From 760568796f97613f4c538299525f88bb586ffb39 Mon Sep 17 00:00:00 2001 From: CJ Cullen Date: Mon, 18 Apr 2016 14:45:35 -0700 Subject: [PATCH] Masquerade traffic from off-cluster going through kube-proxy. --- .../salt/kube-proxy/kube-proxy.manifest | 6 +- cmd/kube-proxy/app/options/options.go | 1 + cmd/kube-proxy/app/server.go | 2 +- docs/admin/kube-proxy.md | 3 +- hack/verify-flags/exceptions.txt | 1 + .../componentconfig/deep_copy_generated.go | 1 + pkg/apis/componentconfig/types.generated.go | 603 ++++++++++-------- pkg/apis/componentconfig/types.go | 4 + .../v1alpha1/conversion_generated.go | 2 + .../v1alpha1/deep_copy_generated.go | 1 + pkg/apis/componentconfig/v1alpha1/types.go | 4 + pkg/proxy/iptables/proxier.go | 7 +- 12 files changed, 350 insertions(+), 285 deletions(-) diff --git a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest index 4a87c62dd83..bbf79bb65ea 100644 --- a/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest +++ b/cluster/saltbase/salt/kube-proxy/kube-proxy.manifest @@ -14,6 +14,10 @@ {% if pillar['kubeproxy_test_args'] is defined -%} {% set test_args=pillar['kubeproxy_test_args'] %} {% endif -%} +{% set cluster_cidr = "" -%} +{% if pillar['cluster_cidr'] is defined -%} + {% set cluster_cidr=" --cluster-cidr=" + pillar['cluster_cidr'] %} +{% endif -%} {% set log_level = pillar['log_level'] -%} {% if pillar['kubeproxy_test_log_level'] is defined -%} @@ -40,7 +44,7 @@ spec: command: - /bin/sh - -c - - kube-proxy {{api_servers_with_port}} {{kubeconfig}} --resource-container="" {{log_level}} {{test_args}} 1>>/var/log/kube-proxy.log 2>&1 + - kube-proxy {{api_servers_with_port}} {{kubeconfig}} {{cluster_cidr}} --resource-container="" {{log_level}} {{test_args}} 1>>/var/log/kube-proxy.log 2>&1 securityContext: privileged: true volumeMounts: diff --git a/cmd/kube-proxy/app/options/options.go b/cmd/kube-proxy/app/options/options.go index 3c10b9e0d8d..425b1ae744f 100644 
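Review bot: In kube-proxy.manifest the new `cluster_cidr` fragment is built by concatenating `pillar['cluster_cidr']` and is then expanded unquoted inside the `/bin/sh -c` command string of a container that runs with `privileged: true`, so the pillar value is parsed by the shell instead of reaching kube-proxy as a single argument. The neighbouring arguments are spliced in the same way and the pillar is presumably operator-controlled, so this follows the file's pattern, but a mistyped or unexpected value would still alter the command line of a privileged process. I would quote the value in the template, `{% set cluster_cidr=" --cluster-cidr='" + pillar['cluster_cidr'] + "'" %}`, and update the matching line in hack/verify-flags/exceptions.txt to the same text.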
--- a/cmd/kube-proxy/app/options/options.go +++ b/cmd/kube-proxy/app/options/options.go @@ -75,6 +75,7 @@ func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) { fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.") fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed. Must be greater than 0.") fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything") + fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed.") fs.BoolVar(&s.CleanupAndExit, "cleanup-iptables", s.CleanupAndExit, "If true cleanup iptables rules and exit.") fs.Float32Var(&s.KubeAPIQPS, "kube-api-qps", s.KubeAPIQPS, "QPS to use while talking with kubernetes apiserver") fs.IntVar(&s.KubeAPIBurst, "kube-api-burst", s.KubeAPIBurst, "Burst to use while talking with kubernetes apiserver") diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go index 23c0b3cf6e3..e97fdd0badb 100644 --- a/cmd/kube-proxy/app/server.go +++ b/cmd/kube-proxy/app/server.go @@ -203,7 +203,7 @@ func NewProxyServerDefault(config *options.ProxyServerConfig) (*ProxyServer, err return nil, fmt.Errorf("Unable to read IPTablesMasqueradeBit from config") } - proxierIptables, err := iptables.NewProxier(iptInterface, execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll, *config.IPTablesMasqueradeBit) + proxierIptables, err := iptables.NewProxier(iptInterface, execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll, *config.IPTablesMasqueradeBit, config.ClusterCIDR) if err != nil { glog.Fatalf("Unable to create proxier: %v", err) } 
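Review bot: The help text for `--cluster-cidr` in AddFlags says the range is used to "bridge" off-cluster traffic, while the commit subject and the adjacent `--masquerade-all` flag describe masquerading (SNAT). The proxier hunk is not in view here, but if the flag does what the subject says, operators should be told that setting it rewrites the source address that backends see, since that affects source-IP based access rules and audit logs. I would reword it along the lines of `"The CIDR range of pods in the cluster. Traffic to services from sources outside this range is masqueraded (SNAT). If empty, no off-cluster traffic is masqueraded."`. The same sentence is repeated in the `ClusterCIDR` field comment in pkg/apis/componentconfig/types.go and in docs/admin/kube-proxy.md, so all three should change together.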
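Review bot: `config.ClusterCIDR` reaches `iptables.NewProxier` in NewProxyServerDefault as the raw flag string, and nothing in the visible hunks checks that it is a CIDR. A malformed value would presumably surface only later, when the proxier builds its rules, or change which traffic the source match covers. Rejecting it at startup next to the existing `IPTablesMasqueradeBit` check makes the failure immediate and explicit. The function body starts and ends outside this hunk, and the guard below assumes the `net` package is imported in server.go.

```go
// … unchanged: IPTablesMasqueradeBit nil check …
if config.ClusterCIDR != "" {
	if _, _, err := net.ParseCIDR(config.ClusterCIDR); err != nil {
		return nil, fmt.Errorf("invalid --cluster-cidr %q: %v", config.ClusterCIDR, err)
	}
}
proxierIptables, err := iptables.NewProxier(iptInterface, execer, config.IPTablesSyncPeriod.Duration, config.MasqueradeAll, *config.IPTablesMasqueradeBit, config.ClusterCIDR)
```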
diff --git a/docs/admin/kube-proxy.md b/docs/admin/kube-proxy.md index d53f66a1dae..aec29818d4c 100644 --- a/docs/admin/kube-proxy.md +++ b/docs/admin/kube-proxy.md @@ -56,6 +56,7 @@ kube-proxy ``` --bind-address=0.0.0.0: The IP address for the proxy server to serve on (set to 0.0.0.0 for all interfaces) --cleanup-iptables[=false]: If true cleanup iptables rules and exit. + --cluster-cidr="": The CIDR range of pods in the cluster. It is used to bridge traffic coming from outside of the cluster. If not provided, no off-cluster bridging will be performed. --config-sync-period=15m0s: How often configuration from the apiserver is refreshed. Must be greater than 0. --conntrack-max=262144: Maximum number of NAT connections to track (0 to leave as-is) --conntrack-tcp-timeout-established=24h0m0s: Idle timeout for established TCP connections (0 to leave as-is) @@ -77,7 +78,7 @@ kube-proxy --udp-timeout=250ms: How long an idle UDP connection will be kept open (e.g. '250ms', '2s'). Must be greater than 0. Only applicable for proxy-mode=userspace ``` -###### Auto generated by spf13/cobra on 7-Feb-2016 +###### Auto generated by spf13/cobra on 18-Apr-2016 diff --git a/hack/verify-flags/exceptions.txt b/hack/verify-flags/exceptions.txt index 82caf87825f..6e1f64722c9 100644 --- a/hack/verify-flags/exceptions.txt +++ b/hack/verify-flags/exceptions.txt 
@@ -33,6 +33,7 @@ cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest:{% set params = add cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest:{% set params = "--master=127.0.0.1:8080" + " " + cluster_name + " " + cluster_cidr + " " + allocate_node_cidrs + " " + terminated_pod_gc + " " + cloud_provider + " " + cloud_config + " " + service_account_key + " " + log_level + " " + root_ca_file -%} cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers + ":6443" -%} cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set api_servers_with_port = api_servers -%} +cluster/saltbase/salt/kube-proxy/kube-proxy.manifest: {% set cluster_cidr=" --cluster-cidr=" + pillar['cluster_cidr'] %} cluster/saltbase/salt/kubelet/default: {% set api_servers_with_port = api_servers + ":6443" -%} cluster/saltbase/salt/kubelet/default: {% set api_servers_with_port = api_servers -%} cluster/saltbase/salt/kubelet/default: {% set enable_custom_metrics="--enable-custom-metrics=" + pillar['enable_custom_metrics'] %} diff --git a/pkg/apis/componentconfig/deep_copy_generated.go b/pkg/apis/componentconfig/deep_copy_generated.go index cc500efecad..55dce511ae1 100644 --- a/pkg/apis/componentconfig/deep_copy_generated.go +++ b/pkg/apis/componentconfig/deep_copy_generated.go @@ -138,6 +138,7 @@ func DeepCopy_componentconfig_KubeProxyConfiguration(in KubeProxyConfiguration, return err } out.BindAddress = in.BindAddress + out.ClusterCIDR = in.ClusterCIDR out.HealthzBindAddress = in.HealthzBindAddress out.HealthzPort = in.HealthzPort out.HostnameOverride = in.HostnameOverride diff --git a/pkg/apis/componentconfig/types.generated.go b/pkg/apis/componentconfig/types.generated.go index daef3fd6e12..0a5470fd042 100644 --- a/pkg/apis/componentconfig/types.generated.go +++ b/pkg/apis/componentconfig/types.generated.go 
@@ -81,16 +81,16 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } else { yysep2 := !z.EncBinary() yy2arr2 := z.EncBasicHandle().StructToArray - var yyq2 [18]bool + var yyq2 [19]bool _, _, _ = yysep2, yyq2, yy2arr2 const yyr2 bool = false - yyq2[16] = x.Kind != "" - yyq2[17] = x.APIVersion != "" + yyq2[17] = x.Kind != "" + yyq2[18] = x.APIVersion != "" var yynn2 int if yyr2 || yy2arr2 { - r.EncodeArrayStart(18) + r.EncodeArrayStart(19) } else { - yynn2 = 16 + yynn2 = 17 for _, b := range yyq2 { if b { yynn2++ @@ -124,17 +124,17 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { _ = yym7 if false { } else { - r.EncodeString(codecSelferC_UTF81234, string(x.HealthzBindAddress)) + r.EncodeString(codecSelferC_UTF81234, string(x.ClusterCIDR)) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("healthzBindAddress")) + r.EncodeString(codecSelferC_UTF81234, string("clusterCIDR")) z.EncSendContainerState(codecSelfer_containerMapValue1234) yym8 := z.EncBinary() _ = yym8 if false { } else { - r.EncodeString(codecSelferC_UTF81234, string(x.HealthzBindAddress)) + r.EncodeString(codecSelferC_UTF81234, string(x.ClusterCIDR)) } } if yyr2 || yy2arr2 { @@ -143,17 +143,17 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { _ = yym10 if false { } else { - r.EncodeInt(int64(x.HealthzPort)) + r.EncodeString(codecSelferC_UTF81234, string(x.HealthzBindAddress)) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("healthzPort")) + r.EncodeString(codecSelferC_UTF81234, string("healthzBindAddress")) z.EncSendContainerState(codecSelfer_containerMapValue1234) yym11 := z.EncBinary() _ = yym11 if false { } else { - r.EncodeInt(int64(x.HealthzPort)) + r.EncodeString(codecSelferC_UTF81234, string(x.HealthzBindAddress)) } } if yyr2 || yy2arr2 { 
@@ -161,6 +161,25 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { yym13 := z.EncBinary() _ = yym13 if false { + } else { + r.EncodeInt(int64(x.HealthzPort)) + } + } else { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("healthzPort")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + yym14 := z.EncBinary() + _ = yym14 + if false { + } else { + r.EncodeInt(int64(x.HealthzPort)) + } + } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + yym16 := z.EncBinary() + _ = yym16 + if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.HostnameOverride)) } @@ -168,8 +187,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("hostnameOverride")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym14 := z.EncBinary() - _ = yym14 + yym17 := z.EncBinary() + _ = yym17 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.HostnameOverride)) @@ -180,12 +199,12 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { if x.IPTablesMasqueradeBit == nil { r.EncodeNil() } else { - yy16 := *x.IPTablesMasqueradeBit - yym17 := z.EncBinary() - _ = yym17 + yy19 := *x.IPTablesMasqueradeBit + yym20 := z.EncBinary() + _ = yym20 if false { } else { - r.EncodeInt(int64(yy16)) + r.EncodeInt(int64(yy19)) } } } else { 
@@ -195,59 +214,40 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { if x.IPTablesMasqueradeBit == nil { r.EncodeNil() } else { - yy18 := *x.IPTablesMasqueradeBit - yym19 := z.EncBinary() - _ = yym19 + yy21 := *x.IPTablesMasqueradeBit + yym22 := z.EncBinary() + _ = yym22 if false { } else { - r.EncodeInt(int64(yy18)) + r.EncodeInt(int64(yy21)) } } } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yy21 := &x.IPTablesSyncPeriod - yym22 := z.EncBinary() - _ = yym22 + yy24 := &x.IPTablesSyncPeriod + yym25 := z.EncBinary() + _ = yym25 if false { - } else if z.HasExtensions() && z.EncExt(yy21) { - } else if !yym22 && z.IsJSONHandle() { - z.EncJSONMarshal(yy21) + } else if z.HasExtensions() && z.EncExt(yy24) { + } else if !yym25 && z.IsJSONHandle() { + z.EncJSONMarshal(yy24) } else { - z.EncFallback(yy21) + z.EncFallback(yy24) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("iptablesSyncPeriodSeconds")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yy23 := &x.IPTablesSyncPeriod - yym24 := z.EncBinary() - _ = yym24 - if false { - } else if z.HasExtensions() && z.EncExt(yy23) { - } else if !yym24 && z.IsJSONHandle() { - z.EncJSONMarshal(yy23) - } else { - z.EncFallback(yy23) - } - } - if yyr2 || yy2arr2 { - z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yym26 := z.EncBinary() - _ = yym26 - if false { - } else { - r.EncodeString(codecSelferC_UTF81234, string(x.KubeconfigPath)) - } - } else { - z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("kubeconfigPath")) - z.EncSendContainerState(codecSelfer_containerMapValue1234) + yy26 := &x.IPTablesSyncPeriod yym27 := z.EncBinary() _ = yym27 if false { + } else if z.HasExtensions() && z.EncExt(yy26) { + } else if !yym27 && z.IsJSONHandle() { + z.EncJSONMarshal(yy26) } else { - r.EncodeString(codecSelferC_UTF81234, 
string(x.KubeconfigPath)) + z.EncFallback(yy26) } } if yyr2 || yy2arr2 { @@ -256,17 +256,17 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { _ = yym29 if false { } else { - r.EncodeBool(bool(x.MasqueradeAll)) + r.EncodeString(codecSelferC_UTF81234, string(x.KubeconfigPath)) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("masqueradeAll")) + r.EncodeString(codecSelferC_UTF81234, string("kubeconfigPath")) z.EncSendContainerState(codecSelfer_containerMapValue1234) yym30 := z.EncBinary() _ = yym30 if false { } else { - r.EncodeBool(bool(x.MasqueradeAll)) + r.EncodeString(codecSelferC_UTF81234, string(x.KubeconfigPath)) } } if yyr2 || yy2arr2 { @@ -274,6 +274,25 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { yym32 := z.EncBinary() _ = yym32 if false { + } else { + r.EncodeBool(bool(x.MasqueradeAll)) + } + } else { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("masqueradeAll")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + yym33 := z.EncBinary() + _ = yym33 + if false { + } else { + r.EncodeBool(bool(x.MasqueradeAll)) + } + } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + yym35 := z.EncBinary() + _ = yym35 + if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.Master)) } @@ -281,8 +300,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("master")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym33 := z.EncBinary() - _ = yym33 + yym36 := z.EncBinary() + _ = yym36 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.Master)) 
@@ -293,12 +312,12 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { if x.OOMScoreAdj == nil { r.EncodeNil() } else { - yy35 := *x.OOMScoreAdj - yym36 := z.EncBinary() - _ = yym36 + yy38 := *x.OOMScoreAdj + yym39 := z.EncBinary() + _ = yym39 if false { } else { - r.EncodeInt(int64(yy35)) + r.EncodeInt(int64(yy38)) } } } else { @@ -308,12 +327,12 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { if x.OOMScoreAdj == nil { r.EncodeNil() } else { - yy37 := *x.OOMScoreAdj - yym38 := z.EncBinary() - _ = yym38 + yy40 := *x.OOMScoreAdj + yym41 := z.EncBinary() + _ = yym41 if false { } else { - r.EncodeInt(int64(yy37)) + r.EncodeInt(int64(yy40)) } } } @@ -328,8 +347,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yym43 := z.EncBinary() - _ = yym43 + yym46 := z.EncBinary() + _ = yym46 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.PortRange)) @@ -338,8 +357,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("portRange")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym44 := z.EncBinary() - _ = yym44 + yym47 := z.EncBinary() + _ = yym47 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.PortRange)) @@ -347,8 +366,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yym46 := z.EncBinary() - _ = yym46 + yym49 := z.EncBinary() + _ = yym49 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.ResourceContainer)) 
@@ -357,8 +376,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("kubeletCgroups")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym47 := z.EncBinary() - _ = yym47 + yym50 := z.EncBinary() + _ = yym50 if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.ResourceContainer)) @@ -366,35 +385,35 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yy49 := &x.UDPIdleTimeout - yym50 := z.EncBinary() - _ = yym50 + yy52 := &x.UDPIdleTimeout + yym53 := z.EncBinary() + _ = yym53 if false { - } else if z.HasExtensions() && z.EncExt(yy49) { - } else if !yym50 && z.IsJSONHandle() { - z.EncJSONMarshal(yy49) + } else if z.HasExtensions() && z.EncExt(yy52) { + } else if !yym53 && z.IsJSONHandle() { + z.EncJSONMarshal(yy52) } else { - z.EncFallback(yy49) + z.EncFallback(yy52) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("udpTimeoutMilliseconds")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yy51 := &x.UDPIdleTimeout - yym52 := z.EncBinary() - _ = yym52 + yy54 := &x.UDPIdleTimeout + yym55 := z.EncBinary() + _ = yym55 if false { - } else if z.HasExtensions() && z.EncExt(yy51) { - } else if !yym52 && z.IsJSONHandle() { - z.EncJSONMarshal(yy51) + } else if z.HasExtensions() && z.EncExt(yy54) { + } else if !yym55 && z.IsJSONHandle() { + z.EncJSONMarshal(yy54) } else { - z.EncFallback(yy51) + z.EncFallback(yy54) } } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yym54 := z.EncBinary() - _ = yym54 + yym57 := z.EncBinary() + _ = yym57 if false { } else { r.EncodeInt(int64(x.ConntrackMax)) 
@@ -403,8 +422,8 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("conntrackMax")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym55 := z.EncBinary() - _ = yym55 + yym58 := z.EncBinary() + _ = yym58 if false { } else { r.EncodeInt(int64(x.ConntrackMax)) 
@@ -412,54 +431,29 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } if yyr2 || yy2arr2 { z.EncSendContainerState(codecSelfer_containerArrayElem1234) - yy57 := &x.ConntrackTCPEstablishedTimeout - yym58 := z.EncBinary() - _ = yym58 + yy60 := &x.ConntrackTCPEstablishedTimeout + yym61 := z.EncBinary() + _ = yym61 if false { - } else if z.HasExtensions() && z.EncExt(yy57) { - } else if !yym58 && z.IsJSONHandle() { - z.EncJSONMarshal(yy57) + } else if z.HasExtensions() && z.EncExt(yy60) { + } else if !yym61 && z.IsJSONHandle() { + z.EncJSONMarshal(yy60) } else { - z.EncFallback(yy57) + z.EncFallback(yy60) } } else { z.EncSendContainerState(codecSelfer_containerMapKey1234) r.EncodeString(codecSelferC_UTF81234, string("conntrackTCPEstablishedTimeout")) z.EncSendContainerState(codecSelfer_containerMapValue1234) - yy59 := &x.ConntrackTCPEstablishedTimeout - yym60 := z.EncBinary() - _ = yym60 + yy62 := &x.ConntrackTCPEstablishedTimeout + yym63 := z.EncBinary() + _ = yym63 if false { - } else if z.HasExtensions() && z.EncExt(yy59) { - } else if !yym60 && z.IsJSONHandle() { - z.EncJSONMarshal(yy59) + } else if z.HasExtensions() && z.EncExt(yy62) { + } else if !yym63 && z.IsJSONHandle() { + z.EncJSONMarshal(yy62) } else { - z.EncFallback(yy59) - } - } - if yyr2 || yy2arr2 { - z.EncSendContainerState(codecSelfer_containerArrayElem1234) - if yyq2[16] { - yym62 := z.EncBinary() - _ = yym62 - if false { - } else { - r.EncodeString(codecSelferC_UTF81234, string(x.Kind)) - } - } else { - r.EncodeString(codecSelferC_UTF81234, "") - } - } else { - if yyq2[16] { - z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("kind")) - z.EncSendContainerState(codecSelfer_containerMapValue1234) - yym63 := z.EncBinary() - _ = yym63 - if false { - } else { - r.EncodeString(codecSelferC_UTF81234, string(x.Kind)) - } + z.EncFallback(yy62) } } if yyr2 || yy2arr2 { 
@@ -469,7 +463,7 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { _ = yym65 if false { } else { - r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + r.EncodeString(codecSelferC_UTF81234, string(x.Kind)) } } else { r.EncodeString(codecSelferC_UTF81234, "") @@ -477,11 +471,36 @@ func (x *KubeProxyConfiguration) CodecEncodeSelf(e *codec1978.Encoder) { } else { if yyq2[17] { z.EncSendContainerState(codecSelfer_containerMapKey1234) - r.EncodeString(codecSelferC_UTF81234, string("apiVersion")) + r.EncodeString(codecSelferC_UTF81234, string("kind")) z.EncSendContainerState(codecSelfer_containerMapValue1234) yym66 := z.EncBinary() _ = yym66 if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.Kind)) + } + } + } + if yyr2 || yy2arr2 { + z.EncSendContainerState(codecSelfer_containerArrayElem1234) + if yyq2[18] { + yym68 := z.EncBinary() + _ = yym68 + if false { + } else { + r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) + } + } else { + r.EncodeString(codecSelferC_UTF81234, "") + } + } else { + if yyq2[18] { + z.EncSendContainerState(codecSelfer_containerMapKey1234) + r.EncodeString(codecSelferC_UTF81234, string("apiVersion")) + z.EncSendContainerState(codecSelfer_containerMapValue1234) + yym69 := z.EncBinary() + _ = yym69 + if false { } else { r.EncodeString(codecSelferC_UTF81234, string(x.APIVersion)) } @@ -554,6 +573,12 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco } else { x.BindAddress = string(r.DecodeString()) } + case "clusterCIDR": + if r.TryDecodeAsNil() { + x.ClusterCIDR = "" + } else { + x.ClusterCIDR = string(r.DecodeString()) + } case "healthzBindAddress": if r.TryDecodeAsNil() { x.HealthzBindAddress = "" 
@@ -581,8 +606,8 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco if x.IPTablesMasqueradeBit == nil { x.IPTablesMasqueradeBit = new(int) } - yym9 := z.DecBinary() - _ = yym9 + yym10 := z.DecBinary() + _ = yym10 if false { } else { *((*int)(x.IPTablesMasqueradeBit)) = int(r.DecodeInt(codecSelferBitsize1234)) @@ -592,15 +617,15 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco if r.TryDecodeAsNil() { x.IPTablesSyncPeriod = pkg1_unversioned.Duration{} } else { - yyv10 := &x.IPTablesSyncPeriod - yym11 := z.DecBinary() - _ = yym11 + yyv11 := &x.IPTablesSyncPeriod + yym12 := z.DecBinary() + _ = yym12 if false { - } else if z.HasExtensions() && z.DecExt(yyv10) { - } else if !yym11 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv10) + } else if z.HasExtensions() && z.DecExt(yyv11) { + } else if !yym12 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv11) } else { - z.DecFallback(yyv10, false) + z.DecFallback(yyv11, false) } } case "kubeconfigPath": @@ -630,8 +655,8 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco if x.OOMScoreAdj == nil { x.OOMScoreAdj = new(int) } - yym16 := z.DecBinary() - _ = yym16 + yym17 := z.DecBinary() + _ = yym17 if false { } else { *((*int)(x.OOMScoreAdj)) = int(r.DecodeInt(codecSelferBitsize1234)) @@ -659,15 +684,15 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco if r.TryDecodeAsNil() { x.UDPIdleTimeout = pkg1_unversioned.Duration{} } else { - yyv20 := &x.UDPIdleTimeout - yym21 := z.DecBinary() - _ = yym21 + yyv21 := &x.UDPIdleTimeout + yym22 := z.DecBinary() + _ = yym22 if false { - } else if z.HasExtensions() && z.DecExt(yyv20) { - } else if !yym21 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv20) + } else if z.HasExtensions() && z.DecExt(yyv21) { + } else if !yym22 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv21) } else { - z.DecFallback(yyv20, false) + z.DecFallback(yyv21, false) } } case "conntrackMax": 
@@ -680,15 +705,15 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromMap(l int, d *codec1978.Deco if r.TryDecodeAsNil() { x.ConntrackTCPEstablishedTimeout = pkg1_unversioned.Duration{} } else { - yyv23 := &x.ConntrackTCPEstablishedTimeout - yym24 := z.DecBinary() - _ = yym24 + yyv24 := &x.ConntrackTCPEstablishedTimeout + yym25 := z.DecBinary() + _ = yym25 if false { - } else if z.HasExtensions() && z.DecExt(yyv23) { - } else if !yym24 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv23) + } else if z.HasExtensions() && z.DecExt(yyv24) { + } else if !yym25 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv24) } else { - z.DecFallback(yyv23, false) + z.DecFallback(yyv24, false) } } case "kind": @@ -714,16 +739,16 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De var h codecSelfer1234 z, r := codec1978.GenHelperDecoder(d) _, _, _ = h, z, r - var yyj27 int - var yyb27 bool - var yyhl27 bool = l >= 0 - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + var yyj28 int + var yyb28 bool + var yyhl28 bool = l >= 0 + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -733,13 +758,29 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.BindAddress = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { + z.DecSendContainerState(codecSelfer_containerArrayEnd1234) + return + } + z.DecSendContainerState(codecSelfer_containerArrayElem1234) + if r.TryDecodeAsNil() { + x.ClusterCIDR = "" + } else { + x.ClusterCIDR = string(r.DecodeString()) + } + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l + } else { + yyb28 = r.CheckBreak() + } + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -749,13 +790,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.HealthzBindAddress = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -765,13 +806,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.HealthzPort = int(r.DecodeInt(codecSelferBitsize1234)) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -781,13 +822,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.HostnameOverride = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -800,20 +841,20 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De if x.IPTablesMasqueradeBit == nil { x.IPTablesMasqueradeBit = new(int) } - yym33 := z.DecBinary() - _ = yym33 + yym35 := z.DecBinary() + _ = yym35 if false { } else { *((*int)(x.IPTablesMasqueradeBit)) = int(r.DecodeInt(codecSelferBitsize1234)) } } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -821,24 +862,24 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De if r.TryDecodeAsNil() { x.IPTablesSyncPeriod = pkg1_unversioned.Duration{} } else { - yyv34 := &x.IPTablesSyncPeriod - yym35 := z.DecBinary() - _ = yym35 + yyv36 := &x.IPTablesSyncPeriod + yym37 := z.DecBinary() + _ = yym37 if false { - } else if z.HasExtensions() && z.DecExt(yyv34) { - } else if !yym35 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv34) + } else if z.HasExtensions() && z.DecExt(yyv36) { + } else if !yym37 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv36) } else { - z.DecFallback(yyv34, false) + z.DecFallback(yyv36, false) } } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -848,13 +889,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.KubeconfigPath = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -864,13 +905,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.MasqueradeAll = bool(r.DecodeBool()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -880,13 +921,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.Master = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -899,20 +940,20 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De if x.OOMScoreAdj == nil { x.OOMScoreAdj = new(int) } - yym40 := z.DecBinary() - _ = yym40 + yym42 := z.DecBinary() + _ = yym42 if false { } else { *((*int)(x.OOMScoreAdj)) = int(r.DecodeInt(codecSelferBitsize1234)) } } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -922,13 +963,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.Mode = ProxyMode(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -938,13 +979,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.PortRange = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -954,13 +995,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.ResourceContainer = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -968,24 +1009,24 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De if r.TryDecodeAsNil() { x.UDPIdleTimeout = pkg1_unversioned.Duration{} } else { - yyv44 := &x.UDPIdleTimeout - yym45 := z.DecBinary() - _ = yym45 + yyv46 := &x.UDPIdleTimeout + yym47 := z.DecBinary() + _ = yym47 if false { - } else if z.HasExtensions() && z.DecExt(yyv44) { - } else if !yym45 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv44) + } else if z.HasExtensions() && z.DecExt(yyv46) { + } else if !yym47 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv46) } else { - z.DecFallback(yyv44, false) + z.DecFallback(yyv46, false) } } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -995,13 +1036,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.ConntrackMax = int(r.DecodeInt(codecSelferBitsize1234)) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } 
@@ -1009,24 +1050,24 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De if r.TryDecodeAsNil() { x.ConntrackTCPEstablishedTimeout = pkg1_unversioned.Duration{} } else { - yyv47 := &x.ConntrackTCPEstablishedTimeout - yym48 := z.DecBinary() - _ = yym48 + yyv49 := &x.ConntrackTCPEstablishedTimeout + yym50 := z.DecBinary() + _ = yym50 if false { - } else if z.HasExtensions() && z.DecExt(yyv47) { - } else if !yym48 && z.IsJSONHandle() { - z.DecJSONUnmarshal(yyv47) + } else if z.HasExtensions() && z.DecExt(yyv49) { + } else if !yym50 && z.IsJSONHandle() { + z.DecJSONUnmarshal(yyv49) } else { - z.DecFallback(yyv47, false) + z.DecFallback(yyv49, false) } } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1036,13 +1077,13 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De } else { x.Kind = string(r.DecodeString()) } - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { z.DecSendContainerState(codecSelfer_containerArrayEnd1234) return } @@ -1053,17 +1094,17 @@ func (x *KubeProxyConfiguration) codecDecodeSelfFromArray(l int, d *codec1978.De x.APIVersion = string(r.DecodeString()) } for { - yyj27++ - if yyhl27 { - yyb27 = yyj27 > l + yyj28++ + if yyhl28 { + yyb28 = yyj28 > l } else { - yyb27 = r.CheckBreak() + yyb28 = r.CheckBreak() } - if yyb27 { + if yyb28 { break } z.DecSendContainerState(codecSelfer_containerArrayElem1234) - z.DecStructFieldNotFound(yyj27-1, "") + z.DecStructFieldNotFound(yyj28-1, "") } z.DecSendContainerState(codecSelfer_containerArrayEnd1234) } diff --git a/pkg/apis/componentconfig/types.go b/pkg/apis/componentconfig/types.go index bc893094106..f6ca7edb2e0 100644 
--- a/pkg/apis/componentconfig/types.go +++ b/pkg/apis/componentconfig/types.go @@ -24,6 +24,10 @@ type KubeProxyConfiguration struct { // bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 // for all interfaces) BindAddress string `json:"bindAddress"` + // clusterCIDR is the CIDR range of the pods in the cluster. It is used to + // bridge traffic coming from outside of the cluster. If not provided, + // no off-cluster bridging will be performed. + ClusterCIDR string `json:"clusterCIDR"` // healthzBindAddress is the IP address for the health check server to serve on, // defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces) HealthzBindAddress string `json:"healthzBindAddress"` diff --git a/pkg/apis/componentconfig/v1alpha1/conversion_generated.go b/pkg/apis/componentconfig/v1alpha1/conversion_generated.go index c7024501321..69c54b00ea4 100644 --- a/pkg/apis/componentconfig/v1alpha1/conversion_generated.go +++ b/pkg/apis/componentconfig/v1alpha1/conversion_generated.go @@ -49,6 +49,7 @@ func autoConvert_v1alpha1_KubeProxyConfiguration_To_componentconfig_KubeProxyCon return err } out.BindAddress = in.BindAddress + out.ClusterCIDR = in.ClusterCIDR out.HealthzBindAddress = in.HealthzBindAddress out.HealthzPort = int(in.HealthzPort) out.HostnameOverride = in.HostnameOverride @@ -100,6 +101,7 @@ func autoConvert_componentconfig_KubeProxyConfiguration_To_v1alpha1_KubeProxyCon return err } out.BindAddress = in.BindAddress + out.ClusterCIDR = in.ClusterCIDR out.HealthzBindAddress = in.HealthzBindAddress out.HealthzPort = int32(in.HealthzPort) out.HostnameOverride = in.HostnameOverride diff --git a/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go b/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go index d901043e90a..0c352b4822b 100644 --- a/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go +++ b/pkg/apis/componentconfig/v1alpha1/deep_copy_generated.go 
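Review bot: The new ClusterCIDR comment in pkg/apis/componentconfig/types.go says the range is used to "bridge" off-cluster traffic, which does not tell an operator what the setting does. The rule this commit adds in pkg/proxy/iptables/proxier.go jumps to the masquerade-mark chain for any source outside the range. Masquerading rewrites the source address, so backends and their logs will presumably see a node address instead of the original client, which matters to anyone relying on source-IP allow-lists or audit trails. I would word it as `// clusterCIDR is the CIDR range of the pods in the cluster. Traffic from a source outside this range is marked for masquerade (SNAT) by the iptables proxier; if empty, no such masquerading is done.` The identical comment added in pkg/apis/componentconfig/v1alpha1/types.go should get the same wording.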
@@ -42,6 +42,7 @@ func DeepCopy_v1alpha1_KubeProxyConfiguration(in KubeProxyConfiguration, out *Ku return err } out.BindAddress = in.BindAddress + out.ClusterCIDR = in.ClusterCIDR out.HealthzBindAddress = in.HealthzBindAddress out.HealthzPort = in.HealthzPort out.HostnameOverride = in.HostnameOverride diff --git a/pkg/apis/componentconfig/v1alpha1/types.go b/pkg/apis/componentconfig/v1alpha1/types.go index 7210541ddf1..307999a4b66 100644 --- a/pkg/apis/componentconfig/v1alpha1/types.go +++ b/pkg/apis/componentconfig/v1alpha1/types.go @@ -24,6 +24,10 @@ type KubeProxyConfiguration struct { // bindAddress is the IP address for the proxy server to serve on (set to 0.0.0.0 // for all interfaces) BindAddress string `json:"bindAddress"` + // clusterCIDR is the CIDR range of the pods in the cluster. It is used to + // bridge traffic coming from outside of the cluster. If not provided, + // no off-cluster bridging will be performed. + ClusterCIDR string `json:"clusterCIDR"` // healthzBindAddress is the IP address for the health check server to serve on, // defaulting to 127.0.0.1 (set to 0.0.0.0 for all interfaces) HealthzBindAddress string `json:"healthzBindAddress"` diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go index 1a1196e3d67..70119eaaffa 100644 --- a/pkg/proxy/iptables/proxier.go +++ b/pkg/proxy/iptables/proxier.go @@ -162,6 +162,7 @@ type Proxier struct { masqueradeAll bool masqueradeMark string exec utilexec.Interface + clusterCIDR string } type localPort struct { 
@@ -187,7 +188,7 @@ var _ proxy.ProxyProvider = &Proxier{} // An error will be returned if iptables fails to update or acquire the initial lock. // Once a proxier is created, it will keep iptables up to date in the background and // will not terminate if a particular iptables call fails. -func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration, masqueradeAll bool, masqueradeBit int) (*Proxier, error) { +func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod time.Duration, masqueradeAll bool, masqueradeBit int, clusterCIDR string) (*Proxier, error) { // Set the route_localnet sysctl we need for if err := utilsysctl.SetSysctl(sysctlRouteLocalnet, 1); err != nil { return nil, fmt.Errorf("can't set sysctl %s: %v", sysctlRouteLocalnet, err) @@ -223,6 +224,7 @@ func NewProxier(ipt utiliptables.Interface, exec utilexec.Interface, syncPeriod masqueradeAll: masqueradeAll, masqueradeMark: masqueradeMark, exec: exec, + clusterCIDR: clusterCIDR, }, nil } @@ -792,6 +794,9 @@ func (proxier *Proxier) syncProxyRules() { if proxier.masqueradeAll { writeLine(natRules, append(args, "-j", string(kubeMarkMasqChain))...) } + if len(proxier.clusterCIDR) > 0 { + writeLine(natRules, append(args, "! -s", proxier.clusterCIDR, "-j", string(kubeMarkMasqChain))...) + } writeLine(natRules, append(args, "-j", string(svcChain))...) // Capture externalIPs.
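Review bot: NewProxier stores `clusterCIDR` without checking that it parses, and syncProxyRules later writes the string verbatim into the NAT rule text. A typo in `--cluster-cidr` would then surface only when the rules are applied. Because the doc comment above says the proxier does not terminate when an iptables call fails, the node could presumably keep running with stale service rules instead of failing at startup. The constructor already returns an error, so reject bad input there: `if _, _, err := net.ParseCIDR(clusterCIDR); clusterCIDR != "" && err != nil { return nil, fmt.Errorf("invalid cluster CIDR %q: %v", clusterCIDR, err) }` (this assumes `net` is imported in the file, which the hunk does not show). The function body continues outside the hunk.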
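Review bot: The new `! -s` rule in syncProxyRules is emitted even when `proxier.masqueradeAll` is true, so the chain gets a second jump to the mark chain that should not change the outcome. Attaching it as `} else if len(proxier.clusterCIDR) > 0 {` keeps the generated ruleset minimal and easier to audit. The block also deserves a why-comment, for example `// Mark traffic that did not originate from a pod for masquerade.` Passing the negation as two words, `"!", "-s"`, would keep the rule correct if these args are ever handed to something that does not re-split on spaces; whether that matters today depends on how writeLine joins them, which is not visible here. syncProxyRules starts and ends outside the hunk.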