Install a REJECT rule for nodeport with no backend #43415
Some nits, but I haven't figured out how >= 0 is correct yet (but e2e didn't fail catastrophically, so...)
pkg/proxy/iptables/proxier.go
@@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
// Currently we only create it for loadbalancers (#33586). | |||
writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
} | |||
|
|||
// If the service has no endpoints then reject packets. | |||
if len(proxier.endpointsMap[svcName]) >= 0 { |
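Review bot: `len(proxier.endpointsMap[svcName]) >= 0` on the last line of this hunk is always true, because a slice length is never negative, so the rule it guards would be written for every service instead of only for services with no endpoints; the condition should be `== 0` to match the comment directly above it, `// If the service has no endpoints then reject packets.`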
Do you mean == 0?
dangit, vestigial from something else I tried.
pkg/proxy/iptables/proxier.go
if len(proxier.endpointsMap[svcName]) >= 0 { | ||
writeLine(filterRules, | ||
"-A", string(kubeServicesChain), | ||
"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcName.String()), |
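Review bot: the `--comment` text `"%s has no endpoints"` on the last line does not match the `>= 0` guard on the first line, which admits every service; the guard, not the comment, is what needs changing (`== 0`). Since this rule is written to `filterRules` while `kubeServicesChain` is the same identifier used for the nat rules elsewhere in this function, the comment would also benefit from saying that this is the filter-table copy of the chain.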
The comment here is inconsistent with >= 0
hush, you!
Just wasn't sure which one was wrong :-)
@@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
// Currently we only create it for loadbalancers (#33586). | |||
writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
} | |||
|
We could do the "no endpoints" check before writing the MARK/SVC or XLB rules. But I presume we want to keep the rules less volatile?
I have an idea for future refactoring that will make this nice, so I made the smallest change I could.
You're saying you have a cunning plan? 👍
pkg/proxy/iptables/proxier.go
@@ -1108,6 +1108,18 @@ func (proxier *Proxier) syncProxyRules() { | |||
// Currently we only create it for loadbalancers (#33586). | |||
writeLine(natRules, append(args, "-j", string(svcXlbChain))...) | |||
} | |||
|
|||
// If the service has no endpoints then reject packets. |
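Review bot: the comment `// If the service has no endpoints then reject packets.` on the last line of this hunk should say where the rule lands: it goes into the filter table's `kubeServicesChain` rather than a per-service or NodePort chain, as the filter-table counterpart of the nat table's tail-call to the nodeports chain, except that it rejects the packet immediately. Without that, a reader expects the change in the NodePort chain.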
It took me a while to figure out that this is the analog of the nodeport entry chain below (e.g. I was wondering why you were changing kubeServicesChain and not the NodePort chain). Expanding the comment to that effect may be helpful.
e.g.
If the service has no endpoints then reject packets.
We add a rule to the service chain that is the equivalent of the "tail-call to nodeports chain",
but immediately rejects the packet.
will add words
b4e4c68 to d49370c
new push is up
Sorry ... I see a new commit, but I don't see anything different?
BTW any idea why all the e2e tests aren't failing? Aren't we blocking all NodePorts?
Rather than actually accepting the connection, REJECT. This will avoid CLOSE_WAIT.
d49370c to 2ec8799
I botched the amend. Fixed. It didn't trigger the e2es because the nat PREROUTING table triggers first, so the original packet never hits the filter table.
/lgtm Nice - and the explanation for how the e2e tests are not blowing up makes sense now you've explained it!
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: justinsb, thockin
Automatic merge from submit-queue
Going to propose this for cherry picking to 1.4 and 1.5.
So I'm afraid I think this is still happening in 1.6.0. I can scale down a deployment to size 0 and I see CLOSE_WAIT accumulating.
Edit: It does have the drop rules, in iptables -t filter (not -t nat). But the CLOSE_WAIT sockets are still accumulating. Digging...
Figured it out I think - put details into #43969 |
@justinsb @thockin the reject rules should also be installed for externalIPs and ports in addition to service IPs and node port. I am hitting a case where reject with icmp rule get installed for destination=service ip but not for destination=externalIPs. And when no pods are present; kube-proxy accepts the connection coming via externalIPs.
Can you file a new bug with a full repro, please?
On Thu, Apr 13, 2017 at 1:25 PM, Ketan Kulkarni wrote:
@thockin <https://github.com/thockin> the reject rules should also be
installed for externalIPs and ports in addition to service IPs and node
port. I am hitting a case where reject with icmp rule get installed for
destination=service ip but not for destination=externalIPs. And when no
pods are present; kube-proxy accepts the connection coming via externalIPs.
Automatic merge from submit-queue
Reject Rules for ExternalIP and svc port if no ep
- Install ICMP Reject Rules for externalIP and svc port if no endpoints are present
- Includes Unit Test case
- Fixes #44516
What this PR does / why we need it: Explained in issue #44516
Which issue this PR fixes: Fixes #44516
Special notes for your reviewer: Similar to #43415. Feedback welcome. Will be happy to improve the patch. Unit Test done and passing.
Rather than actually accepting the connection, REJECT. This will avoid
CLOSE_WAIT.
Fixes #43212
@justinsb @felipejfc @Spiddy
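The two points the thread turns on are the guard (a length is never negative, so `>= 0` rejects every service and `== 0` is the only correct test) and the set of destinations that need a REJECT when a service has no backends: the ClusterIP, the NodePort, and, as the later externalIPs comment and #44516 add, each externalIP. The following is an added, self-contained Go example written for this page; it is not code from the kubernetes repository. `ServicePortName`, `serviceInfo`, the `KUBE-SERVICES` chain name, the `-m addrtype --dst-type LOCAL` match for NodePorts and the `-m <proto> -p <proto> --dport` form are assumptions modelled loosely on the rule fragments visible in the diff above; the real kube-proxy types carry more fields and write the lines through its own `writeLine` helper.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// ServicePortName mirrors the shape of kube-proxy's ServicePortName (assumption:
// only the String() format "ns/name:port" matters here).
type ServicePortName struct {
	Namespace, Name, Port string
}

func (s ServicePortName) String() string {
	return fmt.Sprintf("%s/%s:%s", s.Namespace, s.Name, s.Port)
}

// serviceInfo is a cut-down, hypothetical stand-in for kube-proxy's serviceInfo.
type serviceInfo struct {
	clusterIP   string
	port        int
	protocol    string   // "tcp" or "udp"
	nodePort    int      // 0 when the service has no NodePort
	externalIPs []string // empty when the service has no externalIPs
}

// kubeServicesChain is the chain kube-proxy jumps to from INPUT/OUTPUT in the
// filter table; the nat table has a chain of the same name (assumed name).
const kubeServicesChain = "KUBE-SERVICES"

// rejectRule renders one "-A KUBE-SERVICES ... -j REJECT" line in the
// iptables-restore syntax kube-proxy emits. extra carries the destination
// match: "-d <ip>/32" for a fixed address, or "-m addrtype --dst-type LOCAL"
// for a NodePort, which must match every local address.
func rejectRule(svc ServicePortName, proto string, dport int, extra ...string) string {
	args := []string{
		"-A", kubeServicesChain,
		"-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svc),
	}
	args = append(args, extra...)
	args = append(args,
		"-m", proto, "-p", proto,
		"--dport", fmt.Sprintf("%d", dport),
		"-j", "REJECT",
	)
	return strings.Join(args, " ")
}

// noEndpointRejectRules returns the filter-table REJECT rules for every service
// port whose endpoint list is empty. The test is len(...) == 0, not >= 0: a
// length is never negative, so >= 0 would install a REJECT for every service.
// Each such service gets a rule for its ClusterIP, one per externalIP, and one
// for its NodePort (if any), in a deterministic order.
func noEndpointRejectRules(services map[ServicePortName]serviceInfo, endpoints map[ServicePortName][]string) []string {
	names := make([]ServicePortName, 0, len(services))
	for n := range services {
		names = append(names, n)
	}
	sort.Slice(names, func(i, j int) bool { return names[i].String() < names[j].String() })

	var rules []string
	for _, name := range names {
		if len(endpoints[name]) != 0 {
			continue // has backends: the nat DNAT rules handle it, nothing to reject
		}
		info := services[name]
		rules = append(rules, rejectRule(name, info.protocol, info.port, "-d", info.clusterIP+"/32"))
		for _, eip := range info.externalIPs {
			rules = append(rules, rejectRule(name, info.protocol, info.port, "-d", eip+"/32"))
		}
		if info.nodePort != 0 {
			rules = append(rules, rejectRule(name, info.protocol, info.nodePort, "-m", "addrtype", "--dst-type", "LOCAL"))
		}
	}
	return rules
}

// sampleRules runs the generator over a constructed two-service inventory:
// "web" has a backend pod, "api" has none but is reachable on a ClusterIP,
// an externalIP and a NodePort. All addresses are made up for this example.
func sampleRules() []string {
	web := ServicePortName{"default", "web", "http"}
	api := ServicePortName{"default", "api", "grpc"}
	services := map[ServicePortName]serviceInfo{
		web: {clusterIP: "10.0.0.10", port: 80, protocol: "tcp", nodePort: 30080},
		api: {clusterIP: "10.0.0.20", port: 9090, protocol: "tcp", nodePort: 30090, externalIPs: []string{"192.0.2.7"}},
	}
	endpoints := map[ServicePortName][]string{
		web: {"10.244.1.5:8080"},
		api: {},
	}
	return noEndpointRejectRules(services, endpoints)
}

func main() {
	for _, r := range sampleRules() {
		fmt.Println(r)
	}
}
```

Running it prints three REJECT lines for `default/api:grpc` (ClusterIP, externalIP, NodePort) and nothing for `default/web:http`, which is the behaviour the `== 0` fix restores; with `>= 0` the web service would have been rejected as well despite having a backend.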