Teach the kubelet about --hairpin-mode=promiscuous-bridge.

2026-01-04 23:17:50 +00:00 · 2016-02-16 10:23:58 -08:00
parent 0f1043d6df
commit 2e8ff81de1
13 changed files with 100 additions and 32 deletions
--- a/pkg/apis/componentconfig/types.generated.go
+++ b/pkg/apis/componentconfig/types.generated.go
@@ -1094,6 +1094,32 @@ func (x *ProxyMode) CodecDecodeSelf(d *codec1978.Decoder) {
 	}
 }

+func (x HairpinMode) CodecEncodeSelf(e *codec1978.Encoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperEncoder(e)
+	_, _, _ = h, z, r
+	yym1 := z.EncBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.EncExt(x) {
+	} else {
+		r.EncodeString(codecSelferC_UTF81234, string(x))
+	}
+}
+
+func (x *HairpinMode) CodecDecodeSelf(d *codec1978.Decoder) {
+	var h codecSelfer1234
+	z, r := codec1978.GenHelperDecoder(d)
+	_, _, _ = h, z, r
+	yym1 := z.DecBinary()
+	_ = yym1
+	if false {
+	} else if z.HasExtensions() && z.DecExt(x) {
+	} else {
+		*((*string)(x)) = r.DecodeString()
+	}
+}
+
 func (x *KubeletConfiguration) CodecEncodeSelf(e *codec1978.Encoder) {
 	var h codecSelfer1234
 	z, r := codec1978.GenHelperEncoder(e)
@@ -2354,17 +2380,17 @@ func (x *KubeletConfiguration) CodecEncodeSelf(e *codec1978.Encoder) {
 				_ = yym194
 				if false {
 				} else {
-					r.EncodeBool(bool(x.HairpinMode))
+					r.EncodeString(codecSelferC_UTF81234, string(x.HairpinMode))
 				}
 			} else {
 				z.EncSendContainerState(codecSelfer_containerMapKey1234)
-				r.EncodeString(codecSelferC_UTF81234, string("configureHairpinMode"))
+				r.EncodeString(codecSelferC_UTF81234, string("hairpinMode"))
 				z.EncSendContainerState(codecSelfer_containerMapValue1234)
 				yym195 := z.EncBinary()
 				_ = yym195
 				if false {
 				} else {
-					r.EncodeBool(bool(x.HairpinMode))
+					r.EncodeString(codecSelferC_UTF81234, string(x.HairpinMode))
 				}
 			}
 			if yyr2 || yy2arr2 {
@@ -3218,11 +3244,11 @@ func (x *KubeletConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Decode
 			} else {
 				x.ConfigureCBR0 = bool(r.DecodeBool())
 			}
-		case "configureHairpinMode":
+		case "hairpinMode":
 			if r.TryDecodeAsNil() {
-				x.HairpinMode = false
+				x.HairpinMode = ""
 			} else {
-				x.HairpinMode = bool(r.DecodeBool())
+				x.HairpinMode = string(r.DecodeString())
 			}
 		case "maxPods":
 			if r.TryDecodeAsNil() {
@@ -4373,9 +4399,9 @@ func (x *KubeletConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.Deco
 	}
 	z.DecSendContainerState(codecSelfer_containerArrayElem1234)
 	if r.TryDecodeAsNil() {
-		x.HairpinMode = false
+		x.HairpinMode = ""
 	} else {
-		x.HairpinMode = bool(r.DecodeBool())
+		x.HairpinMode = string(r.DecodeString())
 	}
 	yyj91++
 	if yyhl91 {
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@@ -78,6 +78,24 @@ const (
 	ProxyModeIPTables  ProxyMode = "iptables"
 )

+// HairpinMode denotes how the kubelet should configure networking to handle
+// hairpin packets.
+type HairpinMode string
+
+// Enum settings for different ways to handle hairpin packets.
+const (
+	// Set the hairpin flag on the veth of containers in the respective
+	// container runtime.
+	HairpinVeth = "hairpin-veth"
+	// Make the container bridge promiscuous. This will force it to accept
+	// hairpin packets, even if the flag isn't set on ports of the bridge.
+	PromiscuousBridge = "promiscuous-bridge"
+	// Neither of the above. If the kubelet is started in this hairpin mode
+	// and kube-proxy is running in iptables mode, hairpin packets will be
+	// dropped by the container bridge.
+	HairpinNone = "none"
+)
+
 // TODO: curate the ordering and structure of this config object
 type KubeletConfiguration struct {
 	// config is the path to the config file or directory of files
@@ -252,11 +270,16 @@ type KubeletConfiguration struct {
 	// configureCBR0 enables the kublet to configure cbr0 based on
 	// Node.Spec.PodCIDR.
 	ConfigureCBR0 bool `json:"configureCbr0"`
-	// Should the kubelet set the hairpin flag on veth interfaces for containers
-	// it creates? Setting this flag allows endpoints in a Service to
-	// loadbalance back to themselves if they should try to access their own
-	// Service.
-	HairpinMode bool `json:"configureHairpinMode"`
+	// How should the kubelet configure the container bridge for hairpin packets.
+	// Setting this flag allows endpoints in a Service to loadbalance back to
+	// themselves if they should try to access their own Service. Values:
+	//   "promiscuous-bridge": make the container bridge promiscuous.
+	//   "hairpin-veth":       set the hairpin flag on container veth interfaces.
+	//   "none":               do nothing.
+	// Setting --configure-cbr0 to false implies that to achieve hairpin NAT
+	// one must set --hairpin-mode=veth-flag, because bridge assumes the
+	// existence of a container bridge named cbr0.
+	HairpinMode string `json:"hairpinMode"`
 	// maxPods is the number of pods that can run on this Kubelet.
 	MaxPods int `json:"maxPods"`
 	// dockerExecHandlerName is the handler to use when executing a command