Commit Graph

2021 Commits

Author SHA1 Message Date
Dan Winship
fcc55280b0
Use k8s.io/utils/ptr in pkg/proxy (#121154)
* Use k8s.io/utils/ptr in pkg/proxy

* Replace pointer.String(), pointer.StringPtr(), and pointer.Bool() with ptr.To()

* Replace pointer.Int32(constexpr) with ptr.To[int32](constexpr)

* Replace pointer.Int32(int32(var)) with ptr.To(int32(var))

* Replace remaining pointer.Int32() cases with ptr.To

* Replace 'tcpProtocol := v1.ProtocolTCP; ... &tcpProtocol', etc with ptr.To(v1.ProtocolTCP)

* Replace 'nodeName = testHostname; ... &nodeName' with ptr.To(testHostname)

* Use ptr.To for SessionAffinityConfig.ClientIP.TimeoutSeconds

* Use ptr.To for InternalTrafficPolicy

* Use ptr.To for LoadBalancer.Ingress.IPMode
2023-10-26 20:56:39 +02:00
Kubernetes Prow Robot
5fbc278d94
Merge pull request #121097 from danwinship/BaseEndpointInfo-fixes
BaseEndpointInfo cleanup
2023-10-26 01:07:56 +02:00
Kubernetes Prow Robot
06a7febe00
Merge pull request #120864 from uablrek/kube-proxy-init
kube-proxy: Optionally do privileged configs only
2023-10-25 21:28:47 +02:00
Dan Winship
f91228ee71 Unexport BaseEndpointInfo fields, fix getter names
BaseEndpointInfo's fields, unlike BaseServicePortInfo's, were all
exported, which then required adding "Get" before some of the function
names in Endpoint so they wouldn't conflict.

Fix that, now that the iptables and ipvs unit tests don't need to be
able to construct BaseEndpointInfos by hand.
2023-10-25 09:00:46 -04:00
Dan Winship
e3357d0c5f Clean up Endpoint / BaseEndpointInfo a bit
Remove NodeName, which was unused because we only care about IsLocal
which was tracked separately.

Remove Zone, which was unused because it's from the old topology
system?

Fix up some comments which still referred to Endpoints vs
EndpointSlice differences.

Also remove an unhelpful helper function in endpoints_test.go
2023-10-25 08:59:53 -04:00
Dan Winship
2879ec10d5 Rewrite ipvs/iptables tests that manually construct BaseEndpointInfo
The tests in pkg/proxy already test that EndpointSlice ->
BaseEndpointInfo conversion works correctly; all we need to test in
pkg/proxy/ipvs and pkg/proxy/iptables is that the correct set of
endpoints get picked out where we expect them to, which doesn't
require us to compare the complete BaseEndpointInfo objects.
2023-10-25 08:59:53 -04:00
Kubernetes Prow Robot
d2383ce467
Merge pull request #121457 from SteveProXNA/stevepro-topology-endpoint-logging
Add endpoint to skip topology aware log when missing zone hint
2023-10-24 17:10:45 +02:00
Lars Ekman
4b59d2b05c kube-proxy: Optionally do privileged configs only
A new --init-only flag is added that makes kube-proxy perform
configuration that requires privileged mode and exit. It is
intended to be executed in a privileged initContainer, while
the main container may run with a stricter securityContext
2023-10-24 07:01:31 +02:00
Kubernetes Prow Robot
441d4b54ae
Merge pull request #120397 from ty-dc/StaticCheck
cleanup: omit comparison with bool constants
2023-10-24 05:25:52 +02:00
Kubernetes Prow Robot
b5ba899dfa
Merge pull request #118146 from aroradaman/fix/proxy-healthzserver
proxy healthz server for dualstack clusters
2023-10-16 21:19:25 +02:00
Daman Arora
bfda244e54 pkg/proxy: dual stack health checker
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-10-16 16:11:18 +05:30
Daman Arora
4ea6ec738c pkg/proxy: add an ipFamily field to the winkernel proxier
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-10-15 19:55:09 +05:30
Kubernetes Prow Robot
cf54acce5c
Merge pull request #120274 from danwinship/kube-proxy-config-docs
kube-proxy config/CLI doc fixups
2023-10-15 02:56:24 +02:00
Kubernetes Prow Robot
6bc2f2ec22
Merge pull request #118729 from danwinship/endpoint-naming
Fix endpoint-related names to use consistent singular/plural
2023-10-12 05:13:38 +02:00
Kubernetes Prow Robot
b47aa1c20e
Merge pull request #120808 from aroradaman/proxy-conntrack-udp-timeouts
Adding option to configure UDP timeouts for conntrack
2023-10-12 01:59:55 +02:00
Daman Arora
15ae6cc160 pkg/proxy: add flag to configure udp conntrack timeouts
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-10-12 03:08:21 +05:30
Kubernetes Prow Robot
86a0b1c57a
Merge pull request #119791 from aroradaman/fix/ipvs-source-ranges
Hardening LB SourceRanges filtering for IPVS proxier
2023-10-11 11:46:11 +02:00
Dan Winship
6c395eb098 Fix "Endpoint" vs "Endpoints" in proxy type names
The use of "Endpoint" vs "Endpoints" in these type names is tricky
because it doesn't always make sense to use the same singular/plural
convention as the corresponding service-related types, since often the
service-related type is referring to a single service while the
endpoint-related type is referring to multiple endpoint IPs.

The "endpointsInfo" types in the iptables and winkernel proxiers are
now "endpointInfo" because they describe a single endpoint IP (and
wrap proxy.BaseEndpointInfo).

"UpdateEndpointMapResult" is now "UpdateEndpointsMapResult", because
it is the result of EndpointsMap.Update (and it's clearly correct for
EndpointsMap to have plural "Endpoints" because it's a map to an array
of proxy.Endpoint objects.)

"EndpointChangeTracker" is now "EndpointsChangeTracker" because it
tracks changes to the full set of endpoints for a particular service
(and the new name matches the existing "endpointsChange" type and
"Proxier.endpointsChanges" fields.)
2023-10-09 17:21:12 -04:00
Daman Arora
62683c8d95 pkg/proxy/ipvs: hardening lb source ranges filtering
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-10-08 20:57:17 +05:30
Kubernetes Prow Robot
ed72ee264e
Merge pull request #120829 from danwinship/proxy-rule-testing-cleanup
iptables proxy test cleanups, moving away from assertIPTablesRulesEqual
2023-10-01 09:50:56 -07:00
Dan Winship
6c9ddf300c update generated 2023-09-30 10:19:10 -04:00
Dan Winship
9242cb1934 Rearrange kube-proxy config fields / CLI flags to make more sense. 2023-09-30 10:19:07 -04:00
Dan Winship
44cb330aa0 Improve kube-proxy config / CLI documentation 2023-09-30 10:18:16 -04:00
Dan Winship
2b973806bc Remove remaining unnecessary assertIPTablesRulesEqual checks
TestLoadBalancer and TestHealthCheckNodePort still had iptables rules
checks, but they also have sufficient runPacketFlowTests checks to
cover everything we care about.

(This leaves only TestOverallIPTablesRules and
TestSyncProxyRulesRepeated using assertIPTablesRulesEqual.)
2023-09-26 13:01:25 -04:00
Dan Winship
de077f448e Rename TestNonLocalExternalIPs to TestExternalTrafficPolicyCluster
For consistency with TestExternalTrafficPolicyLocal, test all of the
Cluster external traffic policy cases together here (ensuring that
masquerading happens where needed). Drop the assertIPTablesRulesEqual
test in favor of runPacketFlowTests.
2023-09-26 13:01:25 -04:00
Dan Winship
19f19e2f4f Merge the ExternalTrafficPolicy: Local tests together
Merge TestOnlyLocalExternalIPs, TestOnlyLocalLoadBalancing, and
TestOnlyLocalNodePorts together into TestExternalTrafficPolicyLocal.
Drop the assertIPTablesRulesEqual tests in favor of
runPacketFlowTests.

Remove TestOnlyLocalNodePortsNoClusterCIDR; the relevant bits of the
"no local detector" case are already fully covered by
TestInternalExternalMasquerade.
2023-09-26 13:01:23 -04:00
Dan Winship
ff5f5bc161 Merge several NodePort tests into TestNodePorts
Previously we had TestNodePort, which tested basic NodePort behavior,
plus Test{Enable,Disable}LocalhostNodePorts{IPv4,IPv6} to test the
behavior of --localhost-nodeports under IPv4 and IPv6, plus
TestDisableLocalhostNodePortsIPv4WithNodeAddress to test
--nodeport-addresses.

Merge all of these together into TestNodePorts, and use
runPacketFlowTests to check the results rather than
assertIPTablesRulesEqual.

The packet tracer is not full-featured enough to be able to check the
"anti martian packet spoofing" rule, so we check the iptables dump for
that manually.

(This also fixes the --localhost-nodeport tests to use the same IP
ranges as most of the other tests now.)
2023-09-26 12:01:28 -04:00
Dan Winship
f38231d568 Merge all the "reject when no endpoints" tests together
Merge TestClusterIPReject, TestExternalIPsReject, TestNodePortReject,
and TestLoadBalancerReject into a single test.

Also remove the assertIPTablesRulesEqual tests because the packet flow
tests cover all of the details we care about here.
2023-09-26 12:00:19 -04:00
Dan Winship
2435da11d5 Rewrite TestClusterIPEndpointsMore as TestClusterIPGeneral
Create some ClusterIP services and use runPacketFlowTests to test
general functionality:

  - normal connection
  - hairpin connection
  - multiple endpoints
  - port != targetPort
  - multiple protocols on same port

Remove the assertIPTablesRulesEqual test because the packet flow tests
cover all of the details we care about here.
2023-09-26 12:00:19 -04:00
Dan Winship
ce7ffa8175 Extend iptables packet tracer to support multiple node IPs 2023-09-26 12:00:17 -04:00
dhruvmehtaaa
7c5219438d Remove an old compatibility check/warning 2023-09-24 20:08:40 +05:30
Dan Winship
0910fe4b98 Extend iptables packet tracer to check the protocol 2023-09-22 11:41:21 -04:00
Dan Winship
a25fb03c00 Add assertIPTablesChainEquals, to streamline a few tests
Rather than checking the entire iptables dump, only check a single
chain.
2023-09-22 11:41:21 -04:00
Dan Winship
0ab0e404b8 Drop the now-unused assertIPTablesRulesNotEqual
Previously this was used to assert "something changed since the last
sync", but we already have packet flow tests in all of those cases now
to assert that the *specific* something we care about changed.
2023-09-22 11:41:21 -04:00
Dan Winship
4438f5e436 Remove assertIPTablesRulesEqual checks from terminating endpoints tests
The flow tests sufficiently check the results.

Also remove some irrelevant bits of the Service definition that don't
affect these tests.
2023-09-22 11:41:17 -04:00
Dan Winship
d57a51d0a9 Remove assertIPTablesRulesEqual from InternalTrafficPolicy test
Just use the flow tests. Also, add a new test for a missing case.
2023-09-22 11:07:53 -04:00
Dan Winship
43db55e93d Rename and extend TestOverallIPTablesRulesWithMultipleServices
Rename TestOverallIPTablesRulesWithMultipleServices to just
TestOverallIPTablesRules, and add one rule type we weren't previously
testing (session affinity).
2023-09-22 11:06:45 -04:00
Dan Winship
b489beb365 Remove an old compatibility check/warning
It was IPv4-specific but nobody ever noticed this or reported the lack
of IPv6 check as a problem, suggesting that it is no longer needed.
2023-09-21 16:49:23 -04:00
Prince Pereira
1a27531d2e Fix for Kubeproxy Mock framework where hcn object is holding always new object and not the pointer reference. 2023-09-18 11:59:01 +05:30
pegasas
f446745777 Improve logging on kube-proxy exit 2023-09-11 00:50:29 +08:00
Kubernetes Prow Robot
80cd9d7a9a
Merge pull request #120105 from princepereira/ppereira-kubeproxy-mock-tests
New mock test framework for windows kubeproxy.
2023-09-08 00:32:14 -07:00
Prince Pereira
7dea3d6c3b New mock test framework for windows kubeproxy. 2023-09-08 08:38:46 +05:30
Antonio Ojea
933bcc123b only drop invalid cstate packets if non liberal
Conntrack invalid packets may cause unexpected and subtle bugs
on established connections, because of that we install by default an
iptables rules that drops the packets with this conntrack state.

However, there are network scenarios, specially those that use multihoming
nodes, that may have legit traffic that is detected by conntrack as
invalid, hence these iptables rules are causing problems dropping this
traffic.

An alternative to solve the spurious problems caused by the invalid
conntrack packets is to set the sysctl nf_conntrack_tcp_be_liberal
option, but this is a system wide setting and we don't want kube-proxy
to be opinionated about the whole node networking configuration.

Kube-proxy will only install the DROP rules for invalid conntrack states
if the nf_conntrack_tcp_be_liberal is not set.

Change-Id: I5eb326931ed915f5ae74d210f0a375842b6a790e
2023-09-05 14:16:17 +00:00
tao.yang
b35357b6c0 cleanup: omit comparison with bool constants
Signed-off-by: tao.yang <tao.yang@daocloud.io>
2023-09-05 10:24:38 +08:00
Kubernetes Prow Robot
d4050a80c7
Merge pull request #119394 from aroradaman/fix/proxy-conntrack
Fix stale conntrack flow detection logic
2023-09-03 14:53:46 -07:00
Daman Arora
2e5f17166b pkg/proxy: fix stale detection logic
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-09-02 12:45:19 +05:30
Daman Arora
01df59a73b pkg/proxy: remove equal method from endpoint interface
Signed-off-by: Daman Arora <aroradaman@gmail.com>
2023-08-27 18:16:44 +05:30
Antonio Ojea
5c7529a6fc kube-proxy service cache don't treat ipMode proxy address as invalid
Change-Id: I4f79d4847943862dfd859325cdab075f62ef4707
2023-08-20 13:55:57 +00:00
Antonio Ojea
c112a34642 add unit test for kube-proxy service cache with ipMode
Change-Id: I0c25e15f259698a2882e398e05ab342bf2b38dba
2023-08-19 11:24:28 +00:00
Kubernetes Prow Robot
ee265c92fe
Merge pull request #119937 from RyanAoh/kep-1860-dev
Make Kubernetes aware of the LoadBalancer behaviour
2023-08-17 14:00:28 -07:00