pkg/proxy/nftables: handle traffic to cluster ip

NFTables proxy will now drop traffic directed towards unallocated ClusterIPs and reject traffic directed towards invalid ports of Cluster IPs. Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 18:46:39 +05:30
parent 01d7de5464
commit 4b40299133
13 changed files with 336 additions and 31 deletions
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -534,6 +534,10 @@ func ClusterRoles() []rbacv1.ClusterRole {

 		eventsRule(),
 	}
+	if utilfeature.DefaultFeatureGate.Enabled(features.MultiCIDRServiceAllocator) {
+		nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(networkingGroup).Resources("servicecidrs").RuleOrDie())
+	}
+
 	nodeProxierRules = append(nodeProxierRules, rbacv1helpers.NewRule("list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie())
 	roles = append(roles, rbacv1.ClusterRole{
 		ObjectMeta: metav1.ObjectMeta{Name: "system:node-proxier"},