Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Harden kube-proxy for unmatched IP versions #56880

Merged
merged 8 commits into from
Feb 28, 2018
Merged

Harden kube-proxy for unmatched IP versions #56880

merged 8 commits into from
Feb 28, 2018

Conversation

MrHohn
Copy link
Member

@MrHohn MrHohn commented Dec 6, 2017
edited

What this PR does / why we need it:
This PR makes kube-proxy omits & logs & emits event for unmatched IP versions configuration (IPv6 address in IPv4 mode or IPv4 address in IPv6 mode).

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #57219

Special notes for your reviewer:

Release note:

Fix the issue in kube-proxy iptables/ipvs mode to properly handle incorrect IP version.

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note-none Denotes a PR that doesn't merit a release note. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Dec 6, 2017
@MrHohn MrHohn changed the title [WIP] Harden kube-proxy iptables mode for dual stack case Harden kube-proxy iptables mode for dual stack case Dec 6, 2017
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 6, 2017
@MrHohn MrHohn changed the title Harden kube-proxy iptables mode for dual stack case [WIP] Harden kube-proxy iptables mode for dual stack case Dec 6, 2017
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 6, 2017
@MrHohn MrHohn changed the title [WIP] Harden kube-proxy iptables mode for dual stack case Harden kube-proxy iptables mode for dual stack case Dec 6, 2017
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 6, 2017
@MrHohn
Copy link
Member Author

MrHohn commented Dec 6, 2017

/assign @thockin @bowei @freehan
/unassign

Will create the associated issue soon.

@k8s-ci-robot k8s-ci-robot assigned bowei, freehan and thockin and unassigned MrHohn Dec 6, 2017
thockin
thockin reviewed Dec 14, 2017
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall OK. Can we make the eventing and logging less verbose by wrapping in a function?

pkg/proxy/util/utils.go Outdated
@@ -56,3 +65,20 @@ func ShouldSkipService(svcName types.NamespacedName, service *api.Service) bool
}
return false
}

// This assumes ip is a valid IP.
func IsDualStackIP(ip string, isIPv6Mode bool) bool {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is an awkward API, to me. Maybe it's just the name. What if this were "IsCorrectIPVersion(ip string, expectIPv6 bool)" ? It's not really about dual-stack at all, but about not matching the expected version. Would eliminate "dual stack" from all the names

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, I chose a wrong name. Will remove "dual stack"s.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@thockin
Copy link
Member

thockin commented Dec 14, 2017

@m1093782566 Do we need similar filters for ipvs mode?

@m1093782566
Copy link
Contributor

@thockin

Yes, we need it. I am willing to create another PR...

m1093782566
m1093782566 reviewed Dec 14, 2017
View reviewed changes
pkg/proxy/iptables/proxier_test.go Outdated
@@ -1550,11 +1553,69 @@ func Test_endpointsToEndpointsMap(t *testing.T) {
{endpoint: "1.1.1.1:22", isLocal: false},
},
},
}, {
// Case: should omit IPv6 address in IPv4 mode
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: Can we add test case number, e.g. Case[9]: should omit IPv6 address in IPv4 mode?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

pkg/proxy/iptables/proxier_test.go Outdated
},
},
}, {
// Case: should omit IPv4 address in IPv6 mode
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

pkg/proxy/iptables/proxier_test.go Outdated
desc string
newService *api.Service
isIPv6Mode bool
// This unit test only does verification on externalIPs and loadBalancerSourceRanges.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the test doesn't cover ClusterIP?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, the comments are confusing, it does cover ClusterIP. Will clarify it a bit in comment,

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@MrHohn MrHohn changed the title Harden kube-proxy iptables mode for dual stack case Harden kube-proxy iptables mode for unmatched IP versions Dec 14, 2017
MrHohn
MrHohn commented Dec 14, 2017
View reviewed changes
pkg/proxy/iptables/proxier.go Outdated
Name: service.Name,
Namespace: service.Namespace,
UID: service.UID,
}, v1.EventTypeWarning, "KubeProxyDualStackUnsupported", "Unsupported dual stack externalIP: %v", externalIP)
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Before I push the updated commit, one more thing to point out --- emitting event like this means if there are 1,000 nodes, we will have 1,000 events, given that the hostname in EventSource is different. Would this be a problem? Or I can seek for a way to remove the hostname source so that they can be deduped.

Example events as below:

25s        25s         1         my-nginx                             Service               Warning   KubeProxyIncorrectIPVersion   kube-proxy, e2e-test-XXX-minion-group-p1ch   Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35
25s        25s         1         my-nginx                             Service               Warning   KubeProxyIncorrectIPVersion   kube-proxy, e2e-test-XXX-minion-group-5qks   Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35
25s        25s         1         my-nginx                             Service               Warning   KubeProxyIncorrectIPVersion   kube-proxy, e2e-test-XXX-minion-group-dz4x   Incorrect IP version in loadBalancerSourceRanges: 2600:1900::/35

@MrHohn
Copy link
Member Author

MrHohn commented Dec 15, 2017

Can we make the eventing and logging less verbose by wrapping in a function?

Wrapped some identical logging and eventing into a function.

Also pointing to the question on #56880 (comment) again as it somehow got folded.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Dec 15, 2017
@MrHohn
Copy link
Member Author

MrHohn commented Dec 15, 2017

/retest

thockin
thockin reviewed Dec 15, 2017
View reviewed changes
Copy link
Member

@thockin thockin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just nits

pkg/proxy/iptables/proxier.go Outdated
@@ -466,16 +487,33 @@ func NewProxier(ipt utiliptables.Interface,

if len(clusterCIDR) == 0 {
glog.Warningf("clusterCIDR not specified, unable to distinguish between internal and external traffic")
} else {
// Filter out the incorrect IP version case.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rather than filtering - this should probably be a real error. What do you think?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, this should be a real error. Done.

pkg/proxy/iptables/proxier.go Outdated
@@ -864,9 +902,16 @@ func endpointsToEndpointsMap(endpoints *api.Endpoints, hostname string) proxyEnd
glog.Warningf("ignoring invalid endpoint port %s with empty host", port.Name)
continue
}
// Filter out the incorrect IP version case.
if !utilproxy.CheckIPVersion(addr.IP, ecm.isIPv6Mode) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe easier to read:

if utilproxy.IsIPv6(addr.IP) != ecm.isIPv6Mode {

Same at other callsites

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, suggestion applied.

pkg/proxy/iptables/proxier.go Outdated
info.externalIPs = append(info.externalIPs, externalIP)
}
for _, sourceRange := range service.Spec.LoadBalancerSourceRanges {
if !utilproxy.CheckCIDRVersion(sourceRange, scm.isIPv6Mode) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

if utilproxy.IsIPv6CIDR(sourceRange) != scm.isIPv6Mode {

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Applied.

@MrHohn MrHohn mentioned this pull request Feb 27, 2018
Closed
@BenTheElder
Copy link
Member

/retest

@MrHohn MrHohn force-pushed the kube-proxy-ipv6-fix branch 2 times, most recently from 351b407 to c865460 Compare February 27, 2018 04:13
@freehan
Copy link
Contributor

freehan commented Feb 27, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 27, 2018
@MrHohn
Copy link
Member Author

MrHohn commented Feb 27, 2018

Thanks! Rebasing now...

@k8s-github-robot k8s-github-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 27, 2018
@MrHohn
Copy link
Member Author

MrHohn commented Feb 27, 2018

@freehan Rebased PR.

@freehan
Copy link
Contributor

freehan commented Feb 27, 2018

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 27, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, freehan, MrHohn, thockin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@MrHohn
Copy link
Member Author

MrHohn commented Feb 27, 2018

/test pull-kubernetes-e2e-gce

@cblecker cblecker added this to the v1.10 milestone Feb 28, 2018
@cblecker
Copy link
Member

Added milestone as @bowei already approved it for the milestone

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 53689, 56880, 55856, 59289, 60249). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit f45f4a4 into kubernetes:master Feb 28, 2018
@danwinship danwinship mentioned this pull request Apr 5, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@freehan freehan freehan left review comments

@m1093782566 m1093782566 m1093782566 left review comments

@thockin thockin thockin left review comments

@prameshj prameshj prameshj left review comments

Assignees

@bowei bowei

@freehan freehan

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
v1.10
Development

Successfully merging this pull request may close these issues.

kube-proxy iptables mode is not handling unmatched IP versions properly.
10 participants
@MrHohn @thockin @m1093782566 @freehan @bowei @prameshj @BenTheElder @k8s-ci-robot @k8s-github-robot @cblecker