v0.3.0

@kvaps kvaps released this 28 Apr 09:05
bd4b084

Breaking changes

The service.kubernetes.io/service-proxy-name: cozy-proxy label is now the sole selector. Services that relied on the networking.cozystack.io/wholeIP annotation alone (without the label) are no longer managed.

Port-filter is now the default ingress mode. A managed service without the wholeIP annotation only forwards the ports declared in Service.spec.ports. Whole-IP passthrough (the previous default) is opt-in via networking.cozystack.io/wholeIP: "true".

How to upgrade from v0.2.x

For every Service you want cozy-proxy to manage:

  1. Add the label service.kubernetes.io/service-proxy-name: cozy-proxy. Without it, cozy-proxy will ignore the Service after the upgrade and traffic will fall back to whatever kube-proxy / Cilium configures.
  2. If you want whole-IP passthrough (all ports forwarded), keep or add networking.cozystack.io/wholeIP: "true". Without this annotation the Service falls into per-port filtering and only spec.ports reach the backend pod.
  3. If you need ICMP (ping, PMTU discovery, ICMP unreachable) in port-filter mode, add networking.cozystack.io/allowICMP: "true".

In Cozystack, the vm-instance chart already emits the label for external VM Services (cozystack/cozystack#2357), so VM workloads upgrade transparently as long as you update the cozy-proxy image alongside the chart.
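To check a cluster's Services against the three rules above before upgrading, here is an added audit script (not part of cozy-proxy or Cozystack) that reads the JSON shape of `kubectl get svc -A -o json` and reports, per Service, whether v0.3.0 will manage it, which ingress mode applies, which ports stay reachable and whether ICMP passes; it also flags Services that carry the wholeIP annotation without the label, since those silently fall back to kube-proxy / Cilium after the upgrade. The embedded sample Services are constructed for illustration.

```python
"""Audit Services for the cozy-proxy v0.3.0 selector and ingress-mode rules."""
LABEL = "service.kubernetes.io/service-proxy-name"
WHOLE_IP = "networking.cozystack.io/wholeIP"
ALLOW_ICMP = "networking.cozystack.io/allowICMP"


def classify(svc):
    """Return how cozy-proxy v0.3.0 treats one Service object (kubectl JSON shape)."""
    meta = svc.get("metadata", {})
    labels = meta.get("labels") or {}
    ann = meta.get("annotations") or {}
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    managed = labels.get(LABEL) == "cozy-proxy"
    if not managed:
        # v0.2.x selected on the annotation alone; v0.3.0 ignores the Service
        # without the label, so annotation-without-label is the upgrade regression.
        return {"service": name, "managed": False, "mode": None, "ports": [],
                "icmp": None, "regression": WHOLE_IP in ann}
    if ann.get(WHOLE_IP) == "true":
        # Whole-IP passthrough: every port and ICMP reach the backend pod.
        return {"service": name, "managed": True, "mode": "wholeIP",
                "ports": "all", "icmp": True, "regression": False}
    # Default since v0.3.0: only spec.ports are forwarded; ICMP needs allowICMP.
    ports = sorted((p.get("protocol", "TCP"), p["port"])
                   for p in svc.get("spec", {}).get("ports", []))
    return {"service": name, "managed": True, "mode": "port-filter",
            "ports": ports, "icmp": ann.get(ALLOW_ICMP) == "true",
            "regression": False}


def audit(svc_list):
    """Classify every item of a `kubectl get svc -A -o json` document."""
    return [classify(s) for s in svc_list.get("items", [])]


# Constructed sample: one of each case the release notes describe.
SAMPLE = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "vm-1",
                  "labels": {LABEL: "cozy-proxy"}, "annotations": {WHOLE_IP: "true"}},
     "spec": {"ports": [{"protocol": "TCP", "port": 22}]}},
    {"metadata": {"namespace": "tenant-a", "name": "legacy",   # annotation only
                  "annotations": {WHOLE_IP: "true"}},
     "spec": {"ports": [{"protocol": "TCP", "port": 443}]}},
    {"metadata": {"namespace": "tenant-b", "name": "web",
                  "labels": {LABEL: "cozy-proxy"}},          # no annotations
     "spec": {"ports": [{"protocol": "TCP", "port": 80}, {"protocol": "TCP", "port": 22}]}},
]}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

Run against real output with `json.load(open("svc.json"))` in place of `SAMPLE`; any row with `"regression": True` needs the label added before the image is upgraded.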

New features

  • Per-service ingress port filtering (#11). With networking.cozystack.io/wholeIP: "false", cozy-proxy drops ingress traffic to the LoadBalancer IP on ports not listed in Service.spec.ports. The datapath was split into egress_snat (raw, -300), ingress_dnat (mangle, -150), and port_filter (filter, 0) chains so conntrack can match return packets correctly. Thanks mattia-eleuteri.
  • allowICMP annotation (#12). networking.cozystack.io/allowICMP: "true" accepts ICMP toward a pod IP that is otherwise port-filtered. Without this opt-in, ICMP to a port-filtered pod is dropped — which also breaks ping, PMTU discovery (ICMP "fragmentation needed"), and ICMP unreachable signalling.
  • Label-based selector (#9). The standard Kubernetes service.kubernetes.io/service-proxy-name: cozy-proxy label now selects services for cozy-proxy management. It also makes kube-proxy ignore the service, eliminating rule conflicts in plain kube-proxy (iptables / IPVS) clusters such as RKE2 with Calico — which previously broke outbound SNAT in v0.2.0.

Fixes

  • Probe and metrics endpoints disabled by default (#10, fixes #5). The --health-probe-bind-address and --metrics-bind-address flags defaulted to :0, which in controller-runtime means "bind to a random free port" rather than "disabled". Combined with hostNetwork: true in the chart, this surfaced two unexpected high-port listeners on every node. Defaults are now 0 (disabled). Pass an explicit address via flag to opt in.

Other

  • Internal: controller wiring consolidated into reconcilePortFilter / clearPortFilter helpers (#12).

Full changelog: v0.2.0...v0.3.0