add iptables rule for MASQUERADE for egress

2025-07-30 15:05:27 +00:00 · 2015-06-24 12:56:36 -07:00 · 2015-06-24 12:56:36 -07:00 · 710fb4e413
commit 710fb4e413
parent 6ddfa512de
4 changed files with 23 additions and 4 deletions
--- a/pkg/kubelet/container_bridge.go
+++ b/pkg/kubelet/container_bridge.go
@ -39,7 +39,7 @@ func createCBR0(wantCIDR *net.IPNet) error {
 		glog.Error(err)
 		return err
 	}
-	if err := exec.Command("ip", "link", "set", "dev", "cbr0", "up").Run(); err != nil {
+	if err := exec.Command("ip", "link", "set", "dev", "cbr0", "mtu", "1460", "up").Run(); err != nil {
 		glog.Error(err)
 		return err
 	}
@ -117,3 +117,18 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
 	glog.V(5).Infof("Want cbr0 CIDR: %s, have cbr0 CIDR: %s", wantCIDR, cbr0CIDR)
 	return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask)
 }
+
+// TODO(dawnchen): Using pkg/util/iptables
+func ensureIPTablesMasqRule() error {
+	// Check if the MASQUERADE rule exist or not
+	if err := exec.Command("iptables", "-t", "nat", "-C", "POSTROUTING", "-o", "eth0", "-j", "MASQUERADE", "!", "-d", "10.0.0.0/8").Run(); err == nil {
+		// The MASQUERADE rule exists
+		return nil
+	}
+
+	glog.Infof("MASQUERADE rule doesn't exist, recreate it")
+	if err := exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-o", "eth0", "-j", "MASQUERADE", "!", "-d", "10.0.0.0/8").Run(); err != nil {
+		return err
+	}
+	return nil
+}
--- a/pkg/kubelet/kubelet.go
+++ b/pkg/kubelet/kubelet.go
@ -1918,6 +1918,10 @@ func (kl *Kubelet) syncNetworkStatus() {

 	networkConfigured := true
 	if kl.configureCBR0 {
+		if err := ensureIPTablesMasqRule(); err != nil {
+			networkConfigured = false
+			glog.Errorf("Error on adding ip table rules: %v", err)
+		}
 		if len(kl.podCIDR) == 0 {
 			networkConfigured = false
 		} else if err := kl.reconcileCBR0(kl.podCIDR); err != nil {
--- a/pkg/kubelet/status_manager.go
+++ b/pkg/kubelet/status_manager.go
@ -17,7 +17,6 @@ limitations under the License.
 package kubelet

 import (
-	"errors"
 	"fmt"
 	"reflect"
 	"sort"
@ -144,7 +143,8 @@ func (s *statusManager) RemoveOrphanedStatuses(podFullNames map[string]bool) {
 // syncBatch syncs pods statuses with the apiserver.
 func (s *statusManager) syncBatch() error {
 	if s.kubeClient == nil {
-		return errors.New("Kubernetes client is nil, skipping pod status updates")
+		glog.V(4).Infof("Kubernetes client is nil, skipping pod status updates")
+		return nil
 	}
 	syncRequest := <-s.podStatusChannel
 	pod := syncRequest.pod
--- a/pkg/util/util.go
+++ b/pkg/util/util.go
@ -205,7 +205,7 @@ func CompileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
 // TODO(dchen1107): realiably detects the init system using on the system:
 // systemd, upstart, initd, etc.
 func UsingSystemdInitSystem() bool {
-	if _, err := os.Stat("/run/systemd/system"); err != nil {
+	if _, err := os.Stat("/run/systemd/system"); err == nil {
 		return true
 	}