From 58191c446c76298b46904ac79914518e2489f94f Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Thu, 7 Jan 2016 15:44:40 -0500
Subject: [PATCH] Allow non-masquerade-cidr to be passed to the kubelet
Removing the hard-coding of 10.0.0.0/8
Issue #11204
---
 cmd/kubelet/app/options/options.go | 2 ++
 cmd/kubelet/app/server.go | 3 +++
 docs/admin/kubelet.md | 3 ++-
 hack/verify-flags/known-flags.txt | 1 +
 pkg/apis/componentconfig/types.go | 2 ++
 pkg/kubelet/container_bridge.go | 9 +++++----
 pkg/kubelet/kubelet.go | 7 ++++++-
 7 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go
index ef985ae8790..5a4f56b3c86 100644
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@@ -97,6 +97,7 @@ func NewKubeletServer() *KubeletServer {
 MinimumGCAge: unversioned.Duration{1 * time.Minute},
 NetworkPluginDir: "/usr/libexec/kubernetes/kubelet-plugins/net/exec/",
 NetworkPluginName: "",
+ NonMasqueradeCIDR: "10.0.0.0/8",
 VolumePluginDir: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
 NodeStatusUpdateFrequency: unversioned.Duration{10 * time.Second},
 NodeLabels: make(map[string]string),
@@ -194,6 +195,7 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
 fs.BoolVar(&s.ConfigureCBR0, "configure-cbr0", s.ConfigureCBR0, "If true, kubelet will configure cbr0 based on Node.Spec.PodCIDR.")
 fs.IntVar(&s.MaxPods, "max-pods", s.MaxPods, "Number of Pods that can run on this Kubelet.")
 fs.StringVar(&s.DockerExecHandlerName, "docker-exec-handler", s.DockerExecHandlerName, "Handler to use when executing a command in a container. Valid values are 'native' and 'nsenter'. Defaults to 'native'.")
+ fs.StringVar(&s.NonMasqueradeCIDR, "non-masquerade-cidr", s.NonMasqueradeCIDR, "Traffic to IPs outside this range will use IP masquerade.")
 fs.StringVar(&s.PodCIDR, "pod-cidr", "", "The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.")
 fs.StringVar(&s.ResolverConfig, "resolv-conf", kubetypes.ResolvConfDefault, "Resolver configuration file used as the basis for the container DNS resolution configuration.")
 fs.BoolVar(&s.CPUCFSQuota, "cpu-cfs-quota", s.CPUCFSQuota, "Enable CPU CFS quota enforcement for containers that specify CPU limits")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 32d9599ad63..1e54f7cb8ce 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -222,6 +222,7 @@ func UnsecuredKubeletConfig(s *options.KubeletServer) (*KubeletConfig, error) {
 NetworkPlugins: ProbeNetworkPlugins(s.NetworkPluginDir),
 NodeLabels: s.NodeLabels,
 NodeStatusUpdateFrequency: s.NodeStatusUpdateFrequency.Duration,
+ NonMasqueradeCIDR: s.NonMasqueradeCIDR,
 OOMAdjuster: oom.NewOOMAdjuster(),
 OSInterface: kubecontainer.RealOS{},
 PodCIDR: s.PodCIDR,
@@ -700,6 +701,7 @@ type KubeletConfig struct {
 NodeName string
 NodeLabels map[string]string
 NodeStatusUpdateFrequency time.Duration
+ NonMasqueradeCIDR string
 OOMAdjuster *oom.OOMAdjuster
 OSInterface kubecontainer.OSInterface
 PodCIDR string
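Review bot: In the UnsecuredKubeletConfig hunk `s.NonMasqueradeCIDR` is copied into KubeletConfig without ever being parsed, so a malformed value is only discovered later when the `iptables` invocation in ensureIPTablesMasqRule fails (presumably on each network sync), instead of at startup. UnsecuredKubeletConfig already returns an error, so it can reject it up front: `if _, _, err := net.ParseCIDR(s.NonMasqueradeCIDR); err != nil { return nil, fmt.Errorf("invalid non-masquerade-cidr %q: %v", s.NonMasqueradeCIDR, err) }` (assuming `net` and `fmt` are already imported in server.go, which the hunk does not show). The same gap exists for the `nonMasqueradeCIDR` field added to KubeletConfiguration in pkg/apis/componentconfig/types.go, where a validation hook, if one exists, would be the natural place. The body of UnsecuredKubeletConfig continues outside the hunk.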
@@ -803,6 +805,7 @@ func CreateAndInitKubelet(kc *KubeletConfig) (k KubeletBootstrap, pc *config.Pod
 kc.DockerDaemonContainer,
 kc.SystemContainer,
 kc.ConfigureCBR0,
+ kc.NonMasqueradeCIDR,
 kc.PodCIDR,
 kc.ReconcileCIDR,
 kc.MaxPods,
diff --git a/docs/admin/kubelet.md b/docs/admin/kubelet.md
index 42a99a7aca7..eb316da8453 100644
--- a/docs/admin/kubelet.md
+++ b/docs/admin/kubelet.md
@@ -117,6 +117,7 @@ kubelet
 --node-ip="": IP address of the node. If set, kubelet will use this IP address for the node
 --node-labels=: Labels to add when registering the node in the cluster. Labels must are key=value pairs seperated by ','.
 --node-status-update-frequency=10s: Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s
+ --non-masquerade-cidr="10.0.0.0/8": Traffic to IPs outside this range will use IP masquerade.
 --oom-score-adj=-999: The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]
 --outofdisk-transition-frequency=5m0s: Duration for which the kubelet has to wait before transitioning out of out-of-disk node condition status. Default: 5m0s
 --pod-cidr="": The CIDR to use for pod IP addresses, only used in standalone mode. In cluster mode, this is obtained from the master.
@@ -145,7 +146,7 @@ kubelet
 --volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/": The full path of the directory in which to search for additional third party volume plugins
 ```
-###### Auto generated by spf13/cobra on 15-Jan-2016
+###### Auto generated by spf13/cobra on 21-Jan-2016
diff --git a/hack/verify-flags/known-flags.txt b/hack/verify-flags/known-flags.txt
index 04b9ac72aa9..9c307172e38 100644
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@@ -142,6 +142,7 @@ input-dirs
 insecure-bind-address
 insecure-port
 insecure-skip-tls-verify
+internal-cidr
 iptables-sync-period
 ir-data-source
 ir-dbname
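Review bot: The entry added to hack/verify-flags/known-flags.txt is `internal-cidr`, but the flag registered in options.go and documented in docs/admin/kubelet.md is `non-masquerade-cidr`; this looks like a leftover from an earlier name for the flag. As far as I can tell the verify-flags check matches on the registered flag name, so `internal-cidr` is dead weight and `non-masquerade-cidr` is the one that should be listed. The line should read `non-masquerade-cidr` and sit at its alphabetical position among the `n`-prefixed entries, which is outside this hunk.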
diff --git a/pkg/apis/componentconfig/types.go b/pkg/apis/componentconfig/types.go
index 65591b40428..cb8be651cd7 100644
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@@ -274,6 +274,8 @@ type KubeletConfiguration struct {
 NodeIP string `json:"nodeIP,omitempty"`
 // nodeLabels to add when registering the node in the cluster.
 NodeLabels map[string]string `json:"nodeLabels"`
+ // nonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.
+ NonMasqueradeCIDR string `json:"nonMasqueradeCIDR"`
 }
 // LeaderElectionConfiguration defines the configuration of leader election
diff --git a/pkg/kubelet/container_bridge.go b/pkg/kubelet/container_bridge.go
index 7b5377a283f..6f25f8e886f 100644
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@@ -119,23 +119,24 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
 }
 // TODO(dawnchen): Using pkg/util/iptables
-func ensureIPTablesMasqRule() error {
+// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs outside this range will use IP masquerade.
+func ensureIPTablesMasqRule(nonMasqueradeCIDR string) error {
 // Check if the MASQUERADE rule exist or not
 if err := exec.Command("iptables",
 "-t", "nat",
 "-C", "POSTROUTING",
- "!", "-d", "10.0.0.0/8",
+ "!", "-d", nonMasqueradeCIDR,
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "MASQUERADE").Run(); err == nil {
 // The MASQUERADE rule exists
 return nil
 }
- glog.Infof("MASQUERADE rule doesn't exist, recreate it")
+ glog.Infof("MASQUERADE rule doesn't exist, recreate it (with nonMasqueradeCIDR %s)", nonMasqueradeCIDR)
 if err := exec.Command("iptables",
 "-t", "nat",
 "-A", "POSTROUTING",
- "!", "-d", "10.0.0.0/8",
+ "!", "-d", nonMasqueradeCIDR,
 "-m", "addrtype", "!", "--dst-type", "LOCAL",
 "-j", "MASQUERADE").Run(); err != nil {
 return err
diff --git a/pkg/kubelet/kubelet.go b/pkg/kubelet/kubelet.go
index 1931f6e57d1..ff4ebb1be1d 100644
--- a/pkg/kubelet/kubelet.go
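Review bot: ensureIPTablesMasqRule only checks for (`-C`) and appends (`-A`) a rule built from the current nonMasqueradeCIDR and never removes a rule built from a different one, so if the value is changed on a node that already carries the old `! -d 10.0.0.0/8` MASQUERADE rule, both rules stay in POSTROUTING and the older one keeps masquerading traffic to whatever the new range was meant to exclude. Until stale-rule cleanup lands (the existing `// TODO(dawnchen): Using pkg/util/iptables` is probably where it belongs), the limitation should at least be stated in the new doc comment, e.g. `// A rule created with a different CIDR is not removed; changing the value on a running node leaves the old rule in place.` The value is also handed straight to iptables as an argv element — no shell is involved, but an unparsed string yields an opaque iptables failure rather than a clear kubelet error, so a `net.ParseCIDR` check here or at flag parsing would help. As a style point, a Go doc comment should begin with the function name (`// ensureIPTablesMasqRule ensures a POSTROUTING MASQUERADE rule exists for traffic leaving nonMasqueradeCIDR ...`) rather than with the parameter. The function's closing lines are outside the hunk.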
+++ b/pkg/kubelet/kubelet.go
@@ -182,6 +182,7 @@ func NewMainKubelet(
 dockerDaemonContainer string,
 systemContainer string,
 configureCBR0 bool,
+ nonMasqueradeCIDR string,
 podCIDR string,
 reconcileCIDR bool,
 maxPods int,
@@ -301,6 +302,7 @@ func NewMainKubelet(
 chownRunner: chownRunner,
 writer: writer,
 configureCBR0: configureCBR0,
+ nonMasqueradeCIDR: nonMasqueradeCIDR,
 reconcileCIDR: reconcileCIDR,
 maxPods: maxPods,
 syncLoopMonitor: atomic.Value{},
@@ -609,6 +611,9 @@ type Kubelet struct {
 configureCBR0 bool
 reconcileCIDR bool
+ // Traffic to IPs outside this range will use IP masquerade.
+ nonMasqueradeCIDR string
+
 // Maximum Number of Pods which can be run by this Kubelet
 maxPods int
@@ -2644,7 +2649,7 @@ func (kl *Kubelet) syncNetworkStatus() {
 kl.runtimeState.podCIDR(), podCIDR)
 kl.runtimeState.setPodCIDR(podCIDR)
 }
- if err := ensureIPTablesMasqRule(); err != nil {
+ if err := ensureIPTablesMasqRule(kl.nonMasqueradeCIDR); err != nil {
 err = fmt.Errorf("Error on adding ip table rules: %v", err)
 glog.Error(err)
 kl.runtimeState.setNetworkState(err)