diff --git a/docs/user-guide.md b/docs/user-guide.md
index 7ce8056fc6..0a3d4255c7 100644
--- a/docs/user-guide.md
+++ b/docs/user-guide.md
@@ -52,7 +52,7 @@ Usage of kube-router:
 --enable-overlay When enable-overlay set to true, IP-in-IP tunneling is used for pod-to-pod networking across nodes in different subnets. When set to false no tunneling is used and routing infrastrcture is expected to route traffic for pod-to-pod networking across nodes in different subnets (default true)
 --enable-pod-egress SNAT traffic from Pods to destinations outside the cluster. (default true)
 --enable-pprof Enables pprof for debugging performance and memory leak issues.
- --hairpin-mode Add iptable rules for every Service Endpoint to support hairpin traffic.
+ --hairpin-mode Add iptables rules for every Service Endpoint to support hairpin traffic.
 --health-port uint16 Health check port, 0 = Disabled (default 20244)
 -h, --help Print usage information.
 --hostname-override string Overrides the NodeName of the node. Set this if kube-router is unable to determine your NodeName automatically.
diff --git a/pkg/controllers/netpol/network_policy_controller.go b/pkg/controllers/netpol/network_policy_controller.go
index ea843981df..d04064e361 100644
--- a/pkg/controllers/netpol/network_policy_controller.go
+++ b/pkg/controllers/netpol/network_policy_controller.go
@@ -40,11 +40,11 @@ const (
 // Network policy controller provides both ingress and egress filtering for the pods as per the defined network
 // policies. Two different types of iptables chains are used. Each pod running on the node which either
-// requires ingress or egress filtering gets a pod specific chains. Each network policy has a iptable chain, which
+// requires ingress or egress filtering gets a pod specific chains. Each network policy has a iptables chain, which
 // has rules expressed through ipsets matching source and destination pod ip's. In the FORWARD chain of the
 // filter table a rule is added to jump the traffic originating (in case of egress network policy) from the pod
-// or destined (in case of ingress network policy) to the pod specific iptable chain. Each
-// pod specific iptable chain has rules to jump to the network polices chains, that pod matches. So packet
+// or destined (in case of ingress network policy) to the pod specific iptables chain. Each
+// pod specific iptables chain has rules to jump to the network polices chains, that pod matches. So packet
 // originating/destined from/to pod goes through fitler table's, FORWARD chain, followed by pod specific chain,
 // followed by one or more network policy chains, till there is a match which will accept the packet, or gets
 // dropped by the rule in the pod chain, if there is no match.
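Review bot: The rewritten line still reads `Each network policy has a iptables chain`; since the commit already touches it, the article should become `an iptables chain` at the same time. The same paragraph keeps `fitler table's` two lines below and `network polices chains` on the other rewritten line, so a typo pass like this one should sweep the whole comment rather than only the word it was searching for. The declaration this comment documents is outside the hunk.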
@@ -257,13 +257,13 @@ func (npc *NetworkPolicyController) Sync() error {
 err = cleanupStaleRules(activePolicyChains, activePodFwChains, activePolicyIpSets)
 if err != nil {
- return errors.New("Aborting sync. Failed to cleanup stale iptable rules: " + err.Error())
+ return errors.New("Aborting sync. Failed to cleanup stale iptables rules: " + err.Error())
 }
 return nil
 }
-// Configure iptable rules representing each network policy. All pod's matched by
+// Configure iptables rules representing each network policy. All pod's matched by
 // network policy spec podselector labels are grouped together in one ipset which
 // is used for matching destination ip address. Each ingress rule in the network
 // policyspec is evaluated to set of matching pods, which are grouped in to a
@@ -358,7 +358,7 @@ func (npc *NetworkPolicyController) processIngressRules(policy networkPolicyInfo
 policyChainName := networkPolicyChainName(policy.namespace, policy.name, version)
- // run through all the ingress rules in the spec and create iptable rules
+ // run through all the ingress rules in the spec and create iptables rules
 // in the chain for the network policy
 for i, ingressRule := range policy.ingressRules {
@@ -521,7 +521,7 @@ func (npc *NetworkPolicyController) processEgressRules(policy networkPolicyInfo,
 policyChainName := networkPolicyChainName(policy.namespace, policy.name, version)
- // run through all the egress rules in the spec and create iptable rules
+ // run through all the egress rules in the spec and create iptables rules
 // in the chain for the network policy
 for i, egressRule := range policy.egressRules {
@@ -1460,7 +1460,7 @@ func (npc *NetworkPolicyController) Cleanup() {
 // delete jump rules in FORWARD chain to pod specific firewall chain
 forwardChainRules, err := iptablesCmdHandler.List("filter", "FORWARD")
 if err != nil {
- glog.Errorf("Failed to delete iptable rules as part of cleanup")
+ glog.Errorf("Failed to delete iptables rules as part of cleanup")
 return
 }
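Review bot: In the `@@ -1460` hunk the rewritten message `Failed to delete iptables rules as part of cleanup` describes the wrong operation and drops the error: the call that failed is `iptablesCmdHandler.List("filter", "FORWARD")`, and `err` is never logged, so an operator cannot tell why cleanup stopped. Suggest `glog.Errorf("Failed to list FORWARD chain rules as part of cleanup: %s", err.Error())`, and the matching line in the `@@ -1476` hunk (the `OUTPUT` listing) has the same problem. Cleanup's body continues outside the hunk.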
@@ -1476,7 +1476,7 @@ func (npc *NetworkPolicyController) Cleanup() {
 // delete jump rules in OUTPUT chain to pod specific firewall chain
 forwardChainRules, err = iptablesCmdHandler.List("filter", "OUTPUT")
 if err != nil {
- glog.Errorf("Failed to delete iptable rules as part of cleanup")
+ glog.Errorf("Failed to delete iptables rules as part of cleanup")
 return
 }
@@ -1495,12 +1495,12 @@ func (npc *NetworkPolicyController) Cleanup() {
 if strings.HasPrefix(chain, kubePodFirewallChainPrefix) {
 err = iptablesCmdHandler.ClearChain("filter", chain)
 if err != nil {
- glog.Errorf("Failed to cleanup iptable rules: " + err.Error())
+ glog.Errorf("Failed to cleanup iptables rules: " + err.Error())
 return
 }
 err = iptablesCmdHandler.DeleteChain("filter", chain)
 if err != nil {
- glog.Errorf("Failed to cleanup iptable rules: " + err.Error())
+ glog.Errorf("Failed to cleanup iptables rules: " + err.Error())
 return
 }
 }
@@ -1512,12 +1512,12 @@ func (npc *NetworkPolicyController) Cleanup() {
 if strings.HasPrefix(chain, kubeNetworkPolicyChainPrefix) {
 err = iptablesCmdHandler.ClearChain("filter", chain)
 if err != nil {
- glog.Errorf("Failed to cleanup iptable rules: " + err.Error())
+ glog.Errorf("Failed to cleanup iptables rules: " + err.Error())
 return
 }
 err = iptablesCmdHandler.DeleteChain("filter", chain)
 if err != nil {
- glog.Errorf("Failed to cleanup iptable rules: " + err.Error())
+ glog.Errorf("Failed to cleanup iptables rules: " + err.Error())
 return
 }
 }
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
index cabe3837fb..c46a61931e 100644
--- a/pkg/controllers/proxy/network_services_controller.go
+++ b/pkg/controllers/proxy/network_services_controller.go
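Review bot: The four rewritten lines in the `@@ -1495` and `@@ -1512` hunks pass a non-constant format string to `glog.Errorf`: `"Failed to cleanup iptables rules: " + err.Error()` is interpreted as a format, so any `%` in the iptables error text is mangled and `go vet` flags the call. Since these lines are being touched anyway, use a verb, e.g. `glog.Errorf("Failed to cleanup iptables rules in chain %s: %s", chain, err.Error())`, which also records which chain the ClearChain/DeleteChain failed on, something the current identical messages cannot tell apart. The surrounding loop over chains starts and ends outside these hunks.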
@@ -277,10 +277,10 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 glog.Infof("Starting network services controller")
- // enable masquerad rule
 err := ensureMasqueradeIptablesRule(nsc.masqueradeAll, nsc.podCidr)
+ // enable masquerade rule
 if err != nil {
- return errors.New("Failed to do add masquerad rule in POSTROUTING chain of nat table due to: %s" + err.Error())
+ return errors.New("Failed to do add masquerade rule in POSTROUTING chain of nat table due to: %s" + err.Error())
 }
 // https://www.kernel.org/doc/Documentation/networking/ipvs-sysctl.txt
 // enable ipvs connection tracking
@@ -362,17 +362,17 @@ func (nsc *NetworkServicesController) sync() error {
 nsc.mu.Lock()
 defer nsc.mu.Unlock()
- // enable masquerad rule
 err = ensureMasqueradeIptablesRule(nsc.masqueradeAll, nsc.podCidr)
+ // enable masquerade rule
 if err != nil {
- glog.Errorf("Failed to do add masquerad rule in POSTROUTING chain of nat table due to: %s", err.Error())
+ glog.Errorf("Failed to do add masquerade rule in POSTROUTING chain of nat table due to: %s", err.Error())
 }
 nsc.serviceMap = nsc.buildServicesInfo()
 nsc.endpointsMap = nsc.buildEndpointsInfo()
 err = nsc.syncHairpinIptablesRules()
 if err != nil {
- glog.Errorf("Error syncing hairpin iptable rules: %s", err.Error())
+ glog.Errorf("Error syncing hairpin iptables rules: %s", err.Error())
 }
 err = nsc.syncIpvsServices(nsc.serviceMap, nsc.endpointsMap)
@@ -931,7 +931,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 fwMark := generateFwmark(externalIP, svc.protocol, strconv.Itoa(svc.port))
 externalIpServiceId = fmt.Sprint(fwMark)
- // ensure there is iptable mangle table rule to FWMARK the packet
+ // ensure there is iptables mangle table rule to FWMARK the packet
 err = setupMangleTableRule(externalIP, svc.protocol, strconv.Itoa(svc.port), externalIpServiceId)
 if err != nil {
 glog.Errorf("Failed to setup mangle table rule to FMWARD the traffic to external IP")
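Review bot: The rewritten return in the `@@ -277` hunk still leaves a literal `%s` in the error: `errors.New("... due to: %s" + err.Error())` does no formatting, so the message reads `...due to: %sexit status 1` style. The line is already being rewritten, so make it `return fmt.Errorf("Failed to add masquerade rule in POSTROUTING chain of nat table due to: %s", err.Error())` (fmt is already used in this file, see the `@@ -931` hunk). Separately, in both the `@@ -277` and `@@ -362` hunks the `// enable masquerade rule` comment was moved to sit between the `ensureMasqueradeIptablesRule` call and its error check; it should stay on the line above the call it describes. Run's body continues outside the hunk.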
@@ -964,7 +964,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 externalIpServices = append(externalIpServices, externalIPService{ipvsSvc: ipvsExternalIPSvc, externalIp: externalIP})
 externalIpServiceId = generateIpPortId(externalIP, svc.protocol, strconv.Itoa(svc.port))
- // ensure there is NO iptable mangle table rule to FWMARK the packet
+ // ensure there is NO iptables mangle table rule to FWMARK the packet
 fwMark := fmt.Sprint(generateFwmark(externalIP, svc.protocol, strconv.Itoa(svc.port)))
 err = nsc.ln.cleanupMangleTableRule(externalIP, svc.protocol, strconv.Itoa(svc.port), fwMark)
 if err != nil {
@@ -1157,7 +1157,7 @@ func (nsc *NetworkServicesController) syncIpvsServices(serviceInfoMap serviceInf
 err = nsc.syncIpvsFirewall()
 if err != nil {
- glog.Errorf("Error syncing ipvs svc iptable rules: %s", err.Error())
+ glog.Errorf("Error syncing ipvs svc iptables rules: %s", err.Error())
 }
 glog.V(1).Info("IPVS servers and services are synced to desired state")
@@ -1471,7 +1471,7 @@ func (nsc *NetworkServicesController) buildEndpointsInfo() endpointsInfoMap {
 return endpointsMap
 }
-// Add an iptable rule to masquerad outbound IPVS traffic. IPVS nat requires that reverse path traffic
+// Add an iptables rule to masquerade outbound IPVS traffic. IPVS nat requires that reverse path traffic
 // to go through the director for its functioning. So the masquerade rule ensures source IP is modifed
 // to node ip, so return traffic from real server (endpoint pods) hits the node/lvs director
 func ensureMasqueradeIptablesRule(masqueradeAll bool, podCidr string) error {
@@ -1496,7 +1496,7 @@ func ensureMasqueradeIptablesRule(masqueradeAll bool, podCidr string) error {
 return errors.New("Failed to run iptables command" + err.Error())
 }
 }
- glog.V(2).Info("Successfully synced iptables masquerad rule")
+ glog.V(2).Info("Successfully synced iptables masquerade rule")
 return nil
 }
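Review bot: The doc comment rewritten in the `@@ -1471` hunk still contains `modifed` on its second line, and it does not follow the Go convention of opening with the function name, so godoc will not attach it cleanly. Suggest starting it as `// ensureMasqueradeIptablesRule adds an iptables rule to masquerade outbound IPVS traffic. IPVS NAT requires that reverse path traffic` and fixing `modifed` to `modified` on the following line. The function body is outside this hunk.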
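Review bot: The context line at the top of the `@@ -1496` hunk, `errors.New("Failed to run iptables command" + err.Error())`, concatenates the iptables error directly onto the message with no separator, which the commit leaves untouched while editing the same function; the result reads `commandexit status ...`. Since the surrounding lines are in this change, `"Failed to run iptables command: " + err.Error()` would match the `: ` convention used by the other rewritten messages in this commit. The function starts outside the hunk.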
@@ -1668,7 +1668,7 @@ func deleteHairpinIptablesRules() error {
 jumpArgs := []string{"-m", "ipvs", "--vdir", "ORIGINAL", "-j", hairpinChain}
 hasHairpinJumpRule, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", jumpArgs...)
 if err != nil {
- return errors.New("Failed to search POSTROUTING iptable rules: " + err.Error())
+ return errors.New("Failed to search POSTROUTING iptables rules: " + err.Error())
 }
 // Delete the jump rule to the hairpin chain
@@ -1702,7 +1702,7 @@ func deleteMasqueradeIptablesRule() error {
 }
 postRoutingChainRules, err := iptablesCmdHandler.List("nat", "POSTROUTING")
 if err != nil {
- return errors.New("Failed to list iptable rules in POSTROUTING chain in nat table" + err.Error())
+ return errors.New("Failed to list iptables rules in POSTROUTING chain in nat table" + err.Error())
 }
 for i, rule := range postRoutingChainRules {
 if strings.Contains(rule, "ipvs") && strings.Contains(rule, "MASQUERADE") {
@@ -2003,7 +2003,7 @@ const (
 externalIPRouteTableName = "external_ip"
 )
-// setupMangleTableRule: setsup iptable rule to FWMARK the traffic to exteranl IP vip
+// setupMangleTableRule: setsup iptables rule to FWMARK the traffic to exteranl IP vip
 func setupMangleTableRule(ip string, protocol string, port string, fwmark string) error {
 iptablesCmdHandler, err := iptables.New()
 if err != nil {
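Review bot: The rewritten return in the `@@ -1702` hunk has no separator before the wrapped error: `"Failed to list iptables rules in POSTROUTING chain in nat table" + err.Error()` yields `...nat tableexit status ...`. The sibling line in the `@@ -1668` hunk already does this right with `: `, so this one should read `return errors.New("Failed to list iptables rules in POSTROUTING chain in nat table: " + err.Error())`. deleteMasqueradeIptablesRule begins and ends outside the hunk.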
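Review bot: The rewritten doc comment in the `@@ -2003` hunk keeps two further typos, `setsup` and `exteranl`, and uses a `name:` prefix instead of the Go doc form. Suggest `// setupMangleTableRule sets up an iptables mangle rule to FWMARK traffic destined to the external IP VIP.` The function body continues outside the hunk.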
@@ -2250,17 +2250,17 @@ func (nsc *NetworkServicesController) Cleanup() {
 handle.Close()
- // cleanup iptable masquerad rule
+ // cleanup iptables masquerade rule
 err = deleteMasqueradeIptablesRule()
 if err != nil {
- glog.Errorf("Failed to cleanup iptable masquerade rule due to: %s", err.Error())
+ glog.Errorf("Failed to cleanup iptablesmasquerade rule due to: %s", err.Error())
 return
 }
- // cleanup iptable hairpin rules
+ // cleanup iptables hairpin rules
 err = deleteHairpinIptablesRules()
 if err != nil {
- glog.Errorf("Failed to cleanup iptable hairpin rules: %s", err.Error())
+ glog.Errorf("Failed to cleanup iptables hairpin rules: %s", err.Error())
 return
 }
diff --git a/pkg/controllers/routing/network_routes_controller.go b/pkg/controllers/routing/network_routes_controller.go
index bc5e036b0e..85b30b37ce 100644
--- a/pkg/controllers/routing/network_routes_controller.go
+++ b/pkg/controllers/routing/network_routes_controller.go
@@ -517,12 +517,12 @@ func (nrc *NetworkRoutingController) Cleanup() {
 // Pod egress cleanup
 err := nrc.deletePodEgressRule()
 if err != nil {
- glog.Warningf("Error deleting Pod egress iptable rule: %s", err.Error())
+ glog.Warningf("Error deleting Pod egress iptables rule: %s", err.Error())
 }
 err = nrc.deleteBadPodEgressRules()
 if err != nil {
- glog.Warningf("Error deleting Pod egress iptable rule: %s", err.Error())
+ glog.Warningf("Error deleting Pod egress iptables rule: %s", err.Error())
 }
 // delete all ipsets created by kube-router
@@ -607,7 +607,7 @@ func (nrc *NetworkRoutingController) newIptablesCmdHandler() (*iptables.IPTables
 }
 // ensure there is rule in filter table and FORWARD chain to permit in/out traffic from pods
-// this rules will be appended so that any iptable rules for network policies will take
+// this rules will be appended so that any iptables rules for network policies will take
 // precedence
 func (nrc *NetworkRoutingController) enableForwarding() error {
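Review bot: The search-and-replace in the `@@ -2250` hunk ate a space: the new line logs `Failed to cleanup iptablesmasquerade rule due to: %s`, which is worse than the line it replaces. It should be `glog.Errorf("Failed to cleanup iptables masquerade rule due to: %s", err.Error())`. Worth noting, though unchanged by this commit, that the `return` after that log skips the hairpin cleanup that follows, so a failure to remove the masquerade rule also leaves the hairpin chain in the nat table; logging and falling through to `deleteHairpinIptablesRules` would remove more of the node's leftover rules on a partial failure. Cleanup begins and ends outside the hunk.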
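Review bot: In the `@@ -517` hunk the two rewritten warnings are identical, `Error deleting Pod egress iptables rule: %s`, although the first follows `deletePodEgressRule()` and the second `deleteBadPodEgressRules()`, so a log reader cannot tell which cleanup step failed. Make the second one `glog.Warningf("Error deleting old/bad Pod egress iptables rules: %s", err.Error())`, matching the wording deleteBadPodEgressRules itself uses. Cleanup continues outside the hunk.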
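Review bot: The rewritten comment line in the `@@ -607` hunk still reads `this rules will be appended`, and the comment block does not start with the function name, so it is not picked up as enableForwarding's doc comment. Suggest `// enableForwarding ensures there is a rule in the filter table's FORWARD chain permitting in/out traffic from pods.` followed by `// These rules are appended so that any iptables rules for network policies take precedence.` The function body is outside the hunk.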
diff --git a/pkg/controllers/routing/pod_egress.go b/pkg/controllers/routing/pod_egress.go
index 22e41b6a60..7122ed634a 100644
--- a/pkg/controllers/routing/pod_egress.go
+++ b/pkg/controllers/routing/pod_egress.go
@@ -7,7 +7,7 @@ import (
 "github.com/golang/glog"
 )
-// set up MASQUERADE rule so that egress traffic from the pods gets masquraded to node's IP
+// set up MASQUERADE rule so that egress traffic from the pods gets masqueraded to node's IP
 var (
 podEgressArgs4 = []string{"-m", "set", "--match-set", podSubnetsIPSetName, "src",
@@ -38,12 +38,12 @@ func (nrc *NetworkRoutingController) createPodEgressRule() error {
 }
 err = iptablesCmdHandler.AppendUnique("nat", "POSTROUTING", podEgressArgs...)
 if err != nil {
- return errors.New("Failed to add iptable rule to masqurade outbound traffic from pods: " +
+ return errors.New("Failed to add iptables rule to masquerade outbound traffic from pods: " +
 err.Error() + "External connectivity will not work.")
 }
- glog.V(1).Infof("Added iptables rule to masqurade outbound traffic from pods.")
+ glog.V(1).Infof("Added iptables rule to masquerade outbound traffic from pods.")
 return nil
 }
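Review bot: In the `@@ -38` hunk the rewritten `errors.New(...)` continues onto the unchanged line `err.Error() + "External connectivity will not work."`, which runs the iptables error text straight into the next sentence; the same construction in deletePodEgressRule already separates them with `". Pod egress might still work..."`. Change the continuation to `err.Error() + ". External connectivity will not work.")`. As a style point, the rewritten `glog.V(1).Infof(...)` has no format arguments and would be clearer as `glog.V(1).Info(...)`; the `glog.Infof` calls rewritten in the `@@ -59` and `@@ -92` hunks of this file are the same. createPodEgressRule starts outside the hunk.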
@@ -59,16 +59,16 @@ func (nrc *NetworkRoutingController) deletePodEgressRule() error {
 }
 exists, err := iptablesCmdHandler.Exists("nat", "POSTROUTING", podEgressArgs...)
 if err != nil {
- return errors.New("Failed to lookup iptable rule to masqurade outbound traffic from pods: " + err.Error())
+ return errors.New("Failed to lookup iptables rule to masquerade outbound traffic from pods: " + err.Error())
 }
 if exists {
 err = iptablesCmdHandler.Delete("nat", "POSTROUTING", podEgressArgs...)
 if err != nil {
- return errors.New("Failed to delete iptable rule to masqurade outbound traffic from pods: " +
+ return errors.New("Failed to delete iptables rule to masquerade outbound traffic from pods: " +
 err.Error() + ". Pod egress might still work...")
 }
- glog.Infof("Deleted iptables rule to masqurade outbound traffic from pods.")
+ glog.Infof("Deleted iptables rule to masquerade outbound traffic from pods.")
 }
 return nil
@@ -92,12 +92,12 @@ func (nrc *NetworkRoutingController) deleteBadPodEgressRules() error {
 if exists {
 err = iptablesCmdHandler.Delete("nat", "POSTROUTING", args...)
 if err != nil {
- return fmt.Errorf("Failed to delete old/bad iptable rule to "+
- "masqurade outbound traffic from pods: %s.\n"+
+ return fmt.Errorf("Failed to delete old/bad iptables rule to "+
+ "masquerade outbound traffic from pods: %s.\n"+
 "Pod egress might still work, or bugs may persist after upgrade...", err)
 }
- glog.Infof("Deleted old/bad iptables rule to masqurade outbound traffic from pods.")
+ glog.Infof("Deleted old/bad iptables rule to masquerade outbound traffic from pods.")
 }
 }
diff --git a/pkg/options/options.go b/pkg/options/options.go
index 34f3d08856..9e2473914d 100644
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
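Review bot: The `fmt.Errorf` rewritten in the `@@ -92` hunk still embeds `\n` in the error string, and the only visible caller, Cleanup in network_routes_controller.go, logs that error through `glog.Warningf("...: %s", err.Error())`, so the newline splits one warning into two log records and breaks line-oriented log parsing. Drop the newline: `"masquerade outbound traffic from pods: %s. "+`. The same file also builds errors two different ways, by concatenation in the `@@ -59` hunk and with a format verb here; settling on `fmt.Errorf` with `%s` for both would keep the messages uniform. deleteBadPodEgressRules begins and ends outside the hunk.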
@@ -130,7 +130,7 @@ func (s *KubeRouterConfig) AddFlags(fs *pflag.FlagSet) {
 fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride, "Overrides the NodeName of the node. Set this if kube-router is unable to determine your NodeName automatically.")
 fs.BoolVar(&s.GlobalHairpinMode, "hairpin-mode", false,
- "Add iptable rules for every Service Endpoint to support hairpin traffic.")
+ "Add iptables rules for every Service Endpoint to support hairpin traffic.")
 fs.BoolVar(&s.NodePortBindOnAllIp, "nodeport-bindon-all-ip", false,
 "For service of NodePort type create IPVS service that listens on all IP's of the node.")
 fs.BoolVar(&s.EnableOverlay, "enable-overlay", true,