mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-08-09 12:07:47 +00:00
Simplify nftables/proxier.go by removing localhost nodeport support
and related route_localnet setting / anti-martian-packet rule
This commit is contained in:
Dan Winship
parent
e7c35d27f7
commit
1a6b9b811e
@ -305,7 +305,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
config.NFTables.SyncPeriod.Duration,
|
||||
config.NFTables.MinSyncPeriod.Duration,
|
||||
config.NFTables.MasqueradeAll,
|
||||
*config.NFTables.LocalhostNodePorts,
|
||||
int(*config.NFTables.MasqueradeBit),
|
||||
localDetectors,
|
||||
s.Hostname,
|
||||
@ -332,7 +331,6 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
config.NFTables.SyncPeriod.Duration,
|
||||
config.NFTables.MinSyncPeriod.Duration,
|
||||
config.NFTables.MasqueradeAll,
|
||||
*config.NFTables.LocalhostNodePorts,
|
||||
int(*config.NFTables.MasqueradeBit),
|
||||
localDetector,
|
||||
s.Hostname,
|
||||
|
||||
@ -79,7 +79,6 @@ nftables:
|
||||
masqueradeBit: 18
|
||||
minSyncPeriod: 10s
|
||||
syncPeriod: 60s
|
||||
localhostNodePorts: false
|
||||
kind: KubeProxyConfiguration
|
||||
metricsBindAddress: "%s"
|
||||
mode: "%s"
|
||||
@ -225,11 +224,10 @@ nodePortAddresses:
|
||||
ExcludeCIDRs: []string{"10.20.30.40/16", "fd00:1::0/64"},
|
||||
},
|
||||
NFTables: kubeproxyconfig.KubeProxyNFTablesConfiguration{
|
||||
MasqueradeAll: true,
|
||||
MasqueradeBit: ptr.To[int32](18),
|
||||
LocalhostNodePorts: ptr.To(false),
|
||||
MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
|
||||
SyncPeriod: metav1.Duration{Duration: 60 * time.Second},
|
||||
MasqueradeAll: true,
|
||||
MasqueradeBit: ptr.To[int32](18),
|
||||
MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
|
||||
SyncPeriod: metav1.Duration{Duration: 60 * time.Second},
|
||||
},
|
||||
MetricsBindAddress: tc.metricsBindAddress,
|
||||
Mode: kubeproxyconfig.ProxyMode(tc.mode),
|
||||
|
||||
9
pkg/generated/openapi/zz_generated.openapi.go
generated
9
pkg/generated/openapi/zz_generated.openapi.go
generated
@ -54716,13 +54716,6 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
|
||||
Format: "",
|
||||
},
|
||||
},
|
||||
"localhostNodePorts": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior of allowing NodePort services to be accessed via localhost. FIXME: remove.",
|
||||
Type: []string{"boolean"},
|
||||
Format: "",
|
||||
},
|
||||
},
|
||||
"syncPeriod": {
|
||||
SchemaProps: spec.SchemaProps{
|
||||
Description: "syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently various re-synchronizing and cleanup operations are performed. Must be greater than 0.",
|
||||
@ -54736,7 +54729,7 @@ func schema_k8sio_kube_proxy_config_v1alpha1_KubeProxyNFTablesConfiguration(ref
|
||||
},
|
||||
},
|
||||
},
|
||||
Required: []string{"masqueradeBit", "masqueradeAll", "localhostNodePorts", "syncPeriod", "minSyncPeriod"},
|
||||
Required: []string{"masqueradeBit", "masqueradeAll", "syncPeriod", "minSyncPeriod"},
|
||||
},
|
||||
},
|
||||
Dependencies: []string{
|
||||
|
||||
@ -44,7 +44,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
|
||||
obj.IPTables.MasqueradeBit = ptr.To(c.Int31())
|
||||
obj.IPTables.LocalhostNodePorts = ptr.To(c.RandBool())
|
||||
obj.NFTables.MasqueradeBit = ptr.To(c.Int31())
|
||||
obj.NFTables.LocalhostNodePorts = ptr.To(c.RandBool())
|
||||
obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
|
||||
obj.OOMScoreAdj = ptr.To(c.Int31())
|
||||
obj.ClientConnection.ContentType = "bar"
|
||||
|
||||
@ -50,7 +50,6 @@ logging:
|
||||
metricsBindAddress: 127.0.0.1:10249
|
||||
mode: ""
|
||||
nftables:
|
||||
localhostNodePorts: true
|
||||
masqueradeAll: false
|
||||
masqueradeBit: 14
|
||||
minSyncPeriod: 1s
|
||||
|
||||
@ -50,7 +50,6 @@ logging:
|
||||
metricsBindAddress: 127.0.0.1:10249
|
||||
mode: ""
|
||||
nftables:
|
||||
localhostNodePorts: true
|
||||
masqueradeAll: false
|
||||
masqueradeBit: 14
|
||||
minSyncPeriod: 1s
|
||||
|
||||
@ -90,9 +90,6 @@ type KubeProxyNFTablesConfiguration struct {
|
||||
// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
|
||||
// when using the nftables mode. This may be required with some CNI plugins.
|
||||
MasqueradeAll bool
|
||||
// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
|
||||
// of allowing NodePort services to be accessed via localhost. FIXME: remove.
|
||||
LocalhostNodePorts *bool
|
||||
// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
|
||||
// various re-synchronizing and cleanup operations are performed. Must be greater
|
||||
// than 0.
|
||||
|
||||
@ -77,9 +77,6 @@ func SetDefaults_KubeProxyConfiguration(obj *kubeproxyconfigv1alpha1.KubeProxyCo
|
||||
if obj.NFTables.MinSyncPeriod.Duration == 0 {
|
||||
obj.NFTables.MinSyncPeriod = metav1.Duration{Duration: 1 * time.Second}
|
||||
}
|
||||
if obj.NFTables.LocalhostNodePorts == nil {
|
||||
obj.NFTables.LocalhostNodePorts = ptr.To(true)
|
||||
}
|
||||
|
||||
if obj.Conntrack.MaxPerCore == nil {
|
||||
obj.Conntrack.MaxPerCore = ptr.To[int32](32 * 1024)
|
||||
|
||||
@ -63,11 +63,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
},
|
||||
NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{
|
||||
MasqueradeBit: ptr.To[int32](14),
|
||||
MasqueradeAll: false,
|
||||
LocalhostNodePorts: ptr.To(true),
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
|
||||
MasqueradeBit: ptr.To[int32](14),
|
||||
MasqueradeAll: false,
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
|
||||
},
|
||||
OOMScoreAdj: &oomScore,
|
||||
Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{
|
||||
@ -110,11 +109,10 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
},
|
||||
NFTables: kubeproxyconfigv1alpha1.KubeProxyNFTablesConfiguration{
|
||||
MasqueradeBit: ptr.To[int32](14),
|
||||
MasqueradeAll: false,
|
||||
LocalhostNodePorts: ptr.To(true),
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
|
||||
MasqueradeBit: ptr.To[int32](14),
|
||||
MasqueradeAll: false,
|
||||
SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
|
||||
MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
|
||||
},
|
||||
OOMScoreAdj: &oomScore,
|
||||
Conntrack: kubeproxyconfigv1alpha1.KubeProxyConntrackConfiguration{
|
||||
|
||||
@ -323,7 +323,6 @@ func Convert_config_KubeProxyIPVSConfiguration_To_v1alpha1_KubeProxyIPVSConfigur
|
||||
func autoConvert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTablesConfiguration(in *v1alpha1.KubeProxyNFTablesConfiguration, out *config.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
|
||||
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
|
||||
out.MasqueradeAll = in.MasqueradeAll
|
||||
out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
|
||||
out.SyncPeriod = in.SyncPeriod
|
||||
out.MinSyncPeriod = in.MinSyncPeriod
|
||||
return nil
|
||||
@ -337,7 +336,6 @@ func Convert_v1alpha1_KubeProxyNFTablesConfiguration_To_config_KubeProxyNFTables
|
||||
func autoConvert_config_KubeProxyNFTablesConfiguration_To_v1alpha1_KubeProxyNFTablesConfiguration(in *config.KubeProxyNFTablesConfiguration, out *v1alpha1.KubeProxyNFTablesConfiguration, s conversion.Scope) error {
|
||||
out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
|
||||
out.MasqueradeAll = in.MasqueradeAll
|
||||
out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
|
||||
out.SyncPeriod = in.SyncPeriod
|
||||
out.MinSyncPeriod = in.MinSyncPeriod
|
||||
return nil
|
||||
|
||||
5
pkg/proxy/apis/config/zz_generated.deepcopy.go
generated
5
pkg/proxy/apis/config/zz_generated.deepcopy.go
generated
@ -215,11 +215,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon
|
||||
*out = new(int32)
|
||||
**out = **in
|
||||
}
|
||||
if in.LocalhostNodePorts != nil {
|
||||
in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
out.SyncPeriod = in.SyncPeriod
|
||||
out.MinSyncPeriod = in.MinSyncPeriod
|
||||
return
|
||||
|
||||
@ -77,14 +77,8 @@ const (
|
||||
|
||||
// kube proxy canary chain is used for monitoring rule reload
|
||||
kubeProxyCanaryChain utiliptables.Chain = "KUBE-PROXY-CANARY"
|
||||
|
||||
// kubeletFirewallChain is a duplicate of kubelet's firewall containing
|
||||
// the anti-martian-packet rule. It should not be used for any other
|
||||
// rules.
|
||||
kubeletFirewallChain utiliptables.Chain = "KUBE-FIREWALL"
|
||||
)
|
||||
|
||||
const sysctlRouteLocalnet = "net/ipv4/conf/all/route_localnet"
|
||||
const sysctlNFConntrackTCPBeLiberal = "net/netfilter/nf_conntrack_tcp_be_liberal"
|
||||
|
||||
// internal struct for string service information
|
||||
@ -183,10 +177,6 @@ type Proxier struct {
|
||||
natChains proxyutil.LineBuffer
|
||||
natRules proxyutil.LineBuffer
|
||||
|
||||
// localhostNodePorts indicates whether we allow NodePort services to be accessed
|
||||
// via localhost.
|
||||
localhostNodePorts bool
|
||||
|
||||
// conntrackTCPLiberal indicates whether the system sets the kernel nf_conntrack_tcp_be_liberal
|
||||
conntrackTCPLiberal bool
|
||||
|
||||
@ -212,7 +202,6 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
syncPeriod time.Duration,
|
||||
minSyncPeriod time.Duration,
|
||||
masqueradeAll bool,
|
||||
localhostNodePorts bool,
|
||||
masqueradeBit int,
|
||||
localDetector proxyutiliptables.LocalTrafficDetector,
|
||||
hostname string,
|
||||
@ -224,18 +213,6 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
) (*Proxier, error) {
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
|
||||
|
||||
if !nodePortAddresses.ContainsIPv4Loopback() {
|
||||
localhostNodePorts = false
|
||||
}
|
||||
if localhostNodePorts {
|
||||
// Set the route_localnet sysctl we need for exposing NodePorts on loopback addresses
|
||||
// Refer to https://issues.k8s.io/90259
|
||||
klog.InfoS("Setting route_localnet=1 to allow node-ports on localhost; to change this either disable iptables.localhostNodePorts (--iptables-localhost-nodeports) or set nodePortAddresses (--nodeport-addresses) to filter loopback addresses")
|
||||
if err := proxyutil.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// Be conservative in what you do, be liberal in what you accept from others.
|
||||
// If it's non-zero, we mark only out of window RST segments as INVALID.
|
||||
// Ref: https://docs.kernel.org/networking/nf_conntrack-sysctl.html
|
||||
@ -281,7 +258,6 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
filterRules: proxyutil.NewLineBuffer(),
|
||||
natChains: proxyutil.NewLineBuffer(),
|
||||
natRules: proxyutil.NewLineBuffer(),
|
||||
localhostNodePorts: localhostNodePorts,
|
||||
nodePortAddresses: nodePortAddresses,
|
||||
networkInterfacer: proxyutil.RealNetwork{},
|
||||
conntrackTCPLiberal: conntrackTCPLiberal,
|
||||
@ -314,7 +290,6 @@ func NewDualStackProxier(
|
||||
syncPeriod time.Duration,
|
||||
minSyncPeriod time.Duration,
|
||||
masqueradeAll bool,
|
||||
localhostNodePorts bool,
|
||||
masqueradeBit int,
|
||||
localDetectors [2]proxyutiliptables.LocalTrafficDetector,
|
||||
hostname string,
|
||||
@ -326,14 +301,14 @@ func NewDualStackProxier(
|
||||
) (proxy.Provider, error) {
|
||||
// Create an ipv4 instance of the single-stack proxier
|
||||
ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[0], hostname,
|
||||
nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
|
||||
}
|
||||
|
||||
ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, masqueradeBit, localDetectors[1], hostname,
|
||||
nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
|
||||
@ -367,13 +342,6 @@ var iptablesJumpChains = []iptablesJumpChain{
|
||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
||||
}
|
||||
|
||||
// Duplicates of chains created in pkg/kubelet/kubelet_network_linux.go; we create these
|
||||
// on startup but do not delete them in CleanupLeftovers.
|
||||
var iptablesKubeletJumpChains = []iptablesJumpChain{
|
||||
{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainInput, "", nil},
|
||||
{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainOutput, "", nil},
|
||||
}
|
||||
|
||||
// When chains get removed from iptablesJumpChains, add them here so they get cleaned up
|
||||
// on upgrade.
|
||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{}
|
||||
@ -761,7 +729,7 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
// Ensure that our jump rules (eg from PREROUTING to KUBE-SERVICES) exist.
|
||||
// We can't do this as part of the iptables-restore because we don't want
|
||||
// to specify/replace *all* of the rules in PREROUTING, etc.
|
||||
for _, jump := range append(iptablesJumpChains, iptablesKubeletJumpChains...) {
|
||||
for _, jump := range iptablesJumpChains {
|
||||
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
|
||||
klog.ErrorS(err, "Failed to ensure chain exists", "table", jump.table, "chain", jump.dstChain)
|
||||
return
|
||||
@ -828,30 +796,6 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
"-j", "MARK", "--or-mark", proxier.masqueradeMark,
|
||||
)
|
||||
|
||||
isIPv6 := proxier.iptables.IsIPv6()
|
||||
if !isIPv6 && proxier.localhostNodePorts {
|
||||
// Kube-proxy's use of `route_localnet` to enable NodePorts on localhost
|
||||
// creates a security hole (https://issue.k8s.io/90259) which this
|
||||
// iptables rule mitigates.
|
||||
|
||||
// NOTE: kubelet creates an identical copy of this rule. If you want to
|
||||
// change this rule in the future, you MUST do so in a way that will
|
||||
// interoperate correctly with skewed versions of the rule created by
|
||||
// kubelet. (Actually, kubelet uses "--dst"/"--src" rather than "-d"/"-s"
|
||||
// but that's just a command-line thing and results in the same rule being
|
||||
// created in the kernel.)
|
||||
proxier.filterChains.Write(utiliptables.MakeChainLine(kubeletFirewallChain))
|
||||
proxier.filterRules.Write(
|
||||
"-A", string(kubeletFirewallChain),
|
||||
"-m", "comment", "--comment", `"block incoming localnet connections"`,
|
||||
"-d", "127.0.0.0/8",
|
||||
"!", "-s", "127.0.0.0/8",
|
||||
"-m", "conntrack",
|
||||
"!", "--ctstate", "RELATED,ESTABLISHED,DNAT",
|
||||
"-j", "DROP",
|
||||
)
|
||||
}
|
||||
|
||||
// Accumulate NAT chains to keep.
|
||||
activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set
|
||||
|
||||
@ -1330,12 +1274,13 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
// Finally, tail-call to the nodePorts chain. This needs to be after all
|
||||
// other service portal rules.
|
||||
if proxier.nodePortAddresses.MatchAll() {
|
||||
isIPv6 := proxier.iptables.IsIPv6()
|
||||
|
||||
destinations := []string{"-m", "addrtype", "--dst-type", "LOCAL"}
|
||||
// Block localhost nodePorts if they are not supported. (For IPv6 they never
|
||||
// work, and for IPv4 they only work if we previously set `route_localnet`.)
|
||||
// Block localhost nodePorts
|
||||
if isIPv6 {
|
||||
destinations = append(destinations, "!", "-d", "::1/128")
|
||||
} else if !proxier.localhostNodePorts {
|
||||
} else {
|
||||
destinations = append(destinations, "!", "-d", "127.0.0.0/8")
|
||||
}
|
||||
|
||||
@ -1351,13 +1296,8 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
}
|
||||
for _, ip := range nodeIPs {
|
||||
if ip.IsLoopback() {
|
||||
if isIPv6 {
|
||||
klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported on IPv6", "address", ip.String())
|
||||
continue
|
||||
} else if !proxier.localhostNodePorts {
|
||||
klog.ErrorS(nil, "--nodeport-addresses includes localhost but --iptables-localhost-nodeports=false was passed", "address", ip.String())
|
||||
continue
|
||||
}
|
||||
klog.ErrorS(nil, "--nodeport-addresses includes localhost but localhost NodePorts are not supported", "address", ip.String())
|
||||
continue
|
||||
}
|
||||
|
||||
// create nodeport rules for each IP one by one
|
||||
|
||||
@ -338,7 +338,6 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
|
||||
natChains: proxyutil.NewLineBuffer(),
|
||||
natRules: proxyutil.NewLineBuffer(),
|
||||
nodeIP: netutils.ParseIPSloppy(testNodeIP),
|
||||
localhostNodePorts: true,
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipfamily, nil),
|
||||
networkInterfacer: networkInterfacer,
|
||||
}
|
||||
@ -694,7 +693,7 @@ func checkIPTablesRuleJumps(ruleData string) error {
|
||||
// Find cases where we have ":BAR" but no "-A FOO ... -j BAR", meaning
|
||||
// that we are creating an empty chain but not using it for anything.
|
||||
extraChains := createdChains.Difference(jumpedChains)
|
||||
extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain), string(kubeletFirewallChain))
|
||||
extraChains.Delete(string(kubeServicesChain), string(kubeExternalServicesChain), string(kubeNodePortsChain), string(kubePostroutingChain), string(kubeForwardChain), string(kubeMarkMasqChain), string(kubeProxyFirewallChain))
|
||||
if len(extraChains) > 0 {
|
||||
return fmt.Errorf("some chains in %s are created but not used: %v", tableName, extraChains.UnsortedList())
|
||||
}
|
||||
@ -1913,7 +1912,6 @@ func TestOverallIPTablesRules(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-NODEPORTS -m comment --comment "ns2/svc2:p80 health check node port" -m tcp -p tcp --dport 30000 -j ACCEPT
|
||||
@ -1921,7 +1919,6 @@ func TestOverallIPTablesRules(t *testing.T) {
|
||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 192.168.99.22 --dport 80 -j DROP
|
||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m tcp -p tcp -d 1.2.3.4 --dport 80 -j DROP
|
||||
-A KUBE-EXTERNAL-SERVICES -m comment --comment "ns2/svc2:p80 has no local endpoints" -m addrtype --dst-type LOCAL -m tcp -p tcp --dport 3001 -j DROP
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -1960,7 +1957,7 @@ func TestOverallIPTablesRules(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 external IP" -m tcp -p tcp -d 192.168.99.33 --dport 80 -j KUBE-EXT-4SW47YFZTEDKD3PK
|
||||
-A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 cluster IP" -m tcp -p tcp -d 172.30.0.45 --dport 80 -j KUBE-SVC-NUKIZ6OKUXPJNT4C
|
||||
-A KUBE-SERVICES -m comment --comment "ns5/svc5:p80 loadbalancer IP" -m tcp -p tcp -d 5.6.7.8 --dport 80 -j KUBE-FW-NUKIZ6OKUXPJNT4C
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-EXT-4SW47YFZTEDKD3PK -m comment --comment "masquerade traffic for ns4/svc4:p80 external destinations" -j KUBE-MARK-MASQ
|
||||
-A KUBE-EXT-4SW47YFZTEDKD3PK -j KUBE-SVC-4SW47YFZTEDKD3PK
|
||||
-A KUBE-EXT-GNZBNJ2PO5MGZ6GT -m comment --comment "pod traffic for ns2/svc2:p80 external destinations" -s 10.0.0.0/8 -j KUBE-SVC-GNZBNJ2PO5MGZ6GT
|
||||
@ -2431,9 +2428,8 @@ func TestNodePorts(t *testing.T) {
|
||||
testCases := []struct {
|
||||
name string
|
||||
|
||||
family v1.IPFamily
|
||||
localhostNodePorts bool
|
||||
nodePortAddresses []string
|
||||
family v1.IPFamily
|
||||
nodePortAddresses []string
|
||||
|
||||
// allowAltNodeIP is true if we expect NodePort traffic on the alternate
|
||||
// node IP to be accepted
|
||||
@ -2444,71 +2440,37 @@ func TestNodePorts(t *testing.T) {
|
||||
expectFirewall bool
|
||||
}{
|
||||
{
|
||||
name: "ipv4, localhost-nodeports enabled",
|
||||
name: "ipv4",
|
||||
|
||||
family: v1.IPv4Protocol,
|
||||
localhostNodePorts: true,
|
||||
nodePortAddresses: nil,
|
||||
family: v1.IPv4Protocol,
|
||||
nodePortAddresses: nil,
|
||||
|
||||
allowAltNodeIP: true,
|
||||
expectFirewall: true,
|
||||
},
|
||||
{
|
||||
name: "ipv4, localhost-nodeports disabled",
|
||||
name: "ipv4, multiple nodeport-addresses",
|
||||
|
||||
family: v1.IPv4Protocol,
|
||||
localhostNodePorts: false,
|
||||
nodePortAddresses: nil,
|
||||
family: v1.IPv4Protocol,
|
||||
nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
|
||||
|
||||
allowAltNodeIP: true,
|
||||
expectFirewall: false,
|
||||
},
|
||||
{
|
||||
name: "ipv4, localhost-nodeports disabled, localhost in nodeport-addresses",
|
||||
name: "ipv6",
|
||||
|
||||
family: v1.IPv4Protocol,
|
||||
localhostNodePorts: false,
|
||||
nodePortAddresses: []string{"192.168.0.0/24", "127.0.0.1/32"},
|
||||
|
||||
allowAltNodeIP: false,
|
||||
expectFirewall: false,
|
||||
},
|
||||
{
|
||||
name: "ipv4, localhost-nodeports enabled, multiple nodeport-addresses",
|
||||
|
||||
family: v1.IPv4Protocol,
|
||||
localhostNodePorts: false,
|
||||
nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
|
||||
family: v1.IPv6Protocol,
|
||||
nodePortAddresses: nil,
|
||||
|
||||
allowAltNodeIP: true,
|
||||
expectFirewall: false,
|
||||
},
|
||||
{
|
||||
name: "ipv6, localhost-nodeports enabled",
|
||||
name: "ipv6, multiple nodeport-addresses",
|
||||
|
||||
family: v1.IPv6Protocol,
|
||||
localhostNodePorts: true,
|
||||
nodePortAddresses: nil,
|
||||
|
||||
allowAltNodeIP: true,
|
||||
expectFirewall: false,
|
||||
},
|
||||
{
|
||||
name: "ipv6, localhost-nodeports disabled",
|
||||
|
||||
family: v1.IPv6Protocol,
|
||||
localhostNodePorts: false,
|
||||
nodePortAddresses: nil,
|
||||
|
||||
allowAltNodeIP: true,
|
||||
expectFirewall: false,
|
||||
},
|
||||
{
|
||||
name: "ipv6, localhost-nodeports disabled, multiple nodeport-addresses",
|
||||
|
||||
family: v1.IPv6Protocol,
|
||||
localhostNodePorts: false,
|
||||
nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
|
||||
family: v1.IPv6Protocol,
|
||||
nodePortAddresses: []string{"192.168.0.0/24", "192.168.1.0/24", "2001:db8::/64"},
|
||||
|
||||
allowAltNodeIP: false,
|
||||
expectFirewall: false,
|
||||
@ -2531,7 +2493,6 @@ func TestNodePorts(t *testing.T) {
|
||||
epIP2 = "fd00:10:180::2:1"
|
||||
}
|
||||
fp := NewFakeProxier(ipt)
|
||||
fp.localhostNodePorts = tc.localhostNodePorts
|
||||
if tc.nodePortAddresses != nil {
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses)
|
||||
}
|
||||
@ -2573,19 +2534,17 @@ func TestNodePorts(t *testing.T) {
|
||||
|
||||
fp.syncProxyRules()
|
||||
|
||||
var podIP, externalClientIP, nodeIP, altNodeIP, localhostIP string
|
||||
var podIP, externalClientIP, nodeIP, altNodeIP string
|
||||
if tc.family == v1.IPv4Protocol {
|
||||
podIP = "10.0.0.2"
|
||||
externalClientIP = testExternalClient
|
||||
nodeIP = testNodeIP
|
||||
altNodeIP = testNodeIPAlt
|
||||
localhostIP = "127.0.0.1"
|
||||
} else {
|
||||
podIP = "fd00:10::2"
|
||||
externalClientIP = "2600:5200::1"
|
||||
nodeIP = testNodeIPv6
|
||||
altNodeIP = testNodeIPv6Alt
|
||||
localhostIP = "::1"
|
||||
}
|
||||
output := net.JoinHostPort(epIP1, "80") + ", " + net.JoinHostPort(epIP2, "80")
|
||||
|
||||
@ -2617,30 +2576,6 @@ func TestNodePorts(t *testing.T) {
|
||||
},
|
||||
})
|
||||
|
||||
// localhost to NodePort is only allowed in IPv4, and only if not disabled
|
||||
if tc.family == v1.IPv4Protocol && tc.localhostNodePorts {
|
||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
||||
{
|
||||
name: "localhost to nodePort gets masqueraded",
|
||||
sourceIP: localhostIP,
|
||||
destIP: localhostIP,
|
||||
destPort: 3001,
|
||||
output: output,
|
||||
masq: true,
|
||||
},
|
||||
})
|
||||
} else {
|
||||
runPacketFlowTests(t, getLine(), ipt, testNodeIPs, []packetFlowTest{
|
||||
{
|
||||
name: "localhost to nodePort is ignored",
|
||||
sourceIP: localhostIP,
|
||||
destIP: localhostIP,
|
||||
destPort: 3001,
|
||||
output: "",
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// NodePort on altNodeIP should be allowed, unless
|
||||
// nodePortAddressess excludes altNodeIP
|
||||
if tc.allowAltNodeIP {
|
||||
@ -2665,15 +2600,6 @@ func TestNodePorts(t *testing.T) {
|
||||
},
|
||||
})
|
||||
}
|
||||
|
||||
// We have to check the firewall rule manually rather than via
|
||||
// runPacketFlowTests(), because the packet tracer doesn't
|
||||
// implement conntrack states.
|
||||
var expected string
|
||||
if tc.expectFirewall {
|
||||
expected = "-A KUBE-FIREWALL -m comment --comment \"block incoming localnet connections\" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP\n"
|
||||
}
|
||||
assertIPTablesChainEqual(t, getLine(), utiliptables.TableFilter, kubeletFirewallChain, expected, fp.iptablesData.String())
|
||||
})
|
||||
}
|
||||
}
|
||||
@ -5526,14 +5452,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
|
||||
output: "10.180.0.1:80, 10.180.1.1:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "localhost to NodePort",
|
||||
sourceIP: "127.0.0.1",
|
||||
destIP: "127.0.0.1",
|
||||
destPort: 3001,
|
||||
output: "10.180.0.1:80, 10.180.1.1:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "node to LB",
|
||||
sourceIP: testNodeIP,
|
||||
@ -5630,17 +5548,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
|
||||
output: "10.180.0.1:80, 10.180.1.1:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "localhost to NodePort with eTP:Local",
|
||||
sourceIP: "127.0.0.1",
|
||||
destIP: "127.0.0.1",
|
||||
destPort: 3002,
|
||||
|
||||
// The traffic gets short-circuited, ignoring externalTrafficPolicy, so
|
||||
// same as "localhost to NodePort" above.
|
||||
output: "10.180.0.2:80, 10.180.1.2:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "node to LB with eTP:Local",
|
||||
sourceIP: testNodeIP,
|
||||
@ -5741,17 +5648,6 @@ func TestInternalExternalMasquerade(t *testing.T) {
|
||||
output: "10.180.0.3:80, 10.180.1.3:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "localhost to NodePort with iTP:Local",
|
||||
sourceIP: "127.0.0.1",
|
||||
destIP: "127.0.0.1",
|
||||
destPort: 3003,
|
||||
|
||||
// internalTrafficPolicy does not apply to NodePort traffic, so same as
|
||||
// "localhost to NodePort" above.
|
||||
output: "10.180.0.3:80, 10.180.1.3:80",
|
||||
masq: true,
|
||||
},
|
||||
{
|
||||
name: "node to LB with iTP:Local",
|
||||
sourceIP: testNodeIP,
|
||||
@ -6005,10 +5901,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6024,7 +5918,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6081,10 +5975,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6103,7 +5995,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns2/svc2:p8080 cluster IP" -m tcp -p tcp -d 172.30.0.42 --dport 8080 -j KUBE-SVC-2VJB64SDSIJUP5T6
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6141,10 +6033,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6162,7 +6052,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6207,11 +6097,9 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 has no endpoints" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j REJECT
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6227,7 +6115,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-SVC-XPGD46QRK7WJZT7O - [0:0]
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6270,10 +6158,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6292,7 +6178,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6332,10 +6218,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6355,7 +6239,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6394,10 +6278,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6417,7 +6299,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
@ -6458,10 +6340,8 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
:KUBE-NODEPORTS - [0:0]
|
||||
:KUBE-SERVICES - [0:0]
|
||||
:KUBE-EXTERNAL-SERVICES - [0:0]
|
||||
:KUBE-FIREWALL - [0:0]
|
||||
:KUBE-FORWARD - [0:0]
|
||||
:KUBE-PROXY-FIREWALL - [0:0]
|
||||
-A KUBE-FIREWALL -m comment --comment "block incoming localnet connections" -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
|
||||
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
|
||||
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding conntrack rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
@ -6481,7 +6361,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
-A KUBE-SERVICES -m comment --comment "ns1/svc1:p80 cluster IP" -m tcp -p tcp -d 172.30.0.41 --dport 80 -j KUBE-SVC-XPGD46QRK7WJZT7O
|
||||
-A KUBE-SERVICES -m comment --comment "ns3/svc3:p80 cluster IP" -m tcp -p tcp -d 172.30.0.43 --dport 80 -j KUBE-SVC-X27LE4BHSL4DOUIK
|
||||
-A KUBE-SERVICES -m comment --comment "ns4/svc4:p80 cluster IP" -m tcp -p tcp -d 172.30.0.44 --dport 80 -j KUBE-SVC-4SW47YFZTEDKD3PK
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
|
||||
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL ! -d 127.0.0.0/8 -j KUBE-NODEPORTS
|
||||
-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
|
||||
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
|
||||
-A KUBE-POSTROUTING -j MARK --xor-mark 0x4000
|
||||
|
||||
@ -86,9 +86,6 @@ type KubeProxyNFTablesConfiguration struct {
|
||||
// masqueradeAll tells kube-proxy to SNAT all traffic sent to Service cluster IPs,
|
||||
// when using the nftables mode. This may be required with some CNI plugins.
|
||||
MasqueradeAll bool `json:"masqueradeAll"`
|
||||
// localhostNodePorts, if false, tells kube-proxy to disable the legacy behavior
|
||||
// of allowing NodePort services to be accessed via localhost. FIXME: remove.
|
||||
LocalhostNodePorts *bool `json:"localhostNodePorts"`
|
||||
// syncPeriod is an interval (e.g. '5s', '1m', '2h22m') indicating how frequently
|
||||
// various re-synchronizing and cleanup operations are performed. Must be greater
|
||||
// than 0.
|
||||
|
||||
@ -193,11 +193,6 @@ func (in *KubeProxyNFTablesConfiguration) DeepCopyInto(out *KubeProxyNFTablesCon
|
||||
*out = new(int32)
|
||||
**out = **in
|
||||
}
|
||||
if in.LocalhostNodePorts != nil {
|
||||
in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
|
||||
*out = new(bool)
|
||||
**out = **in
|
||||
}
|
||||
out.SyncPeriod = in.SyncPeriod
|
||||
out.MinSyncPeriod = in.MinSyncPeriod
|
||||
return
|
||||
|
||||
Loading…
Reference in New Issue
Block a user