kube-proxy: only set route_localnet if required

kube-proxy sets the sysctl net.ipv4.conf.all.route_localnet=1
so NodePort services can be accessed on the loopback addresses in
IPv4, but this may present security issues.

Leverage the --nodeport-addresses flag to opt out of this feature: if the
list is not empty and none of the IP ranges contains an IPv4 loopback
address, this sysctl is not set.

In addition, add a warning to inform users about this behavior.
Antonio Ojea
2022-01-21 11:27:55 +01:00
parent c175418281
commit 8b5fa408e0
3 changed files with 102 additions and 3 deletions


@@ -264,9 +264,12 @@ func NewProxier(ipt utiliptables.Interface,
healthzServer healthcheck.ProxierHealthUpdater,
nodePortAddresses []string,
) (*Proxier, error) {
// Set the route_localnet sysctl we need for
if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
return nil, err
if utilproxy.ContainsIPv4Loopback(nodePortAddresses) {
// Set the route_localnet sysctl we need for exposing NodePorts on loopback addresses
klog.InfoS("Setting route_localnet=1, use nodePortAddresses to filter loopback addresses for NodePorts to skip it https://issues.k8s.io/90259")
if err := utilproxy.EnsureSysctl(sysctl, sysctlRouteLocalnet, 1); err != nil {
return nil, err
}
}
// Proxy needs br_netfilter and bridge-nf-call-iptables=1 when containers
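Review bot: The opt-out path introduced by the `if utilproxy.ContainsIPv4Loopback(nodePortAddresses)` guard is silent and never touches the sysctl, so a node that previously ran kube-proxy with the default presumably keeps route_localnet=1 after the operator narrows --nodeport-addresses, while an operator who expected loopback NodePorts to work gets no log line explaining why they do not. The commit message promises a warning about this behavior, but the only new log is the InfoS emitted on the path that sets the sysctl. I would add an else branch such as `} else { klog.InfoS("Not setting route_localnet=1 because no --nodeport-addresses range contains an IPv4 loopback address; NodePorts will not be reachable on loopback", "nodePortAddresses", nodePortAddresses) }` and extend the comment above the guard to state that an already-set value is left as is (or reset it, if that is the intent). ContainsIPv4Loopback is defined outside this hunk, so its handling of an empty list cannot be checked here; NewProxier itself also starts and ends outside the hunk.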