Commit Graph

2122 Commits

Author SHA1 Message Date
Kubernetes Prow Robot
bf07ef3950 Merge pull request #124383 from danwinship/nftables-proxy-to-beta
KEP-3866 kube-proxy nftables to beta
2024-04-18 17:42:20 -07:00
Dan Winship
fdf22533a8 KEP-3866 kube-proxy nftables mode to beta 2024-04-18 13:20:23 -04:00
Kubernetes Prow Robot
b2c32fb015 Merge pull request #123105 from danwinship/nodeport-addresses-primary
Add `--nodeport-addresses primary`, warn on empty `--nodeport-addresses`
2024-04-18 08:49:21 -07:00
Dan Winship
3ecd933276 fix/simplify an nftables unit test
The nodeport-ips value is part of the baseline, which wouldn't change
no matter what Services or EndpointSlices we added/removed.
2024-04-18 09:25:06 -04:00
Dan Winship
19b3a9e194 (Mostly) Revert "change --nodeport-addresses behavior to default to primary node ip only"
This reverts commit 8bccf4873b, except
for the nftables unit test changes, since we still want the "new"
results (not to mention the bugfixes), just for a different reason
now.
2024-04-18 09:25:06 -04:00
Dan Winship
0b599aa8e3 Add --nodeport-addresses primary
The behavior when you specify no --nodeport-addresses value in a
dual-stack cluster is terrible and we can't fix it, for
backward-compatibility reasons. Actually, the behavior when you
specify no --nodeport-addresses value in a single-stack cluster isn't
exactly awesome either...

Allow specifying `--nodeport-addresses primary` to get the
previously-nftables-backend-specific behavior of listening on only the
node's primary IP or IPs.
2024-04-18 09:25:06 -04:00
Dan Winship
8de0fc09aa Remove an unused type from kube-proxy config, move around some helpers 2024-04-13 11:12:28 -04:00
Nadia Pinaeva
56d1011aa5 kube-proxy: ensure nftables unit test parity with iptables.
Add packet tracing unit tests for ipv4 and ipv6.
Remove unreachable code from runChain, since some of the parsed rules
are never generated by the proxy implementation.

Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
2024-04-02 11:57:47 +02:00
Nadia Pinaeva
1c7b366182 kube-proxy: rename iptables unit test to match tested function name.
Signed-off-by: Nadia Pinaeva <n.m.pinaeva@gmail.com>
2024-04-02 11:57:47 +02:00
Gaurav Ghildiyal
51f86b9124 Change kube-proxy behaviour to consider hints when ServiceTrafficDistribution feature gate is enabled 2024-03-03 22:46:03 -08:00
Kubernetes Prow Robot
98bd90fbe2 Merge pull request #114672 from pohly/log-text-split-streams
log: split streams also for text output
2024-02-26 01:44:58 -08:00
Antonin Bas
5fb002147b Remove unused Resolver interface in pkg/proxy/util
Signed-off-by: Antonin Bas <antonin.bas@broadcom.com>
2024-02-20 11:32:59 -08:00
Ayodele Abejide
71479b5577 [kube-proxy] add log verbosity to endpoint topology hint loop.
We enabled topology hint on one of our services and this log line was
emitted ~92 million times in one day from one cluster tripping our log
quota for that cluster, as it is the log line cannot be disabled via the
`-v` flag because it does not specify verbosity.

I think more log locations need to set verbosity at which they are
logged, but this one is currently hurting the most.
2024-02-15 18:26:19 +00:00
Quan Tian
42672ee2ea Make comment about reject action more accurate
Signed-off-by: Quan Tian <qtian@vmware.com>
2024-02-07 23:57:47 +08:00
Quan Tian
c7e48f1ebf kube-proxy: flush nftables base chains on startup
Do an extra "add+delete" once to ensure all previous base chains in the
table will be recreated. Otherwise, altering properties (e.g. priority)
of these chains would fail the transaction.

Signed-off-by: Quan Tian <qtian@vmware.com>
2024-02-07 23:57:40 +08:00
Kubernetes Prow Robot
27ad20db35 Merge pull request #123005 from danwinship/minor-proxy-cleanup
Minor proxy cleanup
2024-01-28 08:44:38 -08:00
Dan Winship
da05076868 Reorganize a bit of winkernel proxier setup
Rather than doing winkernel-specific parsing of generic config data in
cmd/kube-proxy, do it in pkg/proxy/winkernel.
2024-01-28 09:30:51 -05:00
Dan Winship
33bd5fb3c4 Remove unused param to winkernel proxier
The winkernel code was originally based on the iptables code but never
made use of some parts of it. (e.g., it logs a warning if you didn't
set `--cluster-cidr`, even though it doesn't actually use
`--cluster-cidr` if you do set it.)
2024-01-28 09:30:51 -05:00
Kubernetes Prow Robot
c4feb19195 Merge pull request #122878 from liggitt/typecheck-kube-proxy-darwin
Re-allow building kube-proxy on all platforms
2024-01-26 16:32:12 +01:00
Kubernetes Prow Robot
053acbed90 Merge pull request #122724 from nayihz/feat_nft_nodeport_addr
change --nodeport-addresses behavior to default to primary node ip only
2024-01-26 16:32:03 +01:00
Kubernetes Prow Robot
e023511deb Merge pull request #122920 from danwinship/knftables-migration
Update knftables, with new sigs.k8s.io module name
2024-01-26 07:14:16 +01:00
Jordan Liggitt
6a60a1ddad Mark conntrack/fake as linux-only, add non-OS doc.go 2024-01-25 23:15:49 -05:00
Dan Winship
ebba2d4472 Move some code in the proxiers
For no real reason, the core Proxier definitions weren't at the start
of the files.

(This just moves code around. It doesn't change anything.)
2024-01-25 18:41:58 -05:00
nayihz
8bccf4873b change --nodeport-addresses behavior to default to primary node ip only 2024-01-25 13:42:30 +08:00
Kubernetes Prow Robot
55f9657e07 Merge pull request #122692 from aroradaman/reject-packets-to-invalid-port
proxy/nftables: reject packets destined for invalid ports of service ips
2024-01-24 23:17:34 +01:00
Dan Winship
09abfa46be Update knftables, with new sigs.k8s.io module name 2024-01-23 08:09:05 -05:00
Daman Arora
25a40b1c7c pkg/proxy/nftables: handle traffic to node ports with no endpoints
NFTables proxy will no longer install drop and reject rules for node
port services with no endpoints in chains associated with forward and
output hooks.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 20:07:56 +05:30
Daman Arora
4b40299133 pkg/proxy/nftables: handle traffic to cluster ip
NFTables proxy will now drop traffic directed towards unallocated
ClusterIPs and reject traffic directed towards invalid ports of
Cluster IPs.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 19:58:37 +05:30
Daman Arora
01d7de5464 pkg/proxy/nftables: rename constant names for nftable objects
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 13:12:18 +05:30
Daman Arora
80ca91c90c pkg/proxy/nftables: refactor packet tracer address matching
Use bool instead of not-equal-operator as string in
tracer.addressMatches of helpers_test.go

Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 12:53:55 +05:30
Daman Arora
d23483dd7c pkg/proxy/config: rename import aliases
* coreinformers -> v1informers
* discovery -> discoveryv1
* discoveryinformers -> discoveryv1informers

Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 12:36:39 +05:30
Daman Arora
212c5dd216 pkg/proxy/config: use blank identifier instead of ignoring error
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-21 12:28:52 +05:30
Patrick Ohly
8f4c9c7605 k8s.io/component-base/logs: replace klog text implementation
This replaces the klog formatting and message routing with a simpler
implementation that uses less code. The main difference is that we skip the
entire unused message routing.

Instead, the same split output streams as for JSON gets implemented in the
io.Writer implementation that gets passed to the textlogger.
2024-01-17 13:50:03 +01:00
Dan Winship
fcb51554a1 Plumb the conntrack.Interface up to the proxiers
And use the fake interface in the unit tests, removing the dependency
on setting up FakeExec stuff when conntrack cleanup will be invoked.

Also, remove the isIPv6 argument to CleanStaleEntries, because it can
be inferred from the other args.
2024-01-15 13:09:05 -05:00
Dan Winship
cdf934d5bc Remove redundant iptables/nftables conntrack cleanup tests
The iptables and nftables proxy backends had 2 unit tests
(TestDeleteEndpointConnections and TestProxierDeleteNodePortStaleUDP)
that were effectively testing that:

  - If the proxy saw various Service/EndpointSlice events this would
    result in specific changes to the service/endpoints trackers, AND

  - If the service/endpoints trackers changed in those specific ways
    this would result in specific UpdateServiceMapResult and
    UpdateEndpointsMapResult values being generated, AND

  - If you passed those specific UpdateServiceMapResult and
    UpdateEndpointsMapResult values to conntrack.CleanStaleEntries it
    would make specific calls to the lower-level conntrack methods,
    AND

  - If you called the lower-level conntrack methods with those
    specific arguments, it would result in specific executions of the
    conntrack binary, mixed with a specific number of klog
    invocations.

This... is not a good unit test. We already test the change tracker
behavior in other unit tests, and we already tested the
Update{Service,Endpoints}MapResult behavior in the pkg/proxy unit
tests, and we already tested the conntrack exec behavior in
pkg/proxy/conntrack/conntrack_test.go, and we now test the
CleanStaleEntries behavior in pkg/proxy/conntrack/cleanup_test.go. So
there is no need to try to test the top-to-bottom behavior as a "unit
test".
2024-01-15 13:08:52 -05:00
Dan Winship
db12cbe2ae Add conntrack.Interface, test CleanStaleEntries
Add an interface between CleanStaleEntries and the lower-level
conntrack helpers (ClearEntriesForIP, etc), and a fake implementation
of that interface, so that we can explicitly test CleanStaleEntries's
logic.

Remove some comments from conntrack.go that were explaining the
functions' callers rather than explaining the functions themselves
(and which were redundant with other comments in the callers anyway).
2024-01-15 13:08:36 -05:00
Dan Winship
51063cb5c4 Clean up conntrack unit tests
Fix the test names to match the functions they are testing.

Abstract out the repetitive FakeExec handling.

Explicitly specify the "expectCommand" in each one, to make it clearer
that that's really the part that we're testing.

For everything except TestExec(), test each case with both a "success"
result and a "nothing to delete" result from the conntrack binary.
2024-01-15 13:07:08 -05:00
Kubernetes Prow Robot
12fc215656 Merge pull request #122663 from aroradaman/drop-ct-state-invalid-rule
pkg/proxy/nftables: drop conntrack state invalid rule
2024-01-13 19:01:16 +01:00
Dan Winship
5ca73197b3 Document the nftables kube-proxy packet flow 2024-01-11 12:59:21 -05:00
Daman Arora
4ffa12b9d9 pkg/proxy/nftables: drop ct-state-invalid rule
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2024-01-10 22:53:09 +05:30
Kubernetes Prow Robot
95a159299b Merge pull request #122614 from tnqn/nftables-firewall
kube-proxy: fix LoadBalancerSourceRanges not working for nftables mode
2024-01-09 22:27:16 +01:00
Quan Tian
f21f8d9984 kube-proxy: fix LoadBalancerSourceRanges not working for nftables mode
Previously, the firewall-check chain was run in input, forward, and
output hook but not prerouting hook. When the LoadBalancer traffic
arrived at input or forward hook, it had been DNATed to endpoint IP and
port, so the firewall-check chain didn't take effect, traffic from out
of LoadBalancerSourceRanges was not dropped.

It was not detected by unit test because the chains were sorted by
priority only, while hook should be taken into consideration.

The commit links the firewall-check chain to prerouting hook and unlinks
it from input and forward hook to ensure the traffic is filtered before
DNAT. The priorities of filter chains are updated from "DNATPriority-1"
to "DNATPriority-10" to allow third parties to insert something else
between them.

Signed-off-by: Quan Tian <qtian@vmware.com>
2024-01-09 17:34:16 +08:00
Lars Ekman
50b3ffc71f kube-proxy: LoadBalancerSourceRanges as *net.IPNet 2024-01-09 09:17:56 +01:00
Lars Ekman
9eac24c656 kube-proxy: store ExternalIPs as net.IP
They were stored as strings which could be non-canonical
and cause problems
2024-01-09 09:17:50 +01:00
Lars Ekman
d2294007b0 kube-proxy: store LoadBalancerVIPs as net.IP
They were stored as strings which could be non-canonical
and cause problems
2024-01-09 09:17:43 +01:00
Lars Ekman
564b80b1e1 kube-proxy: don't use invalid cidrs in unit test
CIDRs like 192.168.200.3/24 and fd00:20::1/64 replaced with
192.168.200.0/24 and fd00:20::/64
2024-01-09 09:17:31 +01:00
Kubernetes Prow Robot
2cf7465755 Merge pull request #122605 from tnqn/stale-chain-cleanup
kube-proxy: do not delete previously stale but currently active chains
2024-01-08 17:30:53 +01:00
Kubernetes Prow Robot
f538feed8c Merge pull request #122296 from tnqn/nftables-kernel-requirement
kube-proxy: change implementation of LoadBalancerSourceRanges for wider kernel support
2024-01-08 17:30:27 +01:00
Quan Tian
377f521038 kube-proxy: change implementation of LoadBalancerSourceRanges for wider kernel support
The nftables implementation made use of concatenation of ranges when
creating the set "firewall-allow", but the support was not available
before kernel 5.6. Therefore, nftables mode couldn't run on earlier
kernels, while 5.4 is still widely used.

An alternative of concatenation of ranges is to create a separate
firewall chain for every service port that needs firewalling, and jump
to the service's firewall chain from the common firewall chain via a
rule with vmap.

Renaming from "firewall" to "firewall-ips" is required when changing the
set to the map to support existing clusters to upgrade, otherwise it
would fail to create the map. Besides, "firewall-ips" corresponds to the
"service-ips" map, later we can add use "firewall-nodeports" if it's
determined that NodePort traffic should be subject to
LoadBalancerSourceRanges.

Signed-off-by: Quan Tian <qtian@vmware.com>
2024-01-08 19:26:38 +08:00
Quan Tian
ca8c27c480 kube-proxy: do not delete previously stale but currently active chains
In some cases a chain could change from stale to active, but once it's
added to staleChains it would always be deleted once. When the proxier
tries to delete a previously stale but currently active chain, it would
fail and lead to errors, though it won't cause real problem thanks to
kernel's validation.

The commit removes a chain from staleChains if it becomes active.

Signed-off-by: Quan Tian <qtian@vmware.com>
2024-01-08 17:53:52 +08:00