(pod's traffic that is destined to node's local ip). with out this fix even
with network policy to drop all egress traffic, pod can reach host IP's.
Pod's can access any service hosted in host network as well
* in DeleteFunc handlers across the controllers handle the case where received object can be of
type DeletedFinalStateUnknown
fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712
* address review comments
While --set is still ambiguous it can clash with other module options,
so it is better to be more specific and use the --match-set option. This
also more closely aligns with all other areas of the code that already
use --match-set.
From iptables-extensions man page:
The option --match-set can be replaced by --set if that does not clash
with an option of other extensions.
For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.
A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
In between of the creation of these two rules a connection reset can happen for already established connections.
This commits swaps the order of rule insertion.
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
This fixes#642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* using ipset to manage multiple src CIDRs
* using ipset to manage multiple dst CIDRs
* soft-code the prefix of iptables chain name and ipset name
* gofmt
* Moved code for evaluation of policy peers into separate func to avoid code duplication
* Ensured fallback to policy namespace, if namespaceSelector is not set
* use strconv for converting int64 to string
* change order of pod-fw sync, chain items has to be added before jumping to the chain starts
* added logging of syncversion, decreased logging verbosity+severity for planned chain cleanups
* Instead of clearing the iptables firewall chains for each resync, new chains are now generated side-by-side with the existing ones.
* Chain naming now has an addition component, version, which ensures chain name uniqueness.
* Existing cleanup procedure for stale iptables rules will handle garbage collection of unused chains.
