
server: Allow to enable network policies with IPv6-only

After the previous changes, network policies work on IPv6-only
installations.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
pull/5518/head
Michal Rostecki 3 years ago committed by Brad Davidson
parent
commit
5f2a4d4209
  1. 20
      pkg/agent/netpol/netpol.go
  2. 7
      pkg/cli/server/server.go

20
pkg/agent/netpol/netpol.go

@ -80,17 +80,19 @@ func Run(ctx context.Context, nodeConfig *config.Node) error {
iptablesCmdHandlers := make(map[v1core.IPFamily]utils.IPTablesHandler, 2)
ipSetHandlers := make(map[v1core.IPFamily]utils.IPSetHandler, 2)
iptHandler, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
if err != nil {
return errors.Wrap(err, "failed to create iptables handler")
}
iptablesCmdHandlers[v1core.IPv4Protocol] = iptHandler
if nodeConfig.AgentConfig.EnableIPv4 {
iptHandler, err := iptables.NewWithProtocol(iptables.ProtocolIPv4)
if err != nil {
return errors.Wrap(err, "failed to create iptables handler")
}
iptablesCmdHandlers[v1core.IPv4Protocol] = iptHandler
ipset, err := utils.NewIPSet(false)
if err != nil {
return errors.Wrap(err, "failed to create ipset handler")
ipset, err := utils.NewIPSet(false)
if err != nil {
return errors.Wrap(err, "failed to create ipset handler")
}
ipSetHandlers[v1core.IPv4Protocol] = ipset
}
ipSetHandlers[v1core.IPv4Protocol] = ipset
if nodeConfig.AgentConfig.EnableIPv6 {
ipt6Handler, err := iptables.NewWithProtocol(iptables.ProtocolIPv6)
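Review bot: Now that the IPv4 handler creation is guarded by `nodeConfig.AgentConfig.EnableIPv4` and the IPv6 one by `EnableIPv6`, a node with neither flag set leaves both `iptablesCmdHandlers` and `ipSetHandlers` empty, and nothing in the hunk rejects that before the rest of Run (which continues outside the hunk) presumably hands the empty maps to the policy controller. A controller that starts with no backend would leave network policies silently unenforced, which is worse than a startup error, so a guard after the two branches such as `if len(iptablesCmdHandlers) == 0 { return errors.New("network policy requires at least one IP family to be enabled") }` would make it fail closed; whether the caller already guarantees one family is enabled is not visible here. The IPv4 block also keeps the message `"failed to create iptables handler"`, which no longer identifies the family now that there are two parallel branches (the IPv6 branch below is cut off, but likely uses the same wording); `"failed to create IPv4 iptables handler"` in the new block keeps the two failures distinguishable in logs.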

7
pkg/cli/server/server.go

@ -528,13 +528,6 @@ func validateNetworkConfiguration(serverConfig server.Config) error {
return errors.New("dual-stack cluster-dns is not supported")
}
IPv6OnlyService, _ := util.IsIPv6OnlyCIDRs(serverConfig.ControlConfig.ServiceIPRanges)
if IPv6OnlyService {
if serverConfig.ControlConfig.DisableNPC == false {
return errors.New("network policy enforcement is not compatible with IPv6 only operation; server must be restarted with --disable-network-policy")
}
}
return nil
}
