github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-02 00:07:50 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #47612 from freehan/hostport-bug-fix

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 47523, 47438, 47550, 47450, 47612)

append KUBE-HOSTPORTS to system chains instead of prepend

Bug fix for conflicting iptables rules between hostport and kube-proxy
This commit is contained in:
Kubernetes Submit Queue 2017-06-15 18:54:08 -07:00 committed by GitHub
commit 509bf69a2d
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/kubelet/network/hostport/hostport.go
View File

@ -184,7 +184,10 @@ func ensureKubeHostportChains(iptables utiliptables.Interface, natInterfaceName
"-m", "addrtype", "--dst-type", "LOCAL",
"-j", string(kubeHostportsChain)}
for _, tc := range tableChainsNeedJumpServices {
if _, err := iptables.EnsureRule(utiliptables.Prepend, tc.table, tc.chain, args...); err != nil {
// KUBE-HOSTPORTS chain needs to be appended to the system chains.
// This ensures KUBE-SERVICES chain gets processed first.
// Since rules in KUBE-HOSTPORTS chain matches broader cases, allow the more specific rules to be processed first.
if _, err := iptables.EnsureRule(utiliptables.Append, tc.table, tc.chain, args...); err != nil {
return fmt.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeHostportsChain, err)
}
}