The behavior of iproute2 changed in 5.0 as described in #750: now if a
table has not been created, `ip route list table <table>` will produce a
non-zero exit code.
It's not really needed to check tables via `list` anyway, since they
will be created by iproute2 when needed on first use. So relax error
handling for `ip route list table`, and remove it completely when a
table might be missing.
This fixes #750
* honor the ClientIP session affinity timeout
* update moq file
* Fix unit test failure due to adding a new arg to ipvsAddService
Co-authored-by: Bumyong Choi <bchoi@digitalocean.com>
* in DeleteFunc handlers across the controllers handle the case where received object can be of type DeletedFinalStateUnknown
fixes one of the symptoms (panic on receiving DeletedFinalStateUnknown objects) reported in #712
* address review comments
* restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services
Fixes #818
* refactoring service controller sync() logic to be more modular
Currently we can have an error on service proxy if we cannot set sysctl (in my case), but those errors are returned and not shown. Just show them, like other controllers.
* Added flag and condition for open input on iptables #797
* Adding flag to docs.
* Updated to remove INPUT/CHAIN entirely. Name changed to IpvsDenyAll.
* Updated README.
* Updated docstring on ipvs-deny-all
* ipvsDenyAll -> ipvsPermitAll
* Updating user guide.
* Description updates per review
In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>
* update netlink
* update libnetwork to get ipvs stats
* update gopkg.lock for libnetwork update
* update libnetwork
* add cli options
* make endpoints delete gracefully
* move conntrack flusher
* get some order in the mainloop
* update to alpine 3.9 & go 1.11.1
* revert to 1.10.3 just update alpine
* and revert travis.yml
* lock version
* test 1.12
* test
* prevent host services from being accessible through service IPs
- on startup create ipsets and firewall rules
- on sync update ipsets
- on cleanup remove firewall rules and ipsets
Fixes #282.
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* ensure iptables rules are also available during cleanup
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* first check if chain exists
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* err not a new variable
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* more redeclared vars
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* maintain an ipset for local addresses and exclude those from our default deny rule
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* copy/paste errors
Signed-off-by: Steven Armstrong <steven.armstrong@id.ethz.ch>
* update metrics docs & dashboard
* renamed `namespace` label to `svc_namespace` for service metrics as it would be overwritten by most Prometheus setups
* Made histograms for all the controller sync times for better visualization
* added `controller_routes_sync_time`, `controller_bgp_advertisements_sent` & `controller_policy_chains_sync_time` metrics
* make IPVS proxier set net/ipv4/vs/conn_reuse_mode to 0 by default, which will fix the IPVS low throughput issue
* better error message
* check and inform if too old kernel to use feature
* Add to set ip_vs_mh scheduler and flags
Signed-off-by: Inju Song <inju.song@navercorp.com>
* Use scheduler flags when adding or updating service
Signed-off-by: Inju Song <inju.song@navercorp.com>
* Refactor with gofmt, generate moq file and fix test source
Signed-off-by: Inju Song <inju.song@navercorp.com>
`Cmd.CombinedOutput()` returns `[]byte` for the command output which, at least for `ip` commands, should be a printable string. The output is now printed as a string.
Furthermore the constant `KUBE_DUMMY_IF` is used for the interface name to reduce multiple definitions of the interface name.
Signed-off-by: Mathias Kaufmann <me@stei.gr>