From 709b4f696d0df0c168aeae9572388b173847d864 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Wed, 13 Apr 2022 13:08:21 -0400
Subject: [PATCH] proxy/iptables: test LoadBalancerSourceRanges vs node IP

The LoadBalancer rules change if the node IP is in one of the LoadBalancerSourceRange subnets, so make sure to set nodeIP on the fake proxier so we can test this, and add a second source range to TestLoadBalancer containing the node IP.

(This changes the result of one flow test that previously expected that node-to-LB would be dropped.)
---
 pkg/proxy/iptables/proxier_test.go | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/pkg/proxy/iptables/proxier_test.go b/pkg/proxy/iptables/proxier_test.go
index fc2feadd874..7be539f944d 100644
--- a/pkg/proxy/iptables/proxier_test.go
+++ b/pkg/proxy/iptables/proxier_test.go
@@ -420,6 +420,7 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
 		filterRules: utilproxy.LineBuffer{},
 		natChains: utilproxy.LineBuffer{},
 		natRules: utilproxy.LineBuffer{},
+		nodeIP: netutils.ParseIPSloppy(testNodeIP),
 		nodePortAddresses: make([]string, 0),
 		networkInterfacer: networkInterfacer,
 	}
@@ -2389,9 +2390,12 @@ func TestLoadBalancer(t *testing.T) {
 			svc.Status.LoadBalancer.Ingress = []v1.LoadBalancerIngress{{
 				IP: svcLBIP,
 			}}
-			// Also ensure that invalid LoadBalancerSourceRanges will not result
-			// in a crash.
-			svc.Spec.LoadBalancerSourceRanges = []string{" 203.0.113.0/25"}
+			svc.Spec.LoadBalancerSourceRanges = []string{
+				"192.168.0.0/24",
+
+				// Regression test that excess whitespace gets ignored
+				" 203.0.113.0/25",
+			}
 		}),
 	)
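Review bot: The new `nodeIP:` field in NewFakeProxier gives every test in the file a real node IP instead of nil, not just TestLoadBalancer, and nothing on the line says why; a short comment such as `// set so that LoadBalancerSourceRanges tests can cover the node-IP-in-range case` would stop it from being "cleaned up" later. Any test that needs the opposite condition (node IP outside every source range) now has to override `fp.nodeIP` after construction, and nothing in this patch does so. NewFakeProxier begins outside the hunk and, as far as can be seen, continues past it.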
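Review bot: The added `"192.168.0.0/24"` entry in the LoadBalancerSourceRanges list carries no comment, while the commit message says its only purpose is to contain testNodeIP and thereby turn on the node-IP allow rule; without that note the two ranges look interchangeable to the next reader. Suggest `// contains testNodeIP, so the proxier must also emit the node-IP allow rule` above that line, mirroring the "Regression test" comment on the whitespace entry. The makeTestService callback that holds this list begins outside the hunk.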
@@ -2438,7 +2442,9 @@ func TestLoadBalancer(t *testing.T) {
 		-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
 		-A KUBE-EXT-XPGD46QRK7WJZT7O -m comment --comment "masquerade traffic for ns1/svc1:p80 external destinations" -j KUBE-MARK-MASQ
 		-A KUBE-EXT-XPGD46QRK7WJZT7O -j KUBE-SVC-XPGD46QRK7WJZT7O
+		-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 192.168.0.0/24 -j KUBE-EXT-XPGD46QRK7WJZT7O
 		-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 203.0.113.0/25 -j KUBE-EXT-XPGD46QRK7WJZT7O
+		-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -s 1.2.3.4 -j KUBE-EXT-XPGD46QRK7WJZT7O
 		-A KUBE-FW-XPGD46QRK7WJZT7O -m comment --comment "ns1/svc1:p80 loadbalancer IP" -j KUBE-MARK-DROP
 		-A KUBE-MARK-MASQ -j MARK --or-mark 0x4000
 		-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
@@ -2501,11 +2507,25 @@ func TestLoadBalancer(t *testing.T) {
 			output: "DROP",
 		},
 		{
-			name: "node to LB (blocked by LoadBalancerSourceRanges)",
+			name: "node to LB (allowed by LoadBalancerSourceRanges)",
 			sourceIP: testNodeIP,
 			destIP: svcLBIP,
 			destPort: svcPort,
-			output: "DROP",
+			output: fmt.Sprintf("%s:%d", epIP, svcPort),
+			masq: true,
+		},
+
+		// The LB rules assume that when you connect from a node to a LB IP, that
+		// something external to kube-proxy will cause the connection to be
+		// SNATted to the LB IP, so if the LoadBalancerSourceRanges include the
+		// node IP, then we add a rule allowing traffic from the LB IP as well...
+		{
+			name: "same node to LB, SNATted to LB (implicitly allowed)",
+			sourceIP: svcLBIP,
+			destIP: svcLBIP,
+			destPort: svcPort,
+			output: fmt.Sprintf("%s:%d", epIP, svcPort),
+			masq: true,
+		},
 	})
 }
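Review bot: The `same node to LB, SNATted to LB (implicitly allowed)` case pins the `-s 1.2.3.4 -j KUBE-EXT-…` rule from the expected output, and that rule matches on source address alone, so it admits every packet that reaches the node with the LB IP as its source, not only the SNATted node-originated traffic the four-line comment describes; the comment should say so, e.g. append `// Note that this also admits any other traffic arriving with the LB IP as its source, since the rule matches on source address only.` There is also no case in this hunk asserting that the `-s <LB IP>` rule is absent when the node IP is outside every LoadBalancerSourceRange, which is the condition the commit message says drives the rule; if another test in the file already covers that this is moot, otherwise a service whose ranges exclude testNodeIP (or an override of `fp.nodeIP`) would close the gap. TestLoadBalancer begins outside the hunk.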