Commit Graph

178 Commits

Author SHA1 Message Date
Artem Minyaylov
f573e14942 Update k8s.io/utils to latest version
Update all usages of FakeExec to pointer to avoid copying the mutex
2023-02-04 11:05:22 -08:00
Kubernetes Prow Robot
112a7a590c
Merge pull request #110723 from yangjunmyfm192085/fixklog
Fix incorrect log information and log structure
2022-12-16 19:17:41 -08:00
JunYang
856146e67e Fix incorrect log information
Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>

Update pkg/util/iptables/iptables.go

Co-authored-by: Dan Winship <danwinship@redhat.com>
2022-10-24 08:36:52 +08:00
Dan Winship
818de5a545 proxy/iptables: Add metric for partial sync failures, add test 2022-09-26 16:31:42 -04:00
Kubernetes Prow Robot
0d9ed2c3e7
Merge pull request #110328 from danwinship/iptables-counters
Stop trying to "preserve" iptables counters that are always 0
2022-06-29 08:06:06 -07:00
Dan Winship
7c27cf0b9b Simplify iptables-save parsing
We don't need to parse out the counter values from the iptables-save
output (since they are always 0 for the chains we care about). Just
parse the chain names themselves.

Also, all of the callers of GetChainLines() pass it input that
contains only a single table, so just assume that, rather than
carefully parsing only a single table's worth of the input.
2022-06-28 08:39:32 -04:00
Dan Winship
4988699c2f Use dedent to fix GetChainLines() tests
The test was calling GetChainLines() on invalid pseudo-iptables-save
output where most of the lines were indented. GetChainLines() happened
to still parse this "correctly", but it would be better to be testing
it on actually-correct data.
2022-06-28 08:39:32 -04:00
21kyu
df168d5b5c Change reflect.Ptr to reflect.Pointer 2022-06-26 01:23:43 +09:00
Dan Winship
913f4bc0ba pkg/util/iptables/testing: Fix FakeIPTables
FakeIPTables barely implemented any of the iptables interface, and the
main part that it did implement, it implemented incorrectly. Fix it:

- Implement EnsureChain, DeleteChain, EnsureRule, and DeleteRule, not
  just SaveInto/Restore/RestoreAll.

- Restore/RestoreAll now correctly merge the provided state with the
  existing state, rather than simply overwriting it.

- SaveInto now returns the table that was requested, rather than just
  echoing back the Restore/RestoreAll.
2022-05-09 11:29:08 -04:00
Dan Winship
10a72a9e03 pkg/util/iptables/testing: Add IPTables dump-parsing helpers 2022-05-09 11:29:06 -04:00
Dan Winship
f2fa1033d0 pkg/util/iptables/testing: Add better IPTables rule-parsing helpers
There were previously some strange iptables-rule-parsing functions
that were only used by two unit tests in pkg/proxy/ipvs. Get rid of
them and replace them with some much better iptables-rule-parsing
functions.
2022-05-09 11:19:26 -04:00
Dan Winship
4af471f8be proxy/iptables: move GetChainLines unit tests to the right package
GetChainLines is a utiliptables method, so it should be part of the
unit tests there.
2022-02-21 09:16:22 -05:00
cyclinder
97bd6e977d kube-proxy should log the payload when iptables-restore fails
Signed-off-by: cyclinder <qifeng.guo@daocloud.io>
2021-12-23 09:50:56 +08:00
Davanum Srinivas
9405e9b55e
Check in OWNERS modified by update-yamlfmt.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-12-09 21:31:26 -05:00
cyclinder
d8a801a7a2 kube-proxy remove todo: call iptables -S first when delete chain
Signed-off-by: cyclinder <qifeng.guo@daocloud.io>
2021-11-17 10:12:57 +08:00
Khaled Henidak (Kal)
a53e2eaeab
move IPv6DualStack feature to stable. (#104691)
* kube-proxy

* endpoints controller

* app: kube-controller-manager

* app: cloud-controller-manager

* kubelet

* app: api-server

* node utils + registry/strategy

* api: validation (comment removal)

* api:pod strategy (util pkg)

* api: docs

* core: integration testing

* kubeadm: change feature gate to GA

* service registry and rest stack

* move feature to GA

* generated
2021-09-24 16:30:22 -07:00
Stephen Augustus
481cf6fbe7
generated: Run hack/update-gofmt.sh
Signed-off-by: Stephen Augustus <foo@auggie.dev>
2021-08-24 15:47:49 -04:00
Davanum Srinivas
26cc8e40a8
fix deadcode issues
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2021-07-14 08:41:21 -04:00
Masashi Honma
39538463de test: Use bytes.Buffer.String
Fix some warnings from go-staticcheck.

"should use buffer.String() instead of string(buffer.Bytes()) (S1030)"

This warning is explained at this link.
https://staticcheck.io/docs/checks#S1030
2021-03-22 17:48:21 +09:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Dan Winship
95c6a488d8 Make kube-proxy check if IPv6 is really supported before assuming dual-stack 2021-02-17 09:11:15 -05:00
Antonio Ojea
7223f12f39 don´t leak files on iptables tests
the iptables restore function, if it considers that the --wait flag
is not supported, creates a lock file to mimic the iptables behaviour.

The test should take this into account and remove the file.
2021-02-11 00:20:38 +01:00
Hanlin Shi
4cd1eacbc1 Add rule to allow healthcheck nodeport traffic in filter table
1. For iptables mode, add KUBE-NODEPORTS chain in filter table. Add
   rules to allow healthcheck node port traffic.
2. For ipvs mode, add KUBE-NODE-PORT chain in filter table. Add
   KUBE-HEALTH-CHECK-NODE-PORT ipset to allow traffic to healthcheck
   node port.
2021-02-03 15:20:10 +00:00
knight42
ce0a423ef7
test(iptables): deflake TestRestoreAllWaitOldIptablesRestore
Signed-off-by: knight42 <anonymousknight96@gmail.com>
2020-09-12 22:43:44 +08:00
knight42
b25af8e3c9
feat(iptables): be able to override iptables-1.4-compatible lock path 2020-09-12 22:43:43 +08:00
knight42
f6f0f7922a
test(iptables): deflake TestRestoreAllGrabOldLock
Signed-off-by: knight42 <anonymousknight96@gmail.com>
2020-09-05 01:07:46 +08:00
Antonio Ojea
924553b7ee iptables don't do reverse DNS lookups
the iptables monitor was using iptables -L to list the chains,
without the -n option, so it was trying to do reverse DNS lookups.
A side effect is that it was holding the lock, so other components
could not use it.
We can use -S instead of -L -n to avoid this, since we only want
to check the chain exists.
2020-07-08 18:39:22 +02:00
Benjamin Elder
2abc8afece eparis to emeritus 2020-06-30 09:50:44 -07:00
Davanum Srinivas
07d88617e5
Run hack/update-vendor.sh
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:33 -04:00
Davanum Srinivas
442a69c3bd
switch over k/k to use klog v2
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-16 07:54:27 -04:00
Tim Hockin
9551ecb7c3 Cleanup: Change "Ip" to "IP" in func and var names 2020-04-10 15:29:50 -07:00
Tim Hockin
efb24d44c6 Rename iptables IsIpv6 to IsIPv6 2020-04-10 15:29:50 -07:00
Tim Hockin
ef934a2c5e Add Protocol() method to iptables
Enables simpler printing of which IP family the iptables interface is
managing.
2020-04-10 15:29:49 -07:00
Satyadeep Musuvathy
8c6956e5bb Refactor handling of local traffic detection. 2020-02-21 17:57:34 -08:00
SataQiu
51c742c1dd fix staticcheck failures of pkg/util/ipconfig pkg/util/iptables pkg/util/ipvs/testing 2020-01-09 16:05:11 +08:00
SataQiu
2497a1209b bump k8s.io/utils version 2019-12-21 14:54:44 +08:00
Antonio Ojea
51814ae189
Be more agressive acquiring the iptables lock
iptables has two options to modify the behaviour trying to
acquire the lock.

--wait  -w [seconds]    maximum wait to acquire xtables lock
                        before give up
--wait-interval -W [usecs]  wait time to try to acquire xtables
                            lock
                            interval to wait for xtables lock
                            default is 1 second

Kubernetes uses -w 5 that means that wait 5 seconds to try to
acquire the lock. If we are not able to acquire it, kube-proxy
fails and retries in 30 seconds, that is an important penalty
on sensitive applications.
We can be a bit more aggresive and try to acquire the lock every
100 msec, that means that we have to fail 50 times to not being
able to succeed.
2019-12-03 17:38:13 +01:00
gkarthiks
c38e79e76d refactor: incorporated the review comments
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-24 11:46:57 -08:00
gkarthiks
a4abc1dd4d refactor(golint): lint fixes for iptables test file
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-22 19:58:56 -08:00
gkarthiks
b05749c619 chore(gofmt): go format fix
Signed-off-by: gkarthiks <github.gkarthiks@gmail.com>
2019-11-19 08:30:16 -08:00
Karthikeyan Govindaraj
a4631c845e
chore(lint): lint fix in /pkg/util/iptables 2019-11-18 23:44:49 -08:00
Karthikeyan Govindaraj
bdc11c2806
chore(lint): fix iptable.go file lint 2019-11-18 23:43:51 -08:00
Kubernetes Prow Robot
e434d2dbab
Merge pull request #84295 from aojea/iptableslogs
Improve iptables logging
2019-11-14 17:49:51 -08:00
Kubernetes Prow Robot
6c5fb3ee60
Merge pull request #83491 from dcbw/winship-iptables-owner
pkg/util/iptables: add Dan Winship to approvers
2019-11-14 16:37:26 -08:00
Jordan Liggitt
297570e06a hack/update-vendor.sh 2019-11-06 17:42:34 -05:00
Antonio Ojea
1268d1a8ff Improve iptables logging 2019-10-24 15:52:05 +02:00
Dan Williams
765bb2707d pkg/util/iptables: add Dan Winship to OWNERS 2019-10-03 22:21:48 -05:00
Dan Winship
2f89c03c63 iptables.Monitor: don't be fooled by "could not get lock" errors 2019-10-02 11:35:12 -04:00
chenyaqi01
3175c9e226 simplify regexp with raw string 2019-09-20 16:53:56 +08:00
Dan Winship
3948f16ff4 Add iptables.Monitor, use it from kubelet and kube-proxy
Kubelet and kube-proxy both had loops to ensure that their iptables
rules didn't get deleted, by repeatedly recreating them. But on
systems with lots of iptables rules (ie, thousands of services), this
can be very slow (and thus might end up holding the iptables lock for
several seconds, blocking other operations, etc).

The specific threat that they need to worry about is
firewall-management commands that flush *all* dynamic iptables rules.
So add a new iptables.Monitor() function that handles this by creating
iptables-flush canaries and only triggering a full rule reload after
noticing that someone has deleted those chains.
2019-09-17 10:19:26 -04:00