Skip to content

Commit

Permalink
netpol: Add dual-stack support
Browse files Browse the repository at this point in the history
This change allows to define two cluster CIDRs for compatibility with
Kubernetes dual-stack, with an assumption that two CIDRs are usually
IPv4 and IPv6.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
  • Loading branch information
vadorovsky authored and rbrtbnfgl committed Apr 5, 2023
1 parent e1825ed commit a96679d
Show file tree
Hide file tree
Showing 14 changed files with 1,266 additions and 551 deletions.
2 changes: 2 additions & 0 deletions docs/user-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,8 @@ Usage of kube-router:
--disable-source-dest-check Disable the source-dest-check attribute for AWS EC2 instances. When this option is false, it must be set some other way. (default true)
--enable-cni Enable CNI plugin. Disable if you want to use kube-router features alongside another CNI plugin. (default true)
--enable-ibgp Enables peering with nodes with the same ASN, if disabled will only peer with external BGP peers (default true)
--enable-ipv4 Enables IPv4 support (default true)
--enable-ipv6 Enables IPv6 support (default true)
--enable-overlay When enable-overlay is set to true, IP-in-IP tunneling is used for pod-to-pod networking across nodes in different subnets. When set to false no tunneling is used and routing infrastructure is expected to route traffic for pod-to-pod networking across nodes in different subnets (default true)
--enable-pod-egress SNAT traffic from Pods to destinations outside the cluster. (default true)
--enable-pprof Enables pprof for debugging performance and memory leak issues.
Expand Down
37 changes: 36 additions & 1 deletion pkg/cmd/kube-router.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ package cmd

import (
"errors"
"fmt"
"os"
"os/signal"
"sync"
Expand All @@ -14,9 +15,12 @@ import (
"github.com/cloudnativelabs/kube-router/pkg/healthcheck"
"github.com/cloudnativelabs/kube-router/pkg/metrics"
"github.com/cloudnativelabs/kube-router/pkg/options"
"github.com/cloudnativelabs/kube-router/pkg/utils"
"github.com/cloudnativelabs/kube-router/pkg/version"
"github.com/coreos/go-iptables/iptables"
"k8s.io/klog/v2"

v1core "k8s.io/api/core/v1"
"k8s.io/client-go/informers"
"k8s.io/client-go/kubernetes"
"k8s.io/client-go/rest"
Expand Down Expand Up @@ -184,8 +188,39 @@ func (kr *KubeRouter) Run() error {
}

if kr.Config.RunFirewall {
iptablesCmdHandlers := make(map[v1core.IPFamily]utils.IPTablesHandler, 2)
ipSetHandlers := make(map[v1core.IPFamily]utils.IPSetHandler, 2)

if kr.Config.EnableIPv4 {
iptHandler, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
if err != nil {
return fmt.Errorf("failed to create iptables handler: %w", err)
}
iptablesCmdHandlers[v1core.IPv4Protocol] = iptHandler

ipset, err := utils.NewIPSet(false)
if err != nil {
return fmt.Errorf("failed to create ipset handler: %w", err)
}
ipSetHandlers[v1core.IPv4Protocol] = ipset
}
if kr.Config.EnableIPv6 {
iptHandler, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
if err != nil {
return fmt.Errorf("failed to create iptables handler: %w", err)
}
iptablesCmdHandlers[v1core.IPv6Protocol] = iptHandler

ipset, err := utils.NewIPSet(true)
if err != nil {
return fmt.Errorf("failed to create ipset handler: %w", err)
}
ipSetHandlers[v1core.IPv6Protocol] = ipset
}

npc, err := netpol.NewNetworkPolicyController(kr.Client,
kr.Config, podInformer, npInformer, nsInformer, &ipsetMutex)
kr.Config, podInformer, npInformer, nsInformer, &ipsetMutex,
iptablesCmdHandlers, ipSetHandlers)
if err != nil {
return errors.New("Failed to create network policy controller: " + err.Error())
}
Expand Down
Loading

0 comments on commit a96679d

Please sign in to comment.