Tim Hockin
1ce3395e7f
Simplify stale-connection detection in kube-proxy
2017-02-15 12:39:49 -08:00
Tim Hockin
7046c7efcb
Prep to move guts of OnEndpointsUpdate to sync
...
This makes it more obvious that they run together and makes the upcoming
rate-limited syncs easier.
Also make test use ints for ports, so it's easier to see when a port is
a literal value vs a name.
2017-02-15 10:37:05 -08:00
Tim Hockin
cddda17d42
Make healthcheck an interface
2017-02-15 10:37:05 -08:00
Tim Hockin
6069d49d49
Add tests for updateEndpoints
2017-02-15 10:37:05 -08:00
Tim Hockin
8d24fc3984
Simplify maps which had almost the exact same info
2017-02-15 10:37:05 -08:00
Tim Hockin
48ea304711
Sanitize newEndpoints semantics, remove a dup arg
2017-02-15 10:37:05 -08:00
Tim Hockin
9507af3c79
Refactor OnEndpointsUpdate for testing
...
This is a weird function, but I didn't want to change any semantics
until the tests are in place. Testing exposed one bug where stale
connections of renamed ports were not marked stale.
There are other things that seem wrong here, more will follow.
2017-02-15 10:37:05 -08:00
Tim Hockin
d578105a44
Simple cleanup before refactoring
2017-02-15 10:37:05 -08:00
Tim Hockin
1c180e0865
Simplify "is local" detection
...
Move the feature test to where we are activating the feature, rather
than where we detect locality. This is in service of better tests,
which is in service of less-frequent resyncing, which is going to
require refactoring.
2017-02-15 10:37:05 -08:00
Minhan Xia
572e3bebcc
fix healthcheck update problem introduced by #41223
2017-02-13 12:18:42 -08:00
Minhan Xia
87fe4dca5e
skip iptables sync if no endpoint changes
2017-02-10 10:03:23 -08:00
Klaus Ma
f6aa8bbb8f
Updated NodeRef to clientv1.ObjectReference.
2017-02-07 06:27:06 +08:00
deads2k
8a12000402
move client/record
2017-01-31 19:14:13 -05:00
Dr. Stefan Schimanski
a6b2ebb50c
pkg/flag: make feature gate extensible and split between generic and kube
2017-01-24 20:56:03 +01:00
Dr. Stefan Schimanski
56d60cfae6
pkg/util: move flags from pkg/util/config to pkg/util/flags
2017-01-24 20:56:03 +01:00
deads2k
5a8f075197
move authoritative client-go utils out of pkg
2017-01-24 08:59:18 -05:00
deads2k
c47717134b
move utils used in restclient to client-go
2017-01-19 07:55:14 -05:00
Dan Williams
5907639140
proxy/iptables: clean up service map creation
...
Instead of copying the map, like OnServicesUpdate() used to do and which
was copied into buildServiceMap() to preserve semantics while creating
testcases, start with a new empty map and do deletion checking later.
2017-01-11 15:17:55 -06:00
Dan Williams
6aa784e6f2
proxy/iptables: don't sync proxy rules if services map didn't change
2017-01-11 14:46:12 -06:00
Dan Williams
433f6830f8
proxy/iptables: don't proxy ExternalName services
...
The API docs say:
// ServiceTypeExternalName means a service consists of only a reference to
// an external name that kubedns or equivalent will return as a CNAME
// record, with no exposing or proxying of any pods involved.
which implies that ExternalName services should be ignored for proxy
purposes.
2017-01-11 14:46:12 -06:00
Dan Williams
eae2b8e9ba
proxy/iptables: split out service map creation and add testcases
2017-01-11 14:46:12 -06:00
deads2k
6a4d5cd7cc
start the apimachinery repo
2017-01-11 09:09:48 -05:00
Klaus Ma
b0dfa4ad47
Add event when failed to open local port.
2016-12-23 04:51:12 +08:00
Dan Winship
d95181fa1e
Port iptables code to pkg/util/version, don't use semvers
2016-12-13 08:53:04 -05:00
Kubernetes Submit Queue
4fb21c8409
Merge pull request #37429 from andrewsykim/fix-kube-proxy-node-ip-warning
...
Automatic merge from submit-queue (batch tested with PRs 35884, 37305, 37369, 37429, 35679)
fix misleading warning message regarding kube-proxy nodeIP initializa…
The current warning message implies that the operator should restart kube-proxy with some flag related to node IP which can be very misleading.
2016-12-08 03:55:17 -08:00
Kubernetes Submit Queue
6abb472357
Merge pull request #37720 from freehan/lb-src-update
...
Automatic merge from submit-queue
Fix Service Update on LoadBalancerSourceRanges Field
Fixes: https://github.com/kubernetes/kubernetes/issues/33033
Also expands: https://github.com/kubernetes/kubernetes/pull/32748
2016-12-01 18:21:39 -08:00
Lukasz Zajaczkowski
dc54a8d46e
Bug fix. Incoming UDP packets not reach newly deployed services
2016-12-01 08:52:30 +01:00
Minhan Xia
1c2c0c1f63
support service loadBalancerSourceRange update
2016-11-30 15:27:34 -08:00
andrewsykim
439ab5a487
fix misleading warning message regarding kube-proxy nodeIP initialization
2016-11-24 01:35:45 -05:00
Kubernetes Submit Queue
ddf5888da4
Merge pull request #35681 from vincentheet/issue-35677
...
Automatic merge from submit-queue
Change stickyMaxAge from seconds to minutes, fixes issue #35677
**What this PR does / why we need it**: Increases the service sessionAffinity time from 180 seconds to 180 minutes for proxy mode iptables which was a bug introduced in a refactor.
**Which issue this PR fixes**: fixes #35677
**Special notes for your reviewer**:
**Release note**:
``` release-note
Fixed wrong service sessionAffinity stickiness time from 180 sec to 180 minutes in proxy mode iptables.
```
Since there is no test for the sessionAffinity feature at the moment I wanted to create one but I don't know how.
2016-11-22 10:35:36 -08:00
Mandar U Jog
3fdc343a98
Handle Empty clusterCIDR
...
Empty clusterCIDR causes invalid rules generation.
Fixes issue #36652
2016-11-15 14:34:25 -08:00
Zihong Zheng
55f75c37f7
Default to the old behavior for proxier sync.
2016-11-06 22:45:53 -08:00
Timothy St. Clair
2b012e822a
Add minimum iptables sync period to the proxy, default is 2/sec
2016-11-04 00:38:35 -05:00
Vincent Heet
528bc97dd3
Change stickyMaxAge from seconds to minutes, fixes issue #35677
2016-10-27 09:56:17 +02:00
bprashanth
a46a849b9e
Promote source ip annotations to beta
2016-10-19 13:39:37 -07:00
bprashanth
5cb8e8e1d6
Fix health check node port leak
2016-10-19 13:39:37 -07:00
bprashanth
06cbb36a1f
Proxier unittests
2016-09-29 17:35:43 -07:00
bprashanth
93f9b54cab
NodePorts understand OnlyLocal
2016-09-29 17:35:43 -07:00
Girish Kalele
d3a1510e02
Fix kube-proxy logic to change iptables chains when ESIPP is turned on or off
2016-09-06 11:04:36 -07:00
Angus Salkeld
f785f3d3ef
Clean up IPTables caps i.e.: sed -i "s/Iptables/IPTables/g"
2016-08-29 10:34:42 +10:00
Kubernetes Submit Queue
189a870ec8
Merge pull request #30376 from justinsb/kubenet_mtu
...
Automatic merge from submit-queue
Add kubelet --network-plugin-mtu flag for MTU selection
* Add network-plugin-mtu option which lets us pass down a MTU to a network provider (currently processed by kubenet)
* Add a test, and thus make sysctl testable
2016-08-23 21:54:50 -07:00
Girish Kalele
b82c028f77
GCE Cloud provider changes for ESIPP
...
Add feature gate (ExternalTrafficLocalOnly) for alpha feature
2016-08-23 16:16:39 -07:00
Justin Santa Barbara
2c103af2b6
Create testable implementation of sysctl
...
This is so we can test kubenet Init, which calls sysctl
2016-08-23 01:42:37 -04:00
Minhan Xia
ec5699e451
clean up oldIptablesMasqueradeMark
2016-08-22 15:05:13 -07:00
Minhan Xia
392a92c9fa
change KUBE-XLB back to KUBE-FW
2016-08-18 10:19:59 -07:00
Minhan Xia
b31874fe82
bug fixes and nits
2016-08-18 10:19:59 -07:00
Minhan Xia
1acaa1db09
Revert "Revert "syncNetworkUtil in kubelet and fix loadbalancerSourceRange on GCE""
2016-08-18 10:19:48 -07:00
Daniel Smith
2aa0bb2dfc
Revert "syncNetworkUtil in kubelet and fix loadbalancerSourceRange on GCE"
2016-08-16 18:12:28 -07:00
Minhan Xia
643fc3803b
add firewall chain to filter request based on loadbalancer source range
2016-08-15 17:42:41 -07:00
Girish Kalele
5d6abf59ff
kube-proxy: Propagate hostname to iptables proxier
2016-08-09 10:05:29 -07:00
Tim Hockin
04d60ddab0
Remove br_netfilter warning in kube-proxy
...
Many distros have this module linked in, generating a spurious error.
2016-07-03 09:54:26 -07:00
David McMahon
ef0c9f0c5b
Remove "All rights reserved" from all the headers.
2016-06-29 17:47:36 -07:00
Minhan Xia
6a3ad1d66d
add hostport support for kubenet
2016-05-22 22:18:58 -07:00
Clayton Coleman
fdb110c859
Fix the rest of the code
2016-04-29 17:12:10 -04:00
Minhan Xia
56ad718008
only close new ports upon iptables-restore failure
2016-04-26 14:23:06 -07:00
goltermann
dddc6cb6c8
Fix a few spellings.
2016-04-21 15:16:42 -07:00
CJ Cullen
760568796f
Masquerade traffic from off-cluster going through kube-proxy.
2016-04-19 21:39:34 -07:00
Minhan Xia
ad8c67723a
add test for udp connection flush
2016-04-18 14:58:08 -07:00
Minhan Xia
4fa6f3841a
fixing dead endpoint black hole udp traffic
2016-04-13 10:20:02 -07:00
Dan Williams
6248939e11
Push responsibility for bridge-nf-call-iptables to kubelet network plugins
...
bridge-nf-call-iptables appears to only be relevant when the containers are
attached to a Linux bridge, which is usually the case with default Kubernetes
setups, docker, and flannel. That ensures that the container traffic is
actually subject to the iptables rules since it traverses a Linux bridge
and bridged traffic is only subject to iptables when bridge-nf-call-iptables=1.
But with other networking solutions (like openshift-sdn) that don't use Linux
bridges, bridge-nf-call-iptables may not be relevant, because iptables is
invoked at other points not involving a Linux bridge.
The decision to set bridge-nf-call-iptables should be influenced by networking
plugins, so push the responsibility out to them. If no network plugin is
specified, fall back to the existing bridge-nf-call-iptables=1 behavior.
2016-02-23 09:34:59 -06:00
k8s-merge-robot
b32078d89b
Merge pull request #20496 from matthewdupre/masquerade-config
...
Auto commit by PR queue bot
2016-02-08 10:49:20 -08:00
Matt Dupre
9925cddc11
Change iptables fwmark to use single configurable bit instead of whole mark space
2016-02-08 11:12:09 +00:00
k8s-merge-robot
c26087db45
Merge pull request #19611 from thockin/proxy-sysctl-decouple
...
Auto commit by PR queue bot
2016-02-06 23:01:48 -08:00
Tim Hockin
1e7db4a174
Implement proper cleanup in iptables proxy
2016-02-07 02:42:18 +00:00
Tim Hockin
107c5f7813
Put all masquerade mark logic into new chains
...
This allows us to use the MARK-MASQ chain as a subroutine, rather than encoding
the mark in many places. Having a KUBE-POSTROUTING chain means we can flush
and rebuild it atomically. This makes followon work to change the mark
significantly easier.
2016-02-07 02:42:07 +00:00
Tim Hockin
41ba8ced6d
Don't log errors on proxy leftover cleanup
2016-02-07 02:41:50 +00:00
Marc Lough
c33fcba311
Reject packets to services without endpoints
2016-02-04 20:56:02 +00:00
Prashanth Balasubramanian
e1fa6e9fb8
kube-proxy applies latest snapshot of endpoints and services.
2016-02-03 12:58:37 -08:00
Tim Hockin
11f75e61b9
Inject a kernel-compat tester for kube-proxy test
2016-02-02 22:11:39 -08:00
Tim Hockin
970c045848
Enable iptables kube-proxy by default in master
2015-11-13 18:38:01 -08:00
k8s-merge-robot
36bae67910
Merge pull request #16548 from ArtfulCoder/kube-proxy-mem-use
...
Auto commit by PR queue bot
2015-10-30 06:23:14 -07:00
Abhishek Shah
5367a32ee9
Read Iptables-save output in a more-memory-efficient way
2015-10-29 15:30:00 -07:00
Avesh Agarwal
e1837185de
Improves iptables cleanup for pure iptables based proxier.
2015-10-27 13:08:16 -04:00
derekwaynecarr
970c369f31
Kubelet sets kernel overcommit_memory flag
2015-10-06 14:28:46 -04:00
Alex Robinson
b1461be2e4
Merge pull request #14982 from Huawei-PaaS/fixed_typos_for_proxy
...
Fixed some typos for pkg/proxy
2015-10-05 11:40:03 -07:00
qiaolei
718d7df276
Fixed some typos
2015-10-03 00:33:35 +08:00
Mikaël Cluseau
4bf0ef8ce2
setSysctl for bridge-nf-call-iptables should fail with a warning
2015-09-26 17:11:33 +11:00
k8s-merge-robot
bf990acefa
Merge pull request #13988 from thockin/kube-proxy-startup-clobber
...
Auto commit by PR queue bot
2015-09-17 01:29:35 -07:00
Tim Hockin
84a9b0a37a
Fix bug in iptables proxy that clobbered endpoints
...
There is a race at startup where the two watch operations might clobber state
if the initial message comes in the wrong order.
2015-09-15 13:07:33 -07:00
Dan Winship
30ea22f40e
Make kube-proxy resync its rules on firewalld restart
2015-09-15 11:17:40 -04:00
Dan Winship
a41e422600
Drop the "v" from GetIptablesVersionString() output
...
Neither of its callers wants it
2015-08-31 09:54:57 -04:00
Tim Hockin
8e503f3814
Hold node ports in iptables proxier
2015-08-24 16:35:05 -07:00
Nikhil Jindal
9a7f871d17
Merge pull request #12896 from thockin/proxy-nodeports
...
Tail-call nodeports rules in iptables proxy
2015-08-24 10:39:54 -07:00
Tim Hockin
16102c41df
Tail-call nodeports rules in iptables proxy
2015-08-21 14:15:21 -07:00
BenTheElder
81ab51709a
Add --cleanup-iptables flag to kube-proxy
...
Adds a flag to cleanup iptables rules created by kube-proxy per
https://github.com/mesosphere/kubernetes-mesos/issues/353#issuecomment-127382832
2015-08-21 14:44:11 -04:00
Jerzy Szczepkowski
3df1b9e151
Merge pull request #12986 from BenTheElder/masquerade_all_flag
...
Add flag to masquerade all in kube-proxy when using iptables proxier
2015-08-21 10:28:07 +02:00
BenTheElder
1f2076ce64
Add flag to masquerade all in kube-proxy when using iptables proxier
2015-08-20 20:12:32 -04:00
Abhishek Shah
b6b8e99393
External IPs support.
2015-08-20 16:10:01 -07:00
Tim Hockin
6f34be30a3
Limit float precision to 5 points
2015-08-17 20:57:44 -07:00
Tim Hockin
7e9c685ba6
Require same min iptables version as -C
2015-08-17 20:57:44 -07:00
Tim Hockin
3a5c23d727
test for and set bridge-nf-call-iptables sysctl
2015-08-17 20:57:44 -07:00
Tim Hockin
9cf33772b4
test for and set route_localnet sysctl
2015-08-17 20:52:06 -07:00
Tim Hockin
f1a48574a6
Clean up logging, make initial sync faster
2015-08-17 20:52:06 -07:00
Tim Hockin
d72892d0b0
Include protocol in the hash for chain names
2015-08-17 20:52:06 -07:00
Tim Hockin
731d5e5191
Clean up iptables rules, add nodeport support
2015-08-17 20:52:06 -07:00
Tim Hockin
d14c98f6cc
Add nodeport chain and link it in, add unused MASQ rule
2015-08-17 20:52:06 -07:00
Robert Bailey
6fcdcec25d
Merge pull request #12658 from sdminonne/bug_fix2
...
to fix govet issue
2015-08-17 10:58:10 -07:00
Tim Hockin
776132e1ae
Make kube-proxy iptables sync period configurable
2015-08-13 09:53:32 -07:00
Salvatore Dario Minonne
48018c402c
to fix govet issue
2015-08-13 17:26:43 +02:00
BenTheElder
ae569e20b5
Partially Implement #3760
2015-08-12 02:39:15 -04:00