Merge pull request #65388 from DataDog/lbernail/fix-ipvs-from-host
Automatic merge from submit-queue (batch tested with PRs 65388, 64995). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Always create kubeClusterIPSet in ipvs proxier **What this PR does / why we need it**: This PR creates the kubeClusterIPSet ipset even if kube-proxy is started without masqueradeAll and clusterCIDR. This is necessary to masquerade traffic sent to a clusterIP from the host network namespace. The code to do so is actually already present here: https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/proxier.go#L1220-L1244 However the second else (neither masqueradeAll nor clusterCIDR are set) cannot be used because, before this PR, the initial test `if !proxier.ipsetList[kubeClusterIPSet].isEmpty()` can never return true when masqueradeAll and clusterCIDR are not set because kubeClusterIPSet is empty. **Which issue(s) this PR fixes** Fixes #65158 ```release-note Allow access to ClusterIP from the host network namespace when kube-proxy is started in IPVS mode without either masqueradeAll or clusterCIDR flags ``` **Additional comment** Issue #65158 is closed because ClusterIP access from the host has already been fixed in master, except for the case described here (no masquerade flag). More detail in the issue.
commit
966c77c83f
@ -789,14 +789,11 @@ func (proxier *Proxier) syncProxyRules() {
|
||||
}
|
||||
// add service Cluster IP:Port to kubeServiceAccess ip set for the purpose of solving hairpin.
|
||||
// proxier.kubeServiceAccessSet.activeEntries.Insert(entry.String())
|
||||
// Install masquerade rules if 'masqueradeAll' or 'clusterCIDR' is specified.
|
||||
if proxier.masqueradeAll || len(proxier.clusterCIDR) > 0 {
|
||||
if valid := proxier.ipsetList[kubeClusterIPSet].validateEntry(entry); !valid {
|
||||
glog.Errorf("%s", fmt.Sprintf(EntryInvalidErr, entry, proxier.ipsetList[kubeClusterIPSet].Name))
|
||||
continue
|
||||
}
|
||||
proxier.ipsetList[kubeClusterIPSet].activeEntries.Insert(entry.String())
|
||||
if valid := proxier.ipsetList[kubeClusterIPSet].validateEntry(entry); !valid {
|
||||
glog.Errorf("%s", fmt.Sprintf(EntryInvalidErr, entry, proxier.ipsetList[kubeClusterIPSet].Name))
|
||||
continue
|
||||
}
|
||||
proxier.ipsetList[kubeClusterIPSet].activeEntries.Insert(entry.String())
|
||||
// ipvs call
|
||||
serv := &utilipvs.VirtualServer{
|
||||
Address: svcInfo.ClusterIP,
|
||||
|
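Review bot: The now-unconditional insert into kubeClusterIPSet (the `validateEntry` / `activeEntries.Insert` lines) has no comment explaining it once the `Install masquerade rules if ...` line is removed, and the stale commented-out `kubeServiceAccessSet` hairpin line just above reads as if it described this insert. I would add `// Always track the ClusterIP entry: with neither masqueradeAll nor clusterCIDR set, the masquerade rule for host-originated traffic still matches on this set.`; that wording is taken from the PR description, since the rule-writing code is outside this hunk. Because the change enables source-address rewriting in a configuration where it was previously inactive, a unit test that runs syncProxyRules with both options unset and asserts the entry lands in the set would pin the behaviour. syncProxyRules starts and ends outside the hunk.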