Kube-proxy: REJECT LB IPs with no endpoints
We REJECT every other case. Close this FIXME. To get this to work in all cases, we have to process service in filter.INPUT, since LB IPS might be manged as local addresses.
This commit is contained in:
Tim Hockin
@@ -738,6 +738,28 @@ func (j *ServiceTestJig) RunOrFail(namespace string, tweak func(rc *v1.Replicati
|
||||
return result
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) Scale(namespace string, replicas int) {
|
||||
rc := j.Name
|
||||
scale, err := j.Client.CoreV1().ReplicationControllers(namespace).GetScale(rc, metav1.GetOptions{})
|
||||
if err != nil {
|
||||
Failf("Failed to get scale for RC %q: %v", rc, err)
|
||||
}
|
||||
|
||||
scale.Spec.Replicas = int32(replicas)
|
||||
_, err = j.Client.CoreV1().ReplicationControllers(namespace).UpdateScale(rc, scale)
|
||||
if err != nil {
|
||||
Failf("Failed to scale RC %q: %v", rc, err)
|
||||
}
|
||||
pods, err := j.waitForPodsCreated(namespace, replicas)
|
||||
if err != nil {
|
||||
Failf("Failed waiting for pods: %v", err)
|
||||
}
|
||||
if err := j.waitForPodsReady(namespace, pods); err != nil {
|
||||
Failf("Failed waiting for pods to be running: %v", err)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) waitForPdbReady(namespace string) error {
|
||||
timeout := 2 * time.Minute
|
||||
for start := time.Now(); time.Since(start) < timeout; time.Sleep(2 * time.Second) {
|
||||
@@ -911,6 +933,20 @@ func (j *ServiceTestJig) TestNotReachableHTTP(host string, port int, timeout tim
|
||||
}
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) TestRejectedHTTP(host string, port int, timeout time.Duration) {
|
||||
pollfn := func() (bool, error) {
|
||||
result := PokeHTTP(host, port, "/", nil)
|
||||
if result.Status == HTTPRefused {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil // caller can retry
|
||||
}
|
||||
|
||||
if err := wait.PollImmediate(Poll, timeout, pollfn); err != nil {
|
||||
Failf("HTTP service %v:%v not rejected: %v", host, port, err)
|
||||
}
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) TestReachableUDP(host string, port int, timeout time.Duration) {
|
||||
pollfn := func() (bool, error) {
|
||||
result := PokeUDP(host, port, "echo hello", &UDPPokeParams{
|
||||
@@ -941,6 +977,19 @@ func (j *ServiceTestJig) TestNotReachableUDP(host string, port int, timeout time
|
||||
}
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) TestRejectedUDP(host string, port int, timeout time.Duration) {
|
||||
pollfn := func() (bool, error) {
|
||||
result := PokeUDP(host, port, "echo hello", &UDPPokeParams{Timeout: 3 * time.Second})
|
||||
if result.Status == UDPRefused {
|
||||
return true, nil
|
||||
}
|
||||
return false, nil // caller can retry
|
||||
}
|
||||
if err := wait.PollImmediate(Poll, timeout, pollfn); err != nil {
|
||||
Failf("UDP service %v:%v not rejected: %v", host, port, err)
|
||||
}
|
||||
}
|
||||
|
||||
func (j *ServiceTestJig) GetHTTPContent(host string, port int, timeout time.Duration, url string) bytes.Buffer {
|
||||
var body bytes.Buffer
|
||||
if pollErr := wait.PollImmediate(Poll, timeout, func() (bool, error) {
|
||||
|
||||
@@ -791,11 +791,47 @@ var _ = SIGDescribe("Services", func() {
|
||||
jig.TestReachableUDP(nodeIP, udpNodePort, framework.KubeProxyLagTimeout)
|
||||
|
||||
By("hitting the TCP service's LoadBalancer")
|
||||
jig.TestReachableHTTP(tcpIngressIP, svcPort, loadBalancerCreateTimeout) // this may actually recreate the LB
|
||||
jig.TestReachableHTTP(tcpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
|
||||
if loadBalancerSupportsUDP {
|
||||
By("hitting the UDP service's LoadBalancer")
|
||||
jig.TestReachableUDP(udpIngressIP, svcPort, loadBalancerCreateTimeout) // this may actually recreate the LB)
|
||||
jig.TestReachableUDP(udpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
}
|
||||
|
||||
By("Scaling the pods to 0")
|
||||
jig.Scale(ns1, 0)
|
||||
jig.Scale(ns2, 0)
|
||||
|
||||
By("looking for ICMP REJECT on the TCP service's NodePort")
|
||||
jig.TestRejectedHTTP(nodeIP, tcpNodePort, framework.KubeProxyLagTimeout)
|
||||
|
||||
By("looking for ICMP REJECT on the UDP service's NodePort")
|
||||
jig.TestRejectedUDP(nodeIP, udpNodePort, framework.KubeProxyLagTimeout)
|
||||
|
||||
By("looking for ICMP REJECT on the TCP service's LoadBalancer")
|
||||
jig.TestRejectedHTTP(tcpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
|
||||
if loadBalancerSupportsUDP {
|
||||
By("looking for ICMP REJECT on the UDP service's LoadBalancer")
|
||||
jig.TestRejectedUDP(udpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
}
|
||||
|
||||
By("Scaling the pods to 1")
|
||||
jig.Scale(ns1, 1)
|
||||
jig.Scale(ns2, 1)
|
||||
|
||||
By("hitting the TCP service's NodePort")
|
||||
jig.TestReachableHTTP(nodeIP, tcpNodePort, framework.KubeProxyLagTimeout)
|
||||
|
||||
By("hitting the UDP service's NodePort")
|
||||
jig.TestReachableUDP(nodeIP, udpNodePort, framework.KubeProxyLagTimeout)
|
||||
|
||||
By("hitting the TCP service's LoadBalancer")
|
||||
jig.TestReachableHTTP(tcpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
|
||||
if loadBalancerSupportsUDP {
|
||||
By("hitting the UDP service's LoadBalancer")
|
||||
jig.TestReachableUDP(udpIngressIP, svcPort, loadBalancerCreateTimeout)
|
||||
}
|
||||
|
||||
// Change the services back to ClusterIP.
|
||||
|
||||
Reference in New Issue
Block a user