* rename export policies to make it direction independent
* split creating neighborsets and prefixsets from applying export policy
* add bgp import policy to deny service VIPs
* add tests for addition of import policy
Current implementation never considers the "kube-router.io/pod-cidr"
annotation when creating an ipset for the node pod network CIDR.
The Node.Spec.PodCIDR is always used instead.
This patch prefers the annotation PodCIDR over the Node.Spec.PodCIDR.
* update netlink
* update libnetwork to get ipvs stats
* update gopkg.lock for libnetwork update
* update libnetwork
* add cli options
* make endpoints delete gracefully
* move conntrack flusher
* get some order in the mainloop
* update to alpine 3.9 & go 1.11.1
* revert to 1.10.3 just update alpine
* and revert travis.yml
* lock version
* test 1.12
* test
* Introduces the option --full-overlay, to always generate IPIP tunnels regardless of node subnets
* Use --overlay-type={subnet,full} instead of --full-overlay={true,false}
* - refactor / clean up / extract code dupes into methods and reuse
* - fix 639
- get external IPs to withdraw as diff against previous generation of service
This fixes #642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* prevent host services from being accessible through service IPs
- on startup create ipsets and firewall rules
- on sync update ipsets
- on cleanup remove firewall rules and ipsets
Fixes #282.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* ensure iptables rules are also available during cleanup
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* first check if chain exists
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* err not a new variable
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more redeclared vars
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* maintain an ipset for local addresses and exclude those from our default deny rule
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* copy/paste errors
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* Change append to insert for iptables rules
Updates how iptables FORWARD rules are applied to accommodate an existing final DROP rule for the chain.
* Fix the calls to Insert() to include a position
* iptables rules indexes are 1-based
* add unit tests for implementing #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* integration tests for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update docs for #75
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* define new kube-router.io/service.advertise.* annotations
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* Implement per service annotations for advertising IPs.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more consistent annotation names
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* remove redundant tests
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
Using echo places a new-line character at the end of the base64
generated string which will cause peering to fail for most use-cases as
it is unlikely to be present in the configuration of the other peer.
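As an added example (not code from kube-router or from the commit above), the following shell functions show the difference between encoding a BGP peer password with `echo` and with `printf`, and a byte-length check that makes the hidden trailing newline visible. The password `s3cret` is a constructed placeholder, not a real secret.

```shell
#!/bin/sh
# Added example: why `echo` is the wrong tool for producing a base64
# BGP password to paste into a peer's configuration. The password used
# below is a constructed placeholder.

# Encode with echo: the newline echo appends becomes part of the plaintext,
# so the peer would have to be configured with "password\n" to match.
encode_with_echo() {
    echo "$1" | base64
}

# Encode with printf '%s': only the password bytes are encoded.
encode_with_printf() {
    printf '%s' "$1" | base64
}

# Decode a base64 string and report how many bytes it held. A stray
# newline does not show on a terminal, but it does show in the count.
decoded_length() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Returns 0 when the encoded value decodes to exactly the password bytes
# (no more, no less). Compares lengths rather than "$(...)" output, since
# command substitution silently strips trailing newlines.
encodes_exactly() {
    [ "$(decoded_length "$2")" -eq "${#1}" ]
}

# Demonstration on the placeholder password.
pw='s3cret'
printf 'echo   -> %s (%s bytes)\n' "$(encode_with_echo "$pw")" "$(decoded_length "$(encode_with_echo "$pw")")"
printf 'printf -> %s (%s bytes)\n' "$(encode_with_printf "$pw")" "$(decoded_length "$(encode_with_printf "$pw")")"
```

The `echo` form yields `czNjcmV0Cg==`, which decodes to seven bytes; the `printf` form yields `czNjcmV0`, which decodes to the six bytes the other peer is actually configured with. `echo -n` also works on most shells, but `printf '%s'` is the portable choice.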
* make IPVS proxier set net/ipv4/vs/conn_reuse_mode to 0 by default, which will fix the IPVS low throughput issue
* better error message
* check and inform if the kernel is too old to use the feature