kube-proxy: only set route_localnet if required

kube-proxy sets the sysctl net.ipv4.conf.all.route_localnet=1 so NodePort services can be accessed on the loopback addresses in IPv4, but this may present security issues. Leverage the --nodeport-addresses flag to opt-out of this feature, if the list is not empty and none of the IP ranges contains an IPv4 loopback address this sysctl is not set. In addition, add a warning to inform users about this behavior.
2022-01-21 11:27:55 +01:00
parent c175418281
commit 8b5fa408e0
3 changed files with 102 additions and 3 deletions
--- a/pkg/proxy/util/utils.go
+++ b/pkg/proxy/util/utils.go
@@ -78,6 +78,37 @@ func BuildPortsToEndpointsMap(endpoints *v1.Endpoints) map[string][]string {
 	return portsToEndpoints
 }

+// ContainsIPv4Loopback returns true if the input is empty or one of the CIDR contains an IPv4 loopback address.
+func ContainsIPv4Loopback(cidrStrings []string) bool {
+	if len(cidrStrings) == 0 {
+		return true
+	}
+	// RFC 5735 127.0.0.0/8 - This block is assigned for use as the Internet host loopback address
+	ipv4LoopbackStart := netutils.ParseIPSloppy("127.0.0.0")
+	for _, cidr := range cidrStrings {
+		if IsZeroCIDR(cidr) {
+			return true
+		}
+
+		ip, ipnet, err := netutils.ParseCIDRSloppy(cidr)
+		if err != nil {
+			continue
+		}
+
+		if netutils.IsIPv6CIDR(ipnet) {
+			continue
+		}
+
+		if ip.IsLoopback() {
+			return true
+		}
+		if ipnet.Contains(ipv4LoopbackStart) {
+			return true
+		}
+	}
+	return false
+}
+
 // IsZeroCIDR checks whether the input CIDR string is either
 // the IPv4 or IPv6 zero CIDR
 func IsZeroCIDR(cidr string) bool {