github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Split out a KUBE-EXTERNAL-SERVICES chain so we don't have to run KUBE-SERVICES from INPUT

Browse Source
This commit is contained in:
Dan Winship 2017-11-21 12:25:27 -05:00
parent 5ee2444a3a
commit 780d5954e0
2 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
pkg/proxy/iptables/proxier.go
View File

@ -67,6 +67,9 @@ const (
// the services chain // the services chain
kubeServicesChain utiliptables.Chain = "KUBE-SERVICES" kubeServicesChain utiliptables.Chain = "KUBE-SERVICES"
// the external services chain
kubeExternalServicesChain utiliptables.Chain = "KUBE-EXTERNAL-SERVICES"
// the nodeports chain // the nodeports chain
kubeNodePortsChain utiliptables.Chain = "KUBE-NODEPORTS" kubeNodePortsChain utiliptables.Chain = "KUBE-NODEPORTS"
@ -505,7 +508,7 @@ type iptablesJumpChain struct {
} }
var iptablesJumpChains = []iptablesJumpChain{ var iptablesJumpChains = []iptablesJumpChain{
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals"}, {utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals"},
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"}, {utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"},
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"}, {utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals"},
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals"}, {utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals"},
@ -513,11 +516,16 @@ var iptablesJumpChains = []iptablesJumpChain{
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules"}, {utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules"},
} }
var iptablesCleanupOnlyChains = []iptablesJumpChain{
// Present in kube 1.6 - 1.9. Removed by #56164 in favor of kubeExternalServicesChain
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals"},
}
// CleanupLeftovers removes all iptables rules and chains created by the Proxier // CleanupLeftovers removes all iptables rules and chains created by the Proxier
// It returns true if an error was encountered. Errors are logged. // It returns true if an error was encountered. Errors are logged.
func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) { func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
// Unlink our chains // Unlink our chains
for _, chain := range iptablesJumpChains { for _, chain := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
args := []string{ args := []string{
"-m", "comment", "--comment", chain.comment, "-m", "comment", "--comment", chain.comment,
"-j", string(chain.chain), "-j", string(chain.chain),
@ -576,7 +584,7 @@ func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
filterChains := bytes.NewBuffer(nil) filterChains := bytes.NewBuffer(nil)
filterRules := bytes.NewBuffer(nil) filterRules := bytes.NewBuffer(nil)
writeLine(filterChains, "*filter") writeLine(filterChains, "*filter")
for _, chain := range []utiliptables.Chain{kubeServicesChain, kubeForwardChain} { for _, chain := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain} {
if _, found := existingFilterChains[chain]; found { if _, found := existingFilterChains[chain]; found {
chainString := string(chain) chainString := string(chain)
writeLine(filterChains, existingFilterChains[chain]) writeLine(filterChains, existingFilterChains[chain])
@ -1033,7 +1041,7 @@ func (proxier *Proxier) syncProxyRules() {
// Make sure we keep stats for the top-level chains, if they existed // Make sure we keep stats for the top-level chains, if they existed
// (which most should have because we created them above). // (which most should have because we created them above).
for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeForwardChain} { for _, chainName := range []utiliptables.Chain{kubeServicesChain, kubeExternalServicesChain, kubeForwardChain} {
if chain, ok := existingFilterChains[chainName]; ok { if chain, ok := existingFilterChains[chainName]; ok {
writeLine(proxier.filterChains, chain) writeLine(proxier.filterChains, chain)
} else { } else {
@ -1199,7 +1207,7 @@ func (proxier *Proxier) syncProxyRules() {
// Install ICMP Reject rule in filter table for destination=externalIP and dport=svcport // Install ICMP Reject rule in filter table for destination=externalIP and dport=svcport
if len(proxier.endpointsMap[svcName]) == 0 { if len(proxier.endpointsMap[svcName]) == 0 {
writeLine(proxier.filterRules, writeLine(proxier.filterRules,
"-A", string(kubeServicesChain), "-A", string(kubeExternalServicesChain),
"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcNameString), "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcNameString),
"-m", protocol, "-p", protocol, "-m", protocol, "-p", protocol,
"-d", utilproxy.ToCIDR(net.ParseIP(externalIP)), "-d", utilproxy.ToCIDR(net.ParseIP(externalIP)),
@ -1340,7 +1348,7 @@ func (proxier *Proxier) syncProxyRules() {
// chain. // chain.
if len(proxier.endpointsMap[svcName]) == 0 { if len(proxier.endpointsMap[svcName]) == 0 {
writeLine(proxier.filterRules, writeLine(proxier.filterRules,
"-A", string(kubeServicesChain), "-A", string(kubeExternalServicesChain),
"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcNameString), "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcNameString),
"-m", "addrtype", "--dst-type", "LOCAL", "-m", "addrtype", "--dst-type", "LOCAL",
"-m", protocol, "-p", protocol, "-m", protocol, "-p", protocol,

4
pkg/proxy/iptables/proxier_test.go
View File

@ -811,7 +811,7 @@ func TestExternalIPsReject(t *testing.T) {
fp.syncProxyRules() fp.syncProxyRules()
kubeSvcRules := ipt.GetRules(string(kubeServicesChain)) kubeSvcRules := ipt.GetRules(string(kubeExternalServicesChain))
if !hasJump(kubeSvcRules, iptablestest.Reject, svcExternalIPs, svcPort) { if !hasJump(kubeSvcRules, iptablestest.Reject, svcExternalIPs, svcPort) {
errorf(fmt.Sprintf("Failed to a %v rule for externalIP %v with no endpoints", iptablestest.Reject, svcPortName), kubeSvcRules, t) errorf(fmt.Sprintf("Failed to a %v rule for externalIP %v with no endpoints", iptablestest.Reject, svcPortName), kubeSvcRules, t)
} }
@ -844,7 +844,7 @@ func TestNodePortReject(t *testing.T) {
fp.syncProxyRules() fp.syncProxyRules()
kubeSvcRules := ipt.GetRules(string(kubeServicesChain)) kubeSvcRules := ipt.GetRules(string(kubeExternalServicesChain))
if !hasJump(kubeSvcRules, iptablestest.Reject, svcIP, svcNodePort) { if !hasJump(kubeSvcRules, iptablestest.Reject, svcIP, svcNodePort) {
errorf(fmt.Sprintf("Failed to find a %v rule for service %v with no endpoints", iptablestest.Reject, svcPortName), kubeSvcRules, t) errorf(fmt.Sprintf("Failed to find a %v rule for service %v with no endpoints", iptablestest.Reject, svcPortName), kubeSvcRules, t)
} }