kube-proxy: add a flag to disables the allowing NodePort services to be accessed via localhost

2025-09-11 22:20:18 +00:00 · 2022-11-02 16:17:52 +08:00
parent ccf57ba09d
commit bef2070031
18 changed files with 578 additions and 22 deletions
--- a/cmd/kube-proxy/app/server.go
+++ b/cmd/kube-proxy/app/server.go
@@ -199,6 +199,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {

 	fs.BoolVar(&o.config.IPVS.StrictARP, "ipvs-strict-arp", o.config.IPVS.StrictARP, "Enable strict ARP by setting arp_ignore to 1 and arp_announce to 2")
 	fs.BoolVar(&o.config.IPTables.MasqueradeAll, "masquerade-all", o.config.IPTables.MasqueradeAll, "If using the pure iptables proxy, SNAT all traffic sent via Service cluster IPs (this not commonly needed)")
+	fs.BoolVar(o.config.IPTables.LocalhostNodePorts, "iptables-localhost-nodeports", pointer.BoolDeref(o.config.IPTables.LocalhostNodePorts, true), "If false Kube-proxy will disable the legacy behavior of allowing NodePort services to be accessed via localhost, This only applies to iptables mode and ipv4.")
 	fs.BoolVar(&o.config.EnableProfiling, "profiling", o.config.EnableProfiling, "If true enables profiling via web interface on /debug/pprof handler. This parameter is ignored if a config file is specified by --config.")

 	fs.Float32Var(&o.config.ClientConnection.QPS, "kube-api-qps", o.config.ClientConnection.QPS, "QPS to use while talking with kubernetes apiserver")
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -197,6 +197,7 @@ func newProxyServer(
 				config.IPTables.SyncPeriod.Duration,
 				config.IPTables.MinSyncPeriod.Duration,
 				config.IPTables.MasqueradeAll,
+				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
 				localDetectors,
 				hostname,
@@ -221,6 +222,7 @@ func newProxyServer(
 				config.IPTables.SyncPeriod.Duration,
 				config.IPTables.MinSyncPeriod.Duration,
 				config.IPTables.MasqueradeAll,
+				*config.IPTables.LocalhostNodePorts,
 				int(*config.IPTables.MasqueradeBit),
 				localDetector,
 				hostname,
--- a/cmd/kube-proxy/app/server_test.go
+++ b/cmd/kube-proxy/app/server_test.go
@@ -107,6 +107,7 @@ iptables:
  masqueradeBit: 17
  minSyncPeriod: 10s
  syncPeriod: 60s
+  localhostNodePorts: true
 ipvs:
  minSyncPeriod: 10s
  syncPeriod: 60s
@@ -246,10 +247,11 @@ nodePortAddresses:
 			HealthzBindAddress: tc.healthzBindAddress,
 			HostnameOverride:   "foo",
 			IPTables: kubeproxyconfig.KubeProxyIPTablesConfiguration{
-				MasqueradeAll: true,
-				MasqueradeBit: pointer.Int32(17),
-				MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},
-				SyncPeriod:    metav1.Duration{Duration: 60 * time.Second},
+				MasqueradeAll:      true,
+				MasqueradeBit:      pointer.Int32(17),
+				LocalhostNodePorts: pointer.Bool(true),
+				MinSyncPeriod:      metav1.Duration{Duration: 10 * time.Second},
+				SyncPeriod:         metav1.Duration{Duration: 60 * time.Second},
 			},
 			IPVS: kubeproxyconfig.KubeProxyIPVSConfiguration{
 				MinSyncPeriod: metav1.Duration{Duration: 10 * time.Second},