diff --git a/cmd/kube-proxy/app/server.go b/cmd/kube-proxy/app/server.go
index 46d715ed498..ff30980da27 100644
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -169,6 +169,8 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 		"NAT timeout for TCP connections in the CLOSE_WAIT state")
 	fs.BoolVar(&o.config.EnableProfiling, "profiling", o.config.EnableProfiling, "If true enables profiling via web interface on /debug/pprof handler.")
 	fs.StringVar(&o.config.IPVS.Scheduler, "ipvs-scheduler", o.config.IPVS.Scheduler, "The ipvs scheduler type when proxy mode is ipvs")
+	fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses,
+		"A string slice of values which specify the addresses to use for NodePorts. Values may be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty string slice ([]) means to use all local addresses.")
 	fs.Var(flag.NewMapStringBool(&o.config.FeatureGates), "feature-gates", "A set of key=value pairs that describe feature gates for alpha/experimental features. "+
 		"Options are:\n"+strings.Join(utilfeature.DefaultFeatureGate.KnownFeatures(), "\n"))
 }
diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
index 30a8ac9bbf9..46b1acbe286 100644
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -161,6 +161,7 @@ func newProxyServer(
 		nodeIP,
 		recorder,
 		healthzUpdater,
+		config.NodePortAddresses,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create proxier: %v", err)
@@ -196,6 +197,7 @@ func newProxyServer(
 		recorder,
 		healthzServer,
 		config.IPVS.Scheduler,
+		config.NodePortAddresses,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create proxier: %v", err)
@@ -226,6 +228,7 @@ func newProxyServer(
 		config.IPTables.SyncPeriod.Duration,
 		config.IPTables.MinSyncPeriod.Duration,
 		config.UDPIdleTimeout.Duration,
+		config.NodePortAddresses,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create proxier: %v", err)
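Review bot: Nothing in this diff validates the entries of the new `--nodeport-addresses` flag, and the help text on the added `fs.StringSliceVar` line only says values "may be valid IP blocks", so a malformed CIDR is accepted at the flag layer and surfaces, if at all, only when a proxier parses it later. Because this list decides which node addresses expose NodePort services, a typo that silently widens or empties the selection is a security-relevant failure mode and should be rejected at startup — e.g. in the kubeproxyconfig validation, `for i, cidr := range config.NodePortAddresses { if _, _, err := net.ParseCIDR(cidr); err != nil { allErrs = append(allErrs, field.Invalid(fldPath.Child("NodePortAddresses").Index(i), cidr, "must be a valid CIDR")) } }`; validation may already exist outside this diff, in which case only the wording needs fixing. I would also tighten the help string to say `Values must be valid IP blocks (e.g. 1.2.3.0/24, 1.2.3.4/32). The default empty list means NodePorts are bound on all local addresses; restrict this on nodes with public or management interfaces.` AddFlags continues outside the hunk.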
diff --git a/cmd/kube-proxy/app/server_test.go b/cmd/kube-proxy/app/server_test.go
index 431ef73f53d..8d547f825b9 100644
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -433,6 +433,9 @@ oomScoreAdj: 17
 portRange: "2-7"
 resourceContainer: /foo
 udpIdleTimeout: 123ms
+nodePortAddresses:
+  - "10.20.30.40/16"
+  - "fd00:1::0/64"
 `
 
 	testCases := []struct {
@@ -545,6 +548,7 @@ udpIdleTimeout: 123ms
 				PortRange:          "2-7",
 				ResourceContainer:  "/foo",
 				UDPIdleTimeout:     metav1.Duration{Duration: 123 * time.Millisecond},
+				NodePortAddresses:  []string{"10.20.30.40/16", "fd00:1::0/64"},
 			}
 
 			options := NewOptions()
diff --git a/pkg/kubemark/hollow_proxy.go b/pkg/kubemark/hollow_proxy.go
index 27ca1128926..8ed70fec124 100644
--- a/pkg/kubemark/hollow_proxy.go
+++ b/pkg/kubemark/hollow_proxy.go
@@ -92,6 +92,7 @@ func NewHollowProxyOrDie(
 		getNodeIP(client, nodeName),
 		recorder,
 		nil,
+		[]string{},
 	)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create proxier: %v", err)
diff --git a/pkg/proxy/apis/kubeproxyconfig/fuzzer/fuzzer.go b/pkg/proxy/apis/kubeproxyconfig/fuzzer/fuzzer.go
index 2f3347fcf2a..b96464c44c7 100644
--- a/pkg/proxy/apis/kubeproxyconfig/fuzzer/fuzzer.go
+++ b/pkg/proxy/apis/kubeproxyconfig/fuzzer/fuzzer.go
@@ -44,7 +44,9 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.IPTables.MasqueradeBit = utilpointer.Int32Ptr(c.Int31())
 			obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
 			obj.OOMScoreAdj = utilpointer.Int32Ptr(c.Int31())
-			obj.ResourceContainer = c.RandString()
+			obj.ResourceContainer = "foo"
+			obj.ClientConnection.ContentType = "bar"
+			obj.NodePortAddresses = []string{"1.2.3.0/24"}
 		},
 	}
 }
diff --git a/pkg/proxy/apis/kubeproxyconfig/types.go b/pkg/proxy/apis/kubeproxyconfig/types.go
index fd4d78f8b7b..b9e662826ae 100644
--- a/pkg/proxy/apis/kubeproxyconfig/types.go
+++ b/pkg/proxy/apis/kubeproxyconfig/types.go
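Review bot: Pinning `obj.NodePortAddresses` to the constant `[]string{"1.2.3.0/24"}` in the fuzzer hunk — alongside the switch of `ResourceContainer` and `ClientConnection.ContentType` from random to fixed strings — removes roundtrip coverage for exactly the inputs that tend to break slice fields: a nil slice versus an empty non-nil one, several entries, and IPv6 blocks such as the `fd00:1::0/64` value the server_test.go hunk relies on. If the constants were introduced to keep the roundtrip test deterministic or to sidestep a nil/empty-slice mismatch, that reason should be recorded next to the assignments, e.g. `// fixed values: keeps the roundtrip fuzzer from tripping on nil vs empty slices`; otherwise a small randomly generated list of well-formed CIDRs covering both address families would be the better fuzz input. The func literal these lines belong to starts outside the hunk.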
@@ -144,6 +144,14 @@ type KubeProxyConfiguration struct {
 	// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 	// than 0.
 	ConfigSyncPeriod metav1.Duration
+	// nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
+	// IP blocks. These values are as a parameter to select the interfaces where nodeport works.
+	// In case someone would like to expose a service on localhost for local visit and some other interfaces for
+	// particular purpose, a list of IP blocks would do that.
+	// If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
+	// If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
+	// An empty string slice is meant to select all network interfaces.
+	NodePortAddresses []string
 }
 
 // Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables'
diff --git a/pkg/proxy/apis/kubeproxyconfig/v1alpha1/types.go b/pkg/proxy/apis/kubeproxyconfig/v1alpha1/types.go
index fabec668f00..b0e44c1fe12 100644
--- a/pkg/proxy/apis/kubeproxyconfig/v1alpha1/types.go
+++ b/pkg/proxy/apis/kubeproxyconfig/v1alpha1/types.go
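Review bot: The new doc comment on `NodePortAddresses` is hard to read in several places — "These values are as a parameter to select the interfaces where nodeport works", "If set it to ...", "the IPs that applied to the node" — and this is the text maintainers will rely on to understand a setting that controls which node addresses accept NodePort traffic. I would rewrite the eight comment lines as a shorter paragraph stating that the list holds CIDR blocks, that kube-proxy exposes NodePorts only on node addresses falling inside one of the blocks, that `"127.0.0.0/8"` therefore limits NodePorts to the IPv4 loopback address, and that an empty list (the default) exposes NodePorts on all node addresses, a default worth restricting on multi-homed nodes. Since the same wording appears on the v1alpha1 type in the following hunk, the two copies should be edited together so the internal and versioned types do not drift.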
@@ -140,6 +140,14 @@ type KubeProxyConfiguration struct {
 	// configSyncPeriod is how often configuration from the apiserver is refreshed. Must be greater
 	// than 0.
 	ConfigSyncPeriod metav1.Duration `json:"configSyncPeriod"`
+	// nodePortAddresses is the --nodeport-addresses value for kube-proxy process. Values must be valid
+	// IP blocks. These values are as a parameter to select the interfaces where nodeport works.
+	// In case someone would like to expose a service on localhost for local visit and some other interfaces for
+	// particular purpose, a list of IP blocks would do that.
+	// If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort.
+	// If set it to a non-zero IP block, kube-proxy will filter that down to just the IPs that applied to the node.
+	// An empty string slice is meant to select all network interfaces.
+	NodePortAddresses []string `json:"nodePortAddresses"`
 }
 
 // Currently, three modes of proxy are available in Linux platform: 'userspace' (older, going to be EOL), 'iptables'
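Review bot: The loopback example in the added comment, "If set it to "127.0.0.0/8", kube-proxy will only select the loopback interface for NodePort", is misleading on a dual-stack node: `127.0.0.0/8` covers only the IPv4 loopback address, while the field accepts IPv6 blocks (the test hunk in server_test.go feeds it `fd00:1::0/64`), so an operator following this example would silently lose NodePort access over `::1`. Since this is the versioned, user-facing type whose comments feed generated documentation, I would change that line to `// For example, "127.0.0.0/8" (together with "::1/128" on IPv6-enabled nodes) restricts NodePorts to the loopback addresses.` and replace the vague "non-zero IP block" sentence with `// Any other block is intersected with the node's own addresses; only matching addresses accept NodePort traffic.` The phrase "An empty string slice is meant to select all network interfaces" should also say plainly that this is the default and exposes NodePorts on every node address.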