Merge pull request #124529 from danwinship/localtraffic-cleanup-1

LocalTrafficDetector implementation cleanup
Kubernetes Prow Robot 2024-04-26 14:16:03 -07:00 committed by GitHub
commit 4b2d1b6a20
11 changed files with 260 additions and 550 deletions


@ -53,7 +53,6 @@ import (
proxymetrics "k8s.io/kubernetes/pkg/proxy/metrics" proxymetrics "k8s.io/kubernetes/pkg/proxy/metrics"
"k8s.io/kubernetes/pkg/proxy/nftables" "k8s.io/kubernetes/pkg/proxy/nftables"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
"k8s.io/utils/exec" "k8s.io/utils/exec"
) )
@ -165,8 +164,8 @@ func (s *ProxyServer) platformCheckSupported(ctx context.Context) (ipv4Supported
func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.KubeProxyConfiguration, dualStack, initOnly bool) (proxy.Provider, error) { func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.KubeProxyConfiguration, dualStack, initOnly bool) (proxy.Provider, error) {
logger := klog.FromContext(ctx) logger := klog.FromContext(ctx)
var proxier proxy.Provider var proxier proxy.Provider
var localDetectors [2]proxyutiliptables.LocalTrafficDetector var localDetectors [2]proxyutil.LocalTrafficDetector
var localDetector proxyutiliptables.LocalTrafficDetector var localDetector proxyutil.LocalTrafficDetector
var err error var err error
if config.Mode == proxyconfigapi.ProxyModeIPTables { if config.Mode == proxyconfigapi.ProxyModeIPTables {
@ -175,10 +174,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
if dualStack { if dualStack {
ipt, _ := getIPTables(s.PrimaryIPFamily) ipt, _ := getIPTables(s.PrimaryIPFamily)
localDetectors, err = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs) localDetectors = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
// TODO this has side effects that should only happen when Run() is invoked. // TODO this has side effects that should only happen when Run() is invoked.
proxier, err = iptables.NewDualStackProxier( proxier, err = iptables.NewDualStackProxier(
@ -202,10 +198,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
} else { } else {
// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support). // Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
_, iptInterface := getIPTables(s.PrimaryIPFamily) _, iptInterface := getIPTables(s.PrimaryIPFamily)
localDetector, err = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs) localDetector = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
// TODO this has side effects that should only happen when Run() is invoked. // TODO this has side effects that should only happen when Run() is invoked.
proxier, err = iptables.NewProxier( proxier, err = iptables.NewProxier(
@ -245,10 +238,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
ipt, _ := getIPTables(s.PrimaryIPFamily) ipt, _ := getIPTables(s.PrimaryIPFamily)
// Always ordered to match []ipt // Always ordered to match []ipt
localDetectors, err = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs) localDetectors = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
proxier, err = ipvs.NewDualStackProxier( proxier, err = ipvs.NewDualStackProxier(
ctx, ctx,
@ -277,10 +267,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
) )
} else { } else {
_, iptInterface := getIPTables(s.PrimaryIPFamily) _, iptInterface := getIPTables(s.PrimaryIPFamily)
localDetector, err = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs) localDetector = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
proxier, err = ipvs.NewProxier( proxier, err = ipvs.NewProxier(
ctx, ctx,
@ -316,10 +303,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
logger.Info("Using nftables Proxier") logger.Info("Using nftables Proxier")
if dualStack { if dualStack {
localDetectors, err = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs) localDetectors = getDualStackLocalDetectorTuple(logger, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
// TODO this has side effects that should only happen when Run() is invoked. // TODO this has side effects that should only happen when Run() is invoked.
proxier, err = nftables.NewDualStackProxier( proxier, err = nftables.NewDualStackProxier(
@ -339,10 +323,7 @@ func (s *ProxyServer) createProxier(ctx context.Context, config *proxyconfigapi.
) )
} else { } else {
// Create a single-stack proxier if and only if the node does not support dual-stack // Create a single-stack proxier if and only if the node does not support dual-stack
localDetector, err = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs) localDetector = getLocalDetector(logger, s.PrimaryIPFamily, config.DetectLocalMode, config, s.podCIDRs)
if err != nil {
return nil, fmt.Errorf("unable to create proxier: %v", err)
}
// TODO this has side effects that should only happen when Run() is invoked. // TODO this has side effects that should only happen when Run() is invoked.
proxier, err = nftables.NewProxier( proxier, err = nftables.NewProxier(
@ -505,7 +486,7 @@ func detectNumCPU() int {
return numCPU return numCPU
} }
func getLocalDetector(logger klog.Logger, ipFamily v1.IPFamily, mode proxyconfigapi.LocalMode, config *proxyconfigapi.KubeProxyConfiguration, nodePodCIDRs []string) (proxyutiliptables.LocalTrafficDetector, error) { func getLocalDetector(logger klog.Logger, ipFamily v1.IPFamily, mode proxyconfigapi.LocalMode, config *proxyconfigapi.KubeProxyConfiguration, nodePodCIDRs []string) proxyutil.LocalTrafficDetector {
switch mode { switch mode {
case proxyconfigapi.LocalModeClusterCIDR: case proxyconfigapi.LocalModeClusterCIDR:
// LocalModeClusterCIDR is the default if --detect-local-mode wasn't passed, // LocalModeClusterCIDR is the default if --detect-local-mode wasn't passed,
@ -518,7 +499,7 @@ func getLocalDetector(logger klog.Logger, ipFamily v1.IPFamily, mode proxyconfig
cidrsByFamily := proxyutil.MapCIDRsByIPFamily(strings.Split(clusterCIDRs, ",")) cidrsByFamily := proxyutil.MapCIDRsByIPFamily(strings.Split(clusterCIDRs, ","))
if len(cidrsByFamily[ipFamily]) != 0 { if len(cidrsByFamily[ipFamily]) != 0 {
return proxyutiliptables.NewDetectLocalByCIDR(cidrsByFamily[ipFamily][0].String()) return proxyutil.NewDetectLocalByCIDR(cidrsByFamily[ipFamily][0].String())
} }
logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR for family", "ipFamily", ipFamily) logger.Info("Detect-local-mode set to ClusterCIDR, but no cluster CIDR for family", "ipFamily", ipFamily)
@ -526,35 +507,27 @@ func getLocalDetector(logger klog.Logger, ipFamily v1.IPFamily, mode proxyconfig
case proxyconfigapi.LocalModeNodeCIDR: case proxyconfigapi.LocalModeNodeCIDR:
cidrsByFamily := proxyutil.MapCIDRsByIPFamily(nodePodCIDRs) cidrsByFamily := proxyutil.MapCIDRsByIPFamily(nodePodCIDRs)
if len(cidrsByFamily[ipFamily]) != 0 { if len(cidrsByFamily[ipFamily]) != 0 {
return proxyutiliptables.NewDetectLocalByCIDR(cidrsByFamily[ipFamily][0].String()) return proxyutil.NewDetectLocalByCIDR(cidrsByFamily[ipFamily][0].String())
} }
logger.Info("Detect-local-mode set to NodeCIDR, but no PodCIDR defined at node for family", "ipFamily", ipFamily) logger.Info("Detect-local-mode set to NodeCIDR, but no PodCIDR defined at node for family", "ipFamily", ipFamily)
case proxyconfigapi.LocalModeBridgeInterface: case proxyconfigapi.LocalModeBridgeInterface:
return proxyutiliptables.NewDetectLocalByBridgeInterface(config.DetectLocal.BridgeInterface) return proxyutil.NewDetectLocalByBridgeInterface(config.DetectLocal.BridgeInterface)
case proxyconfigapi.LocalModeInterfaceNamePrefix: case proxyconfigapi.LocalModeInterfaceNamePrefix:
return proxyutiliptables.NewDetectLocalByInterfaceNamePrefix(config.DetectLocal.InterfaceNamePrefix) return proxyutil.NewDetectLocalByInterfaceNamePrefix(config.DetectLocal.InterfaceNamePrefix)
} }
logger.Info("Defaulting to no-op detect-local") logger.Info("Defaulting to no-op detect-local")
return proxyutiliptables.NewNoOpLocalDetector(), nil return proxyutil.NewNoOpLocalDetector()
} }
func getDualStackLocalDetectorTuple(logger klog.Logger, mode proxyconfigapi.LocalMode, config *proxyconfigapi.KubeProxyConfiguration, nodePodCIDRs []string) ([2]proxyutiliptables.LocalTrafficDetector, error) { func getDualStackLocalDetectorTuple(logger klog.Logger, mode proxyconfigapi.LocalMode, config *proxyconfigapi.KubeProxyConfiguration, nodePodCIDRs []string) [2]proxyutil.LocalTrafficDetector {
var localDetectors [2]proxyutiliptables.LocalTrafficDetector return [2]proxyutil.LocalTrafficDetector{
var err error getLocalDetector(logger, v1.IPv4Protocol, mode, config, nodePodCIDRs),
getLocalDetector(logger, v1.IPv6Protocol, mode, config, nodePodCIDRs),
localDetectors[0], err = getLocalDetector(logger, v1.IPv4Protocol, mode, config, nodePodCIDRs)
if err != nil {
return localDetectors, err
} }
localDetectors[1], err = getLocalDetector(logger, v1.IPv6Protocol, mode, config, nodePodCIDRs)
if err != nil {
return localDetectors, err
}
return localDetectors, nil
} }
// platformCleanup removes stale kube-proxy rules that can be safely removed. If // platformCleanup removes stale kube-proxy rules that can be safely removed. If
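Review bot: `getLocalDetector` loses its error return in this section but gains no doc comment, and the new contract matters: a misconfiguration that used to be able to surface as a startup failure now silently yields the no-op detector, with the Info-level messages in the ClusterCIDR, NodeCIDR and default paths as the only signal. I would add above the new signature `// getLocalDetector returns the LocalTrafficDetector for ipFamily selected by mode. It never`, `// fails: when the configured source (ClusterCIDR or node PodCIDRs) has no CIDR for ipFamily,`, `// or mode is unknown, it logs and falls back to a no-op detector.` If the old `NewDetectLocalByBridgeInterface`/`NewDetectLocalByInterfaceNamePrefix` constructors rejected bad names (the dropped error return suggests they could), that validation presumably now has to live in config validation, which is outside this diff and worth confirming. The body of `getLocalDetector` spans the three hunks starting at the `@ -505`, `@ -518` and `@ -526` headers.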


@ -39,7 +39,7 @@ import (
clientsetfake "k8s.io/client-go/kubernetes/fake" clientsetfake "k8s.io/client-go/kubernetes/fake"
clientgotesting "k8s.io/client-go/testing" clientgotesting "k8s.io/client-go/testing"
proxyconfigapi "k8s.io/kubernetes/pkg/proxy/apis/config" proxyconfigapi "k8s.io/kubernetes/pkg/proxy/apis/config"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
"k8s.io/kubernetes/test/utils/ktesting" "k8s.io/kubernetes/test/utils/ktesting"
netutils "k8s.io/utils/net" netutils "k8s.io/utils/net"
"k8s.io/utils/ptr" "k8s.io/utils/ptr"
@ -114,58 +114,51 @@ func Test_getLocalDetector(t *testing.T) {
mode proxyconfigapi.LocalMode mode proxyconfigapi.LocalMode
config *proxyconfigapi.KubeProxyConfiguration config *proxyconfigapi.KubeProxyConfiguration
family v1.IPFamily family v1.IPFamily
expected proxyutiliptables.LocalTrafficDetector expected proxyutil.LocalTrafficDetector
nodePodCIDRs []string nodePodCIDRs []string
errExpected bool
}{ }{
// LocalModeClusterCIDR // LocalModeClusterCIDR
{ {
name: "LocalModeClusterCIDR, IPv4 cluster", name: "LocalModeClusterCIDR, IPv4 cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14")), expected: proxyutil.NewDetectLocalByCIDR("10.0.0.0/14"),
errExpected: false,
}, },
{ {
name: "LocalModeClusterCIDR, IPv6 cluster", name: "LocalModeClusterCIDR, IPv6 cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
family: v1.IPv6Protocol, family: v1.IPv6Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002:0:0:1234::/64")), expected: proxyutil.NewDetectLocalByCIDR("2002:0:0:1234::/64"),
errExpected: false,
}, },
{ {
name: "LocalModeClusterCIDR, IPv6 cluster with IPv6 config", name: "LocalModeClusterCIDR, IPv6 cluster with IPv4 config",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
family: v1.IPv6Protocol, family: v1.IPv6Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
errExpected: false,
}, },
{ {
name: "LocalModeClusterCIDR, IPv4 cluster with IPv6 config", name: "LocalModeClusterCIDR, IPv4 cluster with IPv6 config",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
errExpected: false,
}, },
{ {
name: "LocalModeClusterCIDR, IPv4 kube-proxy in dual-stack IPv6-primary cluster", name: "LocalModeClusterCIDR, IPv4 kube-proxy in dual-stack IPv6-primary cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14")), expected: proxyutil.NewDetectLocalByCIDR("10.0.0.0/14"),
errExpected: false,
}, },
{ {
name: "LocalModeClusterCIDR, no ClusterCIDR", name: "LocalModeClusterCIDR, no ClusterCIDR",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
errExpected: false,
}, },
// LocalModeNodeCIDR // LocalModeNodeCIDR
{ {
@ -173,63 +166,56 @@ func Test_getLocalDetector(t *testing.T) {
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24")), expected: proxyutil.NewDetectLocalByCIDR("10.0.0.0/24"),
nodePodCIDRs: []string{"10.0.0.0/24"}, nodePodCIDRs: []string{"10.0.0.0/24"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, IPv6 cluster", name: "LocalModeNodeCIDR, IPv6 cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
family: v1.IPv6Protocol, family: v1.IPv6Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96")), expected: proxyutil.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"),
nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"}, nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, IPv6 cluster with IPv4 config", name: "LocalModeNodeCIDR, IPv6 cluster with IPv4 config",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
family: v1.IPv6Protocol, family: v1.IPv6Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
nodePodCIDRs: []string{"10.0.0.0/24"}, nodePodCIDRs: []string{"10.0.0.0/24"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, IPv4 cluster with IPv6 config", name: "LocalModeNodeCIDR, IPv4 cluster with IPv6 config",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"}, nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, IPv6 kube-proxy in dual-stack IPv4-primary cluster", name: "LocalModeNodeCIDR, IPv6 kube-proxy in dual-stack IPv4-primary cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"},
family: v1.IPv6Protocol, family: v1.IPv6Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96")), expected: proxyutil.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"),
nodePodCIDRs: []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"}, nodePodCIDRs: []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, no PodCIDRs", name: "LocalModeNodeCIDR, no PodCIDRs",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
nodePodCIDRs: []string{}, nodePodCIDRs: []string{},
errExpected: false,
}, },
// unknown mode // unknown mode
{ {
name: "unknown LocalMode", name: "unknown LocalMode",
mode: proxyconfigapi.LocalMode("abcd"), mode: proxyconfigapi.LocalMode("abcd"),
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: proxyutiliptables.NewNoOpLocalDetector(), expected: proxyutil.NewNoOpLocalDetector(),
errExpected: false,
}, },
// LocalModeBridgeInterface // LocalModeBridgeInterface
{ {
@ -238,9 +224,8 @@ func Test_getLocalDetector(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
}, },
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByBridgeInterface("eth")), expected: proxyutil.NewDetectLocalByBridgeInterface("eth"),
errExpected: false,
}, },
{ {
name: "LocalModeBridgeInterface, strange bridge name", name: "LocalModeBridgeInterface, strange bridge name",
@ -248,9 +233,8 @@ func Test_getLocalDetector(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "1234567890123456789"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "1234567890123456789"},
}, },
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByBridgeInterface("1234567890123456789")), expected: proxyutil.NewDetectLocalByBridgeInterface("1234567890123456789"),
errExpected: false,
}, },
// LocalModeInterfaceNamePrefix // LocalModeInterfaceNamePrefix
{ {
@ -259,9 +243,8 @@ func Test_getLocalDetector(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "eth"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "eth"},
}, },
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("eth")), expected: proxyutil.NewDetectLocalByInterfaceNamePrefix("eth"),
errExpected: false,
}, },
{ {
name: "LocalModeInterfaceNamePrefix, strange interface name", name: "LocalModeInterfaceNamePrefix, strange interface name",
@ -269,25 +252,14 @@ func Test_getLocalDetector(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "1234567890123456789"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "1234567890123456789"},
}, },
family: v1.IPv4Protocol, family: v1.IPv4Protocol,
expected: resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("1234567890123456789")), expected: proxyutil.NewDetectLocalByInterfaceNamePrefix("1234567890123456789"),
errExpected: false,
}, },
} }
for _, c := range cases { for _, c := range cases {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
logger, _ := ktesting.NewTestContext(t) logger, _ := ktesting.NewTestContext(t)
r, err := getLocalDetector(logger, c.family, c.mode, c.config, c.nodePodCIDRs) r := getLocalDetector(logger, c.family, c.mode, c.config, c.nodePodCIDRs)
if c.errExpected {
if err == nil {
t.Errorf("Expected error, but succeeded with %v", r)
}
return
}
if err != nil {
t.Errorf("Error resolving detect-local: %v", err)
return
}
if !reflect.DeepEqual(r, c.expected) { if !reflect.DeepEqual(r, c.expected) {
t.Errorf("Unexpected detect-local implementation, expected: %q, got: %q", c.expected, r) t.Errorf("Unexpected detect-local implementation, expected: %q, got: %q", c.expected, r)
} }
@ -300,102 +272,105 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
name string name string
mode proxyconfigapi.LocalMode mode proxyconfigapi.LocalMode
config *proxyconfigapi.KubeProxyConfiguration config *proxyconfigapi.KubeProxyConfiguration
expected [2]proxyutiliptables.LocalTrafficDetector expected [2]proxyutil.LocalTrafficDetector
nodePodCIDRs []string nodePodCIDRs []string
errExpected bool
}{ }{
// LocalModeClusterCIDR // LocalModeClusterCIDR
{ {
name: "LocalModeClusterCIDR, dual-stack IPv4-primary cluster", name: "LocalModeClusterCIDR, dual-stack IPv4-primary cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"},
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14"))( proxyutil.NewDetectLocalByCIDR("10.0.0.0/14"),
proxyutiliptables.NewDetectLocalByCIDR("2002:0:0:1234::/64")), proxyutil.NewDetectLocalByCIDR("2002:0:0:1234::/64"),
errExpected: false, },
}, },
{ {
name: "LocalModeClusterCIDR, dual-stack IPv6-primary cluster", name: "LocalModeClusterCIDR, dual-stack IPv6-primary cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"},
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14"))( proxyutil.NewDetectLocalByCIDR("10.0.0.0/14"),
proxyutiliptables.NewDetectLocalByCIDR("2002:0:0:1234::/64")), proxyutil.NewDetectLocalByCIDR("2002:0:0:1234::/64"),
errExpected: false, },
}, },
{ {
name: "LocalModeClusterCIDR, single-stack IPv4 cluster", name: "LocalModeClusterCIDR, single-stack IPv4 cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
expected: [2]proxyutiliptables.LocalTrafficDetector{ expected: [2]proxyutil.LocalTrafficDetector{
resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/14")), proxyutil.NewDetectLocalByCIDR("10.0.0.0/14"),
proxyutiliptables.NewNoOpLocalDetector()}, proxyutil.NewNoOpLocalDetector(),
errExpected: false, },
}, },
{ {
name: "LocalModeClusterCIDR, single-stack IPv6 cluster", name: "LocalModeClusterCIDR, single-stack IPv6 cluster",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
expected: [2]proxyutiliptables.LocalTrafficDetector{ expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewNoOpLocalDetector(), proxyutil.NewNoOpLocalDetector(),
resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002:0:0:1234::/64"))}, proxyutil.NewDetectLocalByCIDR("2002:0:0:1234::/64"),
errExpected: false, },
}, },
{ {
name: "LocalModeClusterCIDR, no ClusterCIDR", name: "LocalModeClusterCIDR, no ClusterCIDR",
mode: proxyconfigapi.LocalModeClusterCIDR, mode: proxyconfigapi.LocalModeClusterCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
expected: [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()}, expected: [2]proxyutil.LocalTrafficDetector{
errExpected: false, proxyutil.NewNoOpLocalDetector(),
proxyutil.NewNoOpLocalDetector(),
},
}, },
// LocalModeNodeCIDR // LocalModeNodeCIDR
{ {
name: "LocalModeNodeCIDR, dual-stack IPv4-primary cluster", name: "LocalModeNodeCIDR, dual-stack IPv4-primary cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14,2002:0:0:1234::/64"},
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24"))( proxyutil.NewDetectLocalByCIDR("10.0.0.0/24"),
proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96")), proxyutil.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"),
},
nodePodCIDRs: []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"}, nodePodCIDRs: []string{"10.0.0.0/24", "2002::1234:abcd:ffff:0:0/96"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, dual-stack IPv6-primary cluster", name: "LocalModeNodeCIDR, dual-stack IPv6-primary cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64,10.0.0.0/14"},
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24"))( proxyutil.NewDetectLocalByCIDR("10.0.0.0/24"),
proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96")), proxyutil.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"),
},
nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96", "10.0.0.0/24"}, nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96", "10.0.0.0/24"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, single-stack IPv4 cluster", name: "LocalModeNodeCIDR, single-stack IPv4 cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "10.0.0.0/14"},
expected: [2]proxyutiliptables.LocalTrafficDetector{ expected: [2]proxyutil.LocalTrafficDetector{
resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("10.0.0.0/24")), proxyutil.NewDetectLocalByCIDR("10.0.0.0/24"),
proxyutiliptables.NewNoOpLocalDetector()}, proxyutil.NewNoOpLocalDetector(),
},
nodePodCIDRs: []string{"10.0.0.0/24"}, nodePodCIDRs: []string{"10.0.0.0/24"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, single-stack IPv6 cluster", name: "LocalModeNodeCIDR, single-stack IPv6 cluster",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: "2002:0:0:1234::/64"},
expected: [2]proxyutiliptables.LocalTrafficDetector{ expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewNoOpLocalDetector(), proxyutil.NewNoOpLocalDetector(),
resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"))}, proxyutil.NewDetectLocalByCIDR("2002::1234:abcd:ffff:0:0/96"),
},
nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"}, nodePodCIDRs: []string{"2002::1234:abcd:ffff:0:0/96"},
errExpected: false,
}, },
{ {
name: "LocalModeNodeCIDR, no PodCIDRs", name: "LocalModeNodeCIDR, no PodCIDRs",
mode: proxyconfigapi.LocalModeNodeCIDR, mode: proxyconfigapi.LocalModeNodeCIDR,
config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""}, config: &proxyconfigapi.KubeProxyConfiguration{ClusterCIDR: ""},
expected: [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()}, expected: [2]proxyutil.LocalTrafficDetector{
proxyutil.NewNoOpLocalDetector(),
proxyutil.NewNoOpLocalDetector(),
},
nodePodCIDRs: []string{}, nodePodCIDRs: []string{},
errExpected: false,
}, },
// LocalModeBridgeInterface // LocalModeBridgeInterface
{ {
@ -404,10 +379,10 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
}, },
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByBridgeInterface("eth"))( proxyutil.NewDetectLocalByBridgeInterface("eth"),
proxyutiliptables.NewDetectLocalByBridgeInterface("eth")), proxyutil.NewDetectLocalByBridgeInterface("eth"),
errExpected: false, },
}, },
// LocalModeInterfaceNamePrefix // LocalModeInterfaceNamePrefix
{ {
@ -416,26 +391,16 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
config: &proxyconfigapi.KubeProxyConfiguration{ config: &proxyconfigapi.KubeProxyConfiguration{
DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "veth"}, DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "veth"},
}, },
expected: resolveDualStackLocalDetectors(t)( expected: [2]proxyutil.LocalTrafficDetector{
proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("veth"))( proxyutil.NewDetectLocalByInterfaceNamePrefix("veth"),
proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("veth")), proxyutil.NewDetectLocalByInterfaceNamePrefix("veth"),
errExpected: false, },
}, },
} }
for _, c := range cases { for _, c := range cases {
t.Run(c.name, func(t *testing.T) { t.Run(c.name, func(t *testing.T) {
logger, _ := ktesting.NewTestContext(t) logger, _ := ktesting.NewTestContext(t)
r, err := getDualStackLocalDetectorTuple(logger, c.mode, c.config, c.nodePodCIDRs) r := getDualStackLocalDetectorTuple(logger, c.mode, c.config, c.nodePodCIDRs)
if c.errExpected {
if err == nil {
t.Errorf("Expected error, but succeeded with %q", r)
}
return
}
if err != nil {
t.Errorf("Error resolving detect-local: %v", err)
return
}
if !reflect.DeepEqual(r, c.expected) { if !reflect.DeepEqual(r, c.expected) {
t.Errorf("Unexpected detect-local implementation, expected: %q, got: %q", c.expected, r) t.Errorf("Unexpected detect-local implementation, expected: %q, got: %q", c.expected, r)
} }
@ -455,32 +420,6 @@ func makeNodeWithPodCIDRs(cidrs ...string) *v1.Node {
} }
} }
func resolveLocalDetector(t *testing.T) func(proxyutiliptables.LocalTrafficDetector, error) proxyutiliptables.LocalTrafficDetector {
return func(localDetector proxyutiliptables.LocalTrafficDetector, err error) proxyutiliptables.LocalTrafficDetector {
t.Helper()
if err != nil {
t.Fatalf("Error resolving detect-local: %v", err)
}
return localDetector
}
}
func resolveDualStackLocalDetectors(t *testing.T) func(localDetector proxyutiliptables.LocalTrafficDetector, err1 error) func(proxyutiliptables.LocalTrafficDetector, error) [2]proxyutiliptables.LocalTrafficDetector {
return func(localDetector proxyutiliptables.LocalTrafficDetector, err error) func(proxyutiliptables.LocalTrafficDetector, error) [2]proxyutiliptables.LocalTrafficDetector {
t.Helper()
if err != nil {
t.Fatalf("Error resolving dual stack detect-local: %v", err)
}
return func(otherLocalDetector proxyutiliptables.LocalTrafficDetector, err1 error) [2]proxyutiliptables.LocalTrafficDetector {
t.Helper()
if err1 != nil {
t.Fatalf("Error resolving dual stack detect-local: %v", err)
}
return [2]proxyutiliptables.LocalTrafficDetector{localDetector, otherLocalDetector}
}
}
}
func TestConfigChange(t *testing.T) { func TestConfigChange(t *testing.T) {
setUp := func() (*os.File, string, error) { setUp := func() (*os.File, string, error) {
tempDir, err := os.MkdirTemp("", "kubeproxy-config-change") tempDir, err := os.MkdirTemp("", "kubeproxy-config-change")


@ -51,7 +51,6 @@ import (
"k8s.io/kubernetes/pkg/proxy/metaproxier" "k8s.io/kubernetes/pkg/proxy/metaproxier"
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
utilexec "k8s.io/utils/exec" utilexec "k8s.io/utils/exec"
@ -107,7 +106,7 @@ func NewDualStackProxier(
masqueradeAll bool, masqueradeAll bool,
localhostNodePorts bool, localhostNodePorts bool,
masqueradeBit int, masqueradeBit int,
localDetectors [2]proxyutiliptables.LocalTrafficDetector, localDetectors [2]proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIPs map[v1.IPFamily]net.IP, nodeIPs map[v1.IPFamily]net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,
@ -168,7 +167,7 @@ type Proxier struct {
masqueradeAll bool masqueradeAll bool
masqueradeMark string masqueradeMark string
conntrack conntrack.Interface conntrack conntrack.Interface
localDetector proxyutiliptables.LocalTrafficDetector localDetector proxyutil.LocalTrafficDetector
hostname string hostname string
nodeIP net.IP nodeIP net.IP
recorder events.EventRecorder recorder events.EventRecorder
@ -229,7 +228,7 @@ func NewProxier(ctx context.Context,
masqueradeAll bool, masqueradeAll bool,
localhostNodePorts bool, localhostNodePorts bool,
masqueradeBit int, masqueradeBit int,
localDetector proxyutiliptables.LocalTrafficDetector, localDetector proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIP net.IP, nodeIP net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,


@ -54,7 +54,6 @@ import (
"k8s.io/kubernetes/pkg/proxy/healthcheck" "k8s.io/kubernetes/pkg/proxy/healthcheck"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing" proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
@ -94,7 +93,7 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
ipfamily = v1.IPv6Protocol ipfamily = v1.IPv6Protocol
podCIDR = "fd00:10::/64" podCIDR = "fd00:10::/64"
} }
detectLocal, _ := proxyutiliptables.NewDetectLocalByCIDR(podCIDR) detectLocal := proxyutil.NewDetectLocalByCIDR(podCIDR)
networkInterfacer := proxyutiltest.NewFakeNetwork() networkInterfacer := proxyutiltest.NewFakeNetwork()
itf := net.Interface{Index: 0, MTU: 0, Name: "lo", HardwareAddr: nil, Flags: 0} itf := net.Interface{Index: 0, MTU: 0, Name: "lo", HardwareAddr: nil, Flags: 0}
@ -5588,7 +5587,7 @@ func TestInternalExternalMasquerade(t *testing.T) {
fp := NewFakeProxier(ipt) fp := NewFakeProxier(ipt)
fp.masqueradeAll = tc.masqueradeAll fp.masqueradeAll = tc.masqueradeAll
if !tc.localDetector { if !tc.localDetector {
fp.localDetector = proxyutiliptables.NewNoOpLocalDetector() fp.localDetector = proxyutil.NewNoOpLocalDetector()
} }
setupTest(fp) setupTest(fp)


@ -53,7 +53,6 @@ import (
"k8s.io/kubernetes/pkg/proxy/metaproxier" "k8s.io/kubernetes/pkg/proxy/metaproxier"
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
utilkernel "k8s.io/kubernetes/pkg/util/kernel" utilkernel "k8s.io/kubernetes/pkg/util/kernel"
@ -127,7 +126,7 @@ func NewDualStackProxier(
udpTimeout time.Duration, udpTimeout time.Duration,
masqueradeAll bool, masqueradeAll bool,
masqueradeBit int, masqueradeBit int,
localDetectors [2]proxyutiliptables.LocalTrafficDetector, localDetectors [2]proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIPs map[v1.IPFamily]net.IP, nodeIPs map[v1.IPFamily]net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,
@ -207,7 +206,7 @@ type Proxier struct {
conntrack conntrack.Interface conntrack conntrack.Interface
masqueradeAll bool masqueradeAll bool
masqueradeMark string masqueradeMark string
localDetector proxyutiliptables.LocalTrafficDetector localDetector proxyutil.LocalTrafficDetector
hostname string hostname string
nodeIP net.IP nodeIP net.IP
recorder events.EventRecorder recorder events.EventRecorder
@ -282,7 +281,7 @@ func NewProxier(
udpTimeout time.Duration, udpTimeout time.Duration,
masqueradeAll bool, masqueradeAll bool,
masqueradeBit int, masqueradeBit int,
localDetector proxyutiliptables.LocalTrafficDetector, localDetector proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIP net.IP, nodeIP net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,


@ -51,7 +51,6 @@ import (
ipvstest "k8s.io/kubernetes/pkg/proxy/ipvs/util/testing" ipvstest "k8s.io/kubernetes/pkg/proxy/ipvs/util/testing"
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing" proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utiliptables "k8s.io/kubernetes/pkg/util/iptables" utiliptables "k8s.io/kubernetes/pkg/util/iptables"
@ -148,7 +147,7 @@ func NewFakeProxier(ctx context.Context, ipt utiliptables.Interface, ipvs utilip
ipset: ipset, ipset: ipset,
conntrack: conntrack.NewFake(), conntrack: conntrack.NewFake(),
strictARP: false, strictARP: false,
localDetector: proxyutiliptables.NewNoOpLocalDetector(), localDetector: proxyutil.NewNoOpLocalDetector(),
hostname: testHostname, hostname: testHostname,
serviceHealthServer: healthcheck.NewFakeServiceHealthServer(), serviceHealthServer: healthcheck.NewFakeServiceHealthServer(),
ipvsScheduler: defaultScheduler, ipvsScheduler: defaultScheduler,


@ -50,7 +50,6 @@ import (
"k8s.io/kubernetes/pkg/proxy/metaproxier" "k8s.io/kubernetes/pkg/proxy/metaproxier"
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
utilexec "k8s.io/utils/exec" utilexec "k8s.io/utils/exec"
netutils "k8s.io/utils/net" netutils "k8s.io/utils/net"
@ -111,7 +110,7 @@ func NewDualStackProxier(
minSyncPeriod time.Duration, minSyncPeriod time.Duration,
masqueradeAll bool, masqueradeAll bool,
masqueradeBit int, masqueradeBit int,
localDetectors [2]proxyutiliptables.LocalTrafficDetector, localDetectors [2]proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIPs map[v1.IPFamily]net.IP, nodeIPs map[v1.IPFamily]net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,
@ -170,7 +169,7 @@ type Proxier struct {
masqueradeAll bool masqueradeAll bool
masqueradeMark string masqueradeMark string
conntrack conntrack.Interface conntrack conntrack.Interface
localDetector proxyutiliptables.LocalTrafficDetector localDetector proxyutil.LocalTrafficDetector
hostname string hostname string
nodeIP net.IP nodeIP net.IP
recorder events.EventRecorder recorder events.EventRecorder
@ -207,7 +206,7 @@ func NewProxier(ctx context.Context,
minSyncPeriod time.Duration, minSyncPeriod time.Duration,
masqueradeAll bool, masqueradeAll bool,
masqueradeBit int, masqueradeBit int,
localDetector proxyutiliptables.LocalTrafficDetector, localDetector proxyutil.LocalTrafficDetector,
hostname string, hostname string,
nodeIP net.IP, nodeIP net.IP,
recorder events.EventRecorder, recorder events.EventRecorder,


@ -44,7 +44,6 @@ import (
"k8s.io/kubernetes/pkg/proxy/healthcheck" "k8s.io/kubernetes/pkg/proxy/healthcheck"
"k8s.io/kubernetes/pkg/proxy/metrics" "k8s.io/kubernetes/pkg/proxy/metrics"
proxyutil "k8s.io/kubernetes/pkg/proxy/util" proxyutil "k8s.io/kubernetes/pkg/proxy/util"
proxyutiliptables "k8s.io/kubernetes/pkg/proxy/util/iptables"
proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing" proxyutiltest "k8s.io/kubernetes/pkg/proxy/util/testing"
"k8s.io/kubernetes/pkg/util/async" "k8s.io/kubernetes/pkg/util/async"
netutils "k8s.io/utils/net" netutils "k8s.io/utils/net"
@ -85,7 +84,7 @@ func NewFakeProxier(ipFamily v1.IPFamily) (*knftables.Fake, *Proxier) {
podCIDR = "fd00:10::/64" podCIDR = "fd00:10::/64"
serviceCIDRs = "fd00:10:96::/112" serviceCIDRs = "fd00:10:96::/112"
} }
detectLocal, _ := proxyutiliptables.NewDetectLocalByCIDR(podCIDR) detectLocal := proxyutil.NewDetectLocalByCIDR(podCIDR)
nodePortAddresses := []string{fmt.Sprintf("%s/32", testNodeIP), fmt.Sprintf("%s/128", testNodeIPv6)} nodePortAddresses := []string{fmt.Sprintf("%s/32", testNodeIP), fmt.Sprintf("%s/128", testNodeIPv6)}
networkInterfacer := proxyutiltest.NewFakeNetwork() networkInterfacer := proxyutiltest.NewFakeNetwork()
@ -3905,7 +3904,7 @@ func TestInternalExternalMasquerade(t *testing.T) {
nft, fp := NewFakeProxier(v1.IPv4Protocol) nft, fp := NewFakeProxier(v1.IPv4Protocol)
fp.masqueradeAll = tc.masqueradeAll fp.masqueradeAll = tc.masqueradeAll
if !tc.localDetector { if !tc.localDetector {
fp.localDetector = proxyutiliptables.NewNoOpLocalDetector() fp.localDetector = proxyutil.NewNoOpLocalDetector()
} }
setupTest(fp) setupTest(fp)


@ -1,200 +0,0 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package iptables
import (
"fmt"
netutils "k8s.io/utils/net"
)
// LocalTrafficDetector in a interface to take action (jump) based on whether traffic originated locally
// at the node or not
type LocalTrafficDetector interface {
// IsImplemented returns true if the implementation does something, false otherwise
IsImplemented() bool
// IfLocal returns iptables arguments that will match traffic from a pod
IfLocal() []string
// IfNotLocal returns iptables arguments that will match traffic that is not from a pod
IfNotLocal() []string
// IfLocalNFT returns nftables arguments that will match traffic from a pod
IfLocalNFT() []string
// IfNotLocalNFT returns nftables arguments that will match traffic that is not from a pod
IfNotLocalNFT() []string
}
type noOpLocalDetector struct{}
// NewNoOpLocalDetector is a no-op implementation of LocalTrafficDetector
func NewNoOpLocalDetector() LocalTrafficDetector {
return &noOpLocalDetector{}
}
func (n *noOpLocalDetector) IsImplemented() bool {
return false
}
func (n *noOpLocalDetector) IfLocal() []string {
return nil // no-op; matches all traffic
}
func (n *noOpLocalDetector) IfNotLocal() []string {
return nil // no-op; matches all traffic
}
func (n *noOpLocalDetector) IfLocalNFT() []string {
return nil // no-op; matches all traffic
}
func (n *noOpLocalDetector) IfNotLocalNFT() []string {
return nil // no-op; matches all traffic
}
type detectLocalByCIDR struct {
ifLocal []string
ifNotLocal []string
ifLocalNFT []string
ifNotLocalNFT []string
}
// NewDetectLocalByCIDR implements the LocalTrafficDetector interface using a CIDR. This can be used when a single CIDR
// range can be used to capture the notion of local traffic.
func NewDetectLocalByCIDR(cidr string) (LocalTrafficDetector, error) {
_, parsed, err := netutils.ParseCIDRSloppy(cidr)
if err != nil {
return nil, err
}
nftFamily := "ip"
if netutils.IsIPv6CIDR(parsed) {
nftFamily = "ip6"
}
return &detectLocalByCIDR{
ifLocal: []string{"-s", cidr},
ifNotLocal: []string{"!", "-s", cidr},
ifLocalNFT: []string{nftFamily, "saddr", cidr},
ifNotLocalNFT: []string{nftFamily, "saddr", "!=", cidr},
}, nil
}
func (d *detectLocalByCIDR) IsImplemented() bool {
return true
}
func (d *detectLocalByCIDR) IfLocal() []string {
return d.ifLocal
}
func (d *detectLocalByCIDR) IfNotLocal() []string {
return d.ifNotLocal
}
func (d *detectLocalByCIDR) IfLocalNFT() []string {
return d.ifLocalNFT
}
func (d *detectLocalByCIDR) IfNotLocalNFT() []string {
return d.ifNotLocalNFT
}
type detectLocalByBridgeInterface struct {
ifLocal []string
ifNotLocal []string
ifLocalNFT []string
ifNotLocalNFT []string
}
// NewDetectLocalByBridgeInterface implements the LocalTrafficDetector interface using a bridge interface name.
// This can be used when a bridge can be used to capture the notion of local traffic from pods.
func NewDetectLocalByBridgeInterface(interfaceName string) (LocalTrafficDetector, error) {
if len(interfaceName) == 0 {
return nil, fmt.Errorf("no bridge interface name set")
}
return &detectLocalByBridgeInterface{
ifLocal: []string{"-i", interfaceName},
ifNotLocal: []string{"!", "-i", interfaceName},
ifLocalNFT: []string{"iif", interfaceName},
ifNotLocalNFT: []string{"iif", "!=", interfaceName},
}, nil
}
func (d *detectLocalByBridgeInterface) IsImplemented() bool {
return true
}
func (d *detectLocalByBridgeInterface) IfLocal() []string {
return d.ifLocal
}
func (d *detectLocalByBridgeInterface) IfNotLocal() []string {
return d.ifNotLocal
}
func (d *detectLocalByBridgeInterface) IfLocalNFT() []string {
return d.ifLocalNFT
}
func (d *detectLocalByBridgeInterface) IfNotLocalNFT() []string {
return d.ifNotLocalNFT
}
type detectLocalByInterfaceNamePrefix struct {
ifLocal []string
ifNotLocal []string
ifLocalNFT []string
ifNotLocalNFT []string
}
// NewDetectLocalByInterfaceNamePrefix implements the LocalTrafficDetector interface using an interface name prefix.
// This can be used when a pod interface name prefix can be used to capture the notion of local traffic. Note
// that this will match on all interfaces that start with the given prefix.
func NewDetectLocalByInterfaceNamePrefix(interfacePrefix string) (LocalTrafficDetector, error) {
if len(interfacePrefix) == 0 {
return nil, fmt.Errorf("no interface prefix set")
}
return &detectLocalByInterfaceNamePrefix{
ifLocal: []string{"-i", interfacePrefix + "+"},
ifNotLocal: []string{"!", "-i", interfacePrefix + "+"},
ifLocalNFT: []string{"iif", interfacePrefix + "*"},
ifNotLocalNFT: []string{"iif", "!=", interfacePrefix + "*"},
}, nil
}
func (d *detectLocalByInterfaceNamePrefix) IsImplemented() bool {
return true
}
func (d *detectLocalByInterfaceNamePrefix) IfLocal() []string {
return d.ifLocal
}
func (d *detectLocalByInterfaceNamePrefix) IfNotLocal() []string {
return d.ifNotLocal
}
func (d *detectLocalByInterfaceNamePrefix) IfLocalNFT() []string {
return d.ifLocalNFT
}
func (d *detectLocalByInterfaceNamePrefix) IfNotLocalNFT() []string {
return d.ifNotLocalNFT
}


@ -0,0 +1,116 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package util
import (
netutils "k8s.io/utils/net"
)
// LocalTrafficDetector generates iptables or nftables rules to detect traffic from local pods.
type LocalTrafficDetector interface {
// IsImplemented returns true if the implementation does something, false
// otherwise. You should not call the other methods if IsImplemented() returns
// false.
IsImplemented() bool
// IfLocal returns iptables arguments that will match traffic from a local pod.
IfLocal() []string
// IfNotLocal returns iptables arguments that will match traffic that is not from
// a local pod.
IfNotLocal() []string
// IfLocalNFT returns nftables arguments that will match traffic from a local pod.
IfLocalNFT() []string
// IfNotLocalNFT returns nftables arguments that will match traffic that is not
// from a local pod.
IfNotLocalNFT() []string
}
type detectLocal struct {
ifLocal []string
ifNotLocal []string
ifLocalNFT []string
ifNotLocalNFT []string
}
func (d *detectLocal) IsImplemented() bool {
return len(d.ifLocal) > 0
}
func (d *detectLocal) IfLocal() []string {
return d.ifLocal
}
func (d *detectLocal) IfNotLocal() []string {
return d.ifNotLocal
}
func (d *detectLocal) IfLocalNFT() []string {
return d.ifLocalNFT
}
func (d *detectLocal) IfNotLocalNFT() []string {
return d.ifNotLocalNFT
}
// NewNoOpLocalDetector returns a no-op implementation of LocalTrafficDetector.
func NewNoOpLocalDetector() LocalTrafficDetector {
return &detectLocal{}
}
// NewDetectLocalByCIDR returns a LocalTrafficDetector that considers traffic from the
// provided cidr to be from a local pod, and other traffic to be non-local. cidr is
// assumed to be valid.
func NewDetectLocalByCIDR(cidr string) LocalTrafficDetector {
nftFamily := "ip"
if netutils.IsIPv6CIDRString(cidr) {
nftFamily = "ip6"
}
return &detectLocal{
ifLocal: []string{"-s", cidr},
ifNotLocal: []string{"!", "-s", cidr},
ifLocalNFT: []string{nftFamily, "saddr", cidr},
ifNotLocalNFT: []string{nftFamily, "saddr", "!=", cidr},
}
}
// NewDetectLocalByBridgeInterface returns a LocalTrafficDetector that considers traffic
// from interfaceName to be from a local pod, and traffic from other interfaces to be
// non-local.
func NewDetectLocalByBridgeInterface(interfaceName string) LocalTrafficDetector {
return &detectLocal{
ifLocal: []string{"-i", interfaceName},
ifNotLocal: []string{"!", "-i", interfaceName},
ifLocalNFT: []string{"iif", interfaceName},
ifNotLocalNFT: []string{"iif", "!=", interfaceName},
}
}
// NewDetectLocalByInterfaceNamePrefix returns a LocalTrafficDetector that considers
// traffic from interfaces starting with interfacePrefix to be from a local pod, and
// traffic from other interfaces to be non-local.
func NewDetectLocalByInterfaceNamePrefix(interfacePrefix string) LocalTrafficDetector {
return &detectLocal{
ifLocal: []string{"-i", interfacePrefix + "+"},
ifNotLocal: []string{"!", "-i", interfacePrefix + "+"},
ifLocalNFT: []string{"iif", interfacePrefix + "*"},
ifNotLocalNFT: []string{"iif", "!=", interfacePrefix + "*"},
}
}
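Review bot: NewDetectLocalByInterfaceNamePrefix and NewDetectLocalByBridgeInterface no longer reject an empty argument, and an empty prefix yields the match `-i +` (and the corresponding `iif *`), which iptables treats as matching any interface, so every packet would be classified as coming from a local pod; the empty-argument cases the old constructors errored on were exercised by TestNewDetectLocalByBridgeInterface and TestNewDetectLocalByInterfaceNamePrefix, which this commit deletes in the traffic_test.go section. Because IsImplemented only checks `len(d.ifLocal) > 0`, such a detector also reports itself as implemented, so a caller that passes through an unvalidated config value gets a silently over-broad detector rather than an error. If validation now happens in the caller (not visible in this diff), the precondition should be stated on both constructors, e.g. `// interfacePrefix must be non-empty (validated by the caller): an empty prefix produces "-i +" / "iif *", which matches every interface.`, mirroring the "cidr is assumed to be valid" note already on NewDetectLocalByCIDR.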


@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License. limitations under the License.
*/ */
package iptables package util
import ( import (
"reflect" "reflect"
@ -38,46 +38,6 @@ func TestNoOpLocalDetector(t *testing.T) {
} }
} }
func TestNewDetectLocalByCIDR(t *testing.T) {
cases := []struct {
cidr string
errExpected bool
}{
{
cidr: "10.0.0.0/14",
errExpected: false,
},
{
cidr: "2002:0:0:1234::/64",
errExpected: false,
},
{
cidr: "10.0.0.0",
errExpected: true,
},
{
cidr: "2002:0:0:1234::",
errExpected: true,
},
{
cidr: "",
errExpected: true,
},
}
for i, c := range cases {
r, err := NewDetectLocalByCIDR(c.cidr)
if c.errExpected {
if err == nil {
t.Errorf("Case[%d] expected error, but succeeded with: %q", i, r)
}
continue
}
if err != nil {
t.Errorf("Case[%d] failed with error: %v", i, err)
}
}
}
func TestDetectLocalByCIDR(t *testing.T) { func TestDetectLocalByCIDR(t *testing.T) {
cases := []struct { cases := []struct {
cidr string cidr string
@ -96,11 +56,7 @@ func TestDetectLocalByCIDR(t *testing.T) {
}, },
} }
for _, c := range cases { for _, c := range cases {
localDetector, err := NewDetectLocalByCIDR(c.cidr) localDetector := NewDetectLocalByCIDR(c.cidr)
if err != nil {
t.Errorf("Error initializing localDetector: %v", err)
continue
}
if !localDetector.IsImplemented() { if !localDetector.IsImplemented() {
t.Error("DetectLocalByCIDR returns false for IsImplemented") t.Error("DetectLocalByCIDR returns false for IsImplemented")
} }
@ -118,66 +74,6 @@ func TestDetectLocalByCIDR(t *testing.T) {
} }
} }
func TestNewDetectLocalByBridgeInterface(t *testing.T) {
cases := []struct {
ifaceName string
errExpected bool
}{
{
ifaceName: "avz",
errExpected: false,
},
{
ifaceName: "",
errExpected: true,
},
}
for i, c := range cases {
r, err := NewDetectLocalByBridgeInterface(c.ifaceName)
if c.errExpected {
if err == nil {
t.Errorf("Case[%d] expected error, but succeeded with: %q", i, r)
}
continue
}
if err != nil {
t.Errorf("Case[%d] failed with error: %v", i, err)
}
}
}
func TestNewDetectLocalByInterfaceNamePrefix(t *testing.T) {
cases := []struct {
ifacePrefix string
errExpected bool
}{
{
ifacePrefix: "veth",
errExpected: false,
},
{
ifacePrefix: "cbr0",
errExpected: false,
},
{
ifacePrefix: "",
errExpected: true,
},
}
for i, c := range cases {
r, err := NewDetectLocalByInterfaceNamePrefix(c.ifacePrefix)
if c.errExpected {
if err == nil {
t.Errorf("Case[%d] expected error, but succeeded with: %q", i, r)
}
continue
}
if err != nil {
t.Errorf("Case[%d] failed with error: %v", i, err)
}
}
}
func TestDetectLocalByBridgeInterface(t *testing.T) { func TestDetectLocalByBridgeInterface(t *testing.T) {
cases := []struct { cases := []struct {
ifaceName string ifaceName string
@ -191,11 +87,7 @@ func TestDetectLocalByBridgeInterface(t *testing.T) {
}, },
} }
for _, c := range cases { for _, c := range cases {
localDetector, err := NewDetectLocalByBridgeInterface(c.ifaceName) localDetector := NewDetectLocalByBridgeInterface(c.ifaceName)
if err != nil {
t.Errorf("Error initializing localDetector: %v", err)
continue
}
if !localDetector.IsImplemented() { if !localDetector.IsImplemented() {
t.Error("DetectLocalByBridgeInterface returns false for IsImplemented") t.Error("DetectLocalByBridgeInterface returns false for IsImplemented")
} }
@ -228,11 +120,7 @@ func TestDetectLocalByInterfaceNamePrefix(t *testing.T) {
}, },
} }
for _, c := range cases { for _, c := range cases {
localDetector, err := NewDetectLocalByInterfaceNamePrefix(c.ifacePrefix) localDetector := NewDetectLocalByInterfaceNamePrefix(c.ifacePrefix)
if err != nil {
t.Errorf("Error initializing localDetector: %v", err)
continue
}
if !localDetector.IsImplemented() { if !localDetector.IsImplemented() {
t.Error("DetectLocalByInterfaceNamePrefix returns false for IsImplemented") t.Error("DetectLocalByInterfaceNamePrefix returns false for IsImplemented")
} }