NP-621: add doc for nodeport host addresses #1372
Conversation
@zshi-redhat: This pull request references NP-621 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
> Record the `handle` number of the newly added rule (for removal)
It would be better to also tell users how to make the nft rules permanent.
Done.
Updated the nftables rule to use the PREROUTING chain, which doesn't need a rule handle to be specified; this makes it easier to add a persistent rule with the nftables systemd service. Also added a link to the RHEL 9 doc about persisting and auto-loading nftables rules with the systemd service.
docs/network/default_cni_plugin.md
> Replace value of NODEPORT variable with the host port number assigned to kubernetes NodePort service
> Replace value of INTERFACE_IP with the IP address from the host interface where you'd like to block the NodePort service
I'm not sure about this, but I looked at the "rich diff" and these two lines were merged into one. Maybe adding one empty line with `>` will keep them separate but in the same quote block.
Suggested change (an empty quoted line between the two sentences):

> Replace value of NODEPORT variable with the host port number assigned to kubernetes NodePort service
>
> Replace value of INTERFACE_IP with the IP address from the host interface where you'd like to block the NodePort service
Added a line break at the end of each line.
ovn-kubernetes doesn't restrict the host addresses where the k8s NodePort service can be accessed from outside the microshift node; this commit adds nftables instructions to drop packets matching the NodePort and host interface IPs. These nftables instructions can work regardless of the firewalld service state.

Signed-off-by: Zenghui Shi <zshi@redhat.com>
Co-authored-by: Patryk Matuszak <305846+pmtk@users.noreply.github.com>
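The rule the commit message and the PREROUTING reply above describe, written out as an added example (this is not MicroShift's own code, nor the text of docs/network/default_cni_plugin.md): a POSIX shell function that validates the NODEPORT and INTERFACE_IP values and renders an nftables ruleset whose drop rule sits in a PREROUTING chain, so no rule handle has to be recorded and the same file can be loaded by the nftables systemd service. The table name `nodeport_block`, the chain name, the -300 priority and the file path in the usage note are this example's assumptions; it also goes slightly beyond the PR text by adding a matching UDP rule next to the TCP one, since a NodePort service may be either.

```shell
#!/bin/sh
# Added example for this PR thread; not MicroShift's own code or docs.
# Renders an nftables ruleset that drops NodePort traffic arriving at one
# host interface address, in a PREROUTING chain as the updated doc does.
# Table name "nodeport_block", chain name, priority and the UDP rule are this
# example's choices (assumptions); only NODEPORT and INTERFACE_IP come from
# the PR.

# Usage: nodeport_block_ruleset NODEPORT INTERFACE_IP
# Prints the ruleset on stdout; returns 1 (message on stderr) on bad input.
nodeport_block_ruleset() {
    port=$1
    addr=$2

    # The port must be an integer in 1..65535 (NodePorts default to 30000-32767).
    case $port in
        ''|*[!0-9]*) echo "bad port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: '$port'" >&2; return 1
    fi

    # The address must be a dotted-quad IPv4 with every octet in 0..255.
    # Reject anything but digits and dots first so the split below cannot glob.
    case $addr in
        ''|*[!0-9.]*) echo "bad address: '$addr'" >&2; return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    if [ $# -ne 4 ]; then
        echo "bad address: '$addr'" >&2; return 1
    fi
    for octet in "$@"; do
        if [ -z "$octet" ] || [ "$octet" -gt 255 ]; then
            echo "bad address: '$addr'" >&2; return 1
        fi
    done

    # Declare-then-flush keeps the file idempotent under repeated "nft -f":
    # reloading replaces the whole table, so no rule handle is needed.
    # Priority -300 (the raw slot) runs before NAT prerouting (-100), so the
    # match sees the original host address, before the DNAT that
    # ovn-kubernetes applies to NodePort traffic. The table is separate from
    # firewalld's own "inet firewalld" table, so it applies whether or not
    # firewalld is running.
    cat <<EOF
table inet nodeport_block
flush table inet nodeport_block
table inet nodeport_block {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        ip daddr $addr tcp dport $port counter drop
        ip daddr $addr udp dport $port counter drop
    }
}
EOF
}

# Stand-alone demo with constructed values (documentation range 192.0.2.0/24).
if [ "${1-}" = "--demo" ]; then
    nodeport_block_ruleset 30080 192.0.2.10
fi
```

To apply and persist it, save the output as, for example, /etc/nftables/nodeport-block.nft (an assumed path), check the syntax with `nft -c -f /etc/nftables/nodeport-block.nft`, load it with `nft -f /etc/nftables/nodeport-block.nft`, then add `include "/etc/nftables/nodeport-block.nft"` to /etc/sysconfig/nftables.conf and run `systemctl enable --now nftables`, which is the same pattern the RHEL 9 documentation on auto-loading nftables rules uses. Because the chain policy is accept and the rule matches a single destination address, the NodePort stays reachable through the node's other addresses, which is exactly the per-address restriction the commit message is after; drop the address match if the goal is to block the port on every interface.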
@zshi-redhat: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: pmtk, zshi-redhat. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing