mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Merge pull request #52569 from tmjd/add-proxy-forward-rules
Automatic merge from submit-queue (batch tested with PRs 55009, 55532, 55601, 52569, 55533). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Kube-proxy adds forward rules to ensure NodePorts work **What this PR does / why we need it**: Updates kube-proxy to set up proper forwarding so that NodePorts work with docker 1.13 without depending on iptables FORWARD being changed manually/externally. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #39823 **Special notes for your reviewer**: @thockin I used option number 2 that I mentioned in the #39823 issue, please let me know what you think about this change. If you are happy with the change then I can try to add tests but may need a little direction about what and where to add them. **Release note**: ```release-note Add iptables rules to allow Pod traffic even when default iptables policy is to reject. ```
This commit is contained in:
Kubernetes Submit Queue
GitHub
commit
2f622b2a28
@ -80,6 +80,9 @@ const (
|
||||
|
||||
// the mark-for-drop chain
|
||||
KubeMarkDropChain utiliptables.Chain = "KUBE-MARK-DROP"
|
||||
|
||||
// the kubernetes forward chain
|
||||
kubeForwardChain utiliptables.Chain = "KUBE-FORWARD"
|
||||
)
|
||||
|
||||
// IPTablesVersioner can query the current iptables version.
|
||||
@ -543,6 +546,18 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
|
||||
}
|
||||
}
|
||||
|
||||
// Unlink the forwarding chain.
|
||||
args = []string{
|
||||
"-m", "comment", "--comment", "kubernetes forwarding rules",
|
||||
"-j", string(kubeForwardChain),
|
||||
}
|
||||
if err := ipt.DeleteRule(utiliptables.TableFilter, utiliptables.ChainForward, args...); err != nil {
|
||||
if !utiliptables.IsNotFoundError(err) {
|
||||
glog.Errorf("Error removing pure-iptables proxy rule: %v", err)
|
||||
encounteredError = true
|
||||
}
|
||||
}
|
||||
|
||||
// Flush and remove all of our chains.
|
||||
iptablesData := bytes.NewBuffer(nil)
|
||||
if err := ipt.SaveInto(utiliptables.TableNAT, iptablesData); err != nil {
|
||||
@ -578,14 +593,28 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
|
||||
encounteredError = true
|
||||
}
|
||||
}
|
||||
{
|
||||
filterBuf := bytes.NewBuffer(nil)
|
||||
writeLine(filterBuf, "*filter")
|
||||
writeLine(filterBuf, fmt.Sprintf(":%s - [0:0]", kubeServicesChain))
|
||||
writeLine(filterBuf, fmt.Sprintf("-X %s", kubeServicesChain))
|
||||
writeLine(filterBuf, "COMMIT")
|
||||
|
||||
// Flush and remove all of our chains.
|
||||
iptablesData = bytes.NewBuffer(nil)
|
||||
if err := ipt.SaveInto(utiliptables.TableFilter, iptablesData); err != nil {
|
||||
glog.Errorf("Failed to execute iptables-save for %s: %v", utiliptables.TableFilter, err)
|
||||
encounteredError = true
|
||||
} else {
|
||||
existingFilterChains := utiliptables.GetChainLines(utiliptables.TableFilter, iptablesData.Bytes())
|
||||
filterChains := bytes.NewBuffer(nil)
|
||||
filterRules := bytes.NewBuffer(nil)
|
||||
writeLine(filterChains, "*filter")
|
||||
for _, chain := range []utiliptables.Chain{kubeServicesChain, kubeForwardChain} {
|
||||
if _, found := existingFilterChains[chain]; found {
|
||||
chainString := string(chain)
|
||||
writeLine(filterChains, existingFilterChains[chain])
|
||||
writeLine(filterRules, "-X", chainString)
|
||||
}
|
||||
}
|
||||
writeLine(filterRules, "COMMIT")
|
||||
filterLines := append(filterChains.Bytes(), filterRules.Bytes()...)
|
||||
// Write it.
|
||||
if err := ipt.Restore(utiliptables.TableFilter, filterBuf.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters); err != nil {
|
||||
if err := ipt.Restore(utiliptables.TableFilter, filterLines, utiliptables.NoFlushTables, utiliptables.RestoreCounters); err != nil {
|
||||
glog.Errorf("Failed to execute iptables-restore for %s: %v", utiliptables.TableFilter, err)
|
||||
encounteredError = true
|
||||
}
|
||||
@ -1027,6 +1056,21 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
}
|
||||
}
|
||||
|
||||
// Create and link the kube forward chain.
|
||||
{
|
||||
if _, err := proxier.iptables.EnsureChain(utiliptables.TableFilter, kubeForwardChain); err != nil {
|
||||
glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableFilter, kubeForwardChain, err)
|
||||
return
|
||||
}
|
||||
|
||||
comment := "kubernetes forward rules"
|
||||
args := []string{"-m", "comment", "--comment", comment, "-j", string(kubeForwardChain)}
|
||||
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainForward, args...); err != nil {
|
||||
glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainForward, kubeForwardChain, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
//
|
||||
// Below this point we will not return until we try to write the iptables rules.
|
||||
//
|
||||
@ -1069,6 +1113,11 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
} else {
|
||||
writeLine(proxier.filterChains, utiliptables.MakeChainLine(kubeServicesChain))
|
||||
}
|
||||
if chain, ok := existingFilterChains[kubeForwardChain]; ok {
|
||||
writeLine(proxier.filterChains, chain)
|
||||
} else {
|
||||
writeLine(proxier.filterChains, utiliptables.MakeChainLine(kubeForwardChain))
|
||||
}
|
||||
if chain, ok := existingNATChains[kubeServicesChain]; ok {
|
||||
writeLine(proxier.natChains, chain)
|
||||
} else {
|
||||
@ -1574,6 +1623,40 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
"-m", "addrtype", "--dst-type", "LOCAL",
|
||||
"-j", string(kubeNodePortsChain))
|
||||
|
||||
// If the masqueradeMark has been added then we want to forward that same
|
||||
// traffic, this allows NodePort traffic to be forwarded even if the default
|
||||
// FORWARD policy is not accept.
|
||||
writeLine(proxier.filterRules,
|
||||
"-A", string(kubeForwardChain),
|
||||
"-m", "comment", "--comment", `"kubernetes forwarding rules"`,
|
||||
"-m", "mark", "--mark", proxier.masqueradeMark,
|
||||
"-j", "ACCEPT",
|
||||
)
|
||||
|
||||
// The following rules can only be set if clusterCIDR has been defined.
|
||||
if len(proxier.clusterCIDR) != 0 {
|
||||
// The following two rules ensure the traffic after the initial packet
|
||||
// accepted by the "kubernetes forwarding rules" rule above will be
|
||||
// accepted, to be as specific as possible the traffic must be sourced
|
||||
// or destined to the clusterCIDR (to/from a pod).
|
||||
writeLine(proxier.filterRules,
|
||||
"-A", string(kubeForwardChain),
|
||||
"-s", proxier.clusterCIDR,
|
||||
"-m", "comment", "--comment", `"kubernetes forwarding conntrack pod source rule"`,
|
||||
"-m", "conntrack",
|
||||
"--ctstate", "RELATED,ESTABLISHED",
|
||||
"-j", "ACCEPT",
|
||||
)
|
||||
writeLine(proxier.filterRules,
|
||||
"-A", string(kubeForwardChain),
|
||||
"-m", "comment", "--comment", `"kubernetes forwarding conntrack pod destination rule"`,
|
||||
"-d", proxier.clusterCIDR,
|
||||
"-m", "conntrack",
|
||||
"--ctstate", "RELATED,ESTABLISHED",
|
||||
"-j", "ACCEPT",
|
||||
)
|
||||
}
|
||||
|
||||
// Write the end-of-table markers.
|
||||
writeLine(proxier.filterRules, "COMMIT")
|
||||
writeLine(proxier.natRules, "COMMIT")
|
||||
|
||||
@ -91,6 +91,7 @@ const (
|
||||
ChainPrerouting Chain = "PREROUTING"
|
||||
ChainOutput Chain = "OUTPUT"
|
||||
ChainInput Chain = "INPUT"
|
||||
ChainForward Chain = "FORWARD"
|
||||
)
|
||||
|
||||
const (
|
||||
|
||||
Loading…
Reference in New Issue
Block a user