Allow non-masquerade-cidr to be passed to the kubelet

Removing the hard-coding of 10.0.0.0/8 Issue #11204
2025-07-30 15:05:27 +00:00 · 2016-01-07 15:44:40 -05:00 · 2016-01-07 15:44:40 -05:00 · 58191c446c
commit 58191c446c
parent cf8d05f420
7 changed files with 21 additions and 6 deletions
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@ -97,6 +97,7 @@ func NewKubeletServer() *KubeletServer {
 			MinimumGCAge:                unversioned.Duration{1 * time.Minute},
 			NetworkPluginDir:            "/usr/libexec/kubernetes/kubelet-plugins/net/exec/",
 			NetworkPluginName:           "",
+			NonMasqueradeCIDR:           "10.0.0.0/8",
 			VolumePluginDir:             "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
 			NodeStatusUpdateFrequency:   unversioned.Duration{10 * time.Second},
 			NodeLabels:                  make(map[string]string),
@ -194,6 +195,7 @@ func (s *KubeletServer) AddFlags(fs *pflag.FlagSet) {
 	fs.BoolVar(&s.ConfigureCBR0, "configure-cbr0", s.ConfigureCBR0, "If true, kubelet will configure cbr0 based on Node.Spec.PodCIDR.")
 	fs.IntVar(&s.MaxPods, "max-pods", s.MaxPods, "Number of Pods that can run on this Kubelet.")
 	fs.StringVar(&s.DockerExecHandlerName, "docker-exec-handler", s.DockerExecHandlerName, "Handler to use when executing a command in a container. Valid values are 'native' and 'nsenter'. Defaults to 'native'.")
+	fs.StringVar(&s.NonMasqueradeCIDR, "non-masquerade-cidr", s.NonMasqueradeCIDR, "Traffic to IPs outside this range will use IP masquerade.")
 	fs.StringVar(&s.PodCIDR, "pod-cidr", "", "The CIDR to use for pod IP addresses, only used in standalone mode.  In cluster mode, this is obtained from the master.")
 	fs.StringVar(&s.ResolverConfig, "resolv-conf", kubetypes.ResolvConfDefault, "Resolver configuration file used as the basis for the container DNS resolution configuration.")
 	fs.BoolVar(&s.CPUCFSQuota, "cpu-cfs-quota", s.CPUCFSQuota, "Enable CPU CFS quota enforcement for containers that specify CPU limits")
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@ -222,6 +222,7 @@ func UnsecuredKubeletConfig(s *options.KubeletServer) (*KubeletConfig, error) {
 		NetworkPlugins:            ProbeNetworkPlugins(s.NetworkPluginDir),
 		NodeLabels:                s.NodeLabels,
 		NodeStatusUpdateFrequency: s.NodeStatusUpdateFrequency.Duration,
+		NonMasqueradeCIDR:         s.NonMasqueradeCIDR,
 		OOMAdjuster:               oom.NewOOMAdjuster(),
 		OSInterface:               kubecontainer.RealOS{},
 		PodCIDR:                   s.PodCIDR,
@ -700,6 +701,7 @@ type KubeletConfig struct {
 	NodeName                       string
 	NodeLabels                     map[string]string
 	NodeStatusUpdateFrequency      time.Duration
+	NonMasqueradeCIDR              string
 	OOMAdjuster                    *oom.OOMAdjuster
 	OSInterface                    kubecontainer.OSInterface
 	PodCIDR                        string
@ -803,6 +805,7 @@ func CreateAndInitKubelet(kc *KubeletConfig) (k KubeletBootstrap, pc *config.Pod
 		kc.DockerDaemonContainer,
 		kc.SystemContainer,
 		kc.ConfigureCBR0,
+		kc.NonMasqueradeCIDR,
 		kc.PodCIDR,
 		kc.ReconcileCIDR,
 		kc.MaxPods,
--- a/docs/admin/kubelet.md
+++ b/docs/admin/kubelet.md
@ -117,6 +117,7 @@ kubelet
      --node-ip="": IP address of the node. If set, kubelet will use this IP address for the node
      --node-labels=: <Warning: Alpha feature> Labels to add when registering the node in the cluster.  Labels must are key=value pairs seperated by ','.
      --node-status-update-frequency=10s: Specifies how often kubelet posts node status to master. Note: be cautious when changing the constant, it must work with nodeMonitorGracePeriod in nodecontroller. Default: 10s
+      --non-masquerade-cidr="10.0.0.0/8": Traffic to IPs outside this range will use IP masquerade.
      --oom-score-adj=-999: The oom-score-adj value for kubelet process. Values must be within the range [-1000, 1000]
      --outofdisk-transition-frequency=5m0s: Duration for which the kubelet has to wait before transitioning out of out-of-disk node condition status. Default: 5m0s
      --pod-cidr="": The CIDR to use for pod IP addresses, only used in standalone mode.  In cluster mode, this is obtained from the master.
@ -145,7 +146,7 @@ kubelet
      --volume-plugin-dir="/usr/libexec/kubernetes/kubelet-plugins/volume/exec/": <Warning: Alpha feature> The full path of the directory in which to search for additional third party volume plugins
 ```

-###### Auto generated by spf13/cobra on 15-Jan-2016
+###### Auto generated by spf13/cobra on 21-Jan-2016


 <!-- BEGIN MUNGE: GENERATED_ANALYTICS -->
--- a/hack/verify-flags/known-flags.txt
+++ b/hack/verify-flags/known-flags.txt
@ -142,6 +142,7 @@ input-dirs
 insecure-bind-address
 insecure-port
 insecure-skip-tls-verify
+internal-cidr
 iptables-sync-period
 ir-data-source
 ir-dbname
--- a/pkg/apis/componentconfig/types.go
+++ b/pkg/apis/componentconfig/types.go
@ -274,6 +274,8 @@ type KubeletConfiguration struct {
 	NodeIP string `json:"nodeIP,omitempty"`
 	// nodeLabels to add when registering the node in the cluster.
 	NodeLabels map[string]string `json:"nodeLabels"`
+	// nonMasqueradeCIDR configures masquerading: traffic to IPs outside this range will use IP masquerade.
+	NonMasqueradeCIDR string `json:"nonMasqueradeCIDR"`
 }

 // LeaderElectionConfiguration defines the configuration of leader election
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@ -119,23 +119,24 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
 }

 // TODO(dawnchen): Using pkg/util/iptables
-func ensureIPTablesMasqRule() error {
+// nonMasqueradeCIDR is the CIDR for our internal IP range; traffic to IPs outside this range will use IP masquerade.
+func ensureIPTablesMasqRule(nonMasqueradeCIDR string) error {
 	// Check if the MASQUERADE rule exist or not
 	if err := exec.Command("iptables",
 		"-t", "nat",
 		"-C", "POSTROUTING",
-		"!", "-d", "10.0.0.0/8",
+		"!", "-d", nonMasqueradeCIDR,
 		"-m", "addrtype", "!", "--dst-type", "LOCAL",
 		"-j", "MASQUERADE").Run(); err == nil {
 		// The MASQUERADE rule exists
 		return nil
 	}

-	glog.Infof("MASQUERADE rule doesn't exist, recreate it")
+	glog.Infof("MASQUERADE rule doesn't exist, recreate it (with nonMasqueradeCIDR %s)", nonMasqueradeCIDR)
 	if err := exec.Command("iptables",
 		"-t", "nat",
 		"-A", "POSTROUTING",
-		"!", "-d", "10.0.0.0/8",
+		"!", "-d", nonMasqueradeCIDR,
 		"-m", "addrtype", "!", "--dst-type", "LOCAL",
 		"-j", "MASQUERADE").Run(); err != nil {
 		return err
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -182,6 +182,7 @@ func NewMainKubelet(
 	dockerDaemonContainer string,
 	systemContainer string,
 	configureCBR0 bool,
+	nonMasqueradeCIDR string,
 	podCIDR string,
 	reconcileCIDR bool,
 	maxPods int,
@ -301,6 +302,7 @@ func NewMainKubelet(
 		chownRunner:                    chownRunner,
 		writer:                         writer,
 		configureCBR0:                  configureCBR0,
+		nonMasqueradeCIDR:              nonMasqueradeCIDR,
 		reconcileCIDR:                  reconcileCIDR,
 		maxPods:                        maxPods,
 		syncLoopMonitor:                atomic.Value{},
@ -609,6 +611,9 @@ type Kubelet struct {
 	configureCBR0 bool
 	reconcileCIDR bool

+	// Traffic to IPs outside this range will use IP masquerade.
+	nonMasqueradeCIDR string
+
 	// Maximum Number of Pods which can be run by this Kubelet
 	maxPods int

@ -2644,7 +2649,7 @@ func (kl *Kubelet) syncNetworkStatus() {
 				kl.runtimeState.podCIDR(), podCIDR)
 			kl.runtimeState.setPodCIDR(podCIDR)
 		}
-		if err := ensureIPTablesMasqRule(); err != nil {
+		if err := ensureIPTablesMasqRule(kl.nonMasqueradeCIDR); err != nil {
 			err = fmt.Errorf("Error on adding ip table rules: %v", err)
 			glog.Error(err)
 			kl.runtimeState.setNetworkState(err)