kubelet: block non-forwarded packets from crossing the localhost boundary #91569
Conversation
/sig network
/cc @danwinship
/test pull-kubernetes-e2e-kind
lgtm
This is a bit of an awkward fix to wedge in. Kubelet isn't actually responsible for setting this sysctl flag. Rather, it's set by kube-proxy and by the CNI port-forward plugin. However, kubelet owns the KUBE-FIREWALL chain, so it's not unreasonable to add the rule here.
…dary We set route_localnet so that host-network processes can connect to <127.0.0.1:NodePort> and it still works. This, however, is too permissive. So, block martians that are not already in conntrack. See: kubernetes#90259 Signed-off-by: Casey Callendrello <cdc@redhat.com>
/lgtm
I think @thockin said he wanted to have kubelet doing less networking setup. But as long as this is adding the new setup code to
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: derekwaynecarr, squeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@squeed Isn't the merged commit allowing packets from, say, 127.127.127.127 or 127.0.0.1 to 127.0.0.1 to go through? (if we want to attack a localhost UDP service and don't care about the responses)
@champtar that's a very good point. A quick test with I'll file a follow-up PR.
/cherrypick release-1.18
We set route_localnet so that host-network processes can connect to 127.0.0.1:NodePort and it still works. This, however, is too permissive. So, block martians that are not already in conntrack.
What type of PR is this?
/kind bug
What this PR does / why we need it:
As outlined in #90259, blindly setting route_localnet is too permissive. We need to ensure that only packets we want can pass the martian boundary.
Which issue(s) this PR fixes:
Fixes #90259
Does this PR introduce a user-facing change?:
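The following is an added illustration, not kubelet or kube-proxy code and not the rule text merged by this PR. It models the INPUT-path decision for packets crossing the localhost boundary once route_localnet is set: first with no filtering at all, then with a rule of the shape the thread describes (drop packets destined to 127.0.0.0/8 from a non-127.0.0.0/8 source unless conntrack already knows the flow as RELATED, ESTABLISHED or DNAT), and finally with a tightened variant written for this example that keys on the ingress interface, so that @champtar's spoofed-127.x case is caught as well. Conntrack is reduced to one state string per packet, and every address, interface name and scenario is constructed.

```python
"""Added illustration (not kubelet or kube-proxy code): how filter rules of
the kind discussed in this PR treat packets that cross the localhost boundary
when net.ipv4.conf.all.route_localnet=1.

Only the INPUT path (packets arriving on the node) is modelled, and conntrack
is reduced to a single state string per packet. Addresses, interface names
and scenarios are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
# States in which conntrack already vouches for the flow. DNAT covers the
# 127.0.0.1:NodePort traffic that kube-proxy rewrote on the way out.
CONNTRACK_KNOWN = frozenset({"RELATED", "ESTABLISHED", "DNAT"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_iface: str   # "lo" or a non-loopback interface such as "eth0" / "cni0"
    ctstate: str    # "NEW", "ESTABLISHED", "RELATED" or "DNAT" (simplified)


def in_loopback(addr: str) -> bool:
    return ipaddress.ip_address(addr) in LOOPBACK_NET


def route_localnet_only(pkt: Packet) -> str:
    """route_localnet=1 with no extra filtering: the kernel delivers packets
    addressed to 127.0.0.0/8 that arrive on any interface, so all pass."""
    return "ACCEPT"


def conntrack_gated_rule(pkt: Packet) -> str:
    """Rule of the shape described in the thread, i.e. roughly
    -d 127.0.0.0/8 ! -s 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
    A packet to loopback from a non-loopback source is dropped unless
    conntrack already knows the flow. Note the source-address exclusion."""
    if (in_loopback(pkt.dst) and not in_loopback(pkt.src)
            and pkt.ctstate not in CONNTRACK_KNOWN):
        return "DROP"
    return "ACCEPT"


def interface_gated_rule(pkt: Packet) -> str:
    """Tightened variant written for this example (not the follow-up PR the
    thread promises): anything arriving on a non-loopback interface with a
    127.0.0.0/8 source OR destination is dropped unless conntrack knows it.
    Keying on the ingress interface leaves genuine lo traffic untouched and
    closes the spoofed-127.x source that the previous rule lets through."""
    if pkt.in_iface != "lo" and (in_loopback(pkt.src) or in_loopback(pkt.dst)):
        if pkt.ctstate not in CONNTRACK_KNOWN:
            return "DROP"
    return "ACCEPT"


# Constructed scenarios; pod/LAN addresses and interface names are made up.
SCENARIOS = {
    # A host-network client connected to 127.0.0.1:NodePort, kube-proxy DNATed
    # it to a pod, and the pod's reply arrives on the CNI bridge for 127.0.0.1.
    "nodeport_reply_from_pod": Packet("10.244.1.7", "127.0.0.1", "cni0", "ESTABLISHED"),
    # Ordinary loopback traffic between two host processes.
    "host_loopback": Packet("127.0.0.1", "127.0.0.1", "lo", "NEW"),
    # The over-permissive case: a peer on a non-loopback interface sends a
    # fresh packet to 127.0.0.1 and route_localnet lets it reach a
    # localhost-only listener.
    "peer_to_localhost": Packet("192.168.1.50", "127.0.0.1", "eth0", "NEW"),
    # @champtar's case: same thing, but the sender spoofs a 127.x source so
    # the "! -s 127.0.0.0/8" match never fires.
    "spoofed_loopback_src": Packet("127.127.127.127", "127.0.0.1", "eth0", "NEW"),
}


def evaluate(rule) -> dict:
    """Verdict of one rule for every scenario, keyed by scenario name."""
    return {name: rule(pkt) for name, pkt in SCENARIOS.items()}


if __name__ == "__main__":
    for rule in (route_localnet_only, conntrack_gated_rule, interface_gated_rule):
        print(rule.__name__)
        for name, verdict in evaluate(rule).items():
            print(f"  {name:24s} {verdict}")
```

Running it prints a verdict table per rule; the instructive rows are `spoofed_loopback_src`, which the source-excluding rule accepts and the interface-keyed variant drops, and `nodeport_reply_from_pod`, which every rule must keep accepting or the original reason for route_localnet (host processes reaching 127.0.0.1:NodePort) is broken again.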