Add check for IPv6 '::' when calculating kube-proxy's node IP
kube-proxy currently checks for a bind address of 0.0.0.0 (IPv4 all-zeros) when calculating kube-proxy's node IP, but it does not check for an address of '::' (IPv6 all-zeros). For either of those all-zeros addresses, the node IP should be determined based on the hostname, rather than using the address directly. Also added a helpful log message when the kube-proxy protocol is determined to be IPv6. fixes #52613
This commit is contained in:
		| @@ -65,6 +65,7 @@ func NewProxyServer(config *componentconfig.KubeProxyConfiguration, cleanupAndEx | |||||||
|  |  | ||||||
| 	protocol := utiliptables.ProtocolIpv4 | 	protocol := utiliptables.ProtocolIpv4 | ||||||
| 	if net.ParseIP(config.BindAddress).To4() == nil { | 	if net.ParseIP(config.BindAddress).To4() == nil { | ||||||
|  | 		glog.V(0).Infof("IPv6 bind address (%s), assume IPv6 operation", config.BindAddress) | ||||||
| 		protocol = utiliptables.ProtocolIpv6 | 		protocol = utiliptables.ProtocolIpv6 | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| @@ -115,10 +116,8 @@ func NewProxyServer(config *componentconfig.KubeProxyConfiguration, cleanupAndEx | |||||||
| 	proxyMode := getProxyMode(string(config.Mode), iptInterface, iptables.LinuxKernelCompatTester{}) | 	proxyMode := getProxyMode(string(config.Mode), iptInterface, iptables.LinuxKernelCompatTester{}) | ||||||
| 	if proxyMode == proxyModeIPTables { | 	if proxyMode == proxyModeIPTables { | ||||||
| 		glog.V(0).Info("Using iptables Proxier.") | 		glog.V(0).Info("Using iptables Proxier.") | ||||||
| 		var nodeIP net.IP | 		nodeIP := net.ParseIP(config.BindAddress) | ||||||
| 		if config.BindAddress != "0.0.0.0" { | 		if nodeIP.Equal(net.IPv4zero) || nodeIP.Equal(net.IPv6zero) { | ||||||
| 			nodeIP = net.ParseIP(config.BindAddress) |  | ||||||
| 		} else { |  | ||||||
| 			nodeIP = getNodeIP(client, hostname) | 			nodeIP = getNodeIP(client, hostname) | ||||||
| 		} | 		} | ||||||
| 		if config.IPTables.MasqueradeBit == nil { | 		if config.IPTables.MasqueradeBit == nil { | ||||||
|   | |||||||
| @@ -177,7 +177,7 @@ func TestProxyServerWithCleanupAndExit(t *testing.T) { | |||||||
| 	// Each bind address below is a separate test case | 	// Each bind address below is a separate test case | ||||||
| 	bindAddresses := []string{ | 	bindAddresses := []string{ | ||||||
| 		"0.0.0.0", | 		"0.0.0.0", | ||||||
| 		"2001:db8::1", | 		"::", | ||||||
| 	} | 	} | ||||||
| 	for _, addr := range bindAddresses { | 	for _, addr := range bindAddresses { | ||||||
| 		options, err := NewOptions() | 		options, err := NewOptions() | ||||||
| @@ -308,13 +308,54 @@ udpTimeoutMilliseconds: 123ms | |||||||
| 		metricsBindAddress string | 		metricsBindAddress string | ||||||
| 	}{ | 	}{ | ||||||
| 		{ | 		{ | ||||||
| 			name:               "iptables mode, IPv4 config", | 			name:               "iptables mode, IPv4 all-zeros bind address", | ||||||
|  | 			mode:               "iptables", | ||||||
|  | 			bindAddress:        "0.0.0.0", | ||||||
|  | 			clusterCIDR:        "1.2.3.0/24", | ||||||
|  | 			healthzBindAddress: "1.2.3.4:12345", | ||||||
|  | 			metricsBindAddress: "2.3.4.5:23456", | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			name:               "iptables mode, non-zeros IPv4 config", | ||||||
| 			mode:               "iptables", | 			mode:               "iptables", | ||||||
| 			bindAddress:        "9.8.7.6", | 			bindAddress:        "9.8.7.6", | ||||||
| 			clusterCIDR:        "1.2.3.0/24", | 			clusterCIDR:        "1.2.3.0/24", | ||||||
| 			healthzBindAddress: "1.2.3.4:12345", | 			healthzBindAddress: "1.2.3.4:12345", | ||||||
| 			metricsBindAddress: "2.3.4.5:23456", | 			metricsBindAddress: "2.3.4.5:23456", | ||||||
| 		}, | 		}, | ||||||
|  | 		{ | ||||||
|  | 			// Test for 'bindAddress: "::"' (IPv6 all-zeros) in kube-proxy | ||||||
|  | 			// config file. The user will need to put quotes around '::' since | ||||||
|  | 			// 'bindAddress: ::' is invalid yaml syntax. | ||||||
|  | 			name:               "iptables mode, IPv6 \"::\" bind address", | ||||||
|  | 			mode:               "iptables", | ||||||
|  | 			bindAddress:        "\"::\"", | ||||||
|  | 			clusterCIDR:        "fd00:1::0/64", | ||||||
|  | 			healthzBindAddress: "[fd00:1::5]:12345", | ||||||
|  | 			metricsBindAddress: "[fd00:2::5]:23456", | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			// Test for 'bindAddress: "[::]"' (IPv6 all-zeros in brackets) | ||||||
|  | 			// in kube-proxy config file. The user will need to use | ||||||
|  | 			// surrounding quotes here since 'bindAddress: [::]' is invalid | ||||||
|  | 			// yaml syntax. | ||||||
|  | 			name:               "iptables mode, IPv6 \"[::]\" bind address", | ||||||
|  | 			mode:               "iptables", | ||||||
|  | 			bindAddress:        "\"[::]\"", | ||||||
|  | 			clusterCIDR:        "fd00:1::0/64", | ||||||
|  | 			healthzBindAddress: "[fd00:1::5]:12345", | ||||||
|  | 			metricsBindAddress: "[fd00:2::5]:23456", | ||||||
|  | 		}, | ||||||
|  | 		{ | ||||||
|  | 			// Test for 'bindAddress: ::0' (another form of IPv6 all-zeros). | ||||||
|  | 			// No surrounding quotes are required around '::0'. | ||||||
|  | 			name:               "iptables mode, IPv6 ::0 bind address", | ||||||
|  | 			mode:               "iptables", | ||||||
|  | 			bindAddress:        "::0", | ||||||
|  | 			clusterCIDR:        "fd00:1::0/64", | ||||||
|  | 			healthzBindAddress: "[fd00:1::5]:12345", | ||||||
|  | 			metricsBindAddress: "[fd00:2::5]:23456", | ||||||
|  | 		}, | ||||||
| 		{ | 		{ | ||||||
| 			name:               "ipvs mode, IPv6 config", | 			name:               "ipvs mode, IPv6 config", | ||||||
| 			mode:               "ipvs", | 			mode:               "ipvs", | ||||||
| @@ -326,8 +367,13 @@ udpTimeoutMilliseconds: 123ms | |||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	for _, tc := range testCases { | 	for _, tc := range testCases { | ||||||
|  | 		expBindAddr := tc.bindAddress | ||||||
|  | 		if tc.bindAddress[0] == '"' { | ||||||
|  | 			// Surrounding double quotes will get stripped by the yaml parser. | ||||||
|  | 			expBindAddr = expBindAddr[1 : len(tc.bindAddress)-1] | ||||||
|  | 		} | ||||||
| 		expected := &componentconfig.KubeProxyConfiguration{ | 		expected := &componentconfig.KubeProxyConfiguration{ | ||||||
| 			BindAddress: tc.bindAddress, | 			BindAddress: expBindAddr, | ||||||
| 			ClientConnection: componentconfig.ClientConnectionConfiguration{ | 			ClientConnection: componentconfig.ClientConnectionConfiguration{ | ||||||
| 				AcceptContentTypes: "abc", | 				AcceptContentTypes: "abc", | ||||||
| 				Burst:              100, | 				Burst:              100, | ||||||
| @@ -374,7 +420,7 @@ udpTimeoutMilliseconds: 123ms | |||||||
| 		config, err := options.loadConfig([]byte(yaml)) | 		config, err := options.loadConfig([]byte(yaml)) | ||||||
| 		assert.NoError(t, err, "unexpected error for %s: %v", tc.name, err) | 		assert.NoError(t, err, "unexpected error for %s: %v", tc.name, err) | ||||||
| 		if !reflect.DeepEqual(expected, config) { | 		if !reflect.DeepEqual(expected, config) { | ||||||
| 			t.Fatalf("unexpected config for %s test, diff = %s", tc.name, diff.ObjectDiff(config, expected)) | 			t.Fatalf("unexpected config for %s, diff = %s", tc.name, diff.ObjectDiff(config, expected)) | ||||||
| 		} | 		} | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
| @@ -396,6 +442,11 @@ func TestLoadConfigFailures(t *testing.T) { | |||||||
| 			config: "kind: KubeSchedulerConfiguration", | 			config: "kind: KubeSchedulerConfiguration", | ||||||
| 			expErr: "unexpected config type", | 			expErr: "unexpected config type", | ||||||
| 		}, | 		}, | ||||||
|  | 		{ | ||||||
|  | 			name:   "Missing quotes around :: bindAddress", | ||||||
|  | 			config: "bindAddress: ::", | ||||||
|  | 			expErr: "mapping values are not allowed in this context", | ||||||
|  | 		}, | ||||||
| 	} | 	} | ||||||
| 	version := "apiVersion: componentconfig/v1alpha1" | 	version := "apiVersion: componentconfig/v1alpha1" | ||||||
| 	for _, tc := range testCases { | 	for _, tc := range testCases { | ||||||
|   | |||||||
| @@ -942,7 +942,7 @@ func iptablesFlush(ipt iptables.Interface) error { | |||||||
| var zeroIPv4 = net.ParseIP("0.0.0.0") | var zeroIPv4 = net.ParseIP("0.0.0.0") | ||||||
| var localhostIPv4 = net.ParseIP("127.0.0.1") | var localhostIPv4 = net.ParseIP("127.0.0.1") | ||||||
|  |  | ||||||
| var zeroIPv6 = net.ParseIP("::0") | var zeroIPv6 = net.ParseIP("::") | ||||||
| var localhostIPv6 = net.ParseIP("::1") | var localhostIPv6 = net.ParseIP("::1") | ||||||
|  |  | ||||||
| // Build a slice of iptables args that are common to from-container and from-host portal rules. | // Build a slice of iptables args that are common to from-container and from-host portal rules. | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user
	 Dane LeBlanc
					Dane LeBlanc