github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-01 15:58:37 +00:00
Code Issues Projects Releases Wiki Activity

add iptables rule for MASQUERADE for egress

Browse Source
This commit is contained in:
Dawn Chen 2015-06-24 12:56:36 -07:00
parent 6ddfa512de
commit 710fb4e413
4 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
pkg/kubelet/container_bridge.go
View File

@ -39,7 +39,7 @@ func createCBR0(wantCIDR *net.IPNet) error {
glog.Error(err) glog.Error(err)
return err return err
} }
if err := exec.Command("ip", "link", "set", "dev", "cbr0", "up").Run(); err != nil { if err := exec.Command("ip", "link", "set", "dev", "cbr0", "mtu", "1460", "up").Run(); err != nil {
glog.Error(err) glog.Error(err)
return err return err
} }
@ -117,3 +117,18 @@ func cbr0CidrCorrect(wantCIDR *net.IPNet) bool {
glog.V(5).Infof("Want cbr0 CIDR: %s, have cbr0 CIDR: %s", wantCIDR, cbr0CIDR) glog.V(5).Infof("Want cbr0 CIDR: %s, have cbr0 CIDR: %s", wantCIDR, cbr0CIDR)
return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask) return wantCIDR.IP.Equal(cbr0IP) && bytes.Equal(wantCIDR.Mask, cbr0CIDR.Mask)
} }
// TODO(dawnchen): Using pkg/util/iptables
func ensureIPTablesMasqRule() error {
// Check if the MASQUERADE rule exist or not
if err := exec.Command("iptables", "-t", "nat", "-C", "POSTROUTING", "-o", "eth0", "-j", "MASQUERADE", "!", "-d", "10.0.0.0/8").Run(); err == nil {
// The MASQUERADE rule exists
return nil
}
glog.Infof("MASQUERADE rule doesn't exist, recreate it")
if err := exec.Command("iptables", "-t", "nat", "-A", "POSTROUTING", "-o", "eth0", "-j", "MASQUERADE", "!", "-d", "10.0.0.0/8").Run(); err != nil {
return err
}
return nil
}

4
pkg/kubelet/kubelet.go
View File

@ -1918,6 +1918,10 @@ func (kl *Kubelet) syncNetworkStatus() {
networkConfigured := true networkConfigured := true
if kl.configureCBR0 { if kl.configureCBR0 {
if err := ensureIPTablesMasqRule(); err != nil {
networkConfigured = false
glog.Errorf("Error on adding ip table rules: %v", err)
}
if len(kl.podCIDR) == 0 { if len(kl.podCIDR) == 0 {
networkConfigured = false networkConfigured = false
} else if err := kl.reconcileCBR0(kl.podCIDR); err != nil { } else if err := kl.reconcileCBR0(kl.podCIDR); err != nil {

4
pkg/kubelet/status_manager.go
View File

@ -17,7 +17,6 @@ limitations under the License.
package kubelet package kubelet
import ( import (
"errors"
"fmt" "fmt"
"reflect" "reflect"
"sort" "sort"
@ -144,7 +143,8 @@ func (s *statusManager) RemoveOrphanedStatuses(podFullNames map[string]bool) {
// syncBatch syncs pods statuses with the apiserver. // syncBatch syncs pods statuses with the apiserver.
func (s *statusManager) syncBatch() error { func (s *statusManager) syncBatch() error {
if s.kubeClient == nil { if s.kubeClient == nil {
return errors.New("Kubernetes client is nil, skipping pod status updates") glog.V(4).Infof("Kubernetes client is nil, skipping pod status updates")
return nil
} }
syncRequest := <-s.podStatusChannel syncRequest := <-s.podStatusChannel
pod := syncRequest.pod pod := syncRequest.pod

2
pkg/util/util.go
View File

@ -205,7 +205,7 @@ func CompileRegexps(regexpStrings []string) ([]*regexp.Regexp, error) {
// TODO(dchen1107): realiably detects the init system using on the system: // TODO(dchen1107): realiably detects the init system using on the system:
// systemd, upstart, initd, etc. // systemd, upstart, initd, etc.
func UsingSystemdInitSystem() bool { func UsingSystemdInitSystem() bool {
if _, err := os.Stat("/run/systemd/system"); err != nil { if _, err := os.Stat("/run/systemd/system"); err == nil {
return true return true
} }