This fixes#642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* prevent host services from being accessible through service IPs
- on startup create ipsets and firewall rules
- on sync update ipsets
- on cleanup remove firewall rules and ipsets
Fixes#282.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* ensure iptables rules are also available during cleanup
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* first check if chain exists
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* err not a new variable
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more redeclared vars
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* maintain a ipset for local addresses and exclude those from our default deny rule
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* copy/paste errors
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* Change append to insert for iptables rules
Updates how iptables FORWARD rules are applied to accommodate an existing final DROP rule for the chain.
* Fix the calls to Insert() to include a position
* iptables rules indexes are 1-based
* add unit tests for implementing #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* integration tests for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update docs for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* define new kube-router.io/service.advertise.* annotations
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* Implement per service annotations for advertising IPs.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more consistent annotation names
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* remove redundant tests
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
Using echo places a new-line character at the end of the base64
generated string which will cause peering to fail for most use-cases as
it is unlikely to be present in the configuration of the other peer.
* make IPVS proxier set net/ipv4/vs/conn_reuse_mode to 0 by default, which will fix the IPVS low throughput issue
* better error message
* check and inform if to old kernel to use feature
* Add to set ip_vs_mh scheduler and flags
Signed-off-by: Inju Song <inju.song@navercorp.com>
* Use scheduler flags when adding or updating service
Signed-off-by: Inju Song <inju.song@navercorp.com>
* Refactor with gofmt, generate moq file and fix test source
Signed-off-by: Inju Song <inju.song@navercorp.com>
The 'kube-proxy --cleanup' checks that ip_vs.ko exists/is loaded.
To do this it ends up looking in /lib/modules/... and generates
an error: `Running modprobe ip_vs failed with message...`.
Add -v /lib/modules:/lib/modules to instructions.
Signed-off-by: Don Bowman <db@donbowman.ca>
* Use ip6tables for ipv6 and handle ipv6 for egress rules
* Make the temp ipset's fit into 31 characters
This should be improved. Some hash string should be used for
temp names.
When the number of nodes in a cluster is high enough, the
`disableSourceDestinationCheck()` logic creates a high number
of requests to EC2, resulting in throttling and subsequent
problems, such as the inability to attach EBS volumes. This is
not necessarily mitigated by the `ec2IamAuthorized` attribute
which was added to overcome this issue, as the number of
requests can still be high enough to reach Amazon's request
limits. In addition, it is not necessary to run this multiple
times in a loop for all the nodes in a cluster, as it is
sufficient to set it once when an instance boots.
This CLI option allows an administrator to turn off this
feature for kube-router so they can use some other means of
setting the attribute.
* using ipset to manage multiple src CIDRs
* using ipset to manage multiple dst CIDRs
* soft-code the prefix of iptables chain name and ipset name
* gofmt
* Introduced new cmdline flag --bgp-port, which controls BGP Server listening port and remote port of in-cluster node peers
* Introduced new cmdline flag --peer-router-ports, which controls remote BGP port for external peers
* Introduced new node annotation kube-router.io/peer.ports with same effect as --peer-router-ports
* Introduces the option --override-nexthop, setting it to true will make
advertised next hop for the routers to the peers will be automatically
selected to be appropriate reachable local IP. This will be overrider
any next-hop set for the routes in the RIB. Kube-router by defauly set
the next-hop to `node IP` which is not correct in case of nodes with
multiple interfaces and use differnt interaces for differect external
peers.
Fixes#480
* add next-hop-self documentation
