
Bump ip-masq-agent version to v2.3.0. Enable nomasq for reserved IPs. #77458

Merged
merged 1 commit into kubernetes:master from grayluck:agent-v2.3.0 on May 8, 2019

Conversation

@grayluck
Contributor

commented May 5, 2019

Bump ip-masq-agent version to v2.3.0. Enable nomasq for reserved IPs.

Also added the non-masq ranges to configure-helper.sh so that GCE clusters will have the non-masq IP ranges aligned with GKE clusters.

Corresponding ip-masq-agent change is in: kubernetes-incubator/ip-masq-agent#33

/kind feature

Special notes for your reviewer:
/cc bowei

Does this PR introduce a user-facing change?:

GCE clusters will add some IP ranges that are not in use on the public Internet to the list of non-masq IPs.
Bump ip-masq-agent version to v2.3.0 with flag `nomasq-all-reserved-ranges` turned on.

Verification (GCE cluster w/o ip-masq-agent):
A GCE e2e test cluster was created. Saw the following iptables rules on the nodes:
-A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq: RFC 1918 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 100.64.0.0/10 -m comment --comment "ip-masq: RFC 6598 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.0.0/24 -m comment --comment "ip-masq: RFC 6890 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.2.0/24 -m comment --comment "ip-masq: RFC 5737 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.88.99.0/24 -m comment --comment "ip-masq: RFC 7526 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 198.18.0.0/15 -m comment --comment "ip-masq: RFC 2544 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 203.0.113.0/24 -m comment --comment "ip-masq: RFC 5737 reserved range is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 240.0.0.0/4 -m comment --comment "ip-masq: Former Class E range obsoleted by RFC 3232 is not subject to MASQUERADE" -j RETURN


Verification (GCE cluster w ip-masq-agent):
-A POSTROUTING -m comment --comment "ip-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 100.64.0.0/10 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.0.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.2.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.88.99.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 198.18.0.0/15 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 203.0.113.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 240.0.0.0/4 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
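
The two rule listings above are the whole security contract of this change: a destination that matches one of the RETURN rules keeps the pod's source IP on the wire, and everything else is rewritten to the node address by the final MASQUERADE. A practitioner checking a node would want to confirm that POSTROUTING actually hands traffic to the chain, that MASQUERADE really is last, that exactly the expected reserved ranges are exempted, and what a specific destination would get. The following is an added example written for this page, not code from kubernetes/kubernetes or from ip-masq-agent; the sample rules are the PR's own verification output used as constructed input, EXPECTED_NONMASQ is the v2.3.0 range list taken from that output, and the function names are this example's own. It generalizes the listing into a first-match chain walk, so it also answers for destinations the PR did not list.

```python
"""Audit an ip-masq-agent style IP-MASQ chain from iptables-save output.

Added example, not code from kubernetes/kubernetes or ip-masq-agent. Sample
rules are the ones quoted in the PR; function names are this example's own.
Limitation: only plain "-d CIDR" matches are understood (no "! -d", -i, -p).
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Destinations that v2.3.0 with nomasq-all-reserved-ranges exempts from MASQUERADE.
EXPECTED_NONMASQ = [
    "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
    "198.18.0.0/15", "203.0.113.0/24", "240.0.0.0/4",
]

# Constructed sample input: the nat-table rules quoted in the PR for a GCE
# cluster running ip-masq-agent (the format `iptables-save -t nat` prints).
SAMPLE_RULES = """\
-A POSTROUTING -m comment --comment "ip-masq-agent: ensure nat POSTROUTING directs all non-LOCAL destination traffic to our custom IP-MASQ chain" -m addrtype ! --dst-type LOCAL -j IP-MASQ
-A IP-MASQ -d 169.254.0.0/16 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 10.0.0.0/8 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 172.16.0.0/12 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.168.0.0/16 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 100.64.0.0/10 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.0.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.0.2.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 192.88.99.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 198.18.0.0/15 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 203.0.113.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -d 240.0.0.0/4 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ -m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE
"""


class Rule(NamedTuple):
    chain: str
    dst: Optional[ipaddress.IPv4Network]  # None: rule matches any destination
    target: str


# "-A <chain> [-d <cidr>] ... -j <target>"; assumes comment text never contains " -j ".
RULE_RE = re.compile(r"^-A (?P<chain>\S+)(?: -d (?P<dst>\S+))?.*? -j (?P<target>\S+)$")


def parse_rules(text: str) -> List[Rule]:
    """Parse iptables-save "-A" lines into Rule records, preserving chain order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip headers such as "*nat" or ":IP-MASQ - [0:0]"
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line}")
        dst = ipaddress.ip_network(m.group("dst")) if m.group("dst") else None
        rules.append(Rule(m.group("chain"), dst, m.group("target")))
    return rules


def audit_chain(rules: List[Rule], chain: str = "IP-MASQ") -> List[str]:
    """Return findings about the masquerade chain; an empty list means it looks right."""
    findings = []
    chain_rules = [r for r in rules if r.chain == chain]
    if not chain_rules:
        return [f"chain {chain} has no rules"]
    # POSTROUTING must hand non-LOCAL traffic to the chain, or nothing is ever masqueraded.
    if not any(r.chain == "POSTROUTING" and r.target == chain for r in rules):
        findings.append(f"POSTROUTING does not jump to {chain}")
    # The unconditional MASQUERADE must be last: rules after it are dead, and an
    # unconditional rule before it short-circuits every exemption below it.
    last = chain_rules[-1]
    if last.target != "MASQUERADE" or last.dst is not None:
        findings.append("last rule is not an unconditional MASQUERADE")
    for r in chain_rules[:-1]:
        if r.target == "MASQUERADE":
            findings.append(f"MASQUERADE before end of chain (dst={r.dst})")
        if r.target == "RETURN" and r.dst is None:
            findings.append("unconditional RETURN disables masquerading entirely")
    # Exactly the expected reserved ranges should be exempted: report missing and extra ones.
    exempt = {str(r.dst) for r in chain_rules if r.target == "RETURN" and r.dst is not None}
    findings += [f"missing RETURN for {c}" for c in EXPECTED_NONMASQ if c not in exempt]
    findings += [f"unexpected non-masq range {c}" for c in sorted(exempt - set(EXPECTED_NONMASQ))]
    return findings


def is_masqueraded(rules: List[Rule], dst_ip: str, chain: str = "IP-MASQ") -> bool:
    """Walk the chain top-down with first-match-wins semantics, as iptables does."""
    ip = ipaddress.ip_address(dst_ip)
    for r in (r for r in rules if r.chain == chain):
        if r.dst is None or ip in r.dst:
            if r.target == "MASQUERADE":
                return True
            if r.target == "RETURN":
                return False
    return False  # fell off the end of the chain: back to POSTROUTING, no SNAT


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    print("findings:", audit_chain(parsed) or "none")
    for ip in ("8.8.8.8", "10.1.2.3", "169.254.169.254", "198.19.0.1", "240.0.0.1"):
        print(f"{ip:>16} -> {'MASQUERADE' if is_masqueraded(parsed, ip) else 'pod IP kept'}")
```

On a real node, feed the output of `iptables-save -t nat` to `parse_rules` instead of the constructed sample. Two of the findings matter most in practice: a missing POSTROUTING jump means no pod egress is masqueraded at all, and an unconditional RETURN or a misplaced MASQUERADE silently changes which destinations see the pod IP rather than the node IP, which is what any downstream firewall rule keyed on node addresses depends on.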

@k8s-ci-robot

Contributor

commented May 5, 2019

Hi @grayluck. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@grayluck

Contributor Author

commented May 5, 2019

/hold not tested yet.

@grayluck

Contributor Author

commented May 5, 2019

/sig network
/priority critical-urgent
Marked as critical-urgent as we have a pretty tight timeline on this and need this to be in the next cut.

@grayluck

Contributor Author

commented May 5, 2019

/hold

@grayluck

Contributor Author

commented May 6, 2019

/hold cancel
Tested. It works as expected.

@bowei

Member

commented May 6, 2019

/lgtm
/approve

@bowei

Member

commented May 6, 2019

/ok-to-test

@k8s-ci-robot

Contributor

commented May 6, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, grayluck

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@grayluck

Contributor Author

commented May 6, 2019

/retest

@grayluck

Contributor Author

commented May 7, 2019

/retest

@grayluck

Contributor Author

commented May 7, 2019

/retest

Bump ip-masq-agent version to v2.3.0. Enable nomasq for reserved IPs.
Added the non-masq ranges to configure-helper.sh so that GCE clusters
will have the non-masq IP ranges aligned with GKE clusters.

@grayluck grayluck force-pushed the grayluck:agent-v2.3.0 branch from 9541e81 to 1059a71 May 7, 2019

@k8s-ci-robot k8s-ci-robot removed the lgtm label May 7, 2019

@bowei

Member

commented May 7, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 7, 2019

@k8s-ci-robot k8s-ci-robot merged commit b34d7ac into kubernetes:master May 8, 2019

20 checks passed

cla/linuxfoundation: grayluck authorized
pull-kubernetes-bazel-build: Job succeeded.
pull-kubernetes-bazel-test: Job succeeded.
pull-kubernetes-conformance-image-test: Skipped.
pull-kubernetes-cross: Skipped.
pull-kubernetes-dependencies: Job succeeded.
pull-kubernetes-e2e-gce: Job succeeded.
pull-kubernetes-e2e-gce-100-performance: Job succeeded.
pull-kubernetes-e2e-gce-csi-serial: Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu: Job succeeded.
pull-kubernetes-e2e-gce-storage-slow: Skipped.
pull-kubernetes-godeps: Skipped.
pull-kubernetes-integration: Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big: Job succeeded.
pull-kubernetes-local-e2e: Skipped.
pull-kubernetes-node-e2e: Job succeeded.
pull-kubernetes-typecheck: Job succeeded.
pull-kubernetes-verify: Job succeeded.
pull-publishing-bot-validate: Skipped.
tide: In merge pool.