From aeea967149d270d90678d7aed02b1ca5fcd46b89 Mon Sep 17 00:00:00 2001
From: Pengfei Ni
Date: Wed, 22 Aug 2018 14:08:18 +0800
Subject: [PATCH] Kubelet: only sync iptables on linux
---
 pkg/kubelet/BUILD | 2 +
 pkg/kubelet/kubelet_network.go | 85 --------------------
 pkg/kubelet/kubelet_network_linux.go | 111 ++++++++++++++++++++++++++
 pkg/kubelet/kubelet_network_others.go | 22 +++++
 pkg/kubelet/kubelet_network_test.go | 2 +
 5 files changed, 137 insertions(+), 85 deletions(-)
 create mode 100644 pkg/kubelet/kubelet_network_linux.go
 create mode 100644 pkg/kubelet/kubelet_network_others.go
diff --git a/pkg/kubelet/BUILD b/pkg/kubelet/BUILD
index d1c0b61bee..bbd347c72d 100644
--- a/pkg/kubelet/BUILD
+++ b/pkg/kubelet/BUILD
@@ -14,6 +14,8 @@ go_library(
 "kubelet.go",
 "kubelet_getters.go",
 "kubelet_network.go",
+ "kubelet_network_linux.go",
+ "kubelet_network_others.go",
 "kubelet_node_status.go",
 "kubelet_pods.go",
 "kubelet_resources.go",
diff --git a/pkg/kubelet/kubelet_network.go b/pkg/kubelet/kubelet_network.go
index a07ece7bb5..0528d2c1e5 100644
--- a/pkg/kubelet/kubelet_network.go
+++ b/pkg/kubelet/kubelet_network.go
@@ -77,91 +77,6 @@ func (kl *Kubelet) updatePodCIDR(cidr string) error {
 return nil
 }
 
-// syncNetworkUtil ensures the network utility are present on host.
-// Network util includes:
-// 1. In nat table, KUBE-MARK-DROP rule to mark connections for dropping
-// Marked connection will be drop on INPUT/OUTPUT Chain in filter table
-// 2. In nat table, KUBE-MARK-MASQ rule to mark connections for SNAT
-// Marked connection will get SNAT on POSTROUTING Chain in nat table
-func (kl *Kubelet) syncNetworkUtil() {
- if kl.iptablesMasqueradeBit < 0 || kl.iptablesMasqueradeBit > 31 {
- glog.Errorf("invalid iptables-masquerade-bit %v not in [0, 31]", kl.iptablesMasqueradeBit)
- return
- }
-
- if kl.iptablesDropBit < 0 || kl.iptablesDropBit > 31 {
- glog.Errorf("invalid iptables-drop-bit %v not in [0, 31]", kl.iptablesDropBit)
- return
- }
-
- if kl.iptablesDropBit == kl.iptablesMasqueradeBit {
- glog.Errorf("iptables-masquerade-bit %v and iptables-drop-bit %v must be different", kl.iptablesMasqueradeBit, kl.iptablesDropBit)
- return
- }
-
- // Setup KUBE-MARK-DROP rules
- dropMark := getIPTablesMark(kl.iptablesDropBit)
- if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkDropChain); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkDropChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkDropChain, "-j", "MARK", "--set-xmark", dropMark); err != nil {
- glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkDropChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureChain(utiliptables.TableFilter, KubeFirewallChain); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableFilter, KubeFirewallChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain,
- "-m", "comment", "--comment", "kubernetes firewall for dropping marked packets",
- "-m", "mark", "--mark", dropMark,
- "-j", "DROP"); err != nil {
- glog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainInput, "-j", string(KubeFirewallChain)); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainInput, KubeFirewallChain, err)
- return
- }
-
- // Setup KUBE-MARK-MASQ rules
- masqueradeMark := getIPTablesMark(kl.iptablesMasqueradeBit)
- if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkMasqChain); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkMasqChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubePostroutingChain); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubePostroutingChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkMasqChain, "-j", "MARK", "--set-xmark", masqueradeMark); err != nil {
- glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkMasqChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, utiliptables.ChainPostrouting,
- "-m", "comment", "--comment", "kubernetes postrouting rules", "-j", string(KubePostroutingChain)); err != nil {
- glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, KubePostroutingChain, err)
- return
- }
- if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubePostroutingChain,
- "-m", "comment", "--comment", "kubernetes service traffic requiring SNAT",
- "-m", "mark", "--mark", masqueradeMark, "-j", "MASQUERADE"); err != nil {
- glog.Errorf("Failed to ensure SNAT rule for packets marked by %v in %v chain %v: %v", KubeMarkMasqChain, utiliptables.TableNAT, KubePostroutingChain, err)
- return
- }
-}
-
-// getIPTablesMark returns the fwmark given the bit
-func getIPTablesMark(bit int) string {
- value := 1 << uint(bit)
- return fmt.Sprintf("%#08x/%#08x", value, value)
-}
-
 // GetPodDNS returns DNS settings for the pod.
 // This function is defined in kubecontainer.RuntimeHelper interface so we
 // have to implement it.
diff --git a/pkg/kubelet/kubelet_network_linux.go b/pkg/kubelet/kubelet_network_linux.go
new file mode 100644
index 0000000000..002b226b19
--- /dev/null
+++ b/pkg/kubelet/kubelet_network_linux.go
@@ -0,0 +1,111 @@
+// +build linux
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+import (
+ "fmt"
+
+ "github.com/golang/glog"
+ utiliptables "k8s.io/kubernetes/pkg/util/iptables"
+)
+
+// syncNetworkUtil ensures the network utility are present on host.
+// Network util includes:
+// 1. In nat table, KUBE-MARK-DROP rule to mark connections for dropping
+// Marked connection will be drop on INPUT/OUTPUT Chain in filter table
+// 2. In nat table, KUBE-MARK-MASQ rule to mark connections for SNAT
+// Marked connection will get SNAT on POSTROUTING Chain in nat table
+func (kl *Kubelet) syncNetworkUtil() {
+ if kl.iptablesMasqueradeBit < 0 || kl.iptablesMasqueradeBit > 31 {
+ glog.Errorf("invalid iptables-masquerade-bit %v not in [0, 31]", kl.iptablesMasqueradeBit)
+ return
+ }
+
+ if kl.iptablesDropBit < 0 || kl.iptablesDropBit > 31 {
+ glog.Errorf("invalid iptables-drop-bit %v not in [0, 31]", kl.iptablesDropBit)
+ return
+ }
+
+ if kl.iptablesDropBit == kl.iptablesMasqueradeBit {
+ glog.Errorf("iptables-masquerade-bit %v and iptables-drop-bit %v must be different", kl.iptablesMasqueradeBit, kl.iptablesDropBit)
+ return
+ }
+
+ // Setup KUBE-MARK-DROP rules
+ dropMark := getIPTablesMark(kl.iptablesDropBit)
+ if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkDropChain); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkDropChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkDropChain, "-j", "MARK", "--set-xmark", dropMark); err != nil {
+ glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkDropChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureChain(utiliptables.TableFilter, KubeFirewallChain); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableFilter, KubeFirewallChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableFilter, KubeFirewallChain,
+ "-m", "comment", "--comment", "kubernetes firewall for dropping marked packets",
+ "-m", "mark", "--mark", dropMark,
+ "-j", "DROP"); err != nil {
+ glog.Errorf("Failed to ensure rule to drop packet marked by %v in %v chain %v: %v", KubeMarkDropChain, utiliptables.TableFilter, KubeFirewallChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainOutput, "-j", string(KubeFirewallChain)); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainOutput, KubeFirewallChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableFilter, utiliptables.ChainInput, "-j", string(KubeFirewallChain)); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableFilter, utiliptables.ChainInput, KubeFirewallChain, err)
+ return
+ }
+
+ // Setup KUBE-MARK-MASQ rules
+ masqueradeMark := getIPTablesMark(kl.iptablesMasqueradeBit)
+ if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubeMarkMasqChain); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubeMarkMasqChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureChain(utiliptables.TableNAT, KubePostroutingChain); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, KubePostroutingChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubeMarkMasqChain, "-j", "MARK", "--set-xmark", masqueradeMark); err != nil {
+ glog.Errorf("Failed to ensure marking rule for %v: %v", KubeMarkMasqChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, utiliptables.ChainPostrouting,
+ "-m", "comment", "--comment", "kubernetes postrouting rules", "-j", string(KubePostroutingChain)); err != nil {
+ glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, KubePostroutingChain, err)
+ return
+ }
+ if _, err := kl.iptClient.EnsureRule(utiliptables.Append, utiliptables.TableNAT, KubePostroutingChain,
+ "-m", "comment", "--comment", "kubernetes service traffic requiring SNAT",
+ "-m", "mark", "--mark", masqueradeMark, "-j", "MASQUERADE"); err != nil {
+ glog.Errorf("Failed to ensure SNAT rule for packets marked by %v in %v chain %v: %v", KubeMarkMasqChain, utiliptables.TableNAT, KubePostroutingChain, err)
+ return
+ }
+}
+
+// getIPTablesMark returns the fwmark given the bit
+func getIPTablesMark(bit int) string {
+ value := 1 << uint(bit)
+ return fmt.Sprintf("%#08x/%#08x", value, value)
+}
diff --git a/pkg/kubelet/kubelet_network_others.go b/pkg/kubelet/kubelet_network_others.go
new file mode 100644
index 0000000000..53267bfc5f
--- /dev/null
+++ b/pkg/kubelet/kubelet_network_others.go
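Review bot: `value := 1 << uint(bit)` in getIPTablesMark gives value the type int, so on 32-bit GOARCH targets (386, arm) bit 31 overflows to a negative number and `%#08x` renders it as `-0x80000000/-0x80000000`, which is not a usable `--set-xmark` argument even though syncNetworkUtil accepts bits in [0, 31]. Sizing the value explicitly, `value := uint32(1) << uint(bit)`, makes the mark identical on every architecture. The doc comment moved with the function still reads "ensures the network utility are present on host"; `// syncNetworkUtil ensures the iptables chains and rules the kubelet relies on are present on the host.` would be clearer, and a sentence noting that failures are only logged (there is no error return, so a caller cannot tell that the KUBE-FIREWALL drop rule was never installed) would help operators diagnose missing rules.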
@@ -0,0 +1,22 @@
+// +build !linux
+
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package kubelet
+
+// Do nothing.
+func (kl *Kubelet) syncNetworkUtil() {}
diff --git a/pkg/kubelet/kubelet_network_test.go b/pkg/kubelet/kubelet_network_test.go
index 7e611766c4..2dd0a5ffcf 100644
--- a/pkg/kubelet/kubelet_network_test.go
+++ b/pkg/kubelet/kubelet_network_test.go
@@ -1,3 +1,5 @@
+// +build linux
+
 /*
 Copyright 2016 The Kubernetes Authors.
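Review bot: `// Do nothing.` on the non-Linux syncNetworkUtil says what but not why, and nothing records that the KUBE-MARK-DROP, KUBE-MARK-MASQ and KUBE-FIREWALL chains the Linux build installs are simply absent on these platforms. Suggest `// syncNetworkUtil is a no-op on non-Linux platforms: the kubelet manages its iptables marking and drop chains only on Linux, so no such rules exist here.` so a reader of this stub does not assume equivalent filtering is provided some other way. Since the iptables-masquerade-bit and iptables-drop-bit settings are presumably still accepted on these platforms, it may also be worth stating in the comment that they have no effect here.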