diff --git a/reactive/kubernetes_master.py b/reactive/kubernetes_master.py
index 8beb2958..5a6b27c8 100644
--- a/reactive/kubernetes_master.py
+++ b/reactive/kubernetes_master.py
@@ -704,6 +704,7 @@ def start_master():
 add_systemd_restart_always()
 add_systemd_file_limit()
 add_systemd_file_watcher()
+ add_systemd_iptables_patch()
 check_call(['systemctl', 'daemon-reload'])
 
 # Add CLI options to all components
@@ -2524,3 +2525,21 @@ def restart_addons_for_ca():
 except Exception:
 hookenv.log(traceback.format_exc())
 hookenv.log('Waiting to retry restarting addons')
+
+
+def add_systemd_iptables_patch():
+ source = 'templates/kube-proxy-iptables-fix.sh'
+ dest = '/usr/local/bin/kube-proxy-iptables-fix.sh'
+ copyfile(source, dest)
+ os.chmod(dest, 0o775)
+
+ template = 'templates/service-iptables-fix.service'
+ dest_dir = '/etc/systemd/system'
+ os.makedirs(dest_dir, exist_ok=True)
+ service_name = 'kube-proxy-iptables-fix.service'
+ copyfile(template, '{}/{}'.format(dest_dir, service_name))
+
+ check_call(['systemctl', 'daemon-reload'])
+
+ # enable and run the service
+ service_resume(service_name)
diff --git a/templates/kube-proxy-iptables-fix.sh b/templates/kube-proxy-iptables-fix.sh
new file mode 100644
index 00000000..a6d219ef
--- /dev/null
+++ b/templates/kube-proxy-iptables-fix.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# add the chain, note that adding twice is ok as it will just error.
+/sbin/iptables -t nat -N KUBE-MARK-DROP
+
+# need to check the creation of the rule to ensure we only create it once.
+if ! /sbin/iptables -t nat -C KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 &> /dev/null; then
+ /sbin/iptables -t nat -A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
+fi
diff --git a/templates/service-iptables-fix.service b/templates/service-iptables-fix.service
new file mode 100644
index 00000000..913aed3d
--- /dev/null
+++ b/templates/service-iptables-fix.service
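Review bot: `os.chmod(dest, 0o775)` in add_systemd_iptables_patch installs a script that a root-run oneshot unit executes as group-writable; an executable run as root should be writable only by its owner, so `os.chmod(dest, 0o755)` is the appropriate mode. The function also lacks a docstring; a one-liner such as `"""Install and start the oneshot unit that pre-creates the KUBE-MARK-DROP nat chain."""` would record why it exists. The relative `templates/...` source paths presumably resolve against the charm directory as the neighbouring helpers do; worth confirming the hook's working directory rather than relying on it. The `daemon-reload` here repeats the one start_master issues immediately after the call added in the first hunk, which is harmless but redundant.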
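Review bot: `&> /dev/null` on the `-C` check is a bash redirection, but the script's interpreter is `#!/bin/sh`; under a POSIX sh such as dash it parses as `&` (background the check) followed by an empty redirection, so the `if` condition does not see the check's exit status and the rule is appended again on every run. The portable form is `if ! /sbin/iptables -t nat -C KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000 > /dev/null 2>&1; then`, or alternatively change the shebang to `#!/bin/bash`. Since the comment on the `-N` line documents that a repeated chain creation is expected to fail, adding `2>/dev/null` to that line would keep the unit's journal free of the expected error.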
@@ -0,0 +1,11 @@
+[Unit]
+Description=Apply iptables rule for KUBE-MARK-DROP
+After=network.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/kube-proxy-iptables-fix.sh
+RemainAfterExit=true
+
+[Install]
+WantedBy=multi-user.target
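Review bot: Nothing in the unit orders it relative to the kube-proxy service it is presumably meant to fix; `After=network.target` only sequences it after networking comes up. If the intent is that the KUBE-MARK-DROP chain and rule exist before kube-proxy starts, a `Before=` naming the kube-proxy unit (its exact unit name is not visible in this diff) in the `[Unit]` section would express that ordering explicitly. A short comment in the unit saying why the chain is pre-created would also help the next maintainer.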