Merge pull request #120864 from uablrek/kube-proxy-init
kube-proxy: Optionally do privileged configs only
@@ -108,6 +108,8 @@ type Options struct {
|
||||
WriteConfigTo string
|
||||
// CleanupAndExit, when true, makes the proxy server clean up iptables and ipvs rules, then exit.
|
||||
CleanupAndExit bool
|
||||
// InitAndExit, when true, makes the proxy server makes configurations that need privileged access, then exit.
|
||||
InitAndExit bool
|
||||
// WindowsService should be set to true if kube-proxy is running as a service on Windows.
|
||||
// Its corresponding flag only gets registered in Windows builds
|
||||
WindowsService bool
|
||||
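Review bot: The doc comment on the new InitAndExit field reads `makes the proxy server makes configurations`, a doubled verb; suggest `// InitAndExit, when true, makes the proxy server perform the configuration steps that need privileged access, then exit.` It would also help operators to say here that the option is Linux-only, since the Windows createProxier hunk in this same commit rejects it with an error.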
@@ -168,7 +170,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
|
||||
"The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, "+
|
||||
"rather than being surprised when they are permanently removed in the release after that. "+
|
||||
"This parameter is ignored if a config file is specified by --config.")
|
||||
|
||||
fs.BoolVar(&o.InitAndExit, "init-only", o.InitAndExit, "If true, perform any initialization steps that must be done with full root privileges, and then exit. After doing this, you can run kube-proxy again with only the CAP_NET_ADMIN capability.")
|
||||
fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."+
|
||||
"This parameter is ignored if a config file is specified by --config.")
|
||||
|
||||
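Review bot: The `--init-only` flag is registered unconditionally here, but the Windows createProxier hunk (@@ -79,7 +79,10) rejects it with an error, so on Windows a user only learns the flag is unsupported after newProxyServer has already started its setup (it registers configz near the top of that function, for example). Either gate the registration per platform, the way the WindowsService comment in the Options hunk describes for its flag, or reject the option in Options.Validate before any setup runs. The help text should also state that the flag is Linux-only so the CAP_NET_ADMIN guidance is not read as applying to Windows. AddFlags continues outside the hunk.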
@@ -376,10 +378,13 @@ func (o *Options) Run() error {
|
||||
return cleanupAndExit()
|
||||
}
|
||||
|
||||
proxyServer, err := newProxyServer(o.config, o.master)
|
||||
proxyServer, err := newProxyServer(o.config, o.master, o.InitAndExit)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if o.InitAndExit {
|
||||
return nil
|
||||
}
|
||||
|
||||
o.proxyServer = proxyServer
|
||||
return o.runLoop()
|
||||
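Review bot: The new `if o.InitAndExit { return nil }` exits without any log line, so an operator running the privileged step as a separate unit gets nothing in the output confirming that initialization completed before the process exited; a `klog.InfoS("Privileged initialization done, exiting")` immediately before the return would make that visible (klog is already used elsewhere in this commit). The hunk also opens with `return cleanupAndExit()`, which presumably sits under an `if o.CleanupAndExit` that is outside the hunk; if so, passing both flags silently runs cleanup and never performs the init, and that combination is better rejected during option validation than resolved by statement order. Run continues outside the hunk.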
@@ -589,7 +594,7 @@ type ProxyServer struct {
|
||||
}
|
||||
|
||||
// newProxyServer creates a ProxyServer based on the given config
|
||||
func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string) (*ProxyServer, error) {
|
||||
func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string, initOnly bool) (*ProxyServer, error) {
|
||||
s := &ProxyServer{Config: config}
|
||||
|
||||
cz, err := configz.New(kubeproxyconfig.GroupName)
|
||||
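Review bot: The doc comment `// newProxyServer creates a ProxyServer based on the given config` was not updated for the new initOnly parameter, and the same applies to the `// createProxier creates the proxy.Provider` comments in the two createProxier hunks (@@ -125,7 +125,7 and @@ -79,7 +79,10). Suggest `// newProxyServer creates a ProxyServer based on the given config. initOnly is forwarded to the proxier constructor (see --init-only); on Windows it is rejected.` What the proxier constructors actually do with initOnly is not visible in this diff, so any stronger wording should be checked against them. newProxyServer continues outside the hunk.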
@@ -653,7 +658,7 @@ func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master strin
|
||||
klog.ErrorS(err, "Kube-proxy configuration may be incomplete or incorrect")
|
||||
}
|
||||
|
||||
s.Proxier, err = s.createProxier(config, dualStackSupported)
|
||||
s.Proxier, err = s.createProxier(config, dualStackSupported, initOnly)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
@@ -125,7 +125,7 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
|
||||
}
|
||||
|
||||
// createProxier creates the proxy.Provider
|
||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack bool) (proxy.Provider, error) {
|
||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack, initOnly bool) (proxy.Provider, error) {
|
||||
var proxier proxy.Provider
|
||||
var err error
|
||||
|
||||
@@ -175,6 +175,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
s.Recorder,
|
||||
s.HealthzServer,
|
||||
config.NodePortAddresses,
|
||||
initOnly,
|
||||
)
|
||||
} else {
|
||||
// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
|
||||
@@ -201,6 +202,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
s.Recorder,
|
||||
s.HealthzServer,
|
||||
config.NodePortAddresses,
|
||||
initOnly,
|
||||
)
|
||||
}
|
||||
|
||||
@@ -247,6 +249,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
config.IPVS.Scheduler,
|
||||
config.NodePortAddresses,
|
||||
kernelHandler,
|
||||
initOnly,
|
||||
)
|
||||
} else {
|
||||
var localDetector proxyutiliptables.LocalTrafficDetector
|
||||
@@ -279,6 +282,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
|
||||
config.IPVS.Scheduler,
|
||||
config.NodePortAddresses,
|
||||
kernelHandler,
|
||||
initOnly,
|
||||
)
|
||||
}
|
||||
if err != nil {
|
||||
|
@@ -79,7 +79,10 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
|
||||
}
|
||||
|
||||
// createProxier creates the proxy.Provider
|
||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode bool) (proxy.Provider, error) {
|
||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode, initOnly bool) (proxy.Provider, error) {
|
||||
if initOnly {
|
||||
return nil, fmt.Errorf("--init-only is not implemented on Windows")
|
||||
}
|
||||
var healthzPort int
|
||||
if len(config.HealthzBindAddress) > 0 {
|
||||
_, port, _ := net.SplitHostPort(config.HealthzBindAddress)
|
||||
|