diff --git a/pkg/kubelet/network/hostport/hostport_manager.go b/pkg/kubelet/network/hostport/hostport_manager.go
index a31b4da0842..b355dbbb2e0 100644
--- a/pkg/kubelet/network/hostport/hostport_manager.go
+++ b/pkg/kubelet/network/hostport/hostport_manager.go
@@ -178,8 +178,6 @@ func (hm *hostportManager) Remove(id string, podPortMapping *PodPortMapping) (er
 	chainsToRemove := []utiliptables.Chain{}
 	for _, pm := range hostportMappings {
 		chainsToRemove = append(chainsToRemove, getHostportChain(id, pm))
-		// TODO remove this after release 1.9, please refer https://github.com/kubernetes/kubernetes/pull/55153
-		chainsToRemove = append(chainsToRemove, getBuggyHostportChain(id, pm))
 	}
 
 	// remove rules that consists of target chains
@@ -255,16 +253,6 @@ func getHostportChain(id string, pm *PortMapping) utiliptables.Chain {
 	return utiliptables.Chain(kubeHostportChainPrefix + encoded[:16])
 }
 
-// This bugy func does bad conversion on HostPort from int32 to string.
-// It may generates same chain names for different ports of the same pod, e.g. port 57119/55429/56833.
-// `getHostportChain` fixed this bug. In order to cleanup the legacy chains/rules, it is temporarily left.
-// TODO remove this after release 1.9, please refer https://github.com/kubernetes/kubernetes/pull/55153
-func getBuggyHostportChain(id string, pm *PortMapping) utiliptables.Chain {
-	hash := sha256.Sum256([]byte(id + string(pm.HostPort) + string(pm.Protocol)))
-	encoded := base32.StdEncoding.EncodeToString(hash[:])
-	return utiliptables.Chain(kubeHostportChainPrefix + encoded[:16])
-}
-
 // gatherHostportMappings returns all the PortMappings which has hostport for a pod
 func gatherHostportMappings(podPortMapping *PodPortMapping) []*PortMapping {
 	mappings := []*PortMapping{}
diff --git a/pkg/kubelet/network/hostport/hostport_manager_test.go b/pkg/kubelet/network/hostport/hostport_manager_test.go
index 1537d274940..289d3b3171a 100644
--- a/pkg/kubelet/network/hostport/hostport_manager_test.go
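Review bot: With the `getBuggyHostportChain` entries gone from `chainsToRemove`, `Remove` only targets chains named by `getHostportChain`, so a node that still carries `KUBE-HP-*` chains created by a pre-fix kubelet and never passed through a 1.9 kubelet keeps those chains and the DNAT rules inside them indefinitely. That is stale NAT state rather than a functional break in the new code, and it only affects upgrades that skip the release the removed TODO named, but nothing in the remaining code or its comments records that requirement. A short comment above the loop, such as `// Chains named by the pre-1.9 hash were cleaned up by 1.9 kubelets; see kubernetes/kubernetes#55153.`, would keep that history visible, and the same point belongs in the upgrade notes for this release. `Remove` begins before the hunk and continues after it.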
+++ b/pkg/kubelet/network/hostport/hostport_manager_test.go
@@ -27,14 +27,6 @@ import (
 	utiliptables "k8s.io/kubernetes/pkg/util/iptables"
 )
 
-func NewFakeHostportManager() HostPortManager {
-	return &hostportManager{
-		hostPortMap: make(map[hostport]closeable),
-		iptables: NewFakeIPTables(),
-		portOpener: NewFakeSocketManager().openFakeSocket,
-	}
-}
-
 func TestHostportManager(t *testing.T) {
 	iptables := NewFakeIPTables()
 	portOpener := NewFakeSocketManager()
@@ -211,79 +203,3 @@ func TestGetHostportChain(t *testing.T) {
 			t.Fatal(m)
 		}
 	}
-
-func TestHostPortManagerRemoveLegacyRules(t *testing.T) {
-	iptables := NewFakeIPTables()
-	legacyRules := [][]string{
-		{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp --dport 8443 -j KUBE-HP-5N7UH5JAXCVP5UJR"},
-		{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp --dport 8081 -j KUBE-HP-7THKRFSEH4GIIXK7"},
-		{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp --dport 8080 -j KUBE-HP-4YVONL46AKYWSKS3"},
-		{"-A", "OUTPUT", "-m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS"},
-		{"-A", "PREROUTING", "-m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS"},
-		{"-A", "POSTROUTING", "-m comment --comment \"SNAT for localhost access to hostports\" -o cbr0 -s 127.0.0.0/8 -j MASQUERADE"},
-		{"-A", "KUBE-HP-4YVONL46AKYWSKS3", "-m comment --comment \"pod1_ns1 hostport 8080\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ"},
-		{"-A", "KUBE-HP-4YVONL46AKYWSKS3", "-m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.2:80"},
-		{"-A", "KUBE-HP-7THKRFSEH4GIIXK7", "-m comment --comment \"pod1_ns1 hostport 8081\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ"},
-		{"-A", "KUBE-HP-7THKRFSEH4GIIXK7", "-m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp -j DNAT --to-destination 10.1.1.2:81"},
-		{"-A", "KUBE-HP-5N7UH5JAXCVP5UJR", "-m comment --comment \"pod3_ns1 hostport 8443\" -s 10.1.1.4/32 -j KUBE-MARK-MASQ"},
-		{"-A", "KUBE-HP-5N7UH5JAXCVP5UJR", "-m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.4:443"},
-	}
-	for _, rule := range legacyRules {
-		_, err := iptables.EnsureChain(utiliptables.TableNAT, utiliptables.Chain(rule[1]))
-		assert.NoError(t, err)
-		_, err = iptables.ensureRule(utiliptables.RulePosition(rule[0]), utiliptables.TableNAT, utiliptables.Chain(rule[1]), rule[2])
-		assert.NoError(t, err)
-	}
-	portOpener := NewFakeSocketManager()
-	manager := &hostportManager{
-		hostPortMap: make(map[hostport]closeable),
-		iptables: iptables,
-		portOpener: portOpener.openFakeSocket,
-	}
-	err := manager.Remove("id", &PodPortMapping{
-		Name: "pod1",
-		Namespace: "ns1",
-		IP: net.ParseIP("10.1.1.2"),
-		HostNetwork: false,
-		PortMappings: []*PortMapping{
-			{
-				HostPort: 8080,
-				ContainerPort: 80,
-				Protocol: v1.ProtocolTCP,
-			},
-			{
-				HostPort: 8081,
-				ContainerPort: 81,
-				Protocol: v1.ProtocolUDP,
-			},
-		},
-	})
-	assert.NoError(t, err)
-
-	err = manager.Remove("id", &PodPortMapping{
-		Name: "pod3",
-		Namespace: "ns1",
-		IP: net.ParseIP("10.1.1.4"),
-		HostNetwork: false,
-		PortMappings: []*PortMapping{
-			{
-				HostPort: 8443,
-				ContainerPort: 443,
-				Protocol: v1.ProtocolTCP,
-			},
-		},
-	})
-	assert.NoError(t, err)
-
-	natTable, ok := iptables.tables[string(utiliptables.TableNAT)]
-	assert.True(t, ok)
-	// check KUBE-HOSTPORTS chain should be cleaned up
-	hostportChain, ok := natTable.chains["KUBE-HOSTPORTS"]
-	assert.True(t, ok, string(hostportChain.name))
-	assert.Equal(t, 0, len(hostportChain.rules), "%v", hostportChain.rules)
-	// check KUBE-HP-* chains should be deleted
-	for _, name := range []string{"KUBE-HP-4YVONL46AKYWSKS3", "KUBE-HP-7THKRFSEH4GIIXK7", "KUBE-HP-5N7UH5JAXCVP5UJR"} {
-		_, ok := natTable.chains[name]
-		assert.False(t, ok)
-	}
-}