Make nodeport ip configurable #58052
Conversation
k8s-ci-robot
added
release-note
k8s-ci-robot
added
do-not-merge/work-in-progress
m1093782566
force-pushed
the
nodeip-config
branch
from
ffe4c7b
to
c7b3378
Compare
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
/assign @thockin @brendandburns /unassign |
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
cncf-cla: no
m1093782566
force-pushed
the
nodeip-config
branch
from
357ff11
to
05d7ed1
Compare
k8s-ci-robot
added
cncf-cla: yes
m1093782566
force-pushed
the
nodeip-config
branch
3 times, most recently
from
257213e
to
04cd7fe
Compare
|
I love this feature. |
|
I understand, but NIC name is very tricky especially in systemd system, for example, |
| allErrs := field.ErrorList{} | ||
| LOOP: | ||
| for i := range nodePortAddresses { | ||
| switch nodePortAddresses[i] { |
There was a problem hiding this comment.
Why is this a switch with a single case? shouldn't that be an if?
pkg/proxy/iptables/proxier.go
Outdated
| } else { | ||
| addressList := addresses.UnsortedList() | ||
| if len(addressList) == 1 && utilproxy.IsZeroCIDR(addressList[0]) { | ||
| writeLine(proxier.natRules, |
There was a problem hiding this comment.
Can we structure this like:
cmd := []string {
...
}
if len(addressList) && ... {
cmd = append(cmd, ...)
} else {
cmd = append(cmd, ...)
}
cmd = append(cmd, ...)
writeLine(...)So that we don't have quite so much code duplication?
pkg/proxy/ipvs/proxier.go
Outdated
| if err != nil { | ||
| glog.Errorf("Failed to get node IP, err: %v", err) | ||
| glog.Errorf("Failed to get node ip address matching nodeport cidr") |
There was a problem hiding this comment.
Shouldn't we bail out instead of having the else?
if ... {
glog.Errorf(...)
return
}
...
|
This generally looks good to me, but should probably be approved by @kubernetes/sig-network-api-reviews |
m1093782566
force-pushed
the
nodeip-config
branch
from
a7405ed
to
2edc97b
Compare
|
/retest |
| @@ -169,6 +169,8 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { | |||
| "NAT timeout for TCP connections in the CLOSE_WAIT state") | |||
| fs.BoolVar(&o.config.EnableProfiling, "profiling", o.config.EnableProfiling, "If true enables profiling via web interface on /debug/pprof handler.") | |||
| fs.StringVar(&o.config.IPVS.Scheduler, "ipvs-scheduler", o.config.IPVS.Scheduler, "The ipvs scheduler type when proxy mode is ipvs") | |||
| fs.StringSliceVar(&o.config.NodePortAddresses, "nodeport-addresses", o.config.NodePortAddresses, | |||
There was a problem hiding this comment.
This is a FLAG, not code. Someone using the command-line doesn't know what a slice is. You have to tell them how to use it. "A comma-delimited list of IP blocks (e.g. 10.0.0.0/8, 1.2.3.4/32) used to filter addresses local to this node. Defaults to use all local addresses".
| allErrs = append(allErrs, field.Invalid(fldPath, nodePortAddresses, "must be non-empty")) | ||
| break | ||
| } | ||
| if _, _, err := net.ParseCIDR(nodePortAddresses[i]); err != nil { |
There was a problem hiding this comment.
OK for now. The UX is a little weird, but probably won't get that much use.
| isIPv6 := proxier.iptables.IsIpv6() | ||
| for address := range addresses { | ||
| // TODO(thockin, m1093782566): If/when we have dual-stack support we will want to distinguish v4 from v6 zero-CIDRs. | ||
| if utilproxy.IsZeroCIDR(address) { |
There was a problem hiding this comment.
need to also test the v6-ness of it. If I specified "10.0.0.0/8,::/0" I would not expect 192.168.1.1 to match.
| break | ||
| } | ||
| // Ignore IP addresses with incorrect version | ||
| if isIPv6 && !conntrack.IsIPv6String(address) || !isIPv6 && conntrack.IsIPv6String(address) { |
There was a problem hiding this comment.
if isIPv6 != conntrack.IsIPv6String(address)
?
| NetworkInterfaces []net.Interface | ||
| // The key of map Addrs is the network interface name | ||
| Address map[string][]net.Addr | ||
| } |
There was a problem hiding this comment.
add
var _ proxyutil.NetworkInterfacer = &FakeNetwork{}
| } | ||
| // First round of iteration to pick out `0.0.0.0/0` or `::/0` for the sake of excluding non-zero IPs. | ||
| for _, cidr := range cidrs { | ||
| if IsZeroCIDR(cidr) { |
There was a problem hiding this comment.
This will allow the zero-cidr more than once, Not a big deal, but odd.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: m1093782566, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
k8s-ci-robot
added
status/approved-for-milestone
and removed
approved-for-milestone
labels
Seems verify-bazel is broken, PTAL. |
|
/retest |
1 similar comment
|
/retest |
|
adding milestone as it's for 1.10 |
|
Automatic merge from submit-queue (batch tested with PRs 60430, 60115, 58052, 60355, 60116). If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
All outstanding comments will be fixed after freeze. |
What this PR does / why we need it:
By default, kube-proxy accepts everything from NodePort without any filter. It can be a problem for nodes which has both public and private NICs, and people only want to provide a service in private network and avoid exposing any internal service on the public IPs.
This PR makes nodeport ip configurable.
Which issue(s) this PR fixes:
Closes: #21070
Special notes for your reviewer:
Design proposal see: kubernetes/community#1547
Issue in feature repo: kubernetes/enhancements#539
Release note: