* feat(gitignore): don't track intellij files
* fact(network_policy): networkPoliciesInfo -> stack
Take networkPoliciesInfo off of the npc struct and convert it to a stack
variable that is easy to cleanup.
* fix(network_policy): k8s obj memory accumulation
Kubernetes informers will block on handler execution and will then begin
to accumulate cached Kubernetes object information into the heap. This
change moves the full sync logic into it's own goroutine where full
syncs are triggered and gated via writing to a single item channel.
This ensures that:
- Syncs will only happen one at a time (as they are full syncs and we
can't process multiple at once)
- Sync requests are only ever delayed and never lost as they will be
added to the request channel
- After we make a sync request we return fast to ensure that the handler
execution returns fast and that we don't block the Kubernetes
informers
* fact(network_policy): rework readyForUpdates
Now that we are better managing requests for full syncs we no longer
need to manage readyForUpdates on the npc controller. We already enforce
not blocking the handlers and a single sync execution chain, whether it
comes from the controller in the form of a periodic sync or whether it
comes from a Kubernetes informer, either way the result is a
non-blocking, single thread of execution, full sync.
* fix(network_policy): address PR feedback
(pod's traffic that is destined to node's local ip). with out this fix even
with network policy to drop all egress traffic, pod can reach host IP's.
Pod's can access any service hosted in host network as well
* in DeleteFunc handlers across the controllers handle the case where received object can be of
type DeletedFinalStateUnknown
fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712
* address review comments
While --set is still ambiguous it can clash with other module options,
so it is better to be more specific and use the --match-set option. This
also more closely aligns with all other areas of the code that already
use --match-set.
From iptables-extensions man page:
The option --match-set can be replaced by --set if that does not clash
with an option of other extensions.
For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.
A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
In between of the creation of these two rules a connection reset can happen for already established connections.
This commits swaps the order of rule insertion.
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
This fixes#642, which causes kube-router to crash on valid network
policies, and also implements support for ingress and egress rules
without a port specified.
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* using ipset to manage multiple src CIDRs
* using ipset to manage multiple dst CIDRs
* soft-code the prefix of iptables chain name and ipset name
* gofmt
* Moved code for evaluation of policy peers into separate func to avoid code duplication
* Ensured fallback to policy namespace, if namespaceSelector is not set
* use strconv for converting int64 to string
* change order of pod-fw sync, chain items has to be added before jumping to the chain starts
* added logging of syncversion, decreased logging verbosity+severity for planned chain cleanups
* Instead of clearing the iptables firewall chains for each resync, new chains are now generated side-by-side with the existing ones.
* Chain naming now has an addition component, version, which ensures chain name uniqueness.
* Existing cleanup procedure for stale iptables rules will handle garbage collection of unused chains.
