Brad Davidson
e34ef29fe2
Add additional save/restore metrics
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-07 08:52:31 -05:00
Brad Davidson
aa107d6376
Make metrics registerer/gatherer replaceable
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-07 08:52:31 -05:00
Erik Larsson
afdf553fa8
add loadbalancer address allocator
...
This adds a simple controller that will watch for services of type LoadBalancer
and try to allocate addresses from the specified IPv4 and/or IPv6 ranges.
It's assumed that kube-router (or another network controller) will announce the addresses.
As the controller uses leases for leader election and updates the service status, new
RBAC permissions are required.
2023-10-07 08:52:31 -05:00
Aaron U'Ren
06f5f8babf
feat(go): update package version to /v2
...
Do the necessary to update kube-router to a new major version following
upstream documentation: https://go.dev/doc/modules/major-version
2023-10-07 08:52:31 -05:00
Aaron U'Ren
b3e0768281
fix(options): make clusterIP specification similar to other options
2023-10-07 08:52:31 -05:00
Aaron U'Ren
a31511d987
fix(NPC): actually separate chain indices for ipv4 / ipv6
2023-10-07 08:52:31 -05:00
Aaron U'Ren
096da81f92
fact(NPC): pluralize newIPTablesHandler
2023-10-07 08:52:31 -05:00
Aaron U'Ren
ddb0e63c46
feat(NRC): make NRC dual stack
2023-10-07 08:52:31 -05:00
Aaron U'Ren
3db482be3b
fix(NPC): separate chain indices for ipv4 / ipv6
...
Without this, kube-router would end up sharing the index between ipv4
and ipv6 which would cause it to error out when one incremented beyond
the number of rules that actually existed in the chain.
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
d7e2a146f3
fix golangci issues
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
4256a60705
syncPodFirewallChains: loop on all NodeIp
...
to find the pods running on a given Node
- Load PodIp in podInfo struct and use it instead of pod.ips[0].IP
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
92e91df9d2
refactor whitelisting of cluster IP Range
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
6fea9c2d19
Validate that ClusterIP service range type matches the configuration
...
and update documentation
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
26d06c40aa
Turn IPTablesSaveRestore into an interface
2023-10-07 08:52:31 -05:00
Thomas Ferrandiz
3839ec1d8e
init iptablesCmdHandlers and ipSetHandlers inside NewNetworkPolicyController
2023-10-07 08:52:31 -05:00
Michal Rostecki
5d04a9fd97
netpol: Add dual-stack support
...
This change allows defining two cluster CIDRs for compatibility with
Kubernetes dual-stack, with an assumption that two CIDRs are usually
IPv4 and IPv6.
Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2023-10-07 08:52:31 -05:00
Aaron U'Ren
b5028025b2
fix(NPC): add missing quotes
2022-04-05 17:13:34 -05:00
Xiang Liu
492e0d126b
fix(NPC): make code more understandable
2022-03-15 12:06:22 -05:00
Aaron U'Ren
a9f0084665
Revert "feat(metrics): add more iptables sync metrics" (#1216)
...
This reverts commit 22b031beaa3393f8f02812242a9f637ce525b4eb.
@MikeSpreitzer pointed out that these metrics are already present in the
histogram type as *_count and *_sum and these two added metrics just add
duplicates. I've also proved out in my own environments that these
metric values are identical to the ones already carried in the
histogram.
2021-12-10 23:26:19 +05:30
Aaron U'Ren
419c078c60
feat(.golangci.yml): enable unparam linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
1d90e215e9
feat(.golangci.yml): enable stylecheck linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
85f28411dc
feat(.golangci.yml): enable long lines linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
6208bfac46
feat(.golangci.yml): enable gomnd and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
f52fddddee
feat(.golangci.yml): enable gocritic and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
d6ccc22519
feat(.golangci.yml): enable goconst and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
dc1960333d
fix(NPC): don't rely on exit code for chain check (#1157)
...
Don't use the exit code of NewChain() to decide if the chain exists or
not as it doesn't appear to be consistent between nftables and legacy
iptables implementations.
2021-08-18 23:06:02 +05:30
Aaron U'Ren
bffdc729cc
fix(npc): ordering of firewall / service rules (#1144)
2021-08-10 03:59:17 +05:30
Aaron U'Ren
1a8c354882
fix(NPC): Cleanup() function overhaul
...
Use existing cleanupStale*() methods to cleanup NPC based iptables and
ipsets. This provides a more consistent method of cleanup, consolidates
the logic, and updates it for all of the changes NPC has gone through.
2021-08-05 16:39:28 -05:00
Aaron U'Ren
9bc55dc1fa
fix(NPC): missed ipset locking
...
Somehow I missed adding ipset locking around cleanupStaleIPSets()
2021-08-05 16:39:28 -05:00
Aaron U'Ren
031d75265b
feat(NPC): minor performance improvement
...
Don't continue the loop if we've already matched.
2021-08-05 16:39:28 -05:00
Aaron U'Ren
e9be04ef2f
fix: add nil checking to ipsetMutex cleanup actions (#1129)
2021-07-20 01:22:48 +05:30
Murali Reddy
c8f7daf7ce
fix lint errors
2021-06-28 12:45:43 -05:00
Murali Reddy
4c8cfc9c27
bug fix
2021-06-28 12:45:43 -05:00
Murali Reddy
93fe004ce6
bug fixes
2021-06-28 12:45:43 -05:00
Murali Reddy
d684ec0c65
add logic to explicitly ACCEPT traffic from/to the pod if it's
...
permitted by applicable network policies. If there are no network
policies then by default ACCEPT the pod traffic
2021-06-28 12:45:43 -05:00
Ricardo Katz
21473edf05
Add support for kubernetes endport field (#1080)
2021-06-17 21:44:32 +05:30
Aaron U'Ren
fa8d69edd8
fix: add locking around ipset invocations
2021-06-01 10:42:08 -05:00
Aaron U'Ren
45b7fd1d94
fix(NPC): parse NodePorts as unsigned ints
...
Also separates logic so that it can be tested more easily, and adds unit
tests to make sure there is no regression.
Fixes #1083
2021-05-17 15:33:13 -05:00
Aaron U'Ren
be01f317c7
fact: other misc cleanups
2021-04-14 16:23:59 -05:00
Aaron U'Ren
53cfbe30eb
fix: return early when we might be holding nil references
2021-04-14 16:23:59 -05:00
Aaron U'Ren
4efa5ccc48
fact: remove function parameters that are never referenced
2021-04-14 16:23:59 -05:00
Aaron U'Ren
96675e620b
fix: don't capitalize error messages
...
It is standard practice in Go to not capitalize error messages:
https://github.com/golang/go/wiki/CodeReviewComments#error-strings
2021-04-14 16:23:59 -05:00
Aaron U'Ren
e9c77d0a35
fix(comments): misspellings and bad doc strings
2021-04-14 16:23:59 -05:00
Manuel Rüger
7d47aefe7d
Replace github.com/golang/glog with k8s.io/klog/v2
...
glog is effectively unmaintained and the kubernetes ecosystem is mainly
using its fork klog
Fixes: #1051
2021-04-11 13:16:03 -05:00
Aaron U'Ren
22b031beaa
feat(metrics): add more iptables sync metrics
2021-03-18 09:21:22 -05:00
Murali Reddy
afd866c0de
use ipset save and restore to modify ipset to reduce exec calls
2021-03-18 09:21:22 -05:00
Murali Reddy
888cac9193
use iptables-save and iptables-restore commands to consolidate
...
individual iptables commands that are run during full network
policies sync
2021-03-18 09:21:22 -05:00
Murali Reddy
e16f2077dd
npc code restructuring (#1007)
2020-12-16 18:40:00 +05:30
Murali Reddy
46e903aa13
remove deprecated netpol beta API support (#1001)
...
* remove deprecated netpol beta API support
* removing unused function
2020-11-26 21:24:32 +05:30
Aaron U'Ren
5a5e835d0f
fix(network_policy): mask mark reset on FW marks (#992)
...
Don't reset all marks, only the mark that we originally set as part of
the firewall rules so that we don't affect other systems like hostPort
and other elements of the nat chain that may apply their own marks.
2020-09-26 03:04:27 +05:30