diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go
index 8f767817a0f..9d03adf1499 100644
--- a/pkg/kubelet/kubelet_network_linux.go
+++ b/pkg/kubelet/kubelet_network_linux.go
@@ -87,6 +87,12 @@ func (kl *Kubelet) syncIPTablesRules(iptClient utiliptables.Interface) bool {
 if !iptClient.IsIPv6() { // ipv6 doesn't have this issue
 // Set up the KUBE-FIREWALL chain and martian packet protection rule.
 // (See below.)
+
+ // NOTE: kube-proxy (in iptables mode) creates an identical copy of this
+ // rule. If you want to change this rule in the future, you MUST do so in
+ // a way that will interoperate correctly with skewed versions of the rule
+ // created by kube-proxy.
+
 if _, err := iptClient.EnsureChain(utiliptables.TableFilter, KubeFirewallChain); err != nil {
 klog.ErrorS(err, "Failed to ensure that filter table KUBE-FIREWALL chain exists")
 return false
@@ -178,8 +184,12 @@ func (kl *Kubelet) syncIPTablesRulesDeprecated(iptClient utiliptables.Interface)
 }
 
 // Set up KUBE-POSTROUTING to unmark and masquerade marked packets
- // NB: THIS MUST MATCH the corresponding code in the iptables and ipvs
- // modes of kube-proxy
+
+ // NOTE: kube-proxy (in iptables and ipvs modes) creates identical copies of these
+ // rules. If you want to change these rules in the future, you MUST do so in a way
+ // that will interoperate correctly with skewed versions of the rules created by
+ // kube-proxy.
+
 if _, err := iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubePostroutingChain,
 "-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", masqueradeMark, masqueradeMark),
 "-j", "RETURN"); err != nil {
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 937441ecaac..4e5b7cb0791 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
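Review bot: The new kubelet-side NOTE in the syncIPTablesRules hunk calls the kube-proxy rule "an identical copy", but the matching comment this commit adds in pkg/proxy/iptables/proxier.go says kubelet spells the rule with `--dst`/`--src` while kube-proxy uses `-d`/`-s`, so the two are only identical after the kernel has parsed them. A maintainer editing the kubelet rule (the EnsureRule call for KUBE-FIREWALL sits below this hunk; syncIPTablesRules continues outside it) would not learn that from the kubelet comment alone. Suggest carrying the parenthetical over, e.g. `// (kube-proxy spells it with "-d"/"-s" rather than "--dst"/"--src"; both produce the same rule in the kernel.)`. In both kubelet hunks it would also help to say what "interoperate correctly" has to mean in practice: since EnsureRule only adds a rule when it is absent, a differently-spelled older rule left by the other component presumably stays in the chain beside the new one, so any rewrite must remain safe with both present.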
@@ -922,7 +922,12 @@ func (proxier *Proxier) syncProxyRules() {
 // Install the kubernetes-specific postrouting rules. We use a whole chain for
 // this so that it is easier to flush and change, for example if the mark
 // value should ever change.
- // NB: THIS MUST MATCH the corresponding code in the kubelet
+
+ // NOTE: kubelet creates identical copies of these rules. If you want to change
+ // these rules in the future, you MUST do so in a way that will interoperate
+ // correctly with skewed versions of the rules created by kubelet. (Remove this
+ // comment once IPTablesOwnershipCleanup is GA.)
+
 proxier.natRules.Write(
 "-A", string(kubePostroutingChain),
 "-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),
@@ -956,9 +961,13 @@ func (proxier *Proxier) syncProxyRules() {
 // Kube-proxy's use of `route_localnet` to enable NodePorts on localhost
 // creates a security hole (https://issue.k8s.io/90259) which this
 // iptables rule mitigates.
- // NB: THIS MUST MATCH the corresponding code in the kubelet. (Actually,
- // kubelet uses "--dst"/"--src" rather than "-d"/"-s" but that's just a
- // command-line thing and results in the same rule being created.)
+
+ // NOTE: kubelet creates an identical copy of this rule. If you want to
+ // change this rule in the future, you MUST do so in a way that will
+ // interoperate correctly with skewed versions of the rule created by
+ // kubelet. (Actually, kubelet uses "--dst"/"--src" rather than "-d"/"-s"
+ // but that's just a command-line thing and results in the same rule being
+ // created in the kernel.)
 proxier.filterChains.Write(utiliptables.MakeChainLine(kubeletFirewallChain))
 proxier.filterRules.Write(
 "-A", string(kubeletFirewallChain),
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index cf52b2fcdce..7d40b4c91d7 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -1734,7 +1734,12 @@ func (proxier *Proxier) writeIptablesRules() {
 // Install the kubernetes-specific postrouting rules. We use a whole chain for
 // this so that it is easier to flush and change, for example if the mark
 // value should ever change.
- // NB: THIS MUST MATCH the corresponding code in the kubelet
+
+ // NOTE: kubelet creates identical copies of these rules. If you want to change
+ // these rules in the future, you MUST do so in a way that will interoperate
+ // correctly with skewed versions of the rules created by kubelet. (Remove this
+ // comment once IPTablesOwnershipCleanup is GA.)
+
 proxier.natRules.Write(
 "-A", string(kubePostroutingChain),
 "-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),