* in DeleteFunc handlers across the controllers, handle the case where the received object can be of
type DeletedFinalStateUnknown
fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712
* address review comments
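The handler pattern the first commit describes, written out as an added example (not kube-router's own code): an informer's DeleteFunc may receive either the object itself or a `DeletedFinalStateUnknown` tombstone wrapping the last known copy, so the handler unwraps before type-asserting instead of panicking. `DeletedFinalStateUnknown` and `Pod` below are local stand-ins so the snippet compiles without client-go; the assumption is that the stand-in mirrors the `Key`/`Obj` shape of `cache.DeletedFinalStateUnknown`.

```go
package main

import "fmt"

// Local stand-in for k8s.io/client-go/tools/cache.DeletedFinalStateUnknown
// (assumption: same shape, a Key string plus the last-known Obj), so the
// example builds offline.
type DeletedFinalStateUnknown struct {
	Key string
	Obj interface{}
}

// Pod is a minimal constructed stand-in for the API object the handler expects.
type Pod struct {
	Namespace, Name string
}

// podFromDeleteEvent returns the deleted *Pod behind a DeleteFunc argument.
// Informers deliver a DeletedFinalStateUnknown tombstone when the watch
// missed the actual delete (for example after a relist); a handler that
// type-asserts straight to *Pod panics or silently drops that event.
func podFromDeleteEvent(obj interface{}) (*Pod, error) {
	switch v := obj.(type) {
	case *Pod:
		return v, nil
	case DeletedFinalStateUnknown:
		pod, ok := v.Obj.(*Pod)
		if !ok {
			return nil, fmt.Errorf("tombstone %q contains %T, not *Pod", v.Key, v.Obj)
		}
		return pod, nil
	default:
		return nil, fmt.Errorf("unexpected object type %T in delete event", obj)
	}
}

// handleDelete has the shape of a DeleteFunc callback: unwrap first, and log
// rather than panic on anything it cannot interpret.
func handleDelete(obj interface{}) {
	pod, err := podFromDeleteEvent(obj)
	if err != nil {
		fmt.Println("skipping delete event:", err)
		return
	}
	fmt.Printf("cleaning up policy state for %s/%s\n", pod.Namespace, pod.Name)
}

func main() {
	handleDelete(&Pod{Namespace: "default", Name: "web-0"})
	handleDelete(DeletedFinalStateUnknown{Key: "default/web-1", Obj: &Pod{Namespace: "default", Name: "web-1"}})
	handleDelete(DeletedFinalStateUnknown{Key: "default/ghost", Obj: "not a pod"})
}
```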
While --set is still ambiguous, it can clash with other module options,
so it is better to be more specific and use the --match-set option. This
also more closely aligns with all other areas of the code that already
use --match-set.
From the iptables-extensions man page:
The option --match-set can be replaced by --set if that does not clash
with an option of other extensions.
For very busy TCP connections there is a small chance of receiving
a TCP RST during the iptables sync.
A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
Between the creation of these two rules, a connection reset can happen for already established connections.
This commit swaps the order of rule insertion.
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
This fixes #642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* using ipset to manage multiple src CIDRs
* using ipset to manage multiple dst CIDRs
* soft-code the prefix of iptables chain name and ipset name
* gofmt
* Moved code for evaluation of policy peers into separate func to avoid code duplication
* Ensured fallback to policy namespace, if namespaceSelector is not set
* use strconv for converting int64 to string
* change order of pod-fw sync, chain items have to be added before jumping to the chain starts
* added logging of syncversion, decreased logging verbosity+severity for planned chain cleanups
* Instead of clearing the iptables firewall chains for each resync, new chains are now generated side-by-side with the existing ones.
* Chain naming now has an additional component, version, which ensures chain name uniqueness.
* Existing cleanup procedure for stale iptables rules will handle garbage collection of unused chains.