Merge pull request #65803 from honkiko/ipvs-add-addrtype-match
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. ipvs: add addrtype match for nodeport **What this PR does / why we need it**: before this PR: ``` -A KUBE-SERVICES -m comment --comment "Kubernetes nodeport TCP port for masquerade purpose" -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT -A KUBE-SERVICES -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port with externalTrafficPolicy=local" -m set --match-set KUBE-NODE-PORT-LOCAL-TCP dst -j RETURN -A KUBE-NODE-PORT -j KUBE-MARK-MASQ ``` after this PR: ``` -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port with externalTrafficPolicy=local" -m set --match-set KUBE-NODE-PORT-LOCAL-TCP dst -j RETURN -A KUBE-NODE-PORT -p tcp -m comment --comment "Kubernetes nodeport TCP port for masquerade purpose" -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m comment --comment "Kubernetes service cluster ip + port for masquerade purpose" -m set --match-set KUBE-CLUSTER-IP dst,dst -j KUBE-MARK-MASQ -A KUBE-SERVICES -m set --match-set KUBE-CLUSTER-IP dst,dst -j ACCEPT -A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT ``` **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes #65459 **Special notes for your reviewer**: manually tested cases: - ClusterIP distributed to pod on same node - ClusterIP distributed to pod on other node - NodePort distributed to pod on same node - NodePort distributed to pod on other node **Release note**: 
```release-note ```
This commit is contained in:
commit
4492337dbf
@ -135,6 +135,7 @@ var ipsetInfo = []struct {
|
||||
// `iptables -t nat -A <from> -m set --match-set <name> <matchType> -j <to>`
|
||||
// example: iptables -t nat -A KUBE-SERVICES -m set --match-set KUBE-NODE-PORT-TCP dst -j KUBE-NODE-PORT
|
||||
// ipsets with other match rules will be created Individually.
|
||||
// Note: kubeNodePortLocalSetTCP must be prior to kubeNodePortSetTCP, the same for UDP.
|
||||
var ipsetWithIptablesChain = []struct {
|
||||
name string
|
||||
from string
|
||||
@ -148,10 +149,10 @@ var ipsetWithIptablesChain = []struct {
|
||||
{kubeLoadBalancerSourceCIDRSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
|
||||
{kubeLoadBalancerSourceIPSet, string(KubeFireWallChain), "RETURN", "dst,dst,src", ""},
|
||||
{kubeLoadBalancerLocalSet, string(KubeLoadBalancerChain), "RETURN", "dst,dst", ""},
|
||||
{kubeNodePortSetTCP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "tcp"},
|
||||
{kubeNodePortLocalSetTCP, string(KubeNodePortChain), "RETURN", "dst", "tcp"},
|
||||
{kubeNodePortSetUDP, string(kubeServicesChain), string(KubeNodePortChain), "dst", "udp"},
|
||||
{kubeNodePortSetTCP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "tcp"},
|
||||
{kubeNodePortLocalSetUDP, string(KubeNodePortChain), "RETURN", "dst", "udp"},
|
||||
{kubeNodePortSetUDP, string(KubeNodePortChain), string(KubeMarkMasqChain), "dst", "udp"},
|
||||
}
|
||||
|
||||
var ipvsModules = []string{
|
||||
@ -1280,11 +1281,12 @@ func (proxier *Proxier) writeIptablesRules() {
|
||||
writeLine(proxier.natRules, append(dstLocalOnlyArgs, "-j", "ACCEPT")...)
|
||||
}
|
||||
|
||||
// mark masq for KUBE-NODE-PORT
|
||||
writeLine(proxier.natRules, []string{
|
||||
"-A", string(KubeNodePortChain),
|
||||
"-j", string(KubeMarkMasqChain),
|
||||
}...)
|
||||
// -A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT
|
||||
args = append(args[:0],
|
||||
"-A", string(kubeServicesChain),
|
||||
"-m", "addrtype", "--dst-type", "LOCAL",
|
||||
)
|
||||
writeLine(proxier.natRules, append(args, "-j", string(KubeNodePortChain))...)
|
||||
|
||||
// mark drop for KUBE-LOAD-BALANCER
|
||||
writeLine(proxier.natRules, []string{
|
||||
|
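Review bot: The new `-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODE-PORT` rule written at the end of the hunk diverts every packet addressed to any local address into KUBE-NODE-PORT, where the only thing that separates node-port traffic from anything else is a destination-port match against the KUBE-NODE-PORT-TCP/UDP sets. In IPVS mode the cluster IPs are, as far as I recall, also bound locally on the dummy interface, so this rule is correct only because the KUBE-CLUSTER-IP rules run first in KUBE-SERVICES; the ACCEPT at the top of the hunk sits inside an `if` that begins before the hunk, and in a configuration where that branch is not emitted a ClusterIP service whose port number coincides with another service's NodePort would presumably be masqueraded through this path — worth confirming on a node. Either way the ordering dependency should be stated next to the rule, e.g. `// Cluster IPs are LOCAL too (dummy interface); keep this after the KUBE-CLUSTER-IP rules, since KUBE-NODE-PORT matches on dst port alone.`, and since the addrtype match also catches loopback, a note that 127.0.0.0/8-destined traffic now traverses KUBE-NODE-PORT would help the next reader. writeIptablesRules starts and ends outside the hunk.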
@ -477,11 +477,11 @@ func TestNodePortUDP(t *testing.T) {
|
||||
|
||||
// Check iptables chain and rules
|
||||
epIpt := netlinktest.ExpectedIptablesChain{
|
||||
string(kubeServicesChain): {{
|
||||
JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetUDP,
|
||||
}},
|
||||
string(KubeNodePortChain): {{
|
||||
JumpChain: string(KubeMarkMasqChain), MatchSet: "",
|
||||
JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetUDP,
|
||||
}},
|
||||
string(kubeServicesChain): {{
|
||||
JumpChain: string(KubeNodePortChain), MatchSet: "",
|
||||
}},
|
||||
}
|
||||
checkIptables(t, ipt, epIpt)
|
||||
@ -1063,12 +1063,12 @@ func TestOnlyLocalNodePorts(t *testing.T) {
|
||||
// Check iptables chain and rules
|
||||
epIpt := netlinktest.ExpectedIptablesChain{
|
||||
string(kubeServicesChain): {{
|
||||
JumpChain: string(KubeNodePortChain), MatchSet: kubeNodePortSetTCP,
|
||||
JumpChain: string(KubeNodePortChain), MatchSet: "",
|
||||
}},
|
||||
string(KubeNodePortChain): {{
|
||||
JumpChain: "RETURN", MatchSet: kubeNodePortLocalSetTCP,
|
||||
}, {
|
||||
JumpChain: string(KubeMarkMasqChain), MatchSet: "",
|
||||
JumpChain: string(KubeMarkMasqChain), MatchSet: kubeNodePortSetTCP,
|
||||
}},
|
||||
}
|
||||
checkIptables(t, ipt, epIpt)
|
||||
|
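Review bot: The expected KUBE-SERVICES entry `JumpChain: string(KubeNodePortChain), MatchSet: ""` in both fixtures cannot tell the new `-m addrtype --dst-type LOCAL` jump apart from an unconditional `-A KUBE-SERVICES -j KUBE-NODE-PORT`, which would masquerade far more traffic yet pass these tests unchanged. If ExpectedIptablesChain has no field for a non-ipset match, the tests should additionally assert that the emitted nat rules contain `-m addrtype --dst-type LOCAL` on the KUBE-SERVICES jump, and that the KUBE-NODE-PORT rules carry the `-p tcp`/`-p udp` and `--match-set` arguments the change relies on. It would also be worth pinning that the RETURN for kubeNodePortLocalSetTCP precedes the KUBE-MARK-MASQ rule, since the production code now depends on that ordering rather than on an unconditional masquerade. Both test functions begin before their hunks.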