-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make nodeport ip configurable #58052
Make nodeport ip configurable #58052
Conversation
ffe4c7b
to
c7b3378
Compare
/assign @thockin @brendandburns /unassign |
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
357ff11
to
05d7ed1
Compare
257213e
to
04cd7fe
Compare
I love this feature. |
I understand, but NIC name is very tricky especially in systemd system, for example, |
allErrs := field.ErrorList{} | ||
LOOP: | ||
for i := range nodePortAddresses { | ||
switch nodePortAddresses[i] { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this a switch with a single case? shouldn't that be an if
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/proxy/iptables/proxier.go
Outdated
} else { | ||
addressList := addresses.UnsortedList() | ||
if len(addressList) == 1 && utilproxy.IsZeroCIDR(addressList[0]) { | ||
writeLine(proxier.natRules, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we structure this like:
cmd := []string {
...
}
if len(addressList) && ... {
cmd = append(cmd, ...)
} else {
cmd = append(cmd, ...)
}
cmd = append(cmd, ...)
writeLine(...)
So that we don't have quite so much code duplication?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
pkg/proxy/ipvs/proxier.go
Outdated
if err != nil { | ||
glog.Errorf("Failed to get node IP, err: %v", err) | ||
glog.Errorf("Failed to get node ip address matching nodeport cidr") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't we bail out instead of having the else?
if ... {
glog.Errorf(...)
return
}
...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
This generally looks good to me, but should probably be approved by @kubernetes/sig-network-api-reviews |
a7405ed
to
2edc97b
Compare
/retest |
@@ -169,6 +169,8 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
"NAT timeout for TCP connections in the CLOSE_WAIT state") | |||
fs.BoolVar(&o.config.EnableProfiling, "profiling", o.config.EnableProfiling, "If true enables profiling via web interface on /debug/pprof handler.") | |||
fs.StringVar(&o.config.IPVS.Scheduler, "ipvs-scheduler", o.config.IPVS.Scheduler, "The ipvs scheduler type when proxy mode is ipvs") | |||
fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a FLAG, not code. Someone using the command-line doesn't know what a slice is. You have to tell them how to use it. "A comma-delimited list of IP blocks (e.g. 10.0.0.0/8, 1.2.3.4/32) used to filter addresses local to this node. Defaults to use all local addresses".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK, THANKS!
allErrs = append(allErrs, field.Invalid(fldPath, nodePortAddresses, "must be non-empty")) | ||
break | ||
} | ||
if _, _, err := net.ParseCIDR(nodePortAddresses[i]); err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK for now. The UX is a little weird, but probably won't get that much use.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can be fixed in followup.
isIPv6 := proxier.iptables.IsIpv6() | ||
for address := range addresses { | ||
// TODO(thockin, m1093782566): If/when we have dual-stack support we will want to distinguish v4 from v6 zero-CIDRs. | ||
if utilproxy.IsZeroCIDR(address) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
need to also test the v6-ness of it. If I specified "10.0.0.0/8,::/0" I would not expect 192.168.1.1 to match.
break | ||
} | ||
// Ignore IP addresses with incorrect version | ||
if isIPv6 && !conntrack.IsIPv6String(address) || !isIPv6 && conntrack.IsIPv6String(address) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
if isIPv6 != conntrack.IsIPv6String(address)
?
NetworkInterfaces []net.Interface | ||
// The key of map Addrs is the network interface name | ||
Address map[string][]net.Addr | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add
var _ proxyutil.NetworkInterfacer = &FakeNetwork{}
} | ||
// First round of iteration to pick out `0.0.0.0/0` or `::/0` for the sake of excluding non-zero IPs. | ||
for _, cidr := range cidrs { | ||
if IsZeroCIDR(cidr) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will allow the zero-cidr more than once, Not a big deal, but odd.
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: m1093782566, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Review the full test history for this PR. Silence the bot with an |
Seems verify-bazel is broken, PTAL. |
/retest |
1 similar comment
/retest |
adding milestone as it's for 1.10 |
Automatic merge from submit-queue (batch tested with PRs 60430, 60115, 58052, 60355, 60116). If you want to cherry-pick this change to another branch, please follow the instructions here. |
All outstanding comments will be fixed after freeze. |
What this PR does / why we need it:
By default, kube-proxy accepts everything from NodePort without any filter. It can be a problem for nodes which has both public and private NICs, and people only want to provide a service in private network and avoid exposing any internal service on the public IPs.
This PR makes nodeport ip configurable.
Which issue(s) this PR fixes:
Closes: #21070
Special notes for your reviewer:
Design proposal see: kubernetes/community#1547
Issue in feature repo: kubernetes/enhancements#539
Release note: