the "publicIPs" field should be validated for actual IP address values #4897

Closed
@miabbott

Description

Setup

  • RHEL Atomic
  • kubernetes-0.9.0-0.3.git96af0c3.el7.x86_64

Description
When creating a simple service, I tried using a hostname for the publicIPs field as shown below:

{
    "apiVersion": "v1beta1",
    "containerPort": 80,
    "id": "frontend",
    "kind": "Service",
    "labels": {
        "name": "frontend"
    },
    "port": 80,
    "publicIPs": [
        "kube-minion1"
    ],
    "selector": {
        "name": "apache"
    }
}

When I fed that service to kubectl, it happily tried to create it.

# kubectl create -f frontend.json 
frontend

However, when the minion tried to start up the service, it was unable to create the necessary iptables rules to start the service:

Feb 27 14:31:34 atomic-00.localdomain systemd[1]: Starting Kubernetes Kube-Proxy Server...
Feb 27 14:31:34 atomic-00.localdomain systemd[1]: Started Kubernetes Kube-Proxy Server.
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.668187    8559 proxier.go:782] Choosing interface ens3 for from-host portals
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.668323    8559 proxier.go:787] Interface ens3 = 192.168.122.178/24
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.668332    8559 proxier.go:326] Initializing iptables
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.669263    8559 iptables.go:186] running iptables -C [PREROUTING -t nat -j KUBE-PROXY]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.671206    8559 iptables.go:186] running iptables -C [OUTPUT -t nat -j KUBE-PROXY]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.672179    8559 iptables.go:186] running iptables -F [KUBE-PROXY -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.673575    8559 iptables.go:186] running iptables -X [KUBE-PROXY -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.675136    8559 iptables.go:186] running iptables -N [KUBE-PORTALS-CONTAINER -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.677610    8559 iptables.go:186] running iptables -C [PREROUTING -t nat -j KUBE-PORTALS-CONTAINER]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.678870    8559 iptables.go:186] running iptables -N [KUBE-PORTALS-HOST -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.680732    8559 iptables.go:186] running iptables -C [OUTPUT -t nat -j KUBE-PORTALS-HOST]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.681917    8559 iptables.go:186] running iptables -F [KUBE-PORTALS-CONTAINER -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.682885    8559 iptables.go:186] running iptables -F [KUBE-PORTALS-HOST -t nat]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.684109    8559 proxy.go:89] Using api calls to get config http://kube-master:8080
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691305    8559 roundrobin.go:214] LoadBalancerRR: Setting endpoints for kubernetes to [192.168.122.61:8080]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691379    8559 roundrobin.go:195] Delete endpoint 192.168.122.61:8080 for service: kubernetes
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691393    8559 roundrobin.go:214] LoadBalancerRR: Setting endpoints for kubernetes-ro to [192.168.122.61:7080]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691399    8559 roundrobin.go:195] Delete endpoint 192.168.122.61:7080 for service: kubernetes-ro
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691404    8559 roundrobin.go:214] LoadBalancerRR: Setting endpoints for frontend to [18.0.79.2:80]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.691408    8559 roundrobin.go:195] Delete endpoint 18.0.79.2:80 for service: frontend
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.693986    8559 proxier.go:480] Adding new service "frontend" at 10.254.195.231:80/TCP (local :0)
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.694202    8559 proxier.go:443] Proxying for service "frontend" on TCP port 39694
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.695492    8559 iptables.go:186] running iptables -C [KUBE-PORTALS-CONTAINER -t nat -m comment --comment frontend -p tcp -m tcp -d 10.254.195.231/32 --dport 80 -j REDIRECT --to-ports 39694]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.697206    8559 iptables.go:186] running iptables -A [KUBE-PORTALS-CONTAINER -t nat -m comment --comment frontend -p tcp -m tcp -d 10.254.195.231/32 --dport 80 -j REDIRECT --to-ports 39694]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.698675    8559 proxier.go:552] Opened iptables from-containers portal for service "frontend" on TCP 10.254.195.231:80
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.699826    8559 iptables.go:186] running iptables -C [KUBE-PORTALS-HOST -t nat -m comment --comment frontend -p tcp -m tcp -d 10.254.195.231/32 --dport 80 -j DNAT --to-destination 192.168.122.178:39694]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.702526    8559 iptables.go:186] running iptables -A [KUBE-PORTALS-HOST -t nat -m comment --comment frontend -p tcp -m tcp -d 10.254.195.231/32 --dport 80 -j DNAT --to-destination 192.168.122.178:39694]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.704000    8559 proxier.go:563] Opened iptables from-host portal for service "frontend" on TCP 10.254.195.231:80
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: I0227 14:31:34.705133    8559 iptables.go:186] running iptables -C [KUBE-PORTALS-CONTAINER -t nat -m comment --comment frontend -p tcp -m tcp -d <nil>/32 --dport 80 -j REDIRECT --to-ports 39694]
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: E0227 14:31:34.707053    8559 proxier.go:548] Failed to install iptables KUBE-PORTALS-CONTAINER rule for service "frontend"
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: E0227 14:31:34.707074    8559 proxier.go:496] Failed to open portal for "frontend": error checking rule: exit status 2: iptables v1.4.21: host/network `<nil>' not found
Feb 27 14:31:34 atomic-00.localdomain kube-proxy[8559]: Try `iptables -h' or 'iptables --help' for more information.

When I changed the value of publicIPs to an actual IP address, the iptables rules on the minions were successfully created.

This leads me to believe there should be some validation of the publicIPs field to make sure that actual IP addresses are provided.
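
An added example (not part of the original issue, and not Kubernetes' own validation code) of the check the report asks for: reject any `publicIPs` entry that is not a literal IP address before the object is accepted. The `service` struct, function names, and the extra sample addresses are assumptions made for illustration. `main` also shows that Go's `net.ParseIP` returns a nil address for a hostname and that it prints as `<nil>`, consistent with the `-d <nil>/32` argument in the log above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// service holds only the fields of the v1beta1 Service manifest needed here.
type service struct {
	ID        string   `json:"id"`
	PublicIPs []string `json:"publicIPs"`
}

// validatePublicIPs returns one error per entry that is not a literal IPv4
// or IPv6 address. Hostnames are rejected rather than resolved, so the
// stored object never depends on DNS state at creation time.
func validatePublicIPs(ips []string) []error {
	var errs []error
	for i, s := range ips {
		if net.ParseIP(s) == nil {
			errs = append(errs, fmt.Errorf("publicIPs[%d]: %q is not a valid IP address", i, s))
		}
	}
	return errs
}

// validateManifest decodes a manifest and validates its publicIPs field.
func validateManifest(raw []byte) (string, []error) {
	var svc service
	if err := json.Unmarshal(raw, &svc); err != nil {
		return "", []error{fmt.Errorf("decode: %w", err)}
	}
	return svc.ID, validatePublicIPs(svc.PublicIPs)
}

// Constructed sample: the issue's manifest (abridged) plus extra test entries.
const sampleManifest = `{"apiVersion":"v1beta1","kind":"Service","id":"frontend","port":80,
 "publicIPs":["kube-minion1","192.168.122.178"," 10.0.0.1","2001:db8::1"]}`

func main() {
	// A hostname does not parse; the nil net.IP prints as "<nil>".
	fmt.Printf("-d %s/32\n", net.ParseIP("kube-minion1"))
	id, errs := validateManifest([]byte(sampleManifest))
	for _, e := range errs {
		fmt.Printf("service %q rejected: %v\n", id, e)
	}
}
```

Run against the sample, the hostname and the address with a leading space are rejected, while the IPv4 and IPv6 literals pass.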

Labels

  • area/api: Indicates an issue on api area.
  • priority/backlog: Higher priority than priority/awaiting-more-evidence.
  • sig/api-machinery: Categorizes an issue or PR as relevant to SIG API Machinery.
