Fix calico network policy for opensource.
Signed-off-by: Lantao Liu <lantaol@google.com>
This commit is contained in:
parent
dc35709eee
commit
8279916c65
@ -899,12 +899,17 @@ EOF
|
|||||||
cat >>$file <<EOF
|
cat >>$file <<EOF
|
||||||
NODE_LABELS: $(yaml-quote ${NODE_LABELS})
|
NODE_LABELS: $(yaml-quote ${NODE_LABELS})
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
|
if [ -n "${NON_MASTER_NODE_LABELS:-}" ]; then
|
||||||
|
cat >>$file <<EOF
|
||||||
|
NON_MASTER_NODE_LABELS: $(yaml-quote ${NON_MASTER_NODE_LABELS})
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
if [ -n "${EVICTION_HARD:-}" ]; then
|
if [ -n "${EVICTION_HARD:-}" ]; then
|
||||||
cat >>$file <<EOF
|
cat >>$file <<EOF
|
||||||
EVICTION_HARD: $(yaml-quote ${EVICTION_HARD})
|
EVICTION_HARD: $(yaml-quote ${EVICTION_HARD})
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [[ "${master}" == "true" && "${MASTER_OS_DISTRIBUTION}" == "container-linux" ]] || \
|
if [[ "${master}" == "true" && "${MASTER_OS_DISTRIBUTION}" == "container-linux" ]] || \
|
||||||
[[ "${master}" == "false" && "${NODE_OS_DISTRIBUTION}" == "container-linux" ]]; then
|
[[ "${master}" == "false" && "${NODE_OS_DISTRIBUTION}" == "container-linux" ]]; then
|
||||||
# Container-Linux-only env vars. TODO(yifan): Make them available on other distros.
|
# Container-Linux-only env vars. TODO(yifan): Make them available on other distros.
|
||||||
|
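Review bot: The new `NON_MASTER_NODE_LABELS: $(yaml-quote ${NON_MASTER_NODE_LABELS})` line passes the variable to yaml-quote unquoted, so a value containing whitespace or glob characters is word-split and glob-expanded before it is ever quoted. The adjacent NODE_LABELS and EVICTION_HARD lines have the same shape, so this follows existing style, but `$(yaml-quote "${NON_MASTER_NODE_LABELS}")` is the safer form for new code since the value comes from the operator-settable KUBE_NON_MASTER_NODE_LABELS introduced in the next two hunks. The enclosing function begins before this hunk.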
@ -144,10 +144,13 @@ HEAPSTER_MACHINE_TYPE="${HEAPSTER_MACHINE_TYPE:-}"
|
|||||||
# TODO(piosz): remove this in 1.8
|
# TODO(piosz): remove this in 1.8
|
||||||
NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
|
NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
|
||||||
|
|
||||||
|
# NON_MASTER_NODE_LABELS are labels will only be applied on non-master nodes.
|
||||||
|
NON_MASTER_NODE_LABELS="${KUBE_NON_MASTER_NODE_LABELS:-}"
|
||||||
|
|
||||||
# To avoid running Calico on a node that is not configured appropriately,
|
# To avoid running Calico on a node that is not configured appropriately,
|
||||||
# label each Node so that the DaemonSet can run the Pods only on ready Nodes.
|
# label each Node so that the DaemonSet can run the Pods only on ready Nodes.
|
||||||
if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
|
if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
|
||||||
NODE_LABELS="${NODE_LABELS},projectcalico.org/ds-ready=true"
|
NON_MASTER_NODE_LABELS="${NON_MASTER_NODE_LABELS:+${NON_MASTER_NODE_LABELS},}projectcalico.org/ds-ready=true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Enable metadata concealment by firewalling pod traffic to the metadata server
|
# Enable metadata concealment by firewalling pod traffic to the metadata server
|
||||||
|
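Review bot: The new comment `# NON_MASTER_NODE_LABELS are labels will only be applied on non-master nodes.` is missing a word; suggest `# NON_MASTER_NODE_LABELS are labels that will only be applied to non-master nodes.` The existing comment two lines below still says "label each Node so that the DaemonSet can run the Pods only on ready Nodes", but the Calico ds-ready label is now appended to NON_MASTER_NODE_LABELS only, so masters are deliberately left unlabelled; appending `# Masters are intentionally not labelled, so the Calico DaemonSet does not schedule there.` would keep it accurate. The same two comments appear in the next hunk (`@ -199,10 +199,13 @@`).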
@ -199,10 +199,13 @@ KUBEPROXY_TEST_ARGS="${KUBEPROXY_TEST_ARGS:-} ${TEST_CLUSTER_API_CONTENT_TYPE}"
|
|||||||
# TODO(piosz): remove this in 1.8
|
# TODO(piosz): remove this in 1.8
|
||||||
NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
|
NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
|
||||||
|
|
||||||
|
# NON_MASTER_NODE_LABELS are labels will only be applied on non-master nodes.
|
||||||
|
NON_MASTER_NODE_LABELS="${KUBE_NON_MASTER_NODE_LABELS:-}"
|
||||||
|
|
||||||
# To avoid running Calico on a node that is not configured appropriately,
|
# To avoid running Calico on a node that is not configured appropriately,
|
||||||
# label each Node so that the DaemonSet can run the Pods only on ready Nodes.
|
# label each Node so that the DaemonSet can run the Pods only on ready Nodes.
|
||||||
if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
|
if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
|
||||||
NODE_LABELS="$NODE_LABELS,projectcalico.org/ds-ready=true"
|
NON_MASTER_NODE_LABELS="${NON_MASTER_NODE_LABELS:+${NON_MASTER_NODE_LABELS},}projectcalico.org/ds-ready=true"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Enable metadata concealment by firewalling pod traffic to the metadata server
|
# Enable metadata concealment by firewalling pod traffic to the metadata server
|
||||||
|
@ -584,6 +584,11 @@ EOF
|
|||||||
if [ -n "${NODE_LABELS:-}" ]; then
|
if [ -n "${NODE_LABELS:-}" ]; then
|
||||||
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||||
node_labels: '$(echo "${NODE_LABELS}" | sed -e "s/'/''/g")'
|
node_labels: '$(echo "${NODE_LABELS}" | sed -e "s/'/''/g")'
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
if [ -n "${NON_MASTER_NODE_LABELS:-}" ]; then
|
||||||
|
cat <<EOF >>/srv/salt-overlay/pillar/cluster-params.sls
|
||||||
|
non_master_node_labels: '$(echo "${NON_MASTER_NODE_LABELS}" | sed -e "s/'/''/g")'
|
||||||
EOF
|
EOF
|
||||||
fi
|
fi
|
||||||
if [ -n "${NODE_TAINTS:-}" ]; then
|
if [ -n "${NODE_TAINTS:-}" ]; then
|
||||||
|
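Review bot: `non_master_node_labels: '$(echo "${NON_MASTER_NODE_LABELS}" | sed -e "s/'/''/g")'` runs `echo` on operator-supplied data, so a value beginning with `-n` or `-e` would be consumed as an echo option instead of being emitted (the existing node_labels line shares this); `printf '%s' "${NON_MASTER_NODE_LABELS}" | sed -e "s/'/''/g"` avoids it. The role check that limits these labels to non-master nodes is not here but in the salt template hunk, so this pillar entry is written on every node that has the variable set; a one-line comment saying so would spare the next reader a search. The enclosing function, if any, begins before this hunk.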
@ -598,6 +598,9 @@ function start-kubelet {
|
|||||||
if [[ -n "${NODE_LABELS:-}" ]]; then
|
if [[ -n "${NODE_LABELS:-}" ]]; then
|
||||||
node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"
|
node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"
|
||||||
fi
|
fi
|
||||||
|
if [[ -n "${NON_MASTER_NODE_LABELS:-}" && "${KUBERNETES_MASTER:-}" != "true" ]]; then
|
||||||
|
node_labels="${node_labels:+${node_labels},}${NON_MASTER_NODE_LABELS}"
|
||||||
|
fi
|
||||||
if [[ -n "${node_labels:-}" ]]; then
|
if [[ -n "${node_labels:-}" ]]; then
|
||||||
flags+=" --node-labels=${node_labels}"
|
flags+=" --node-labels=${node_labels}"
|
||||||
fi
|
fi
|
||||||
|
@ -60,6 +60,20 @@ function config-ip-firewall {
|
|||||||
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
|
if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
|
||||||
iptables -A KUBE-METADATA-SERVER -j DROP
|
iptables -A KUBE-METADATA-SERVER -j DROP
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Flush iptables nat table
|
||||||
|
iptables -t nat -F || true
|
||||||
|
|
||||||
|
if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" && "${KUBERNETES_MASTER:-}" == false ]]; then
|
||||||
|
echo "Add rules for ip masquerade"
|
||||||
|
iptables -t nat -N IP-MASQ
|
||||||
|
iptables -t nat -A POSTROUTING -m comment --comment "ip-masq: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
|
||||||
|
iptables -t nat -A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||||
|
iptables -t nat -A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||||
|
iptables -t nat -A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||||
|
iptables -t nat -A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
|
||||||
|
iptables -t nat -A IP-MASQ -m comment --comment "ip-masq: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
function create-dirs {
|
function create-dirs {
|
||||||
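Review bot: The guard `"${KUBERNETES_MASTER:-}" == false` installs the IP-MASQ rules only when KUBERNETES_MASTER is explicitly `false`, whereas the node-label hunks in this commit (`@ -598,6 +598,9 @@` and `@ -971,6 +987,9 @@`) use `"${KUBERNETES_MASTER:-}" != "true"` and treat unset as a non-master; if the variable can ever be unset on a node, that node gets Calico labels but no masquerade rule, and the two checks disagree about what unset means, so one form (e.g. `!= "true"`) should be used in all three places. `iptables -t nat -N IP-MASQ` is also not re-runnable: the preceding `iptables -t nat -F` flushes rules but does not delete user-defined chains, so a second invocation of config-ip-firewall fails on the `-N` and, if the script runs with errexit (not visible here), aborts there; `iptables -t nat -N IP-MASQ 2>/dev/null || true` would make the function idempotent. config-ip-firewall begins before this hunk.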
@ -938,7 +952,9 @@ function start-kubelet {
|
|||||||
flags+=" --cni-bin-dir=/home/kubernetes/bin"
|
flags+=" --cni-bin-dir=/home/kubernetes/bin"
|
||||||
if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" ]]; then
|
if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" ]]; then
|
||||||
# Calico uses CNI always.
|
# Calico uses CNI always.
|
||||||
if [[ "${KUBERNETES_PRIVATE_MASTER:-}" == "true" ]]; then
|
# Keep KUBERNETES_PRIVATE_MASTER for backward compatibility.
|
||||||
|
# Note that network policy won't work for master node.
|
||||||
|
if [[ "${KUBERNETES_PRIVATE_MASTER:-}" == "true" || "${KUBERNETES_MASTER:-}" == "true" ]]; then
|
||||||
flags+=" --network-plugin=${NETWORK_PROVIDER}"
|
flags+=" --network-plugin=${NETWORK_PROVIDER}"
|
||||||
else
|
else
|
||||||
flags+=" --network-plugin=cni"
|
flags+=" --network-plugin=cni"
|
||||||
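Review bot: The two new comments give a compatibility note and a consequence (`# Note that network policy won't work for master node.`) but not the reason the master is excluded from CNI; since this commit stops applying the Calico ds-ready label to masters, a single comment such as `# Masters are not labelled for the Calico DaemonSet (see NON_MASTER_NODE_LABELS), so they keep the ${NETWORK_PROVIDER} plugin and network policy is not enforced there. KUBERNETES_PRIVATE_MASTER is kept for backward compatibility.` would tie the branch to its cause. start-kubelet begins before this hunk and the else branch continues past it.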
@ -971,6 +987,9 @@ function start-kubelet {
|
|||||||
if [[ -n "${NODE_LABELS:-}" ]]; then
|
if [[ -n "${NODE_LABELS:-}" ]]; then
|
||||||
node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"
|
node_labels="${node_labels:+${node_labels},}${NODE_LABELS}"
|
||||||
fi
|
fi
|
||||||
|
if [[ -n "${NON_MASTER_NODE_LABELS:-}" && "${KUBERNETES_MASTER:-}" != "true" ]]; then
|
||||||
|
node_labels="${node_labels:+${node_labels},}${NON_MASTER_NODE_LABELS}"
|
||||||
|
fi
|
||||||
if [[ -n "${node_labels:-}" ]]; then
|
if [[ -n "${node_labels:-}" ]]; then
|
||||||
flags+=" --node-labels=${node_labels}"
|
flags+=" --node-labels=${node_labels}"
|
||||||
fi
|
fi
|
||||||
@ -1007,9 +1026,6 @@ ExecStart=${kubelet_bin} \$KUBELET_OPTS
|
|||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
# Flush iptables nat table
|
|
||||||
iptables -t nat -F || true
|
|
||||||
|
|
||||||
systemctl start kubelet.service
|
systemctl start kubelet.service
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -171,6 +171,9 @@
|
|||||||
{% set kube_proxy_ds_label = "beta.kubernetes.io/kube-proxy-ds-ready=true," %}
|
{% set kube_proxy_ds_label = "beta.kubernetes.io/kube-proxy-ds-ready=true," %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% set node_labels = kube_proxy_ds_label + pillar['node_labels'] %}
|
{% set node_labels = kube_proxy_ds_label + pillar['node_labels'] %}
|
||||||
|
{% if grains['roles'][0] != 'kubernetes-master' and pillar['non_master_node_labels'] is defined -%}
|
||||||
|
{% set node_labels = pillar['non_master_node_labels'] + "," + node_labels %}
|
||||||
|
{% endif %}
|
||||||
{% if node_labels != "" %}
|
{% if node_labels != "" %}
|
||||||
{% set node_labels="--node-labels=" + node_labels %}
|
{% set node_labels="--node-labels=" + node_labels %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
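Review bot: `{% set node_labels = pillar['non_master_node_labels'] + "," + node_labels %}` always inserts the comma, so when node_labels is empty — a state the later `{% if node_labels != "" %}` guard shows is possible — the kubelet receives `--node-labels=<labels>,` with a trailing empty entry. Guarding the separator, e.g. `{% set node_labels = pillar['non_master_node_labels'] + ("," + node_labels if node_labels else "") %}`, keeps the flag well-formed. The new `{% if ... -%}` uses trailing whitespace control while the surrounding tags do not; dropping the `-` keeps the block consistent.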