New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Filter nodePortAddresses to proxiers #89998
Conversation
With;
Ipvs config;
|
I think you should add it to the single stack one too kubernetes/pkg/proxy/ipvs/proxier.go Line 483 in 7b20442
nodePortAddresses: filterCIDRs(isIPv6, nodePortAddresses), |
@aojea You mean in case of user mistakes? |
The corresponding in the iptables proxier; kubernetes/pkg/proxy/iptables/proxier.go Lines 351 to 363 in 7b20442
|
If the "filterCIDRs()" shall be used in the iptables proxier it should be moved to some "util" packade IMO to avoid duplicated code (and duplicated tests). If so, where shall it go? |
🤔 well,I think you are right, if you define IPv6 addresses in
my apologies, I was assuming you were already using this one kubernetes/pkg/proxy/util/utils.go Lines 240 to 243 in 4d0e86f
|
@aojea Thanks for the pointer 😃 The "filterCIDRs()" is just below the updated code and is already used in the call. I will remove the "filterCIDRs()" to clean-up the code and also move to the place you pointed out. Then it can't go wrong since "NewProxy()" is called for ipv4/ipv6 in dual-stack. I think it will be cleaner. Also I will add the update in the iptables proxier to avoid any yet-unseen problems. |
Hmm, IMHO "FilterIncorrectCIDRVersion()" is not intuitive. Not the name and not how it works. You must read the code to use it. I will use it in the iptables proxier, but keep "filterCIDRs()" in the ipvs proxier and let reviewers decide. |
The nodePortAddresses are filtered in Not only will this catch user mistakes which are probably common in transition to dual-stack and makes the code a little bit cleaner, it also allows a common setting for ipv4-only, ipv6-only and dual-stack in our use-case; Use caseWhen K8s is deployed in a DC (in VMs or bare-metal) with no K8s-aware load-balancers, loadbalancing to nodePorts can not be used. The external addresses must be configured in DC-GWs in some way, likely announced with BGP. This works fine but since NodePorts are implicit for services with These ports show up on mandatory security scans, and a request to either describe their purpose or to close them is raised. We can't close them but by setting;
we do not expose them externally. They will not show up on port scans any more. |
As the robot suggested; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
Corrections after review are pushed. True to;
a warning is logged if NodePortAddresses of the wrong family is configured in a single-stack cluster;
In dual-stack the addresses are filtered in |
/test pull-kubernetes-integration |
/retest |
Problem does not seem to be related to the PR |
/retest |
/lgtm |
/retest |
@aojea Can you please help since you have good knowledge of flaky tests. The |
/test pull-kubernetes-e2e-gci-gce-ipvs let me check again, but seems the common test failures on all runs are
|
seems those tests were failing for a long time, in the meantime let me fix the reporting in testgrid so we can notice it sooner next time (cc: @andrewsykim ) |
@aojea Thanks a lot! |
I'm also removing the storage tests for the ipvs jobs, I don't have time for debugging current failures and we weren't tracking those tests. |
/retest |
Updated after review please see; #89998 (comment) @liggitt Please have a new look at it. The failing test is a problem with the test, not with this PR. |
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thockin, uablrek The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
/retest Review the full test history for this PR. Silence the bot with an |
/retest Review the full test history for this PR. Silence the bot with an |
@uablrek: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
To avoid faulty entries in ipvs when both ipv4 and ipv6 addresses are used in "nodePortAddresses".
May also cause some yet unseen faults.
Which issue(s) this PR fixes:
Fixes #89923
Special notes for your reviewer:
I did not see any faults for proxy-mode=iptables, but the same filtering might be appropriate also for proxy-mode=iptables.
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: