Install a REJECT rule for nodeport with no backend #43415
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-github-robot
added
approved
|
This change is |
thockin
added
release-note-none
pkg/proxy/iptables/proxier.go
Outdated
| @@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
| // Currently we only create it for loadbalancers (#33586). | |||
| writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
| } | |||
|
|
|||
| // If the service has no endpoints then reject packets. | |||
| if len(proxier.endpointsMap[svcName]) >= 0 { | |||
There was a problem hiding this comment.
dangit, vestigial from something else I tried.
pkg/proxy/iptables/proxier.go
Outdated
| if len(proxier.endpointsMap[svcName]) >= 0 { | ||
| writeLine(filterRules, | ||
| "-A", string(kubeServicesChain), | ||
| "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcName.String()), |
There was a problem hiding this comment.
The comment here is inconsistent with >= 0
There was a problem hiding this comment.
Just wasn't sure which one was wrong :-)
| @@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
| // Currently we only create it for loadbalancers (#33586). | |||
| writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
We could do the "no endpoints" check before writing the MARK/SVC or XLB rules. But I presume we want to keep the rules less volatile?
There was a problem hiding this comment.
I have an idea for future refactoring that will make this nice, so I made the smallest change I could.
There was a problem hiding this comment.
You're saying you have a cunning plan? 👍
pkg/proxy/iptables/proxier.go
Outdated
| @@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
| // Currently we only create it for loadbalancers (#33586). | |||
| writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
| } | |||
|
|
|||
| // If the service has no endpoints then reject packets. | |||
There was a problem hiding this comment.
It took me a while to figure out that this is the analog of the nodeport entry chain below (e.g. I was wondering why you were changing kubeServicesChain and not the NodePort chain). Expanding the comment to that effect may be helpful.
e.g.
If the service has no endpoints then reject packets.
We add a rule to the service chain that is the equivalent of the "tail-call to nodeports chain",
but immediately rejects the packet.
b4e4c68
to
d49370c
Compare
|
new push is up |
|
Sorry ... I see a new commit, but I don't see anything different? |
|
BTW any idea why all the e2e tests aren't failing? Aren't we blocking all NodePorts? |
Rather than actually accepting the connection, REJECT. This will avoid CLOSE_WAIT.
thockin
force-pushed
the
fix-nodeport-close-wait
branch
from
d49370c
to
2ec8799
Compare
|
I botched the amend. Fixed. It didn't trigger the e2es because the nat PREROUTING table triggers first, so the original packet never hits the filter table. |
|
/lgtm Nice - and the explanation for how the e2e tests are not blowing up makes sense now you've explained it! |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb, thockin
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
Automatic merge from submit-queue |
|
Going to propose this for cherry picking to 1.4 and 1.5. |
|
So I'm afraid I think this is still happening in 1.6.0. I can scale down a deployment to size 0 and I see CLOSE_WAIT accumulating
|
|
Edit: It does have the drop rules, in iptables -t filter (not -t nat). But the CLOSE_WAIT sockets are still accumulating. Digging... |
|
Figured it out I think - put details into #43969 |
|
@justinsb @thockin the reject rules should also be installed for externalIPs and ports in addition to service IPs and node port. I am hitting a case where reject with icmp rule get installed for destination=service ip but not for destination=externalIPs. And when no pods are present; kube-proxy accepts the connection coming via externalIPs. |
|
Can you file a new bug with a full repro, please?
…On Thu, Apr 13, 2017 at 1:25 PM, Ketan Kulkarni ***@***.***> wrote:
@thockin <https://github.com/thockin> the reject rules should also be
installed for externalIPs and ports in addition to service IPs and node
port. I am hitting a case where reject with icmp rule get installed for
destination=service ip but not for destination=externalIPs. And when no
pods are present; kube-proxy accepts the connection coming via externalIPs.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#43415 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AFVgVLTrp-qJuRx6oJJDvNbwzwAet5H-ks5rvoS1gaJpZM4MjHzg>
.
|
Automatic merge from submit-queue Reject Rules for ExternalIP and svc port if no ep - Install ICMP Reject Rules for externalIP and svc port if no endpoints are present - Includes Unit Test case - Fixes #44516 **What this PR does / why we need it**: Explained in issue #44516 **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # `Fixes #44516` **Special notes for your reviewer**: Similar to #43415 Feedback welcome. Will be happy to improve the patch. Unit Test done and passing. **Release note**: ```release-note ```
Rather than actually accepting the connection, REJECT. This will avoid
CLOSE_WAIT.
Fixes #43212
@justinsb @felipejfc @Spiddy