Bridge off-cluster traffic into services by masquerading. #24429
Conversation
|
I am flagging this for Cherrypick |
| @@ -75,6 +75,7 @@ func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) { | |||
| fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.") | |||
| fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed. Must be greater than 0.") | |||
| fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything") | |||
| fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of Pods in the Cluster.") | |||
There was a problem hiding this comment.
nit: don't capitalize Pod and Cluster here :)
say what happens if this is not provided.
k8s-github-robot
added
kind/api-change
| @@ -713,6 +715,9 @@ func (proxier *Proxier) syncProxyRules() { | |||
| if proxier.masqueradeAll { | |||
| writeLine(natRules, append(args, "-j", string(kubeMarkMasqChain))...) | |||
| } | |||
| if len(proxier.clusterCIDR) > 0 { | |||
There was a problem hiding this comment.
This will write once per-service, won't it? Can you achieve the same effect by writing once at ~L687
There was a problem hiding this comment.
or is that too broad? Hmm, don't do it yet, let me think.
There was a problem hiding this comment.
Thought about that too. I copied the functionality of --masquerade-all
There was a problem hiding this comment.
Yeah, you're right. It's unfortunate, but any simpler solution is either too broad or costs the same number of rules.
|
GCE e2e build/test passed for commit 20fb8c70da6580e8e3a92242710a1689698ae7c0. |
|
GCE e2e build/test passed for commit 8aaf6466040d01a16e74eeafd3d8dde12e2913f7. |
cjcullen
force-pushed
the
bastion
branch
2 times, most recently
from
eb8b18f to
8cbc137
Compare
| @@ -75,6 +75,7 @@ func (s *ProxyServerConfig) AddFlags(fs *pflag.FlagSet) { | |||
| fs.DurationVar(&s.IPTablesSyncPeriod.Duration, "iptables-sync-period", s.IPTablesSyncPeriod.Duration, "How often iptables rules are refreshed (e.g. '5s', '1m', '2h22m'). Must be greater than 0.") | |||
| fs.DurationVar(&s.ConfigSyncPeriod, "config-sync-period", s.ConfigSyncPeriod, "How often configuration from the apiserver is refreshed. Must be greater than 0.") | |||
| fs.BoolVar(&s.MasqueradeAll, "masquerade-all", s.MasqueradeAll, "If using the pure iptables proxy, SNAT everything") | |||
| fs.StringVar(&s.ClusterCIDR, "cluster-cidr", s.ClusterCIDR, "The CIDR range of pods in the cluster. It is used to masquerade traffic coming from outside of the cluster. If not provided, no off-cluster masquerading will be performed.") | |||
|
Only a nit on the flag description. |
thockin
added
release-note
thockin
changed the title
|
I re-titled this for release note |
|
feel free to self-LGTM when nit is done. |
|
GCE e2e build/test passed for commit eb8b18f5dddabfa0896ca7fce3fdc957f95d38ac. |
|
GCE e2e build/test passed for commit 55855778134d37a41d5faa16791a8400ad7a3447. |
|
GCE e2e build/test passed for commit 8cbc137de76534ad5a6be1dfd4c0961bd1c560ed. |
cjcullen
added
the
lgtm
|
GCE e2e build/test passed for commit 0dd7cf8e881c1ba816e22a5ce1808bc29ccbe1df. |
|
@pwittrock Any info on how to dig into the node e2e failure? |
|
@cjcullen The node e2e tests don't post comments (it was decided that adding yet another comment bot was too much spam), so the details link is the best way. If you have jenkins access, you can also find the build there. In this case the issue seems to be:
I filed #24508 for this since I didn't see any other issues with the same symptom. |
|
GCE e2e build/test passed for commit 0dd7cf8e881c1ba816e22a5ce1808bc29ccbe1df. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
k8s-github-robot
added
the
needs-rebase
|
GCE e2e build/test passed for commit 0dd7cf8e881c1ba816e22a5ce1808bc29ccbe1df. |
|
PR changed after LGTM, removing LGTM. |
k8s-github-robot
removed
lgtm
|
Automatic merge from submit-queue |
|
GCE e2e build/test passed for commit 7605687. |
zmerlynn
added
the
cherry-pick-approved
…29-upstream-release-1.2 Automated cherry pick of #24429
|
Commit found in the "release-1.2" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked. |
Automatic merge from submit-queue Trusty: Handle the new var in kube-proxy manifest This is to capture the kube-proxy manifest change in PR #24429. @roberthbailey @fabioy @zmerlynn please review this change and mark it as cherry pick candidate. We need to catch up 1.2.3 release. cc/ @dchen1107 @wonderfly @cjcullen FYI. I have verified this fix. Without this fix, kube-proxy pod in Trusty nodes cannot be started correctly, i.e., the command line has an unhadled variable. And some other kube-system pods do not work correctly as kube-proxy is not working well. After applying this fix, kube-proxy can be started correctly, and all kube-system pods run successfully.
|
@zmerlynn looks like the k8sm CI has been hosed for a while. We'll have to fix master. |
…ck-of-#24429-upstream-release-1.2 Automated cherry pick of kubernetes#24429
…ck-of-#24429-upstream-release-1.2 Automated cherry pick of kubernetes#24429
Allows service IPs to be accessed from outside of the cluster. This requires that the service range be routed to a node (or several nodes) in the cluster.
Addresses #24224.
@thockin @ArtfulCoder