From e7ed7220eb5e0b33cde480fbbe5fcb14c22894e6 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Thu, 22 Dec 2022 14:38:38 -0500
Subject: [PATCH] Explicitly pass IP family to proxier
Rather than re-determining it from the iptables object in both proxies.
---
 cmd/kube-proxy/app/server_others.go | 4 ++++
 pkg/kubemark/hollow_proxy.go | 5 +++++
 pkg/proxy/iptables/proxier.go | 12 ++++--------
 pkg/proxy/ipvs/proxier.go | 12 ++++--------
 4 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/cmd/kube-proxy/app/server_others.go b/cmd/kube-proxy/app/server_others.go
index 2a83d7191da..d55f9b2cae3 100644
--- a/cmd/kube-proxy/app/server_others.go
+++ b/cmd/kube-proxy/app/server_others.go
@@ -145,8 +145,10 @@ func newProxyServer(
 klog.V(2).InfoS("DetectLocalMode", "LocalMode", string(detectLocalMode))
+ primaryFamily := v1.IPv4Protocol
 primaryProtocol := utiliptables.ProtocolIPv4
 if netutils.IsIPv6(nodeIP) {
+ primaryFamily = v1.IPv6Protocol
 primaryProtocol = utiliptables.ProtocolIPv6
 }
 execer := exec.New()
@@ -216,6 +218,7 @@ func newProxyServer(
 // TODO this has side effects that should only happen when Run() is invoked.
 proxier, err = iptables.NewProxier(
+ primaryFamily,
 iptInterface,
 utilsysctl.New(),
 execer,
@@ -290,6 +293,7 @@ func newProxyServer(
 }
 proxier, err = ipvs.NewProxier(
+ primaryFamily,
 iptInterface,
 ipvsInterface,
 ipsetInterface,
diff --git a/pkg/kubemark/hollow_proxy.go b/pkg/kubemark/hollow_proxy.go
index bbd4bd04d5d..87780614002 100644
--- a/pkg/kubemark/hollow_proxy.go
+++ b/pkg/kubemark/hollow_proxy.go
@@ -85,9 +85,14 @@ func NewHollowProxyOrDie(
 klog.InfoS("can't determine this node's IP, assuming 127.0.0.1")
 nodeIP = netutils.ParseIPSloppy("127.0.0.1")
 }
+ family := v1.IPv4Protocol
+ if iptInterface.IsIPv6() {
+ family = v1.IPv6Protocol
+ }
 // Real proxier with fake iptables, sysctl, etc underneath it.
 //var err error
 proxier, err = iptables.NewProxier(
+ family,
 iptInterface,
 sysctl,
 execer,
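Review bot: In the first newProxyServer hunk `primaryFamily` and `primaryProtocol` encode the same decision twice, and only their adjacency inside the `if netutils.IsIPv6(nodeIP)` branch keeps them in step. Since the family is now handed to the proxier separately from `iptInterface`, a comment above the pair would help the next editor, e.g. `// primaryFamily and primaryProtocol must always name the same IP family.` newProxyServer starts and ends outside the hunk.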
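Review bot: In the NewHollowProxyOrDie hunk the family is taken from `iptInterface.IsIPv6()`, while the fallback just above it sets `nodeIP` to the IPv4 loopback `127.0.0.1`, so an IPv6 fake iptables handle would give the proxier an IPv6 family together with an IPv4 node IP. The newProxyServer hunk derives the family from `nodeIP` instead. Doing the same here, `if netutils.IsIPv6(nodeIP) { family = v1.IPv6Protocol }`, or adding a comment that says why the iptables handle is authoritative in kubemark, would keep the two callers consistent. The function starts and ends outside the hunk.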
diff --git a/pkg/proxy/iptables/proxier.go b/pkg/proxy/iptables/proxier.go
index 87cad7c8669..85d958bec1b 100644
--- a/pkg/proxy/iptables/proxier.go
+++ b/pkg/proxy/iptables/proxier.go
@@ -221,7 +221,8 @@ var _ proxy.Provider = &Proxier{}
 // An error will be returned if iptables fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables up to date in the background and
 // will not terminate if a particular iptables call fails.
-func NewProxier(ipt utiliptables.Interface,
+func NewProxier(ipFamily v1.IPFamily,
+ ipt utiliptables.Interface,
 sysctl utilsysctl.Interface,
 exec utilexec.Interface,
 syncPeriod time.Duration,
@@ -259,11 +260,6 @@ func NewProxier(ipt utiliptables.Interface,
 serviceHealthServer := healthcheck.NewServiceHealthServer(hostname, recorder, nodePortAddresses)
- ipFamily := v1.IPv4Protocol
- if ipt.IsIPv6() {
- ipFamily = v1.IPv6Protocol
- }
-
 ipFamilyMap := utilproxy.MapCIDRsByIPFamily(nodePortAddresses)
 nodePortAddresses = ipFamilyMap[ipFamily]
 // Log the IPs not matching the ipFamily
@@ -337,14 +333,14 @@ func NewDualStackProxier(
 ) (proxy.Provider, error) {
 // Create an ipv4 instance of the single-stack proxier
 ipFamilyMap := utilproxy.MapCIDRsByIPFamily(nodePortAddresses)
- ipv4Proxier, err := NewProxier(ipt[0], sysctl,
+ ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
 exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname, nodeIP[0], recorder, healthzServer, ipFamilyMap[v1.IPv4Protocol])
 if err != nil {
 return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 }
- ipv6Proxier, err := NewProxier(ipt[1], sysctl,
+ ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
 exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname, nodeIP[1], recorder, healthzServer, ipFamilyMap[v1.IPv6Protocol])
 if err != nil {
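Review bot: After this change NewProxier takes `ipFamily` on trust: the second hunk drops the `ipt.IsIPv6()` derivation, and nothing in the visible lines checks that the family matches the `ipt` handle passed next to it. A mismatched pair would filter `nodePortAddresses` for one family while programming rules through the other family's iptables interface, and NewDualStackProxier now depends on the unchecked convention that `ipt[0]` is IPv4 and `ipt[1]` is IPv6. A guard at the top of the function would turn that into an explicit error, for example `if ipt.IsIPv6() != (ipFamily == v1.IPv6Protocol) { return nil, fmt.Errorf("ipFamily %v does not match the iptables interface", ipFamily) }`; if `IsIPv6()` is meant to go away, the doc comment above the signature should at least state the requirement. The same point applies to the NewProxier and NewDualStackProxier hunks in pkg/proxy/ipvs/proxier.go. The function bodies continue outside these hunks.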
diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index fbe0e7876d4..5f1bcfb1ef8 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -354,7 +354,8 @@ var _ proxy.Provider = &Proxier{}
 // An error will be returned if it fails to update or acquire the initial lock.
 // Once a proxier is created, it will keep iptables and ipvs rules up to date in the background and
 // will not terminate if a particular iptables or ipvs call fails.
-func NewProxier(ipt utiliptables.Interface,
+func NewProxier(ipFamily v1.IPFamily,
+ ipt utiliptables.Interface,
 ipvs utilipvs.Interface,
 ipset utilipset.Interface,
 sysctl utilsysctl.Interface,
@@ -449,11 +450,6 @@ func NewProxier(ipt utiliptables.Interface,
 masqueradeValue := 1 << uint(masqueradeBit)
 masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
- ipFamily := v1.IPv4Protocol
- if ipt.IsIPv6() {
- ipFamily = v1.IPv6Protocol
- }
-
 klog.V(2).InfoS("Record nodeIP and family", "nodeIP", nodeIP, "family", ipFamily)
 if len(scheduler) == 0 {
@@ -551,7 +547,7 @@ func NewDualStackProxier(
 ipFamilyMap := utilproxy.MapCIDRsByIPFamily(nodePortAddresses)
 // Create an ipv4 instance of the single-stack proxier
- ipv4Proxier, err := NewProxier(ipt[0], ipvs, safeIpset, sysctl,
+ ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], ipvs, safeIpset, sysctl,
 exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP, tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit, localDetectors[0], hostname, nodeIP[0],
@@ -560,7 +556,7 @@ func NewDualStackProxier(
 return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 }
- ipv6Proxier, err := NewProxier(ipt[1], ipvs, safeIpset, sysctl,
+ ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], ipvs, safeIpset, sysctl,
 exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP, tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit, localDetectors[1], hostname, nodeIP[1],