIPTablesRules(t *testing.T) { -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 external IP" -m tcp -p tcp -d 192.168.99.33 --dport 80 -j KUBE-EXT-4SW47YFZTEDKD3PK -A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 cluster IP" -m tcp -p tcp -d 172.30.0.45 --dport 80 -j KUBE-SVC-NUKIZ6OKUXPJNT4C -A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 loadbalancer IP" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j KUBE-FW-NUKIZ6OKUXPJNT4C - -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS + -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS -A KUBE-EXT-4SW47YFZTEDKD3PK -m comment --comment "masquerade traffic for ns4/svc4:p80 external destinations" -j KUBE-MARK-MASQ -A KUBE-EXT-4SW47YFZTEDKD3PK -j KUBE-SVC-4SW47YFZTEDKD3PK -A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "pod traffic for ns2/svc2:p80 external destinations" -s 10.0.0.0/8 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT @@ -2431,9 +2428,8 @@ func TestNodePorts(t *testing.T) { testCases := []struct { name string - family v1.IPFamily - localhostNodePorts bool - nodePortAddresses []string + family v1.IPFamily + nodePortAddresses []string // allowAltNodeIP is true if we expect NodePort traffic on the alternate // node IP to be accepted 
@@ -2444,71 +2440,37 @@ func TestNodePorts(t *testing.T) { expectFirewall bool }{ { - name: "ipv4, localhost-nodeports enabled", + name: "ipv4", - family: v1.IPv4Protocol, - localhostNodePorts: true, - nodePortAddresses: nil, + family: v1.IPv4Protocol, + nodePortAddresses: nil, allowAltNodeIP: true, expectFirewall: true, }, { - name: "ipv4, localhost-nodeports disabled", + name: "ipv4, multiple nodeport-addresses", - family: v1.IPv4Protocol, - localhostNodePorts: false, - nodePortAddresses: nil, + family: v1.IPv4Protocol, + nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"}, allowAltNodeIP: true, expectFirewall: false, }, { - name: "ipv4, localhost-nodeports disabled, localhost in nodeport-addresses", + name: "ipv6", - family: v1.IPv4Protocol, - localhostNodePorts: false, - nodePortAddresses: []string{"192.168.0.0/24", "127.0.0.1/32"}, - - allowAltNodeIP: false, - expectFirewall: false, - }, - { - name: "ipv4, localhost-nodeports enabled, multiple nodeport-addresses", - - family: v1.IPv4Protocol, - localhostNodePorts: false, - nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"}, + family: v1.IPv6Protocol, + nodePortAddresses: nil, allowAltNodeIP: true, expectFirewall: false, }, { - name: "ipv6, localhost-nodeports enabled", + name: "ipv6, multiple nodeport-addresses", - family: v1.IPv6Protocol, - localhostNodePorts: true, - nodePortAddresses: nil, - - allowAltNodeIP: true, - expectFirewall: false, - }, - { - name: "ipv6, localhost-nodeports disabled", - - family: v1.IPv6Protocol, - localhostNodePorts: false, - nodePortAddresses: nil, - - allowAltNodeIP: true, - expectFirewall: false, - }, - { - name: "ipv6, localhost-nodeports disabled, multiple nodeport-addresses", - - family: v1.IPv6Protocol, - localhostNodePorts: false, - nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"}, + family: v1.IPv6Protocol, + nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", 
"2001:db8::/64"}, allowAltNodeIP: false, expectFirewall: false, @@ -2531,7 +2493,6 @@ func TestNodePorts(t *testing.T) { epIP2 = "fd00:10:180::2:1" } fp := NewFakeProxier(ipt) - fp.localhostNodePorts = tc.localhostNodePorts if tc.nodePortAddresses != nil { fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses) } @@ -2573,19 +2534,17 @@ func TestNodePorts(t *testing.T) { fp.syncProxyRules() - var podIP, externalClientIP, nodeIP, altNodeIP, localhostIP string + var podIP, externalClientIP, nodeIP, altNodeIP string if tc.family == v1.IPv4Protocol { podIP = "10.0.0.2" externalClientIP = testExternalClient nodeIP = testNodeIP altNodeIP = testNodeIPAlt - localhostIP = "127.0.0.1" } else { podIP = "fd00:10::2" externalClientIP = "2600:5200::1" nodeIP = testNodeIPv6 altNodeIP = testNodeIPv6Alt - localhostIP = "::1" } output := net.JoinHostPort(epIP1, "80") + ", " + net.JoinHostPort(epIP2, "80") @@ -2617,30 +2576,6 @@ func TestNodePorts(t *testing.T) { }, }) - // localhost to NodePort is only allowed in IPv4, and only if not disabled - if tc.family == v1.IPv4Protocol && tc.localhostNodePorts { - runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{ - { - name: "localhost to nodePort gets masqueraded", - sourceIP: localhostIP, - destIP: localhostIP, - destPort: 3001, - output: output, - masq: true, - }, - }) - } else { - runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{ - { - name: "localhost to nodePort is ignored", - sourceIP: localhostIP, - destIP: localhostIP, - destPort: 3001, - output: "", - }, - }) - } - // NodePort on altNodeIP should be allowed, unless // nodePortAddressess excludes altNodeIP if tc.allowAltNodeIP { 
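Review bot: `expectFirewall` is still declared in the TestNodePorts table (the hunk on L14) and set in every remaining case — including `expectFirewall: true` for `ipv4` — but its only reader, the `assertIPTablesChainEqual(..., kubeletFirewallChain, ...)` check, is deleted in the hunk at -2665, so the field is dead and the `ipv4` case asserts nothing about the firewall. Either drop the field and its four initialisers, or replace the deleted check with what the new code guarantees for IPv4, e.g. an `assertIPTablesChainEqual` on `kubeNodePortsChain`'s jump rule containing `! -d 127.0.0.0/8`. Also, the case `"ipv4, localhost-nodeports disabled, localhost in nodeport-addresses"` was removed outright, so the `--nodeport-addresses includes localhost` error path in syncProxyRules now has no test; keeping that case with `allowAltNodeIP: false` and no localhost-specific flag would cover it.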
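Review bot: Deleting both branches here removes the only packet-flow assertion that localhost-to-NodePort traffic is ignored; the new `! -d 127.0.0.0/8` and `! -d ::1/128` matches are now verified solely by string comparison in TestOverallIPTablesRules and TestSyncProxyRulesRepeated, and not at all for the IPv6 family through the packet tracer. The `else` branch should stay, now unconditional, which also means keeping the `localhostIP` variable dropped in the -2573 hunk.
```go
// localhost to NodePort is never allowed: IPv6 has no route_localnet, and
// this proxier does not enable it for IPv4.
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
	{
		name:     "localhost to nodePort is ignored",
		sourceIP: localhostIP,
		destIP:   localhostIP,
		destPort: 3001,
		output:   "",
	},
})
// … unchanged: altNodeIP packet-flow tests …
```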
@@ -2665,15 +2600,6 @@ func TestNodePorts(t *testing.T) { }, }) } - - // We have to check the firewall rule manually rather than via - // runPacketFlowTests(), because the packet tracer doesn't - // implement conntrack states. - var expected string - if tc.expectFirewall { - expected = "-A KUBE-FIREWALL -m comment --comment \"block incoming localnet connections\" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP\n" - } - assertIPTablesChainEqual(t, getLine(), utiliptables.TableFilter, kubeletFirewallChain, expected, fp.iptablesData.String()) }) } } @@ -5526,14 +5452,6 @@ func TestInternalExternalMasquerade(t *testing.T) { output: "10.180.0.1:80, 10.180.1.1:80", masq: true, }, - { - name: "localhost to NodePort", - sourceIP: "127.0.0.1", - destIP: "127.0.0.1", - destPort: 3001, - output: "10.180.0.1:80, 10.180.1.1:80", - masq: true, - }, { name: "node to LB", sourceIP: testNodeIP, @@ -5630,17 +5548,6 @@ func TestInternalExternalMasquerade(t *testing.T) { output: "10.180.0.1:80, 10.180.1.1:80", masq: true, }, - { - name: "localhost to NodePort with eTP:Local", - sourceIP: "127.0.0.1", - destIP: "127.0.0.1", - destPort: 3002, - - // The traffic gets short-circuited, ignoring externalTrafficPolicy, so - // same as "localhost to NodePort" above. - output: "10.180.0.2:80, 10.180.1.2:80", - masq: true, - }, { name: "node to LB with eTP:Local", sourceIP: testNodeIP, @@ -5741,17 +5648,6 @@ func TestInternalExternalMasquerade(t *testing.T) { output: "10.180.0.3:80, 10.180.1.3:80", masq: true, }, - { - name: "localhost to NodePort with iTP:Local", - sourceIP: "127.0.0.1", - destIP: "127.0.0.1", - destPort: 3003, - - // internalTrafficPolicy does not apply to NodePort traffic, so same as - // "localhost to NodePort" above. - output: "10.180.0.3:80, 10.180.1.3:80", - masq: true, - }, { name: "node to LB with iTP:Local", sourceIP: testNodeIP, 
@@ -6005,10 +5901,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) { :KUBE-NODEPORTS - [0:0] :KUBE-SERVICES - [0:0] :KUBE-EXTERNAL-SERVICES - [0:0] - :KUBE-FIREWALL - [0:0] :KUBE-FORWARD - [0:0] :KUBE-PROXY-FIREWALL - [0:0] - -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -6024,7 +5918,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) { :KUBE-SVC-XPGD46QRK7WJZT7O - [0:0] -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O -A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6 - -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS + -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 
@@ -6081,10 +5975,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) { :KUBE-NODEPORTS - [0:0] :KUBE-SERVICES - [0:0] :KUBE-EXTERNAL-SERVICES - [0:0] - :KUBE-FIREWALL - [0:0] :KUBE-FORWARD - [0:0] :KUBE-PROXY-FIREWALL - [0:0] - -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -6103,7 +5995,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) { -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O -A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6 -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK - -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS + -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 
@@ -6141,10 +6033,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) { :KUBE-NODEPORTS - [0:0] :KUBE-SERVICES - [0:0] :KUBE-EXTERNAL-SERVICES - [0:0] - :KUBE-FIREWALL - [0:0] :KUBE-FORWARD - [0:0] :KUBE-PROXY-FIREWALL - [0:0] - -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT @@ -6162,7 +6052,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) { :KUBE-SVC-XPGD46QRK7WJZT7O - [0:0] -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK - -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS + -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000 -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000 
@@ -6207,11 +6097,9 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-NODEPORTS - [0:0]
  :KUBE-SERVICES - [0:0]
  :KUBE-EXTERNAL-SERVICES - [0:0]
- :KUBE-FIREWALL - [0:0]
  :KUBE-FORWARD - [0:0]
  :KUBE-PROXY-FIREWALL - [0:0]
  -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j REJECT
- -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6227,7 +6115,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
  -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
  -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
- -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+ -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
  -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6270,10 +6158,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-NODEPORTS - [0:0]
  :KUBE-SERVICES - [0:0]
  :KUBE-EXTERNAL-SERVICES - [0:0]
- :KUBE-FIREWALL - [0:0]
  :KUBE-FORWARD - [0:0]
  :KUBE-PROXY-FIREWALL - [0:0]
- -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6292,7 +6178,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
  -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
  -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
- -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+ -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
  -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6332,10 +6218,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-NODEPORTS - [0:0]
  :KUBE-SERVICES - [0:0]
  :KUBE-EXTERNAL-SERVICES - [0:0]
- :KUBE-FIREWALL - [0:0]
  :KUBE-FORWARD - [0:0]
  :KUBE-PROXY-FIREWALL - [0:0]
- -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6355,7 +6239,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
  -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
  -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
- -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+ -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
  -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6394,10 +6278,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-NODEPORTS - [0:0]
  :KUBE-SERVICES - [0:0]
  :KUBE-EXTERNAL-SERVICES - [0:0]
- :KUBE-FIREWALL - [0:0]
  :KUBE-FORWARD - [0:0]
  :KUBE-PROXY-FIREWALL - [0:0]
- -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6417,7 +6299,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
  -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
  -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
- -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+ -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
  -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
@@ -6458,10 +6340,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  :KUBE-NODEPORTS - [0:0]
  :KUBE-SERVICES - [0:0]
  :KUBE-EXTERNAL-SERVICES - [0:0]
- :KUBE-FIREWALL - [0:0]
  :KUBE-FORWARD - [0:0]
  :KUBE-PROXY-FIREWALL - [0:0]
- -A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
  -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
  -A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
@@ -6481,7 +6361,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
  -A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
  -A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
  -A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
- -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
+ -A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
  -A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
  -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
  -A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
diff --git a/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go b/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
index dd69244cdd2..e4382574de3 100644
--- a/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/types.go
@@ -86,9 +86,6 @@ type KubeProxyNFTablesConfiguration struct {
  // masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
  // when using the nftables mode. This may be required with some CNI plugins.
  MasqueradeAll bool `json:"masqueradeAll"`
- // localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
- // of allowing NodePort services to be accessed via localhost. FIXME: remove.
- LocalhostNodePorts *bool `json:"localhostNodePorts"`
  // syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
  // various re-synchronizing and cleanup operations are performed. Must be greater
  // than 0.
diff --git a/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.deepcopy.go b/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.deepcopy.go
index 382e3e7e7f5..ebd5349ae52 100644
--- a/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.deepcopy.go
+++ b/staging/src/k8s.io/kube-proxy/config/v1alpha1/zz_generated.deepcopy.go
@@ -193,11 +193,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon
  *out = new(int32)
  **out = **in
  }
- if in.LocalhostNodePorts != nil {
- in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
- *out = new(bool)
- **out = **in
- }
  out.SyncPeriod = in.SyncPeriod
  out.MinSyncPeriod = in.MinSyncPeriod
  return
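Review bot: Dropping `LocalhostNodePorts` from the exported v1alpha1 `KubeProxyNFTablesConfiguration` changes how an existing config file that still sets `nftables.localhostNodePorts` is treated, and nothing in this hunk says which way: if the kube-proxy config loader decodes strictly the file is rejected at startup, otherwise the key is silently ignored, and the latter is the case worth a deliberate decision because an operator who set it to `false` for hardening may assume it still applies. The field was already marked `FIXME: remove.`, so the removal itself is reasonable; what is missing is a sentence in the struct comment or the release note stating that the nftables mode never serves NodePorts on loopback and that the key is no longer accepted. If strict decoding is not in place, a one-release transition keeping the field with `// Deprecated: ignored; nftables mode never serves NodePorts on loopback.` would let the loader warn instead of fail. The struct begins before this hunk; the deepcopy hunk that follows is generated and needs no separate review.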