Harden kube-proxy for unmatched IP versions #56880
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
MrHohn
force-pushed
the
kube-proxy-ipv6-fix
branch
from
a325f20 to
4c8edf0
Compare
MrHohn
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
MrHohn
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
MrHohn
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
pkg/proxy/util/utils.go
Outdated
| @@ -56,3 +65,20 @@ func ShouldSkipService(svcName types.NamespacedName, service *api.Service) bool | |||
| } | |||
| return false | |||
| } | |||
|
|
|||
| // This assumes ip is a valid IP. | |||
| func IsDualStackIP(ip string, isIPv6Mode bool) bool { | |||
There was a problem hiding this comment.
This is an awkward API, to me. Maybe it's just the name. What if this were "IsCorrectIPVersion(ip string, expectIPv6 bool)" ? It's not really about dual-stack at all, but about not matching the expected version. Would eliminate "dual stack" from all the names
There was a problem hiding this comment.
Ack, I chose a wrong name. Will remove "dual stack"s.
|
@m1093782566 Do we need similar filters for ipvs mode? |
|
Yes, we need it. I am willing to create another PR... |
pkg/proxy/iptables/proxier_test.go
Outdated
| @@ -1550,11 +1553,69 @@ func Test_endpointsToEndpointsMap(t *testing.T) { | |||
| {endpoint: "1.1.1.1:22", isLocal: false}, | |||
| }, | |||
| }, | |||
| }, { | |||
| // Case: should omit IPv6 address in IPv4 mode | |||
There was a problem hiding this comment.
nit: Can we add test case number, e.g. Case[9]: should omit IPv6 address in IPv4 mode?
pkg/proxy/iptables/proxier_test.go
Outdated
| }, | ||
| }, | ||
| }, { | ||
| // Case: should omit IPv4 address in IPv6 mode |
pkg/proxy/iptables/proxier_test.go
Outdated
| desc string | ||
| newService *api.Service | ||
| isIPv6Mode bool | ||
| // This unit test only does verification on externalIPs and loadBalancerSourceRanges. |
There was a problem hiding this comment.
Why the test doesn't cover ClusterIP?
There was a problem hiding this comment.
Sorry, the comments are confusing, it does cover ClusterIP. Will clarify it a bit in comment,
MrHohn
changed the title
pkg/proxy/iptables/proxier.go
Outdated
| Name: service.Name, | ||
| Namespace: service.Namespace, | ||
| UID: service.UID, | ||
| }, v1.EventTypeWarning, "KubeProxyDualStackUnsupported", "Unsupported dual stack externalIP: %v", externalIP) |
There was a problem hiding this comment.
Before I push the updated commit, one more thing to point out --- emitting event like this means if there are 1,000 nodes, we will have 1,000 events, given that the hostname in EventSource is different. Would this be a problem? Or I can seek for a way to remove the hostname source so that they can be deduped.
Example events as below:
25s 25s 1 my-nginx Service Warning KubeProxyIncorrectIPVersion kube-proxy, e2e-test-XXX-minion-group-p1ch Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35
25s 25s 1 my-nginx Service Warning KubeProxyIncorrectIPVersion kube-proxy, e2e-test-XXX-minion-group-5qks Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35
25s 25s 1 my-nginx Service Warning KubeProxyIncorrectIPVersion kube-proxy, e2e-test-XXX-minion-group-dz4x Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35
4c8edf0 to
c5219e9
Compare
Wrapped some identical logging and eventing into a function. Also pointing to the question on #56880 (comment) again as it somehow got folded. |
k8s-ci-robot
added
release-note
|
/retest |
pkg/proxy/iptables/proxier.go
Outdated
| @@ -466,16 +487,33 @@ func NewProxier(ipt utiliptables.Interface, | |||
|
|
|||
| if len(clusterCIDR) == 0 { | |||
| glog.Warningf("clusterCIDR not specified, unable to distinguish between internal and external traffic") | |||
| } else { | |||
| // Filter out the incorrect IP version case. | |||
There was a problem hiding this comment.
Rather than filtering - this should probably be a real error. What do you think?
There was a problem hiding this comment.
Yes, this should be a real error. Done.
pkg/proxy/iptables/proxier.go
Outdated
| @@ -864,9 +902,16 @@ func endpointsToEndpointsMap(endpoints *api.Endpoints, hostname string) proxyEnd | |||
| glog.Warningf("ignoring invalid endpoint port %s with empty host", port.Name) | |||
| continue | |||
| } | |||
| // Filter out the incorrect IP version case. | |||
| if !utilproxy.CheckIPVersion(addr.IP, ecm.isIPv6Mode) { | |||
There was a problem hiding this comment.
Maybe easier to read:
if utilproxy.IsIPv6(addr.IP) != ecm.isIPv6Mode {
Same at other callsites
There was a problem hiding this comment.
Good point, suggestion applied.
pkg/proxy/iptables/proxier.go
Outdated
| info.externalIPs = append(info.externalIPs, externalIP) | ||
| } | ||
| for _, sourceRange := range service.Spec.LoadBalancerSourceRanges { | ||
| if !utilproxy.CheckCIDRVersion(sourceRange, scm.isIPv6Mode) { |
There was a problem hiding this comment.
if utilproxy.IsIPv6CIDR(sourceRange) != scm.isIPv6Mode {
c5219e9 to
877ed17
Compare
MrHohn
force-pushed
the
kube-proxy-ipv6-fix
branch
from
f3b9a03 to
9d64f94
Compare
|
/retest |
MrHohn
force-pushed
the
kube-proxy-ipv6-fix
branch
2 times, most recently
from
351b407 to
c865460
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Thanks! Rebasing now... |
MrHohn
force-pushed
the
kube-proxy-ipv6-fix
branch
from
c865460 to
6004452
Compare
k8s-github-robot
removed
the
lgtm
|
@freehan Rebased PR. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bowei, freehan, MrHohn, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
/test pull-kubernetes-e2e-gce |
|
Added milestone as @bowei already approved it for the milestone |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 53689, 56880, 55856, 59289, 60249). If you want to cherry-pick this change to another branch, please follow the instructions here. |
What this PR does / why we need it:
This PR makes kube-proxy omits & logs & emits event for unmatched IP versions configuration (IPv6 address in IPv4 mode or IPv4 address in IPv6 mode).
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #57219
Special notes for your reviewer:
Release note: