Enable local traffic detection using the interface options

This commit adds the framework for the new local detection modes BridgeInterface and InterfaceNamePrefix to work. Signed-off-by: Surya Seetharaman <suryaseetharaman.9@gmail.com>
2025-09-10 21:50:05 +00:00 · 2022-01-29 12:01:09 +01:00
parent 5632991115
commit 7d480d8ac8
12 changed files with 272 additions and 6 deletions
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -211,6 +211,8 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {

 	fs.Float32Var(&o.config.ClientConnection.QPS, "kube-api-qps", o.config.ClientConnection.QPS, "QPS to use while talking with kubernetes apiserver")
 	fs.Var(&o.config.DetectLocalMode, "detect-local-mode", "Mode to use to detect local traffic. This parameter is ignored if a config file is specified by --config.")
+	fs.StringVar(&o.config.DetectLocal.BridgeInterface, "pod-bridge-interface", o.config.DetectLocal.BridgeInterface, "A bridge interface name in the cluster. Kube-proxy considers traffic as local if originating from an interface which matches the value. This argument should be set if DetectLocalMode is set to BridgeInterface.")
+	fs.StringVar(&o.config.DetectLocal.InterfaceNamePrefix, "pod-interface-name-prefix", o.config.DetectLocal.InterfaceNamePrefix, "An interface prefix in the cluster. Kube-proxy considers traffic as local if originating from interfaces that match the given prefix. This argument should be set if DetectLocalMode is set to InterfaceNamePrefix.")
 }

 // NewOptions returns initialized Options
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -436,7 +436,7 @@ func detectNumCPU() int {
 func getDetectLocalMode(config *proxyconfigapi.KubeProxyConfiguration) (proxyconfigapi.LocalMode, error) {
 	mode := config.DetectLocalMode
 	switch mode {
-	case proxyconfigapi.LocalModeClusterCIDR, proxyconfigapi.LocalModeNodeCIDR:
+	case proxyconfigapi.LocalModeClusterCIDR, proxyconfigapi.LocalModeNodeCIDR, proxyconfigapi.LocalModeBridgeInterface, proxyconfigapi.LocalModeInterfaceNamePrefix:
 		return mode, nil
 	default:
 		if strings.TrimSpace(mode.String()) != "" {
@@ -461,6 +461,16 @@ func getLocalDetector(mode proxyconfigapi.LocalMode, config *proxyconfigapi.Kube
 			break
 		}
 		return proxyutiliptables.NewDetectLocalByCIDR(nodeInfo.Spec.PodCIDR, ipt)
+	case proxyconfigapi.LocalModeBridgeInterface:
+		if len(strings.TrimSpace(config.DetectLocal.BridgeInterface)) == 0 {
+			return nil, fmt.Errorf("Detect-local-mode set to BridgeInterface, but no bridge-interface-name %s is defined", config.DetectLocal.BridgeInterface)
+		}
+		return proxyutiliptables.NewDetectLocalByBridgeInterface(config.DetectLocal.BridgeInterface)
+	case proxyconfigapi.LocalModeInterfaceNamePrefix:
+		if len(strings.TrimSpace(config.DetectLocal.InterfaceNamePrefix)) == 0 {
+			return nil, fmt.Errorf("Detect-local-mode set to InterfaceNamePrefix, but no interface-prefix %s is defined", config.DetectLocal.InterfaceNamePrefix)
+		}
+		return proxyutiliptables.NewDetectLocalByInterfaceNamePrefix(config.DetectLocal.InterfaceNamePrefix)
 	}
 	klog.V(0).InfoS("Defaulting to no-op detect-local", "detect-local-mode", string(mode))
 	return proxyutiliptables.NewNoOpLocalDetector(), nil
@@ -518,6 +528,13 @@ func getDualStackLocalDetectorTuple(mode proxyconfigapi.LocalMode, config *proxy
 			}
 		}
 		return localDetectors, err
+	case proxyconfigapi.LocalModeBridgeInterface, proxyconfigapi.LocalModeInterfaceNamePrefix:
+		localDetector, err := getLocalDetector(mode, config, ipt[0], nodeInfo)
+		if err == nil {
+			localDetectors[0] = localDetector
+			localDetectors[1] = localDetector
+		}
+		return localDetectors, err
 	default:
 		klog.InfoS("Unknown detect-local-mode", "detect-local-mode", mode)
 	}
--- a/cmd/kube-proxy/app/server_others_test.go
+++ b/cmd/kube-proxy/app/server_others_test.go
@@ -196,6 +196,16 @@ func Test_getDetectLocalMode(t *testing.T) {
 			expected:    proxyconfigapi.LocalModeClusterCIDR,
 			errExpected: false,
 		},
+		{
+			detectLocal: string(proxyconfigapi.LocalModeInterfaceNamePrefix),
+			expected:    proxyconfigapi.LocalModeInterfaceNamePrefix,
+			errExpected: false,
+		},
+		{
+			detectLocal: string(proxyconfigapi.LocalModeBridgeInterface),
+			expected:    proxyconfigapi.LocalModeBridgeInterface,
+			errExpected: false,
+		},
 		{
 			detectLocal: "abcd",
 			expected:    proxyconfigapi.LocalMode("abcd"),
@@ -450,6 +460,54 @@ func Test_getLocalDetector(t *testing.T) {
 			expected:    proxyutiliptables.NewNoOpLocalDetector(),
 			errExpected: false,
 		},
+		// LocalModeBridgeInterface, nodeInfo and ipt are not needed for these cases
+		{
+			mode: proxyconfigapi.LocalModeBridgeInterface,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
+			},
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByBridgeInterface("eth")),
+			errExpected: false,
+		},
+		{
+			mode: proxyconfigapi.LocalModeBridgeInterface,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: ""},
+			},
+			errExpected: true,
+		},
+		{
+			mode: proxyconfigapi.LocalModeBridgeInterface,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "1234567890123456789"},
+			},
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByBridgeInterface("1234567890123456789")),
+			errExpected: false,
+		},
+		// LocalModeInterfaceNamePrefix, nodeInfo and ipt are not needed for these cases
+		{
+			mode: proxyconfigapi.LocalModeInterfaceNamePrefix,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "eth"},
+			},
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("eth")),
+			errExpected: false,
+		},
+		{
+			mode: proxyconfigapi.LocalModeInterfaceNamePrefix,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: ""},
+			},
+			errExpected: true,
+		},
+		{
+			mode: proxyconfigapi.LocalModeInterfaceNamePrefix,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "1234567890123456789"},
+			},
+			expected:    resolveLocalDetector(t)(proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("1234567890123456789")),
+			errExpected: false,
+		},
 	}
 	for i, c := range cases {
 		r, err := getLocalDetector(c.mode, c.config, c.ipt, c.nodeInfo)
@@ -587,6 +645,42 @@ func Test_getDualStackLocalDetectorTuple(t *testing.T) {
 			expected:    [2]proxyutiliptables.LocalTrafficDetector{proxyutiliptables.NewNoOpLocalDetector(), proxyutiliptables.NewNoOpLocalDetector()},
 			errExpected: false,
 		},
+		// LocalModeBridgeInterface, nodeInfo and ipt are not needed for these cases
+		{
+			mode: proxyconfigapi.LocalModeBridgeInterface,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: "eth"},
+			},
+			expected: resolveDualStackLocalDetectors(t)(
+				proxyutiliptables.NewDetectLocalByBridgeInterface("eth"))(
+				proxyutiliptables.NewDetectLocalByBridgeInterface("eth")),
+			errExpected: false,
+		},
+		{
+			mode: proxyconfigapi.LocalModeBridgeInterface,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{BridgeInterface: ""},
+			},
+			errExpected: true,
+		},
+		// LocalModeInterfaceNamePrefix, nodeInfo and ipt are not needed for these cases
+		{
+			mode: proxyconfigapi.LocalModeInterfaceNamePrefix,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: "veth"},
+			},
+			expected: resolveDualStackLocalDetectors(t)(
+				proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("veth"))(
+				proxyutiliptables.NewDetectLocalByInterfaceNamePrefix("veth")),
+			errExpected: false,
+		},
+		{
+			mode: proxyconfigapi.LocalModeInterfaceNamePrefix,
+			config: &proxyconfigapi.KubeProxyConfiguration{
+				DetectLocal: proxyconfigapi.DetectLocalConfiguration{InterfaceNamePrefix: ""},
+			},
+			errExpected: true,
+		},
 	}
 	for i, c := range cases {
 		r, err := getDualStackLocalDetectorTuple(c.mode, c.config, c.ipt, c.nodeInfo)
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -122,6 +122,9 @@ oomScoreAdj: 17
 portRange: "2-7"
 udpIdleTimeout: 123ms
 detectLocalMode: "ClusterCIDR"
+detectLocal:
+  bridgeInterface: "cbr0"
+  interfaceNamePrefix: "veth"
 nodePortAddresses:
  - "10.20.30.40/16"
  - "fd00:1::0/64"
@@ -263,6 +266,10 @@ nodePortAddresses:
 			UDPIdleTimeout:     metav1.Duration{Duration: 123 * time.Millisecond},
 			NodePortAddresses:  []string{"10.20.30.40/16", "fd00:1::0/64"},
 			DetectLocalMode:    kubeproxyconfig.LocalModeClusterCIDR,
+			DetectLocal: kubeproxyconfig.DetectLocalConfiguration{
+				BridgeInterface:     string("cbr0"),
+				InterfaceNamePrefix: string("veth"),
+			},
 		}

 		options := NewOptions()
@@ -450,7 +457,7 @@ mode: ""
 nodePortAddresses: null
 oomScoreAdj: -999
 portRange: ""
-detectLocalMode: "ClusterCIDR"
+detectLocalMode: "BridgeInterface"
 udpIdleTimeout: 250ms`)
 		if err != nil {
 			return nil, "", fmt.Errorf("unexpected error when writing content to temp kube-proxy config file: %v", err)