github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 09:22:44 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #110628 from danwinship/kep-3178-ipvs-mark-drop

Browse Source 
don't use KUBE-MARK-DROP in ipvs proxy
This commit is contained in:
Kubernetes Prow Robot 2022-06-23 07:59:55 -07:00 committed by GitHub
commit 1e3c973e72
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 40 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
pkg/proxy/ipvs/proxier.go
View File

@ -63,8 +63,11 @@ const (
// kubeServicesChain is the services portal chain // kubeServicesChain is the services portal chain
kubeServicesChain utiliptables.Chain = "KUBE-SERVICES" kubeServicesChain utiliptables.Chain = "KUBE-SERVICES"
// kubeFirewallChain is the kubernetes firewall chain. // kubeProxyFirewallChain is the kube-proxy firewall chain.
kubeFirewallChain utiliptables.Chain = "KUBE-FIREWALL" kubeProxyFirewallChain utiliptables.Chain = "KUBE-PROXY-FIREWALL"
// kubeSourceRangesFirewallChain is the firewall subchain for LoadBalancerSourceRanges.
kubeSourceRangesFirewallChain utiliptables.Chain = "KUBE-SOURCE-RANGES-FIREWALL"
// kubePostroutingChain is the kubernetes postrouting chain // kubePostroutingChain is the kubernetes postrouting chain
kubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING" kubePostroutingChain utiliptables.Chain = "KUBE-POSTROUTING"
@ -75,9 +78,6 @@ const (
// kubeNodePortChain is the kubernetes node port chain // kubeNodePortChain is the kubernetes node port chain
kubeNodePortChain utiliptables.Chain = "KUBE-NODE-PORT" kubeNodePortChain utiliptables.Chain = "KUBE-NODE-PORT"
// KubeMarkDropChain is the mark-for-drop chain
kubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
// kubeForwardChain is the kubernetes forward chain // kubeForwardChain is the kubernetes forward chain
kubeForwardChain utiliptables.Chain = "KUBE-FORWARD" kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
@ -110,6 +110,8 @@ var iptablesJumpChain = []struct {
{utiliptables.TableNAT, utiliptables.ChainPostrouting, kubePostroutingChain, "kubernetes postrouting rules"}, {utiliptables.TableNAT, utiliptables.ChainPostrouting, kubePostroutingChain, "kubernetes postrouting rules"},
{utiliptables.TableFilter, utiliptables.ChainForward, kubeForwardChain, "kubernetes forwarding rules"}, {utiliptables.TableFilter, utiliptables.ChainForward, kubeForwardChain, "kubernetes forwarding rules"},
{utiliptables.TableFilter, utiliptables.ChainInput, kubeNodePortChain, "kubernetes health check rules"}, {utiliptables.TableFilter, utiliptables.ChainInput, kubeNodePortChain, "kubernetes health check rules"},
{utiliptables.TableFilter, utiliptables.ChainInput, kubeProxyFirewallChain, "kube-proxy firewall rules"},
{utiliptables.TableFilter, utiliptables.ChainForward, kubeProxyFirewallChain, "kube-proxy firewall rules"},
} }
var iptablesChains = []struct { var iptablesChains = []struct {
@ -118,19 +120,13 @@ var iptablesChains = []struct {
}{ }{
{utiliptables.TableNAT, kubeServicesChain}, {utiliptables.TableNAT, kubeServicesChain},
{utiliptables.TableNAT, kubePostroutingChain}, {utiliptables.TableNAT, kubePostroutingChain},
{utiliptables.TableNAT, kubeFirewallChain},
{utiliptables.TableNAT, kubeNodePortChain}, {utiliptables.TableNAT, kubeNodePortChain},
{utiliptables.TableNAT, kubeLoadBalancerChain}, {utiliptables.TableNAT, kubeLoadBalancerChain},
{utiliptables.TableNAT, kubeMarkMasqChain}, {utiliptables.TableNAT, kubeMarkMasqChain},
{utiliptables.TableFilter, kubeForwardChain}, {utiliptables.TableFilter, kubeForwardChain},
{utiliptables.TableFilter, kubeNodePortChain}, {utiliptables.TableFilter, kubeNodePortChain},
} {utiliptables.TableFilter, kubeProxyFirewallChain},
{utiliptables.TableFilter, kubeSourceRangesFirewallChain},
var iptablesEnsureChains = []struct {
table utiliptables.Table
chain utiliptables.Chain
}{
{utiliptables.TableNAT, kubeMarkDropChain},
} }
var iptablesCleanupChains = []struct { var iptablesCleanupChains = []struct {
@ -139,11 +135,12 @@ var iptablesCleanupChains = []struct {
}{ }{
{utiliptables.TableNAT, kubeServicesChain}, {utiliptables.TableNAT, kubeServicesChain},
{utiliptables.TableNAT, kubePostroutingChain}, {utiliptables.TableNAT, kubePostroutingChain},
{utiliptables.TableNAT, kubeFirewallChain},
{utiliptables.TableNAT, kubeNodePortChain}, {utiliptables.TableNAT, kubeNodePortChain},
{utiliptables.TableNAT, kubeLoadBalancerChain}, {utiliptables.TableNAT, kubeLoadBalancerChain},
{utiliptables.TableFilter, kubeForwardChain}, {utiliptables.TableFilter, kubeForwardChain},
{utiliptables.TableFilter, kubeNodePortChain}, {utiliptables.TableFilter, kubeNodePortChain},
{utiliptables.TableFilter, kubeProxyFirewallChain},
{utiliptables.TableFilter, kubeSourceRangesFirewallChain},
} }
// ipsetInfo is all ipset we needed in ipvs proxier // ipsetInfo is all ipset we needed in ipvs proxier
@ -177,23 +174,25 @@ var ipsetInfo = []struct {
// Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP. // Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP.
var ipsetWithIptablesChain = []struct { var ipsetWithIptablesChain = []struct {
name string name string
table utiliptables.Table
from string from string
to string to string
matchType string matchType string
protocolMatch string protocolMatch string
}{ }{
{kubeLoopBackIPSet, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src", ""}, {kubeLoopBackIPSet, utiliptables.TableNAT, string(kubePostroutingChain), "MASQUERADE", "dst,dst,src", ""},
{kubeLoadBalancerSet, string(kubeServicesChain), string(kubeLoadBalancerChain), "dst,dst", ""}, {kubeLoadBalancerSet, utiliptables.TableNAT, string(kubeServicesChain), string(kubeLoadBalancerChain), "dst,dst", ""},
{kubeLoadBalancerFWSet, string(kubeLoadBalancerChain), string(kubeFirewallChain), "dst,dst", ""}, {kubeLoadBalancerLocalSet, utiliptables.TableNAT, string(kubeLoadBalancerChain), "RETURN", "dst,dst", ""},
{kubeLoadBalancerSourceCIDRSet, string(kubeFirewallChain), "RETURN", "dst,dst,src", ""}, {kubeNodePortLocalSetTCP, utiliptables.TableNAT, string(kubeNodePortChain), "RETURN", "dst", utilipset.ProtocolTCP},
{kubeLoadBalancerSourceIPSet, string(kubeFirewallChain), "RETURN", "dst,dst,src", ""}, {kubeNodePortSetTCP, utiliptables.TableNAT, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst", utilipset.ProtocolTCP},
{kubeLoadBalancerLocalSet, string(kubeLoadBalancerChain), "RETURN", "dst,dst", ""}, {kubeNodePortLocalSetUDP, utiliptables.TableNAT, string(kubeNodePortChain), "RETURN", "dst", utilipset.ProtocolUDP},
{kubeNodePortLocalSetTCP, string(kubeNodePortChain), "RETURN", "dst", utilipset.ProtocolTCP}, {kubeNodePortSetUDP, utiliptables.TableNAT, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst", utilipset.ProtocolUDP},
{kubeNodePortSetTCP, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst", utilipset.ProtocolTCP}, {kubeNodePortLocalSetSCTP, utiliptables.TableNAT, string(kubeNodePortChain), "RETURN", "dst,dst", utilipset.ProtocolSCTP},
{kubeNodePortLocalSetUDP, string(kubeNodePortChain), "RETURN", "dst", utilipset.ProtocolUDP}, {kubeNodePortSetSCTP, utiliptables.TableNAT, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst,dst", utilipset.ProtocolSCTP},
{kubeNodePortSetUDP, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst", utilipset.ProtocolUDP},
{kubeNodePortLocalSetSCTP, string(kubeNodePortChain), "RETURN", "dst,dst", utilipset.ProtocolSCTP}, {kubeLoadBalancerFWSet, utiliptables.TableFilter, string(kubeProxyFirewallChain), string(kubeSourceRangesFirewallChain), "dst,dst", ""},
{kubeNodePortSetSCTP, string(kubeNodePortChain), string(kubeMarkMasqChain), "dst,dst", utilipset.ProtocolSCTP}, {kubeLoadBalancerSourceCIDRSet, utiliptables.TableFilter, string(kubeSourceRangesFirewallChain), "RETURN", "dst,dst,src", ""},
{kubeLoadBalancerSourceIPSet, utiliptables.TableFilter, string(kubeSourceRangesFirewallChain), "RETURN", "dst,dst,src", ""},
} }
// In IPVS proxy mode, the following flags need to be set // In IPVS proxy mode, the following flags need to be set
@ -1648,9 +1647,13 @@ func (proxier *Proxier) writeIptablesRules() {
"-m", "set", "--match-set", proxier.ipsetList[set.name].Name, "-m", "set", "--match-set", proxier.ipsetList[set.name].Name,
set.matchType, set.matchType,
) )
if set.table == utiliptables.TableFilter {
proxier.filterRules.Write(args, "-j", set.to)
} else {
proxier.natRules.Write(args, "-j", set.to) proxier.natRules.Write(args, "-j", set.to)
} }
} }
}
if !proxier.ipsetList[kubeClusterIPSet].isEmpty() { if !proxier.ipsetList[kubeClusterIPSet].isEmpty() {
args = append(args[:0], args = append(args[:0],
@ -1737,10 +1740,10 @@ func (proxier *Proxier) writeIptablesRules() {
"-j", string(kubeMarkMasqChain), "-j", string(kubeMarkMasqChain),
) )
// mark drop for KUBE-FIREWALL // drop packets filtered by KUBE-SOURCE-RANGES-FIREWALL
proxier.natRules.Write( proxier.filterRules.Write(
"-A", string(kubeFirewallChain), "-A", string(kubeSourceRangesFirewallChain),
"-j", string(kubeMarkDropChain), "-j", "DROP",
) )
// Accept all traffic with destination of ipvs virtual service, in case other iptables rules // Accept all traffic with destination of ipvs virtual service, in case other iptables rules
@ -1839,14 +1842,6 @@ func (proxier *Proxier) createAndLinkKubeChain() {
existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter) existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT) existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
// ensure KUBE-MARK-DROP chain exist but do not change any rules
for _, ch := range iptablesEnsureChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
klog.ErrorS(err, "Failed to ensure chain exists", "table", ch.table, "chain", ch.chain)
return
}
}
// Make sure we keep stats for the top-level chains // Make sure we keep stats for the top-level chains
for _, ch := range iptablesChains { for _, ch := range iptablesChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil { if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {

13
pkg/proxy/ipvs/proxier_test.go
View File

@ -2243,15 +2243,13 @@ func TestLoadBalancerSourceRanges(t *testing.T) {
}, { }, {
JumpChain: "ACCEPT", MatchSet: kubeLoadBalancerSet, JumpChain: "ACCEPT", MatchSet: kubeLoadBalancerSet,
}}, }},
string(kubeLoadBalancerChain): {{ string(kubeProxyFirewallChain): {{
JumpChain: string(kubeFirewallChain), MatchSet: kubeLoadBalancerFWSet, JumpChain: string(kubeSourceRangesFirewallChain), MatchSet: kubeLoadBalancerFWSet,
}, {
JumpChain: string(kubeMarkMasqChain), MatchSet: "",
}}, }},
string(kubeFirewallChain): {{ string(kubeSourceRangesFirewallChain): {{
JumpChain: "RETURN", MatchSet: kubeLoadBalancerSourceCIDRSet, JumpChain: "RETURN", MatchSet: kubeLoadBalancerSourceCIDRSet,
}, { }, {
JumpChain: string(kubeMarkDropChain), MatchSet: "", JumpChain: "DROP", MatchSet: "",
}}, }},
} }
checkIptables(t, ipt, epIpt) checkIptables(t, ipt, epIpt)
@ -4675,13 +4673,14 @@ func TestCreateAndLinkKubeChain(t *testing.T) {
fp.createAndLinkKubeChain() fp.createAndLinkKubeChain()
expectedNATChains := `:KUBE-SERVICES - [0:0] expectedNATChains := `:KUBE-SERVICES - [0:0]
:KUBE-POSTROUTING - [0:0] :KUBE-POSTROUTING - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-NODE-PORT - [0:0] :KUBE-NODE-PORT - [0:0]
:KUBE-LOAD-BALANCER - [0:0] :KUBE-LOAD-BALANCER - [0:0]
:KUBE-MARK-MASQ - [0:0] :KUBE-MARK-MASQ - [0:0]
` `
expectedFilterChains := `:KUBE-FORWARD - [0:0] expectedFilterChains := `:KUBE-FORWARD - [0:0]
:KUBE-NODE-PORT - [0:0] :KUBE-NODE-PORT - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
:KUBE-SOURCE-RANGES-FIREWALL - [0:0]
` `
assert.Equal(t, expectedNATChains, string(fp.natChains.Bytes())) assert.Equal(t, expectedNATChains, string(fp.natChains.Bytes()))
assert.Equal(t, expectedFilterChains, string(fp.filterChains.Bytes())) assert.Equal(t, expectedFilterChains, string(fp.filterChains.Bytes()))