-
Notifications
You must be signed in to change notification settings - Fork 38.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix hostport duplicate chain names #55153
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
/* | ||
Copyright 2016 The Kubernetes Authors. | ||
|
||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package hostport | ||
|
||
import ( | ||
"bytes" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
utiliptables "k8s.io/kubernetes/pkg/util/iptables" | ||
) | ||
|
||
func TestRestoreFlushRules(t *testing.T) { | ||
iptables := NewFakeIPTables() | ||
rules := [][]string{ | ||
{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp --dport 8443 -j KUBE-HP-5N7UH5JAXCVP5UJR"}, | ||
{"-A", "POSTROUTING", "-m comment --comment \"SNAT for localhost access to hostports\" -o cbr0 -s 127.0.0.0/8 -j MASQUERADE"}, | ||
} | ||
natRules := bytes.NewBuffer(nil) | ||
writeLine(natRules, "*nat") | ||
for _, rule := range rules { | ||
_, err := iptables.EnsureChain(utiliptables.TableNAT, utiliptables.Chain(rule[1])) | ||
assert.NoError(t, err) | ||
_, err = iptables.ensureRule(utiliptables.RulePosition(rule[0]), utiliptables.TableNAT, utiliptables.Chain(rule[1]), rule[2]) | ||
assert.NoError(t, err) | ||
|
||
writeLine(natRules, utiliptables.MakeChainLine(utiliptables.Chain(rule[1]))) | ||
} | ||
writeLine(natRules, "COMMIT") | ||
assert.NoError(t, iptables.Restore(utiliptables.TableNAT, natRules.Bytes(), utiliptables.NoFlushTables, utiliptables.RestoreCounters)) | ||
natTable, ok := iptables.tables[string(utiliptables.TableNAT)] | ||
assert.True(t, ok) | ||
// check KUBE-HOSTPORTS chain, should have been cleaned up | ||
hostportChain, ok := natTable.chains["KUBE-HOSTPORTS"] | ||
assert.True(t, ok) | ||
assert.Equal(t, 0, len(hostportChain.rules)) | ||
|
||
// check builtin chains, should not been cleaned up | ||
postroutingChain, ok := natTable.chains["POSTROUTING"] | ||
assert.True(t, ok, string(postroutingChain.name)) | ||
assert.Equal(t, 1, len(postroutingChain.rules)) | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -19,12 +19,12 @@ package hostport | |
import ( | ||
"bytes" | ||
"net" | ||
"strings" | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
"k8s.io/api/core/v1" | ||
utiliptables "k8s.io/kubernetes/pkg/util/iptables" | ||
"strings" | ||
) | ||
|
||
func NewFakeHostportManager() HostPortManager { | ||
|
@@ -144,21 +144,21 @@ func TestHostportManager(t *testing.T) { | |
`:OUTPUT - [0:0]`: true, | ||
`:PREROUTING - [0:0]`: true, | ||
`:POSTROUTING - [0:0]`: true, | ||
`:KUBE-HP-4YVONL46AKYWSKS3 - [0:0]`: true, | ||
`:KUBE-HP-7THKRFSEH4GIIXK7 - [0:0]`: true, | ||
`:KUBE-HP-5N7UH5JAXCVP5UJR - [0:0]`: true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp --dport 8443 -j KUBE-HP-5N7UH5JAXCVP5UJR": true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp --dport 8081 -j KUBE-HP-7THKRFSEH4GIIXK7": true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp --dport 8080 -j KUBE-HP-4YVONL46AKYWSKS3": true, | ||
`:KUBE-HP-IJHALPHTORMHHPPK - [0:0]`: true, | ||
`:KUBE-HP-63UPIDJXVRSZGSUZ - [0:0]`: true, | ||
`:KUBE-HP-WFBOALXEP42XEMJK - [0:0]`: true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp --dport 8443 -j KUBE-HP-WFBOALXEP42XEMJK": true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp --dport 8081 -j KUBE-HP-63UPIDJXVRSZGSUZ": true, | ||
"-A KUBE-HOSTPORTS -m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp --dport 8080 -j KUBE-HP-IJHALPHTORMHHPPK": true, | ||
"-A OUTPUT -m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS": true, | ||
"-A PREROUTING -m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS": true, | ||
"-A POSTROUTING -m comment --comment \"SNAT for localhost access to hostports\" -o cbr0 -s 127.0.0.0/8 -j MASQUERADE": true, | ||
"-A KUBE-HP-4YVONL46AKYWSKS3 -m comment --comment \"pod1_ns1 hostport 8080\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-4YVONL46AKYWSKS3 -m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.2:80": true, | ||
"-A KUBE-HP-7THKRFSEH4GIIXK7 -m comment --comment \"pod1_ns1 hostport 8081\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-7THKRFSEH4GIIXK7 -m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp -j DNAT --to-destination 10.1.1.2:81": true, | ||
"-A KUBE-HP-5N7UH5JAXCVP5UJR -m comment --comment \"pod3_ns1 hostport 8443\" -s 10.1.1.4/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-5N7UH5JAXCVP5UJR -m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.4:443": true, | ||
"-A KUBE-HP-IJHALPHTORMHHPPK -m comment --comment \"pod1_ns1 hostport 8080\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-IJHALPHTORMHHPPK -m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.2:80": true, | ||
"-A KUBE-HP-63UPIDJXVRSZGSUZ -m comment --comment \"pod1_ns1 hostport 8081\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-63UPIDJXVRSZGSUZ -m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp -j DNAT --to-destination 10.1.1.2:81": true, | ||
"-A KUBE-HP-WFBOALXEP42XEMJK -m comment --comment \"pod3_ns1 hostport 8443\" -s 10.1.1.4/32 -j KUBE-MARK-MASQ": true, | ||
"-A KUBE-HP-WFBOALXEP42XEMJK -m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.4:443": true, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we validate the cleanup logic in unit test so that we will have more confidences? |
||
`COMMIT`: true, | ||
} | ||
for _, line := range lines { | ||
|
@@ -198,3 +198,92 @@ func TestHostportManager(t *testing.T) { | |
assert.EqualValues(t, true, port.closed) | ||
} | ||
} | ||
|
||
func TestGetHostportChain(t *testing.T) { | ||
m := make(map[string]int) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: what about |
||
chain := getHostportChain("testrdma-2", &PortMapping{HostPort: 57119, Protocol: "TCP", ContainerPort: 57119}) | ||
m[string(chain)] = 1 | ||
chain = getHostportChain("testrdma-2", &PortMapping{HostPort: 55429, Protocol: "TCP", ContainerPort: 55429}) | ||
m[string(chain)] = 1 | ||
chain = getHostportChain("testrdma-2", &PortMapping{HostPort: 56833, Protocol: "TCP", ContainerPort: 56833}) | ||
m[string(chain)] = 1 | ||
if len(m) != 3 { | ||
t.Fatal(m) | ||
} | ||
} | ||
|
||
func TestHostPortManagerRemoveLegacyRules(t *testing.T) { | ||
iptables := NewFakeIPTables() | ||
legacyRules := [][]string{ | ||
{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp --dport 8443 -j KUBE-HP-5N7UH5JAXCVP5UJR"}, | ||
{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp --dport 8081 -j KUBE-HP-7THKRFSEH4GIIXK7"}, | ||
{"-A", "KUBE-HOSTPORTS", "-m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp --dport 8080 -j KUBE-HP-4YVONL46AKYWSKS3"}, | ||
{"-A", "OUTPUT", "-m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS"}, | ||
{"-A", "PREROUTING", "-m comment --comment \"kube hostport portals\" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS"}, | ||
{"-A", "POSTROUTING", "-m comment --comment \"SNAT for localhost access to hostports\" -o cbr0 -s 127.0.0.0/8 -j MASQUERADE"}, | ||
{"-A", "KUBE-HP-4YVONL46AKYWSKS3", "-m comment --comment \"pod1_ns1 hostport 8080\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ"}, | ||
{"-A", "KUBE-HP-4YVONL46AKYWSKS3", "-m comment --comment \"pod1_ns1 hostport 8080\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.2:80"}, | ||
{"-A", "KUBE-HP-7THKRFSEH4GIIXK7", "-m comment --comment \"pod1_ns1 hostport 8081\" -s 10.1.1.2/32 -j KUBE-MARK-MASQ"}, | ||
{"-A", "KUBE-HP-7THKRFSEH4GIIXK7", "-m comment --comment \"pod1_ns1 hostport 8081\" -m udp -p udp -j DNAT --to-destination 10.1.1.2:81"}, | ||
{"-A", "KUBE-HP-5N7UH5JAXCVP5UJR", "-m comment --comment \"pod3_ns1 hostport 8443\" -s 10.1.1.4/32 -j KUBE-MARK-MASQ"}, | ||
{"-A", "KUBE-HP-5N7UH5JAXCVP5UJR", "-m comment --comment \"pod3_ns1 hostport 8443\" -m tcp -p tcp -j DNAT --to-destination 10.1.1.4:443"}, | ||
} | ||
for _, rule := range legacyRules { | ||
_, err := iptables.EnsureChain(utiliptables.TableNAT, utiliptables.Chain(rule[1])) | ||
assert.NoError(t, err) | ||
_, err = iptables.ensureRule(utiliptables.RulePosition(rule[0]), utiliptables.TableNAT, utiliptables.Chain(rule[1]), rule[2]) | ||
assert.NoError(t, err) | ||
} | ||
portOpener := NewFakeSocketManager() | ||
manager := &hostportManager{ | ||
hostPortMap: make(map[hostport]closeable), | ||
iptables: iptables, | ||
portOpener: portOpener.openFakeSocket, | ||
} | ||
err := manager.Remove("id", &PodPortMapping{ | ||
Name: "pod1", | ||
Namespace: "ns1", | ||
IP: net.ParseIP("10.1.1.2"), | ||
HostNetwork: false, | ||
PortMappings: []*PortMapping{ | ||
{ | ||
HostPort: 8080, | ||
ContainerPort: 80, | ||
Protocol: v1.ProtocolTCP, | ||
}, | ||
{ | ||
HostPort: 8081, | ||
ContainerPort: 81, | ||
Protocol: v1.ProtocolUDP, | ||
}, | ||
}, | ||
}) | ||
assert.NoError(t, err) | ||
|
||
err = manager.Remove("id", &PodPortMapping{ | ||
Name: "pod3", | ||
Namespace: "ns1", | ||
IP: net.ParseIP("10.1.1.4"), | ||
HostNetwork: false, | ||
PortMappings: []*PortMapping{ | ||
{ | ||
HostPort: 8443, | ||
ContainerPort: 443, | ||
Protocol: v1.ProtocolTCP, | ||
}, | ||
}, | ||
}) | ||
assert.NoError(t, err) | ||
|
||
natTable, ok := iptables.tables[string(utiliptables.TableNAT)] | ||
assert.True(t, ok) | ||
// check KUBE-HOSTPORTS chain should be cleaned up | ||
hostportChain, ok := natTable.chains["KUBE-HOSTPORTS"] | ||
assert.True(t, ok, string(hostportChain.name)) | ||
assert.Equal(t, 0, len(hostportChain.rules), "%v", hostportChain.rules) | ||
// check KUBE-HP-* chains should be deleted | ||
for _, name := range []string{"KUBE-HP-4YVONL46AKYWSKS3", "KUBE-HP-7THKRFSEH4GIIXK7", "KUBE-HP-5N7UH5JAXCVP5UJR"} { | ||
_, ok := natTable.chains[name] | ||
assert.False(t, ok) | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,6 +21,7 @@ import ( | |
"crypto/sha256" | ||
"encoding/base32" | ||
"fmt" | ||
"strconv" | ||
"strings" | ||
"time" | ||
|
||
|
@@ -142,7 +143,7 @@ func writeLine(buf *bytes.Buffer, words ...string) { | |
// this because IPTables Chain Names must be <= 28 chars long, and the longer | ||
// they are the harder they are to read. | ||
func hostportChainName(pm *PortMapping, podFullName string) utiliptables.Chain { | ||
hash := sha256.Sum256([]byte(string(pm.HostPort) + string(pm.Protocol) + podFullName)) | ||
hash := sha256.Sum256([]byte(strconv.Itoa(int(pm.HostPort)) + string(pm.Protocol) + podFullName)) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. For |
||
encoded := base32.StdEncoding.EncodeToString(hash[:]) | ||
return utiliptables.Chain(kubeHostportChainPrefix + encoded[:16]) | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does that mean by changing the chain name, we are orphaning the old chain/rule? Is that acceptable or anyway to workaround?
@kubernetes/sig-network-pr-reviews
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add a commit to clean up these old chains/rules as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In fact, thought about this again, I wonder why it would be an issue changing this function. Can't we assume upon node/kubelet upgrade, all iptables rules will not be retained because node has been restarted? Am I suggesting an unnecessary cleanup? Would be great to have guidance from @thockin and @freehan
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
😕 Is this true? I don't think everyone will restart node upon upgrade. Is this the required step of upgrading to the next release or something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
At least that is what happens with gce/upgrade.sh :)
I'm not aware of any supported per-system-component upgrade mechanism in k8s yet, not sure if someone already support that...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is better. It's low cost.