Merge pull request #120864 from uablrek/kube-proxy-init
kube-proxy: Optionally do privileged configs only
@@ -233,6 +233,7 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
recorder events.EventRecorder,
|
||||
healthzServer *healthcheck.ProxierHealthServer,
|
||||
nodePortAddressStrings []string,
|
||||
initOnly bool,
|
||||
) (*Proxier, error) {
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
|
||||
|
||||
@@ -257,6 +258,11 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
klog.InfoS("nf_conntrack_tcp_be_liberal set, not installing DROP rules for INVALID packets")
|
||||
}
|
||||
|
||||
if initOnly {
|
||||
klog.InfoS("System initialized and --init-only specified")
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Generate the masquerade mark to use for SNAT rules.
|
||||
masqueradeValue := 1 << uint(masqueradeBit)
|
||||
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
|
||||
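Review bot: The `return nil, nil` on the init-only branch gives NewProxier a (nil *Proxier, nil error) result that every caller must special-case, which is not the contract Go readers expect from a constructor, and the doc comment on NewProxier (its signature starts above this hunk) does not say so; I would add `// When initOnly is set, NewProxier performs only the privileged sysctl setup and returns (nil, nil); callers must not use the result.` to that comment. The log line on the preceding `klog.InfoS` also omits the IP family, so in dual-stack mode the same message appears twice with nothing to tell them apart — `klog.InfoS("System initialized and --init-only specified", "ipFamily", ipFamily)` would fix that. Whether anything privileged still runs below this early return in the rest of NewProxier is not visible from the hunk and is worth confirming, since the whole point of the mode is that the later, unprivileged run need not repeat it. The IPVS NewProxier hunk starting at `@@ -402,6 +403,11 @@` has the identical return and log line and needs the same treatment.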
@@ -330,21 +336,25 @@ func NewDualStackProxier(
|
||||
recorder events.EventRecorder,
|
||||
healthzServer *healthcheck.ProxierHealthServer,
|
||||
nodePortAddresses []string,
|
||||
initOnly bool,
|
||||
) (proxy.Provider, error) {
|
||||
// Create an ipv4 instance of the single-stack proxier
|
||||
ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
|
||||
nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses)
|
||||
nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
|
||||
}
|
||||
|
||||
ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
|
||||
exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
|
||||
nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses)
|
||||
nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
|
||||
}
|
||||
if initOnly {
|
||||
return nil, nil
|
||||
}
|
||||
return metaproxier.NewMetaProxier(ipv4Proxier, ipv6Proxier), nil
|
||||
}
|
||||
|
||||
|
@@ -340,6 +340,7 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
scheduler string,
|
||||
nodePortAddressStrings []string,
|
||||
kernelHandler KernelHandler,
|
||||
initOnly bool,
|
||||
) (*Proxier, error) {
|
||||
// Set the conntrack sysctl we need for
|
||||
if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
|
||||
@@ -402,6 +403,11 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
}
|
||||
}
|
||||
|
||||
if initOnly {
|
||||
klog.InfoS("System initialized and --init-only specified")
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Generate the masquerade mark to use for SNAT rules.
|
||||
masqueradeValue := 1 << uint(masqueradeBit)
|
||||
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
|
||||
@@ -490,6 +496,7 @@ func NewDualStackProxier(
|
||||
scheduler string,
|
||||
nodePortAddresses []string,
|
||||
kernelHandler KernelHandler,
|
||||
initOnly bool,
|
||||
) (proxy.Provider, error) {
|
||||
|
||||
safeIpset := newSafeIpset(ipset)
|
||||
@@ -499,7 +506,7 @@ func NewDualStackProxier(
|
||||
exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP,
|
||||
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
|
||||
localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol],
|
||||
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
|
||||
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
|
||||
}
|
||||
@@ -508,10 +515,13 @@ func NewDualStackProxier(
|
||||
exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP,
|
||||
tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
|
||||
localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol],
|
||||
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
|
||||
recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
|
||||
}
|
||||
if initOnly {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
// Return a meta-proxier that dispatch calls between the two
|
||||
// single-stack proxier instances
|
||||
|
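Review bot: The `if initOnly { return nil, nil }` guard is placed only after the second NewProxier call, and nothing says that this ordering is deliberate: in init-only mode the IPv4 result is already nil and the IPv6 call is made purely so that both families' sysctls get configured. A reader tidying this up could move the guard above the IPv6 call and silently drop the IPv6 setup, so a comment on the guard such as `// Both NewProxier calls must run in init-only mode so each family's sysctls are set; their (nil, nil) results are discarded here.` would protect the intent. The same structure and the same missing comment appear in the iptables NewDualStackProxier hunk starting at `@@ -330,21 +336,25 @@`. NewDualStackProxier's signature begins above this hunk.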
@@ -109,6 +109,7 @@ func NewHollowProxyOrDie(
|
||||
recorder,
|
||||
nil,
|
||||
[]string{},
|
||||
false,
|
||||
)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to create proxier: %v", err)
|
||||
|
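Review bot: The new positional `false,` argument carries no hint of which parameter it fills, and with the preceding `nil,` and `[]string{},` already unnamed the call is hard to read; the file's style of one argument per line makes a trailing comment cheap, so I would write `false, // initOnly` here. The enclosing NewHollowProxyOrDie call and the function itself start outside the hunk.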