Aaron U'Ren
da5f8e0044
fix: address minor PR feedback and misspells
2021-09-11 16:20:07 -05:00
Aaron U'Ren
419c078c60
feat(.golangci.yml): enable unparam linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
d1218d15e0
feat(.golangci.yml): enable unconvert linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
1d90e215e9
feat(.golangci.yml): enable stylecheck linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
85f28411dc
feat(.golangci.yml): enable long lines linter and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
874a746e30
feat(.golangci.yml): enable gosec and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
6208bfac46
feat(.golangci.yml): enable gomnd and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
1b4cc61e71
feat(.golangci.yml): enable exhaustive and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
f52fddddee
feat(.golangci.yml): enable gocritic and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
d6ccc22519
feat(.golangci.yml): enable goconst and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
c5f4c00d63
feat(.golangci.yml): enable dupl and remediate
2021-09-11 16:20:07 -05:00
Aaron U'Ren
dc1960333d
fix(NPC): don't rely on exit code for chain check (#1157)
Don't use the exit code of NewChain() to decide if the chain exists or
not as it doesn't appear to be consistent between nftables and legacy
iptables implementations.
2021-08-18 23:06:02 +05:30
Aaron U'Ren
bffdc729cc
fix(npc): ordering of firewall / service rules (#1144)
2021-08-10 03:59:17 +05:30
Aaron U'Ren
1a8c354882
fix(NPC): Cleanup() function overhaul
Use existing cleanupStale*() methods to cleanup NPC based iptables and
ipsets. This provides a more consistent method of cleanup, consolidates
the logic, and updates it for all of the changes NPC has gone through.
2021-08-05 16:39:28 -05:00
Aaron U'Ren
9bc55dc1fa
fix(NPC): missed ipset locking
Somehow I missed adding ipset locking around cleanupStaleIPSets()
2021-08-05 16:39:28 -05:00
Aaron U'Ren
031d75265b
feat(NPC): minor performance improvement
Don't continue the loop if we've already matched.
2021-08-05 16:39:28 -05:00
Aaron U'Ren
e9be04ef2f
fix: add nil checking to ipsetMutex cleanup actions (#1129)
2021-07-20 01:22:48 +05:30
Murali Reddy
c8f7daf7ce
fix lint errors
2021-06-28 12:45:43 -05:00
Murali Reddy
2c4dd7d584
addressing review comments
2021-06-28 12:45:43 -05:00
Murali Reddy
4c8cfc9c27
bug fix
2021-06-28 12:45:43 -05:00
Murali Reddy
93fe004ce6
bug fixes
2021-06-28 12:45:43 -05:00
Murali Reddy
3d407dc451
make rules to ACCEPT related/established traffic as first entry in pod firewall chain
2021-06-28 12:45:43 -05:00
Murali Reddy
d684ec0c65
add logic to explicitly ACCEPT traffic from/to the pod if it's
permitted by applicable network policies. If there are no network
policies then by default ACCEPT the pod traffic
2021-06-28 12:45:43 -05:00
Ricardo Katz
21473edf05
Add support for kubernetes endport field (#1080)
2021-06-17 21:44:32 +05:30
Aaron U'Ren
d90c753286
fact(NPC): refactor isPodUpdateNetPolRelevant
Refactor this logic so that it can be more easily tested and expanded
without cluttering the pod.go file. Additionally, add some safeguards
around the pod cast to ensure that we're working with pods before we
pass them.
2021-06-01 10:42:42 -05:00
Aaron U'Ren
1a82db7500
fix(NPC): check if new pod is actionable
Previously, kube-router would do a full sync on a new pod whether or not
the pod was in an actionable state. This led to needless syncs as many
pods were missing PodIP addresses or other items necessary to apply
policy.
If a pod is missing these items it is better to wait for the next
message that comes via the UpdateFunc below so that we know that the pod
has all of the necessary items to apply policy to it.
2021-06-01 10:42:42 -05:00
Aaron U'Ren
3dc5c3fbcd
fix(NPC): remove HostNetwork check from OnPodUpdate
With the previous logic, if a pod changed from having HostNetwork =
False to HostNetwork = True, NPC would not trigger a refresh to clear
out the rules that once applied. Now this check has been moved lower in
the fullPolicySync() logic so that it accounts for these pods naturally.
2021-06-01 10:42:42 -05:00
Aaron U'Ren
13e0a39800
fix(NPC): check if pod is actionable
Check if the Pod is actionable before taking NetworkPolicy actions which
include both adding KUBE-POD-FW and KUBE-NWPLCY chains for it.
Checks have now been consolidated to a single isNetPolActionable()
function which checks for pod phases that we don't want NetworkPolicy
for like: Failed, Completed, and Succeeded, missing pod IP addresses,
and pods with HostNetwork enabled.
fixes #1056
2021-06-01 10:42:42 -05:00
Aaron U'Ren
fa8d69edd8
fix: add locking around ipset invocations
2021-06-01 10:42:08 -05:00
Aaron U'Ren
45b7fd1d94
fix(NPC): parse NodePorts as unsigned ints
Also separates logic so that it can be tested more easily, and adds unit
tests to make sure there is no regression.
Fixes #1083
2021-05-17 15:33:13 -05:00
Murali Reddy
2460189afd
skip host network pods when selecting pods to apply ingress/egress netpol
2021-04-28 16:38:55 -05:00
Murali Reddy
52551279a8
skip hostnetwork pods from enforcing network policies
2021-04-28 16:38:55 -05:00
Aaron U'Ren
be01f317c7
fact: other misc cleanups
2021-04-14 16:23:59 -05:00
Aaron U'Ren
53cfbe30eb
fix: return early when we might be holding nil references
2021-04-14 16:23:59 -05:00
Aaron U'Ren
4efa5ccc48
fact: remove function parameters that are never referenced
2021-04-14 16:23:59 -05:00
Aaron U'Ren
96675e620b
fix: don't capitalize error messages
It is standard practice in Go to not capitalize error messages:
https://github.com/golang/go/wiki/CodeReviewComments#error-strings
2021-04-14 16:23:59 -05:00
Aaron U'Ren
e9c77d0a35
fix(comments): misspellings and bad doc strings
2021-04-14 16:23:59 -05:00
Manuel Rüger
7d47aefe7d
Replace github.com/golang/glog with k8s.io/klog/v2
glog is effectively unmaintained and the Kubernetes ecosystem is mainly
using its fork klog
Fixes: #1051
2021-04-11 13:16:03 -05:00
黄扬
f4b7d613c5
support egress to namedport without dst address (#1037)
2021-03-24 08:39:07 +05:30
Aaron U'Ren
1fb0820044
fix(npc): sync npc on pod label changes (#1046)
fixes #1035
2021-03-19 01:33:35 +05:30
Aaron U'Ren
187a3f23c5
fix(ipset): add type option to RefreshSet
2021-03-18 09:21:22 -05:00
Aaron U'Ren
fe515d1b52
fix(pod.go): ensure traffic at end of chain is only dropped once
2021-03-18 09:21:22 -05:00
Aaron U'Ren
22b031beaa
feat(metrics): add more iptables sync metrics
2021-03-18 09:21:22 -05:00
Aaron U'Ren
95299a4cb5
fix(pod.go): comment quoting issues
2021-03-18 09:21:22 -05:00
Murali Reddy
afd866c0de
use ipset save and restore to modify ipset to reduce exec calls
2021-03-18 09:21:22 -05:00
Murali Reddy
888cac9193
use iptables-save and iptables-restore commands to consolidate
individual iptables commands that are run during full network
policies sync
2021-03-18 09:21:22 -05:00
Murali Reddy
c145885354
resolving merge conflicts of PR-964
2021-01-04 17:33:31 +05:30
Murali Reddy
e16f2077dd
npc code restructuring (#1007)
2020-12-16 18:40:00 +05:30
Murali Reddy
46e903aa13
remove deprecated netpol beta API support (#1001)
* remove deprecated netpol beta API support
* removing unused function
2020-11-26 21:24:32 +05:30
Aaron U'Ren
5a5e835d0f
fix(network_policy): mask mark reset on FW marks (#992)
Don't reset all marks, only the mark that we originally set as part of
the firewall rules so that we don't affect other systems like hostPort
and other elements of the nat chain that may apply their own marks.
2020-09-26 03:04:27 +05:30