github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Prevent host access on VIP addresses in proxy-mode=ipvs

Browse Source
This commit is contained in:
Lars Ekman
2022-03-27 17:24:41 +02:00
parent 07dfdf0859
commit c1e5a9e6f0
5 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
pkg/proxy/ipvs/ipset.go
View File

@@ -78,6 +78,9 @@ const (
kubeHealthCheckNodePortSetComment = "Kubernetes health check node port"
kubeHealthCheckNodePortSet = "KUBE-HEALTH-CHECK-NODE-PORT"
kubeIPVSSetComment = "Addresses on the ipvs interface"
kubeIPVSSet = "KUBE-IPVS-IPS"
)
// IPSetVersioner can query the current ipset version.

27
pkg/proxy/ipvs/proxier.go
View File

@@ -84,6 +84,10 @@ const (
// kubeLoadBalancerChain is the kubernetes chain for loadbalancer type service
kubeLoadBalancerChain utiliptables.Chain = "KUBE-LOAD-BALANCER"
// kubeIPVSFilterChain filters external access to main netns
// https://github.com/kubernetes/kubernetes/issues/72236
kubeIPVSFilterChain utiliptables.Chain = "KUBE-IPVS-FILTER"
// defaultScheduler is the default ipvs scheduler algorithm - round robin.
defaultScheduler = "rr"
@@ -112,6 +116,7 @@ var iptablesJumpChain = []struct {
{utiliptables.TableFilter, utiliptables.ChainInput, kubeNodePortChain, "kubernetes health check rules"},
{utiliptables.TableFilter, utiliptables.ChainInput, kubeProxyFirewallChain, "kube-proxy firewall rules"},
{utiliptables.TableFilter, utiliptables.ChainForward, kubeProxyFirewallChain, "kube-proxy firewall rules"},
{utiliptables.TableFilter, utiliptables.ChainInput, kubeIPVSFilterChain, "kubernetes ipvs access filter"},
}
var iptablesChains = []struct {
@@ -127,6 +132,7 @@ var iptablesChains = []struct {
{utiliptables.TableFilter, kubeNodePortChain},
{utiliptables.TableFilter, kubeProxyFirewallChain},
{utiliptables.TableFilter, kubeSourceRangesFirewallChain},
{utiliptables.TableFilter, kubeIPVSFilterChain},
}
var iptablesCleanupChains = []struct {
@@ -141,6 +147,7 @@ var iptablesCleanupChains = []struct {
{utiliptables.TableFilter, kubeNodePortChain},
{utiliptables.TableFilter, kubeProxyFirewallChain},
{utiliptables.TableFilter, kubeSourceRangesFirewallChain},
{utiliptables.TableFilter, kubeIPVSFilterChain},
}
// ipsetInfo is all ipset we needed in ipvs proxier
@@ -165,6 +172,7 @@ var ipsetInfo = []struct {
{kubeNodePortSetSCTP, utilipset.HashIPPort, kubeNodePortSetSCTPComment},
{kubeNodePortLocalSetSCTP, utilipset.HashIPPort, kubeNodePortLocalSetSCTPComment},
{kubeHealthCheckNodePortSet, utilipset.BitmapPort, kubeHealthCheckNodePortSetComment},
{kubeIPVSSet, utilipset.HashIP, kubeIPVSSetComment},
}
// ipsetWithIptablesChain is the ipsets list with iptables source chain and the chain jump to
@@ -1536,6 +1544,9 @@ func (proxier *Proxier) syncProxyRules() {
}
}
// Set the KUBE-IPVS-IPS set to the "activeBindAddrs"
proxier.ipsetList[kubeIPVSSet].activeEntries = sets.StringKeySet(activeBindAddrs)
// sync ipset entries
for _, set := range proxier.ipsetList {
set.syncIPSetEntries()
@@ -1779,6 +1790,22 @@ func (proxier *Proxier) writeIptablesRules() {
"-j", "ACCEPT",
)
// Add rules to the filter/KUBE-IPVS-FILTER chain to prevent access to ports on the host through VIP addresses.
// https://github.com/kubernetes/kubernetes/issues/72236
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeLoadBalancerSet].Name, "dst,dst", "-j", "ACCEPT")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeClusterIPSet].Name, "dst,dst", "-j", "ACCEPT")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "set", "--match-set", proxier.ipsetList[kubeExternalIPSet].Name, "dst,dst", "-j", "ACCEPT")
proxier.filterRules.Write(
"-A", string(kubeIPVSFilterChain),
"-m", "conntrack", "--ctstate", "NEW",
"-m", "set", "--match-set", proxier.ipsetList[kubeIPVSSet].Name, "dst", "-j", "REJECT")
// Install the kubernetes-specific postrouting rules. We use a whole chain for
// this so that it is easier to flush and change, for example if the mark
// value should ever change.

1
pkg/proxy/ipvs/proxier_test.go
View File

@@ -4681,6 +4681,7 @@ func TestCreateAndLinkKubeChain(t *testing.T) {
:KUBE-NODE-PORT - [0:0]
:KUBE-PROXY-FIREWALL - [0:0]
:KUBE-SOURCE-RANGES-FIREWALL - [0:0]
:KUBE-IPVS-FILTER - [0:0]
`
assert.Equal(t, expectedNATChains, string(fp.natChains.Bytes()))
assert.Equal(t, expectedFilterChains, string(fp.filterChains.Bytes()))