From 0fd30adb3d4cbdfef8a8e76db0c5161a013ad08f Mon Sep 17 00:00:00 2001
From: Robert Pothier
Date: Wed, 27 Sep 2017 11:37:35 -0400
Subject: [PATCH] ip6tables should be set in the noop plugin

The noop plugin currently sets the iptables for IPv4. This updates that to also set the iptables for IPv6 so IPv6 can have parity with IPv4.
---
 pkg/kubelet/network/plugins.go | 12 +++++++-
 pkg/kubelet/network/testing/BUILD | 2 ++
 pkg/kubelet/network/testing/plugins_test.go | 31 +++++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/pkg/kubelet/network/plugins.go b/pkg/kubelet/network/plugins.go
index 1714af8005d..24e358943e9 100644
--- a/pkg/kubelet/network/plugins.go
+++ b/pkg/kubelet/network/plugins.go
@@ -157,6 +157,7 @@ func InitNetworkPlugin(plugins []NetworkPlugin, networkPluginName string, host H
 if networkPluginName == "" {
 // default to the no_op plugin
 plug := &NoopNetworkPlugin{}
+ plug.Sysctl = utilsysctl.New()
 if err := plug.Init(host, hairpinMode, nonMasqueradeCIDR, mtu); err != nil {
 return nil, err
 }
@@ -200,9 +201,11 @@ func UnescapePluginName(in string) string {
 }
 
 type NoopNetworkPlugin struct {
+ Sysctl utilsysctl.Interface
 }
 
 const sysctlBridgeCallIPTables = "net/bridge/bridge-nf-call-iptables"
+const sysctlBridgeCallIP6Tables = "net/bridge/bridge-nf-call-ip6tables"
 
 func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.HairpinMode, nonMasqueradeCIDR string, mtu int) error {
 // Set bridge-nf-call-iptables=1 to maintain compatibility with older
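Review bot: The new exported field `Sysctl` and the new constant carry no doc comment, and the field's contract matters because the `Init` hunk that follows dereferences `plugin.Sysctl` without a nil check, so anyone building a `NoopNetworkPlugin` outside `InitNetworkPlugin` must know to populate it. I would add above the field `// Sysctl reads and writes the bridge-nf-call-* sysctls in Init; it must be non-nil before Init is called (InitNetworkPlugin sets it to utilsysctl.New()).` and above the constant `// sysctlBridgeCallIP6Tables is the IPv6 counterpart of sysctlBridgeCallIPTables; Init treats it as optional, since the knob is not present on every kernel.` The struct and its methods continue outside this hunk.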
@@ -214,9 +217,16 @@ func (plugin *NoopNetworkPlugin) Init(host Host, hairpinMode kubeletconfig.Hairp
 // Ensure the netfilter module is loaded on kernel >= 3.18; previously
 // it was built-in.
 utilexec.New().Command("modprobe", "br-netfilter").CombinedOutput()
- if err := utilsysctl.New().SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
+ if err := plugin.Sysctl.SetSysctl(sysctlBridgeCallIPTables, 1); err != nil {
 glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIPTables, err)
 }
+ if val, err := plugin.Sysctl.GetSysctl(sysctlBridgeCallIP6Tables); err == nil {
+ if val != 1 {
+ if err = plugin.Sysctl.SetSysctl(sysctlBridgeCallIP6Tables, 1); err != nil {
+ glog.Warningf("can't set sysctl %s: %v", sysctlBridgeCallIP6Tables, err)
+ }
+ }
+ }
 
 return nil
 }
diff --git a/pkg/kubelet/network/testing/BUILD b/pkg/kubelet/network/testing/BUILD
index f0aa262005c..9107cd2297e 100644
--- a/pkg/kubelet/network/testing/BUILD
+++ b/pkg/kubelet/network/testing/BUILD
@@ -35,7 +35,9 @@ go_test(
 "//pkg/kubelet/apis/kubeletconfig:go_default_library",
 "//pkg/kubelet/container:go_default_library",
 "//pkg/kubelet/network:go_default_library",
+ "//pkg/util/sysctl/testing:go_default_library",
 "//vendor/github.com/golang/mock/gomock:go_default_library",
+ "//vendor/github.com/stretchr/testify/assert:go_default_library",
 "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
 ],
 )
diff --git a/pkg/kubelet/network/testing/plugins_test.go b/pkg/kubelet/network/testing/plugins_test.go
index 07ba256a250..6398948fa3c 100644
--- a/pkg/kubelet/network/testing/plugins_test.go
+++ b/pkg/kubelet/network/testing/plugins_test.go
@@ -26,8 +26,10 @@ import (
 "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig"
 kubecontainer "k8s.io/kubernetes/pkg/kubelet/container"
 "k8s.io/kubernetes/pkg/kubelet/network"
+ sysctltest "k8s.io/kubernetes/pkg/util/sysctl/testing"
 
 "github.com/golang/mock/gomock"
+ "github.com/stretchr/testify/assert"
 )
 
 func TestSelectDefaultPlugin(t *testing.T) {
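Review bot: `Init` now dereferences `plugin.Sysctl` on both the IPv4 and the IPv6 path, so the zero-value `NoopNetworkPlugin{}` that was fully usable before this commit panics on a nil interface unless the caller also performed the assignment added in `InitNetworkPlugin`; whether any other construction site exists is outside this diff, so I can't tell. A defensive default at the top of the function keeps the old zero value working: `if plugin.Sysctl == nil {` / `plugin.Sysctl = utilsysctl.New()` / `}`. Separately, the IPv6 branch stays completely silent when `GetSysctl` fails, which is fine for a kernel without the knob but also hides an unreadable or unwritable /proc, after which bridged IPv6 frames keep skipping ip6tables with no log line to point at; an `else` with `glog.V(2).Infof("bridge-nf-call-ip6tables not available, skipping: %v", err)` would make the asymmetry with the always-warned IPv4 path visible to operators. The body of `Init` begins before this hunk.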
@@ -44,6 +46,35 @@ func TestSelectDefaultPlugin(t *testing.T) {
 }
 }
 
+func TestInit(t *testing.T) {
+ tests := []struct {
+ setting string
+ expectedLen int
+ }{
+ {
+ setting: "net/bridge/bridge-nf-call-iptables",
+ expectedLen: 1,
+ },
+ {
+ setting: "net/bridge/bridge-nf-call-ip6tables",
+ expectedLen: 2,
+ },
+ }
+ for _, tt := range tests {
+ sysctl := sysctltest.NewFake()
+ sysctl.Settings[tt.setting] = 0
+ plug := &network.NoopNetworkPlugin{}
+ plug.Sysctl = sysctl
+ plug.Init(NewFakeHost(nil), kubeletconfig.HairpinNone, "10.0.0.0/8", network.UseDefaultMTU)
+ // Verify the sysctl specified is set
+ assert.Equal(t, 1, sysctl.Settings[tt.setting], tt.setting+" sysctl should have been set")
+ // Verify iptables is always set
+ assert.Equal(t, 1, sysctl.Settings["net/bridge/bridge-nf-call-iptables"], "net/bridge/bridge-nf-call-iptables sysctl should have been set")
+ // Verify ip6tables is only set if it existed
+ assert.Len(t, sysctl.Settings, tt.expectedLen, "length wrong for "+tt.setting)
+ }
+}
+
 func TestPluginManager(t *testing.T) {
 ctrl := gomock.NewController(t)
 fnp := NewMockNetworkPlugin(ctrl)
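Review bot: `plug.Init(...)` returns an error that the new `TestInit` throws away, so a failure inside Init would go unnoticed and the three assertions would run against a half-initialized plugin; I would write `assert.NoError(t, plug.Init(NewFakeHost(nil), kubeletconfig.HairpinNone, "10.0.0.0/8", network.UseDefaultMTU))`. The table also never reaches the `val != 1` guard added in plugins.go, because both cases pre-seed the chosen knob to 0; a third case that seeds `net/bridge/bridge-nf-call-ip6tables` to 1 and expects it to remain 1 would pin that branch. Note that the `expectedLen` check relies on the fake's `GetSysctl` returning an error for a key that was never seeded, which I cannot confirm from this diff, so a one-line comment stating that assumption next to the `assert.Len` would help the next reader.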