Merge pull request #123105 from danwinship/nodeport-addresses-primary
Add `--nodeport-addresses primary`, warn on empty `--nodeport-addresses`
This commit is contained in:
Kubernetes Prow Robot
@@ -17,10 +17,6 @@ limitations under the License.
|
||||
package config
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"sort"
|
||||
"strings"
|
||||
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
componentbaseconfig "k8s.io/component-base/config"
|
||||
logsapi "k8s.io/component-base/logs/api/v1"
|
||||
@@ -228,10 +224,12 @@ type KubeProxyConfiguration struct {
|
||||
// used.)
|
||||
ClusterCIDR string
|
||||
|
||||
// nodePortAddresses is a list of CIDR ranges that contain valid node IPs. If set,
|
||||
// nodePortAddresses is a list of CIDR ranges that contain valid node IPs, or
|
||||
// alternatively, the single string 'primary'. If set to a list of CIDRs,
|
||||
// connections to NodePort services will only be accepted on node IPs in one of
|
||||
// the indicated ranges. If unset, NodePort connections will be accepted on all
|
||||
// local IPs.
|
||||
// the indicated ranges. If set to 'primary', NodePort services will only be
|
||||
// accepted on the node's primary IPv4 and/or IPv6 address according to the Node
|
||||
// object. If unset, NodePort connections will be accepted on all local IPs.
|
||||
NodePortAddresses []string
|
||||
|
||||
// oomScoreAdj is the oom-score-adj value for kube-proxy process. Values must be within
|
||||
@@ -265,17 +263,6 @@ const (
|
||||
ProxyModeKernelspace ProxyMode = "kernelspace"
|
||||
)
|
||||
|
||||
// LocalMode represents modes to detect local traffic from the node
|
||||
type LocalMode string
|
||||
|
||||
// Currently supported modes for LocalMode
|
||||
const (
|
||||
LocalModeClusterCIDR LocalMode = "ClusterCIDR"
|
||||
LocalModeNodeCIDR LocalMode = "NodeCIDR"
|
||||
LocalModeBridgeInterface LocalMode = "BridgeInterface"
|
||||
LocalModeInterfaceNamePrefix LocalMode = "InterfaceNamePrefix"
|
||||
)
|
||||
|
||||
func (m *ProxyMode) Set(s string) error {
|
||||
*m = ProxyMode(s)
|
||||
return nil
|
||||
@@ -292,6 +279,17 @@ func (m *ProxyMode) Type() string {
|
||||
return "ProxyMode"
|
||||
}
|
||||
|
||||
// LocalMode represents modes to detect local traffic from the node
|
||||
type LocalMode string
|
||||
|
||||
// Currently supported modes for LocalMode
|
||||
const (
|
||||
LocalModeClusterCIDR LocalMode = "ClusterCIDR"
|
||||
LocalModeNodeCIDR LocalMode = "NodeCIDR"
|
||||
LocalModeBridgeInterface LocalMode = "BridgeInterface"
|
||||
LocalModeInterfaceNamePrefix LocalMode = "InterfaceNamePrefix"
|
||||
)
|
||||
|
||||
func (m *LocalMode) Set(s string) error {
|
||||
*m = LocalMode(s)
|
||||
return nil
|
||||
@@ -308,32 +306,6 @@ func (m *LocalMode) Type() string {
|
||||
return "LocalMode"
|
||||
}
|
||||
|
||||
type ConfigurationMap map[string]string
|
||||
|
||||
func (m *ConfigurationMap) String() string {
|
||||
pairs := []string{}
|
||||
for k, v := range *m {
|
||||
pairs = append(pairs, fmt.Sprintf("%s=%s", k, v))
|
||||
}
|
||||
sort.Strings(pairs)
|
||||
return strings.Join(pairs, ",")
|
||||
}
|
||||
|
||||
func (m *ConfigurationMap) Set(value string) error {
|
||||
for _, s := range strings.Split(value, ",") {
|
||||
if len(s) == 0 {
|
||||
continue
|
||||
}
|
||||
arr := strings.SplitN(s, "=", 2)
|
||||
if len(arr) == 2 {
|
||||
(*m)[strings.TrimSpace(arr[0])] = strings.TrimSpace(arr[1])
|
||||
} else {
|
||||
(*m)[strings.TrimSpace(arr[0])] = ""
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (*ConfigurationMap) Type() string {
|
||||
return "mapStringString"
|
||||
}
|
||||
// NodePortAddressesPrimary is a special value for NodePortAddresses indicating that it
|
||||
// should only use the primary node IPs.
|
||||
const NodePortAddressesPrimary string = "primary"
|
||||
|
||||
@@ -297,6 +297,13 @@ func validateKubeProxyNodePortAddress(nodePortAddresses []string, fldPath *field
|
||||
allErrs := field.ErrorList{}
|
||||
|
||||
for i := range nodePortAddresses {
|
||||
if nodePortAddresses[i] == kubeproxyconfig.NodePortAddressesPrimary {
|
||||
if i != 0 || len(nodePortAddresses) != 1 {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), nodePortAddresses[i], "can't use both 'primary' and CIDRs"))
|
||||
}
|
||||
break
|
||||
}
|
||||
|
||||
if _, _, err := netutils.ParseCIDRSloppy(nodePortAddresses[i]); err != nil {
|
||||
allErrs = append(allErrs, field.Invalid(fldPath.Index(i), nodePortAddresses[i], "must be a valid CIDR"))
|
||||
}
|
||||
|
||||
@@ -975,6 +975,7 @@ func TestValidateKubeProxyNodePortAddress(t *testing.T) {
|
||||
{[]string{"10.20.0.0/16", "100.200.0.0/16"}},
|
||||
{[]string{"10.0.0.0/8"}},
|
||||
{[]string{"2001:db8::/32"}},
|
||||
{[]string{kubeproxyconfig.NodePortAddressesPrimary}},
|
||||
}
|
||||
|
||||
for _, successCase := range successCases {
|
||||
@@ -1012,6 +1013,14 @@ func TestValidateKubeProxyNodePortAddress(t *testing.T) {
|
||||
addresses: []string{"::1/128", "2001:db8::/32", "2001:db8:xyz/64"},
|
||||
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("NodePortAddresses[2]"), "2001:db8:xyz/64", "must be a valid CIDR")},
|
||||
},
|
||||
"invalid primary/CIDR mix 1": {
|
||||
addresses: []string{"primary", "127.0.0.1/32"},
|
||||
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("NodePortAddresses[0]"), "primary", "can't use both 'primary' and CIDRs")},
|
||||
},
|
||||
"invalid primary/CIDR mix 2": {
|
||||
addresses: []string{"127.0.0.1/32", "primary"},
|
||||
expectedErrs: field.ErrorList{field.Invalid(newPath.Child("NodePortAddresses[1]"), "primary", "can't use both 'primary' and CIDRs")},
|
||||
},
|
||||
}
|
||||
|
||||
for _, testCase := range testCases {
|
||||
|
||||
22
pkg/proxy/apis/config/zz_generated.deepcopy.go
generated
22
pkg/proxy/apis/config/zz_generated.deepcopy.go
generated
@@ -26,28 +26,6 @@ import (
|
||||
runtime "k8s.io/apimachinery/pkg/runtime"
|
||||
)
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in ConfigurationMap) DeepCopyInto(out *ConfigurationMap) {
|
||||
{
|
||||
in := &in
|
||||
*out = make(ConfigurationMap, len(*in))
|
||||
for key, val := range *in {
|
||||
(*out)[key] = val
|
||||
}
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationMap.
|
||||
func (in ConfigurationMap) DeepCopy() ConfigurationMap {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(ConfigurationMap)
|
||||
in.DeepCopyInto(out)
|
||||
return *out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *DetectLocalConfiguration) DeepCopyInto(out *DetectLocalConfiguration) {
|
||||
*out = *in
|
||||
|
||||
@@ -150,7 +150,7 @@ func (fake fakeProxierHealthChecker) IsHealthy() bool {
|
||||
func TestServer(t *testing.T) {
|
||||
listener := newFakeListener()
|
||||
httpFactory := newFakeHTTPServerFactory()
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{}, nil)
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{})
|
||||
proxyChecker := &fakeProxierHealthChecker{true}
|
||||
|
||||
hcsi := newServiceHealthServer("hostname", nil, listener, httpFactory, nodePortAddresses, proxyChecker)
|
||||
@@ -664,7 +664,7 @@ func TestServerWithSelectiveListeningAddress(t *testing.T) {
|
||||
|
||||
// limiting addresses to loop back. We don't want any cleverness here around getting IP for
|
||||
// machine nor testing ipv6 || ipv4. using loop back guarantees the test will work on any machine
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"127.0.0.0/8"}, nil)
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"127.0.0.0/8"})
|
||||
|
||||
hcsi := newServiceHealthServer("hostname", nil, listener, httpFactory, nodePortAddresses, proxyChecker)
|
||||
hcs := hcsi.(*server)
|
||||
|
||||
@@ -232,7 +232,7 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
nodePortAddressStrings []string,
|
||||
initOnly bool,
|
||||
) (*Proxier, error) {
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings, nil)
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
|
||||
|
||||
if !nodePortAddresses.ContainsIPv4Loopback() {
|
||||
localhostNodePorts = false
|
||||
|
||||
@@ -133,7 +133,7 @@ func NewFakeProxier(ipt utiliptables.Interface) *Proxier {
|
||||
natRules: proxyutil.NewLineBuffer(),
|
||||
nodeIP: netutils.ParseIPSloppy(testNodeIP),
|
||||
localhostNodePorts: true,
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipfamily, nil, nil),
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipfamily, nil),
|
||||
networkInterfacer: networkInterfacer,
|
||||
}
|
||||
p.setInitialized(true)
|
||||
@@ -2342,7 +2342,7 @@ func TestNodePorts(t *testing.T) {
|
||||
fp := NewFakeProxier(ipt)
|
||||
fp.localhostNodePorts = tc.localhostNodePorts
|
||||
if tc.nodePortAddresses != nil {
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses)
|
||||
}
|
||||
|
||||
makeServiceMap(fp,
|
||||
@@ -2490,7 +2490,7 @@ func TestNodePorts(t *testing.T) {
|
||||
func TestHealthCheckNodePort(t *testing.T) {
|
||||
ipt := iptablestest.NewFake()
|
||||
fp := NewFakeProxier(ipt)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"127.0.0.0/8"}, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"127.0.0.0/8"})
|
||||
|
||||
svcIP := "172.30.0.42"
|
||||
svcPort := 80
|
||||
|
||||
@@ -359,7 +359,7 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
scheduler = defaultScheduler
|
||||
}
|
||||
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings, nil)
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
|
||||
|
||||
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses, healthzServer)
|
||||
|
||||
|
||||
@@ -158,7 +158,7 @@ func NewFakeProxier(ipt utiliptables.Interface, ipvs utilipvs.Interface, ipset u
|
||||
filterRules: proxyutil.NewLineBuffer(),
|
||||
netlinkHandle: netlinkHandle,
|
||||
ipsetList: ipsetList,
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipFamily, nil, nil),
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipFamily, nil),
|
||||
networkInterfacer: proxyutiltest.NewFakeNetwork(),
|
||||
gracefuldeleteManager: NewGracefulTerminationManager(ipvs),
|
||||
ipFamily: ipFamily,
|
||||
@@ -945,7 +945,7 @@ func TestNodePortIPv4(t *testing.T) {
|
||||
ipvs := ipvstest.NewFake()
|
||||
ipset := ipsettest.NewFake(testIPSetVersion)
|
||||
fp := NewFakeProxier(ipt, ipvs, ipset, test.nodeIPs, nil, v1.IPv4Protocol)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, test.nodePortAddresses, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, test.nodePortAddresses)
|
||||
|
||||
makeServiceMap(fp, test.services...)
|
||||
populateEndpointSlices(fp, test.endpoints...)
|
||||
@@ -1287,7 +1287,7 @@ func TestNodePortIPv6(t *testing.T) {
|
||||
ipvs := ipvstest.NewFake()
|
||||
ipset := ipsettest.NewFake(testIPSetVersion)
|
||||
fp := NewFakeProxier(ipt, ipvs, ipset, test.nodeIPs, nil, v1.IPv6Protocol)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv6Protocol, test.nodePortAddresses, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv6Protocol, test.nodePortAddresses)
|
||||
|
||||
makeServiceMap(fp, test.services...)
|
||||
populateEndpointSlices(fp, test.endpoints...)
|
||||
@@ -2040,7 +2040,7 @@ func TestOnlyLocalNodePorts(t *testing.T) {
|
||||
addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}}
|
||||
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs)
|
||||
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"100.101.102.0/24"}, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"100.101.102.0/24"})
|
||||
|
||||
fp.syncProxyRules()
|
||||
|
||||
@@ -2128,7 +2128,7 @@ func TestHealthCheckNodePort(t *testing.T) {
|
||||
addrs1 := []net.Addr{&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::"), Mask: net.CIDRMask(64, 128)}}
|
||||
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf, addrs)
|
||||
fp.networkInterfacer.(*proxyutiltest.FakeNetwork).AddInterfaceAddr(&itf1, addrs1)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"100.101.102.0/24"}, nil)
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(v1.IPv4Protocol, []string{"100.101.102.0/24"})
|
||||
|
||||
fp.syncProxyRules()
|
||||
|
||||
|
||||
@@ -211,8 +211,6 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
nodePortAddressStrings []string,
|
||||
initOnly bool,
|
||||
) (*Proxier, error) {
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings, nodeIP)
|
||||
|
||||
if initOnly {
|
||||
klog.InfoS("System initialized and --init-only specified")
|
||||
return nil, nil
|
||||
@@ -223,6 +221,8 @@ func NewProxier(ipFamily v1.IPFamily,
|
||||
masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
|
||||
klog.V(2).InfoS("Using nftables mark for masquerade", "ipFamily", ipFamily, "mark", masqueradeMark)
|
||||
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
|
||||
|
||||
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses, healthzServer)
|
||||
|
||||
var nftablesFamily knftables.Family
|
||||
|
||||
@@ -86,6 +86,7 @@ func NewFakeProxier(ipFamily v1.IPFamily) (*knftables.Fake, *Proxier) {
|
||||
serviceCIDRs = "fd00:10:96::/112"
|
||||
}
|
||||
detectLocal, _ := proxyutiliptables.NewDetectLocalByCIDR(podCIDR)
|
||||
nodePortAddresses := []string{fmt.Sprintf("%s/32", testNodeIP), fmt.Sprintf("%s/128", testNodeIPv6)}
|
||||
|
||||
networkInterfacer := proxyutiltest.NewFakeNetwork()
|
||||
itf := net.Interface{Index: 0, MTU: 0, Name: "lo", HardwareAddr: nil, Flags: 0}
|
||||
@@ -125,7 +126,7 @@ func NewFakeProxier(ipFamily v1.IPFamily) (*knftables.Fake, *Proxier) {
|
||||
hostname: testHostname,
|
||||
serviceHealthServer: healthcheck.NewFakeServiceHealthServer(),
|
||||
nodeIP: nodeIP,
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipFamily, nil, nodeIP),
|
||||
nodePortAddresses: proxyutil.NewNodePortAddresses(ipFamily, nodePortAddresses),
|
||||
networkInterfacer: networkInterfacer,
|
||||
staleChains: make(map[string]time.Time),
|
||||
serviceCIDRs: serviceCIDRs,
|
||||
@@ -951,7 +952,7 @@ func TestNodePorts(t *testing.T) {
|
||||
nodeIP = testNodeIPv6
|
||||
}
|
||||
if tc.nodePortAddresses != nil {
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses, netutils.ParseIPSloppy(nodeIP))
|
||||
fp.nodePortAddresses = proxyutil.NewNodePortAddresses(tc.family, tc.nodePortAddresses)
|
||||
}
|
||||
|
||||
makeServiceMap(fp,
|
||||
@@ -3985,6 +3986,7 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add rule ip kube-proxy services ip daddr @nodeport-ips meta l4proto . th dport vmap @service-nodeports
|
||||
add set ip kube-proxy cluster-ips { type ipv4_addr ; comment "Active ClusterIPs" ; }
|
||||
add set ip kube-proxy nodeport-ips { type ipv4_addr ; comment "IPs that accept NodePort traffic" ; }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add rule ip kube-proxy service-endpoints-check ip daddr . meta l4proto . th dport vmap @no-endpoint-services
|
||||
|
||||
add map ip kube-proxy firewall-ips { type ipv4_addr . inet_proto . inet_service : verdict ; comment "destinations that are subject to LoadBalancerSourceRanges" ; }
|
||||
@@ -4057,7 +4059,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
expected := baseRules + dedent.Dedent(`
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.42 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.42 . tcp . 8080 : goto service-MHHHYRWA-ns2/svc2/tcp/p8080 }
|
||||
|
||||
@@ -4110,7 +4111,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.42 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.42 . tcp . 8080 : goto service-MHHHYRWA-ns2/svc2/tcp/p8080 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
@@ -4144,7 +4144,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
expected = baseRules + dedent.Dedent(`
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
|
||||
@@ -4173,7 +4172,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
expected = baseRules + dedent.Dedent(`
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
|
||||
@@ -4210,7 +4208,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
|
||||
@@ -4250,7 +4247,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.44 . tcp . 80 : goto service-LAUZTJTB-ns4/svc4/tcp/p80 }
|
||||
@@ -4289,7 +4285,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.44 . tcp . 80 : goto service-LAUZTJTB-ns4/svc4/tcp/p80 }
|
||||
@@ -4331,7 +4326,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.44 . tcp . 80 : goto service-LAUZTJTB-ns4/svc4/tcp/p80 }
|
||||
@@ -4371,7 +4365,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy no-endpoint-services { 172.30.0.43 . tcp . 80 comment "ns3/svc3:p80" : goto reject-chain }
|
||||
add element ip kube-proxy service-ips { 172.30.0.44 . tcp . 80 : goto service-LAUZTJTB-ns4/svc4/tcp/p80 }
|
||||
@@ -4407,7 +4400,6 @@ func TestSyncProxyRulesRepeated(t *testing.T) {
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.41 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.43 }
|
||||
add element ip kube-proxy cluster-ips { 172.30.0.44 }
|
||||
add element ip kube-proxy nodeport-ips { 192.168.0.2 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.41 . tcp . 80 : goto service-ULMVA6XW-ns1/svc1/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.43 . tcp . 80 : goto service-4AT6LBPK-ns3/svc3/tcp/p80 }
|
||||
add element ip kube-proxy service-ips { 172.30.0.44 . tcp . 80 : goto service-LAUZTJTB-ns4/svc4/tcp/p80 }
|
||||
|
||||
@@ -20,7 +20,7 @@ import (
|
||||
"fmt"
|
||||
"net"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
"k8s.io/api/core/v1"
|
||||
netutils "k8s.io/utils/net"
|
||||
)
|
||||
|
||||
@@ -37,12 +37,11 @@ type NodePortAddresses struct {
|
||||
var ipv4LoopbackStart = net.IPv4(127, 0, 0, 0)
|
||||
|
||||
// NewNodePortAddresses takes an IP family and the `--nodeport-addresses` value (which is
|
||||
// assumed to contain only valid CIDRs, potentially of both IP families) and the primary IP
|
||||
// (which will be used as node port address when `--nodeport-addresses` is empty).
|
||||
// It will return a NodePortAddresses object for the given family. If there are no CIDRs of
|
||||
// the given family then the CIDR "0.0.0.0/0" or "::/0" will be added (even if there are
|
||||
// CIDRs of the other family).
|
||||
func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string, primaryIP net.IP) *NodePortAddresses {
|
||||
// assumed to contain only valid CIDRs, potentially of both IP families) and returns a
|
||||
// NodePortAddresses object for the given family. If there are no CIDRs of the given
|
||||
// family then the CIDR "0.0.0.0/0" or "::/0" will be added (even if there are CIDRs of
|
||||
// the other family).
|
||||
func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string) *NodePortAddresses {
|
||||
npa := &NodePortAddresses{}
|
||||
|
||||
// Filter CIDRs to correct family
|
||||
@@ -52,24 +51,17 @@ func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string, primaryIP ne
|
||||
}
|
||||
}
|
||||
if len(npa.cidrStrings) == 0 {
|
||||
if primaryIP == nil {
|
||||
if family == v1.IPv4Protocol {
|
||||
npa.cidrStrings = []string{IPv4ZeroCIDR}
|
||||
} else {
|
||||
npa.cidrStrings = []string{IPv6ZeroCIDR}
|
||||
}
|
||||
if family == v1.IPv4Protocol {
|
||||
npa.cidrStrings = []string{IPv4ZeroCIDR}
|
||||
} else {
|
||||
if family == v1.IPv4Protocol {
|
||||
npa.cidrStrings = []string{fmt.Sprintf("%s/32", primaryIP.String())}
|
||||
} else {
|
||||
npa.cidrStrings = []string{fmt.Sprintf("%s/128", primaryIP.String())}
|
||||
}
|
||||
npa.cidrStrings = []string{IPv6ZeroCIDR}
|
||||
}
|
||||
}
|
||||
|
||||
// Now parse
|
||||
for _, str := range npa.cidrStrings {
|
||||
_, cidr, _ := netutils.ParseCIDRSloppy(str)
|
||||
|
||||
if netutils.IsIPv4CIDR(cidr) {
|
||||
if cidr.IP.IsLoopback() || cidr.Contains(ipv4LoopbackStart) {
|
||||
npa.containsIPv4Loopback = true
|
||||
|
||||
@@ -21,7 +21,7 @@ import (
|
||||
"net"
|
||||
"testing"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
"k8s.io/api/core/v1"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
fake "k8s.io/kubernetes/pkg/proxy/util/testing"
|
||||
netutils "k8s.io/utils/net"
|
||||
@@ -60,8 +60,6 @@ func TestGetNodeIPs(t *testing.T) {
|
||||
cidrs []string
|
||||
itfAddrsPairs []InterfaceAddrsPair
|
||||
expected map[v1.IPFamily]expectation
|
||||
// nodeIP will take effect when `--nodeport-addresses` is empty
|
||||
nodeIP net.IP
|
||||
}{
|
||||
{
|
||||
name: "IPv4 single",
|
||||
@@ -371,53 +369,6 @@ func TestGetNodeIPs(t *testing.T) {
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
name: "ipv4 with nodeIP",
|
||||
itfAddrsPairs: []InterfaceAddrsPair{
|
||||
{
|
||||
itf: net.Interface{Index: 0, MTU: 0, Name: "eth0", HardwareAddr: nil, Flags: 0},
|
||||
addrs: []net.Addr{
|
||||
&net.IPNet{IP: netutils.ParseIPSloppy("1.2.3.4"), Mask: net.CIDRMask(30, 32)},
|
||||
},
|
||||
},
|
||||
{
|
||||
itf: net.Interface{Index: 1, MTU: 0, Name: "lo", HardwareAddr: nil, Flags: 0},
|
||||
addrs: []net.Addr{
|
||||
&net.IPNet{IP: netutils.ParseIPSloppy("127.0.0.1"), Mask: net.CIDRMask(8, 32)},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[v1.IPFamily]expectation{
|
||||
v1.IPv4Protocol: {
|
||||
ips: sets.New[string]("1.2.3.4"),
|
||||
},
|
||||
},
|
||||
nodeIP: netutils.ParseIPSloppy("1.2.3.4"),
|
||||
},
|
||||
{
|
||||
name: "ipv6 with nodeIP",
|
||||
itfAddrsPairs: []InterfaceAddrsPair{
|
||||
{
|
||||
itf: net.Interface{Index: 0, MTU: 0, Name: "eth0", HardwareAddr: nil, Flags: 0},
|
||||
addrs: []net.Addr{
|
||||
&net.IPNet{IP: netutils.ParseIPSloppy("2001:db8::1"), Mask: net.CIDRMask(64, 128)},
|
||||
},
|
||||
},
|
||||
{
|
||||
itf: net.Interface{Index: 1, MTU: 0, Name: "lo", HardwareAddr: nil, Flags: 0},
|
||||
addrs: []net.Addr{
|
||||
&net.IPNet{IP: netutils.ParseIPSloppy("::1"), Mask: net.CIDRMask(128, 128)},
|
||||
},
|
||||
},
|
||||
},
|
||||
expected: map[v1.IPFamily]expectation{
|
||||
v1.IPv6Protocol: {
|
||||
matchAll: true,
|
||||
ips: sets.New[string]("2001:db8::1", "::1"),
|
||||
},
|
||||
},
|
||||
nodeIP: netutils.ParseIPSloppy("1.2.3.4"),
|
||||
},
|
||||
}
|
||||
|
||||
for _, tc := range testCases {
|
||||
@@ -428,10 +379,7 @@ func TestGetNodeIPs(t *testing.T) {
|
||||
}
|
||||
|
||||
for _, family := range []v1.IPFamily{v1.IPv4Protocol, v1.IPv6Protocol} {
|
||||
if tc.nodeIP != nil && v1.IPFamily(fmt.Sprintf("IPv%s", netutils.IPFamilyOf(tc.nodeIP))) != family {
|
||||
continue
|
||||
}
|
||||
npa := NewNodePortAddresses(family, tc.cidrs, tc.nodeIP)
|
||||
npa := NewNodePortAddresses(family, tc.cidrs)
|
||||
|
||||
if npa.MatchAll() != tc.expected[family].matchAll {
|
||||
t.Errorf("unexpected MatchAll(%s), expected: %v", family, tc.expected[family].matchAll)
|
||||
@@ -503,12 +451,12 @@ func TestContainsIPv4Loopback(t *testing.T) {
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
npa := NewNodePortAddresses(v1.IPv4Protocol, tt.cidrStrings, nil)
|
||||
npa := NewNodePortAddresses(v1.IPv4Protocol, tt.cidrStrings)
|
||||
if got := npa.ContainsIPv4Loopback(); got != tt.want {
|
||||
t.Errorf("IPv4 ContainsIPv4Loopback() = %v, want %v", got, tt.want)
|
||||
}
|
||||
// ContainsIPv4Loopback should always be false for family=IPv6
|
||||
npa = NewNodePortAddresses(v1.IPv6Protocol, tt.cidrStrings, nil)
|
||||
npa = NewNodePortAddresses(v1.IPv6Protocol, tt.cidrStrings)
|
||||
if got := npa.ContainsIPv4Loopback(); got {
|
||||
t.Errorf("IPv6 ContainsIPv4Loopback() = %v, want %v", got, false)
|
||||
}
|
||||
|
||||
@@ -29,10 +29,11 @@ import (
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/tools/events"
|
||||
utilsysctl "k8s.io/component-helpers/node/util/sysctl"
|
||||
"k8s.io/klog/v2"
|
||||
helper "k8s.io/kubernetes/pkg/apis/core/v1/helper"
|
||||
"k8s.io/kubernetes/pkg/features"
|
||||
netutils "k8s.io/utils/net"
|
||||
|
||||
"k8s.io/klog/v2"
|
||||
)
|
||||
|
||||
const (
|
||||
|
||||
@@ -666,7 +666,7 @@ func NewProxier(
|
||||
}
|
||||
|
||||
// windows listens to all node addresses
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nil, nil)
|
||||
nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nil)
|
||||
serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses, healthzServer)
|
||||
|
||||
var healthzPort int
|
||||
|
||||
Reference in New Issue
Block a user