From 1f7ea1656053aa261dd977f058c15352c6de7e95 Mon Sep 17 00:00:00 2001
From: Lion-Wei
Date: Fri, 11 Sep 2020 17:41:49 +0800
Subject: [PATCH] kube-proxy ensure KUBE-MARK-DROP exist but not modify their rules

---
 pkg/proxy/iptables/proxier.go | 15 +++++++++++++++
 pkg/proxy/ipvs/proxier.go | 16 +++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index a53c01f6970..5e618e12918 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -399,6 +399,13 @@ var iptablesJumpChains = []iptablesJumpChain{
 	{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
 }
 
+var iptablesEnsureChains = []struct {
+	table utiliptables.Table
+	chain utiliptables.Chain
+}{
+	{utiliptables.TableNAT, KubeMarkDropChain},
+}
+
 var iptablesCleanupOnlyChains = []iptablesJumpChain{}
 
 // CleanupLeftovers removes all iptables rules and chains created by the Proxier
@@ -868,6 +875,14 @@ func (proxier *Proxier) syncProxyRules() {
 		}
 	}
 
+	// ensure KUBE-MARK-DROP chain exist but do not change any rules
+	for _, ch := range iptablesEnsureChains {
+		if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
+			klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
+			return
+		}
+	}
+
 	//
 	// Below this point we will not return until we try to write the iptables rules.
 	//
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index d0e4ac628ab..31933db0534 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
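Review bot: The new `iptablesEnsureChains` in the first hunk of pkg/proxy/iptables/proxier.go carries no doc comment, and its element type is an anonymous struct that pkg/proxy/ipvs/proxier.go spells out again for its own `iptablesEnsureChains` and `iptablesCleanupChains` (and, from its hunk header, `iptablesChains`). A small named type such as `tableChain struct{ table utiliptables.Table; chain utiliptables.Chain }` would let the lists share one declaration, though that is a style preference. What matters more is stating the contract the list encodes, since the commit title is the only place it is said: `// iptablesEnsureChains lists chains the proxier only guarantees exist; it never writes, flushes or deletes their rules.` The patch does not say which component does own those rules, so leave the owner unnamed unless it is confirmed.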
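Review bot: The loop added to syncProxyRules only guarantees that KUBE-MARK-DROP exists, and nothing in this hunk populates it, so a chain that exists but is empty is a fail-open state: an empty chain matches nothing, packets sent to it are never marked, and anything downstream that drops on that mark (presumably the loadBalancerSourceRanges path, not visible here) lets the traffic through. That dependency on an external rule owner deserves to be explicit at the call site, and the comment also has a grammar slip ("exist"); something like `// Ensure the KUBE-MARK-DROP chain exists but never write or flush its rules: they are owned elsewhere, and an empty chain means nothing sent to it is marked for drop.` The identical loop and comment are added to createAndLinkeKubeChain in pkg/proxy/ipvs/proxier.go and should get the same wording. syncProxyRules starts and ends outside the hunk.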
@@ -117,10 +117,16 @@ var iptablesChains = []struct {
 	{utiliptables.TableNAT, KubeNodePortChain},
 	{utiliptables.TableNAT, KubeLoadBalancerChain},
 	{utiliptables.TableNAT, KubeMarkMasqChain},
-	{utiliptables.TableNAT, KubeMarkDropChain},
 	{utiliptables.TableFilter, KubeForwardChain},
 }
 
+var iptablesEnsureChains = []struct {
+	table utiliptables.Table
+	chain utiliptables.Chain
+}{
+	{utiliptables.TableNAT, KubeMarkDropChain},
+}
+
 var iptablesCleanupChains = []struct {
 	table utiliptables.Table
 	chain utiliptables.Chain
@@ -1858,6 +1864,14 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
 	existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
 	existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
 
+	// ensure KUBE-MARK-DROP chain exist but do not change any rules
+	for _, ch := range iptablesEnsureChains {
+		if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
+			klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
+			return
+		}
+	}
+
 	// Make sure we keep stats for the top-level chains
 	for _, ch := range iptablesChains {
 		if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
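Review bot: Removing KubeMarkDropChain from `iptablesChains` while listing it under the new `iptablesEnsureChains` is the whole point of the change, but nothing at the declaration says so, and a later contributor is likely to read the gap as an omission and put it back, which would reinstate whatever handling of that chain's rules this commit is removing. A one-line comment where the entry used to be would pin the intent: `// KubeMarkDropChain is deliberately absent: it is listed in iptablesEnsureChains so its rules are never rewritten here.` What else iterates iptablesChains besides the EnsureChain loop in createAndLinkeKubeChain is outside the hunk, so the exact consequence of re-adding it cannot be confirmed from this patch.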