NP-621: add doc for nodeport host addresses #1372
Conversation
openshift-ci-robot
added
the
jira/valid-reference
|
@zshi-redhat: This pull request references NP-621 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
approved
openshift-merge-robot
added
the
needs-rebase
openshift-merge-robot
removed
the
needs-rebase
| ``` | ||
|
|
||
| > Record the `handle` number of the newly added rule (for removal) | ||
|
|
There was a problem hiding this comment.
It would be better to also tell users how to make the nft rules permanent.
There was a problem hiding this comment.
Done.
Updated the nftable rule to use PREROUTING chain which doesn't need to specify rule handle, this makes it easier to add a persist rule with nftables systemd service. Also added a link to the rhel9 doc about persisting and auto-loading nftable rules with systemd service.
docs/network/default_cni_plugin.md
Outdated
| > Replace value of NODEPORT variable with the host port number assigned to kubernetes NodePort service | ||
| > Replace value of INTERFACE_IP with the IP address from the host interface where you'd like to block the NodePort service |
There was a problem hiding this comment.
I'm not sure about this, but I looked at "rich diff" and these two lines were merged into one. Maybe adding one empty with > will keep them separate but in the same quote block
| > Replace value of NODEPORT variable with the host port number assigned to kubernetes NodePort service | |
| > Replace value of INTERFACE_IP with the IP address from the host interface where you'd like to block the NodePort service | |
| > Replace value of NODEPORT variable with the host port number assigned to kubernetes NodePort service | |
| > | |
| > Replace value of INTERFACE_IP with the IP address from the host interface where you'd like to block the NodePort service |
There was a problem hiding this comment.
added line break at the end of each line.
ovn-kubernetes doesn't restrict the host addresses where k8s nodeport service can be accessed from outside microshift node, this commit adds nftable instructions to drop packet matching the nodeport and host interface IPs. These nftable instructions can work regardless of firewalld service state. Signed-off-by: Zenghui Shi <zshi@redhat.com> Co-authored-by: Patryk Matuszak <305846+pmtk@users.noreply.github.com>
|
@zshi-redhat: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: pmtk, zshi-redhat The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ovn-kubernetes doesn't restrict the host addresses where
k8s nodeport service can be accessed from outside microshift
node, this commit adds nftable instructions to drop packet
matching the nodeport and host interface IPs. These nftable
instructions can work regardless of firewalld service state.
Signed-off-by: Zenghui Shi zshi@redhat.com