mirror of https://github.com/k3s-io/k3s
Merge pull request #72534 from thockin/kube-proxy-reject-no-endpoints-bug
kube-proxy: Fix bug in rejecting 0 endpoint svc
pull/564/head
commit
fc282645ac
|
@ -358,39 +358,35 @@ func NewProxier(ipt utiliptables.Interface,
|
|||
}
|
||||
|
||||
type iptablesJumpChain struct {
|
||||
table utiliptables.Table
|
||||
chain utiliptables.Chain
|
||||
sourceChain utiliptables.Chain
|
||||
comment string
|
||||
extraArgs []string
|
||||
table utiliptables.Table
|
||||
dstChain utiliptables.Chain
|
||||
srcChain utiliptables.Chain
|
||||
comment string
|
||||
extraArgs []string
|
||||
}
|
||||
|
||||
var iptablesJumpChains = []iptablesJumpChain{
|
||||
{utiliptables.TableFilter, kubeExternalServicesChain, utiliptables.ChainInput, "kubernetes externally-visible service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainForward, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", []string{"-m", "conntrack", "--ctstate", "NEW"}},
|
||||
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
||||
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
|
||||
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
|
||||
{utiliptables.TableFilter, kubeForwardChain, utiliptables.ChainForward, "kubernetes forwarding rules", nil},
|
||||
}
|
||||
|
||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{
|
||||
// Present in kube 1.6 - 1.9. Removed by #56164 in favor of kubeExternalServicesChain
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainInput, "kubernetes service portals", nil},
|
||||
// Present in kube <= 1.9. Removed by #60306 in favor of rule with extraArgs
|
||||
{utiliptables.TableFilter, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
|
||||
}
|
||||
var iptablesCleanupOnlyChains = []iptablesJumpChain{}
|
||||
|
||||
// CleanupLeftovers removes all iptables rules and chains created by the Proxier
|
||||
// It returns true if an error was encountered. Errors are logged.
|
||||
func CleanupLeftovers(ipt utiliptables.Interface) (encounteredError bool) {
|
||||
// Unlink our chains
|
||||
for _, chain := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
|
||||
args := append(chain.extraArgs,
|
||||
"-m", "comment", "--comment", chain.comment,
|
||||
"-j", string(chain.chain),
|
||||
for _, jump := range append(iptablesJumpChains, iptablesCleanupOnlyChains...) {
|
||||
args := append(jump.extraArgs,
|
||||
"-m", "comment", "--comment", jump.comment,
|
||||
"-j", string(jump.dstChain),
|
||||
)
|
||||
if err := ipt.DeleteRule(chain.table, chain.sourceChain, args...); err != nil {
|
||||
if err := ipt.DeleteRule(jump.table, jump.srcChain, args...); err != nil {
|
||||
if !utiliptables.IsNotFoundError(err) {
|
||||
klog.Errorf("Error removing pure-iptables proxy rule: %v", err)
|
||||
encounteredError = true
|
||||
|
@ -670,17 +666,17 @@ func (proxier *Proxier) syncProxyRules() {
|
|||
klog.V(3).Info("Syncing iptables rules")
|
||||
|
||||
// Create and link the kube chains.
|
||||
for _, chain := range iptablesJumpChains {
|
||||
if _, err := proxier.iptables.EnsureChain(chain.table, chain.chain); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s exists: %v", chain.table, kubeServicesChain, err)
|
||||
for _, jump := range iptablesJumpChains {
|
||||
if _, err := proxier.iptables.EnsureChain(jump.table, jump.dstChain); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s exists: %v", jump.table, jump.dstChain, err)
|
||||
return
|
||||
}
|
||||
args := append(chain.extraArgs,
|
||||
"-m", "comment", "--comment", chain.comment,
|
||||
"-j", string(chain.chain),
|
||||
args := append(jump.extraArgs,
|
||||
"-m", "comment", "--comment", jump.comment,
|
||||
"-j", string(jump.dstChain),
|
||||
)
|
||||
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, chain.table, chain.sourceChain, args...); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", chain.table, chain.sourceChain, chain.chain, err)
|
||||
if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, jump.table, jump.srcChain, args...); err != nil {
|
||||
klog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", jump.table, jump.srcChain, jump.dstChain, err)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
|
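Review bot: The order of entries in `iptablesJumpChains` is load-bearing but undocumented, because `syncProxyRules` installs every jump with `utiliptables.Prepend`, so within one table and source chain a later entry ends up ahead of an earlier one in the kernel's rule list. As listed here, the filter `ChainForward` jump to `kubeForwardChain` comes after the conntrack-NEW jump to `kubeServicesChain` and would therefore be evaluated first; whether that is the intended precedence for the reject rules the commit title refers to cannot be confirmed from this page and should be stated explicitly. I would add a comment above the variable such as `// Order matters: jumps are prepended, so for the same table/srcChain a later entry is evaluated before an earlier one.` Separately, `iptablesCleanupOnlyChains` appears to become an empty slice, which (if the populated version is the removed side) means `CleanupLeftovers` no longer deletes the filter INPUT/OUTPUT jumps left by the older releases named in the comments, so a short note on why those stale firewall rules no longer need cleaning up would help. The bodies of `CleanupLeftovers` and `syncProxyRules` continue outside the hunks shown.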