Merge pull request #12986 from BenTheElder/masquerade_all_flag

Add flag to masquerade all in kube-proxy when using iptables proxier

cmd/kube-proxy/app/server.go

@@ -61,6 +61,7 @@ type ProxyServer struct {
 	ForceUserspaceProxy bool
 	SyncPeriod          time.Duration
 	nodeRef             *api.ObjectReference // Reference to this node.
+	MasqueradeAll       bool
 }
 
 // NewProxyServer creates a new ProxyServer object with default parameters
@@ -88,6 +89,7 @@ func (s *ProxyServer) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride, "If non-empty, will use this string as identification instead of the actual hostname.")
 	fs.BoolVar(&s.ForceUserspaceProxy, "legacy-userspace-proxy", true, "Use the legacy userspace proxy (instead of the pure iptables proxy).")
 	fs.DurationVar(&s.SyncPeriod, "iptables-sync-period", 5*time.Second, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m').  Must be greater than 0.")
+	fs.BoolVar(&s.MasqueradeAll, "masquerade-all", false, "If using the pure iptables proxy, SNAT everything")
 }
 
 // Run runs the specified ProxyServer.  This should never exit.
@@ -160,7 +162,7 @@ func (s *ProxyServer) Run(_ []string) error {
 		glog.V(2).Info("Using iptables Proxier.")
 
 		execer := exec.New()
-		proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod)
+		proxierIptables, err := iptables.NewProxier(utiliptables.New(execer, protocol), execer, s.SyncPeriod, s.MasqueradeAll)
 		if err != nil {
 			glog.Fatalf("Unable to create proxier: %v", err)
 		}

hack/verify-flags/known-flags.txt

@@ -132,6 +132,7 @@ long-running-request-regexp
 low-diskspace-threshold-mb
 manifest-url
 manifest-url-header
+masquerade-all
 master-service-namespace
 max-concurrency
 max-connection-bytes-per-sec

pkg/proxy/iptables/proxier.go

@@ -150,6 +150,7 @@ type Proxier struct {
 	iptables                    utiliptables.Interface
 	haveReceivedServiceUpdate   bool // true once we've seen an OnServiceUpdate event
 	haveReceivedEndpointsUpdate bool // true once we've seen an OnEndpointsUpdate event
+	MasqueradeAll               bool
 }
 
 // Proxier implements ProxyProvider
@@ -160,7 +161,7 @@ var _ proxy.ProxyProvider = &Proxier{}
 // An error will be returned if iptables fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables up to date in the background and
 // will not terminate if a particular iptables call fails.
-func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration) (*Proxier, error) {
+func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration, MasqueradeAll bool) (*Proxier, error) {
 
 	// Set the route_localnet sysctl we need for
 	if err := setSysctl(sysctlRouteLocalnet, 1); err != nil {
@@ -183,6 +184,7 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod
 		serviceMap:    make(map[proxy.ServicePortName]*serviceInfo),
 		syncPeriod:    syncPeriod,
 		iptables:      ipt,
+		MasqueradeAll: MasqueradeAll,
 	}, nil
 }
 
@@ -547,13 +549,19 @@ func (proxier *Proxier) syncProxyRules() error {
 		activeChains[svcChain] = true
 
 		// Capture the clusterIP.
-		writeLine(rulesLines,
+		args := []string{
 			"-A", string(iptablesServicesChain),
 			"-m", "comment", "--comment", fmt.Sprintf("\"%s cluster IP\"", name.String()),
 			"-m", protocol, "-p", protocol,
 			"-d", fmt.Sprintf("%s/32", info.clusterIP.String()),
 			"--dport", fmt.Sprintf("%d", info.port),
-			"-j", string(svcChain))
+		}
+		if proxier.MasqueradeAll {
+			writeLine(rulesLines, append(args,
+				"-j", "MARK", "--set-xmark", fmt.Sprintf("%s/0xffffffff", iptablesMasqueradeMark))...)
+		}
+		writeLine(rulesLines, append(args,
+			"-j", string(svcChain))...)
 
 		// Capture externalIPs.
 		for _, externalIP := range info.externalIPs {