mirror of
https://github.com/cloudnativelabs/kube-router.git
synced 2025-11-27 16:01:20 +01:00
afdf553fa8
This adds a simple controller that will watch for services of type LoadBalancer and try to allocated addresses from the specified IPv4 and/or IPv6 ranges. It's assumed that kube-router (or another network controller) will announce the addresses. As the controller uses leases for leader election and updates the service status new RBAC permissions are required.
250 lines
14 KiB
Go
250 lines
14 KiB
Go
package options
|
|
|
|
import (
|
|
"net"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/spf13/pflag"
|
|
)
|
|
|
|
const (
|
|
DefaultBgpPort = 179
|
|
DefaultBgpHoldTime = 90 * time.Second
|
|
defaultHealthCheckPort = 20244
|
|
defaultOverlayTunnelEncapPort uint16 = 5555
|
|
)
|
|
|
|
type KubeRouterConfig struct {
|
|
AdvertiseClusterIP bool
|
|
AdvertiseExternalIP bool
|
|
AdvertiseLoadBalancerIP bool
|
|
AdvertiseNodePodCidr bool
|
|
AutoMTU bool
|
|
BGPGracefulRestart bool
|
|
BGPGracefulRestartDeferralTime time.Duration
|
|
BGPGracefulRestartTime time.Duration
|
|
BGPHoldTime time.Duration
|
|
BGPPort uint32
|
|
CacheSyncTimeout time.Duration
|
|
CleanupConfig bool
|
|
ClusterAsn uint
|
|
ClusterIPCIDRs []string
|
|
DisableSrcDstCheck bool
|
|
EnableCNI bool
|
|
EnableiBGP bool
|
|
EnableIPv4 bool
|
|
EnableIPv6 bool
|
|
EnableOverlay bool
|
|
EnablePodEgress bool
|
|
EnablePprof bool
|
|
ExcludedCidrs []string
|
|
ExternalIPCIDRs []string
|
|
FullMeshMode bool
|
|
GlobalHairpinMode bool
|
|
HealthPort uint16
|
|
HelpRequested bool
|
|
HostnameOverride string
|
|
InjectedRoutesSyncPeriod time.Duration
|
|
IPTablesSyncPeriod time.Duration
|
|
IpvsGracefulPeriod time.Duration
|
|
IpvsGracefulTermination bool
|
|
IpvsPermitAll bool
|
|
IpvsSyncPeriod time.Duration
|
|
Kubeconfig string
|
|
LoadBalancerCIDRs []string
|
|
LoadBalancerDefaultClass bool
|
|
LoadBalancerSyncPeriod time.Duration
|
|
MasqueradeAll bool
|
|
Master string
|
|
MetricsEnabled bool
|
|
MetricsPath string
|
|
MetricsPort uint16
|
|
NodePortBindOnAllIP bool
|
|
NodePortRange string
|
|
OverlayType string
|
|
OverlayEncap string
|
|
OverlayEncapPort uint16
|
|
OverrideNextHop bool
|
|
PeerASNs []uint
|
|
PeerMultihopTTL uint8
|
|
PeerPasswords []string
|
|
PeerPasswordsFile string
|
|
PeerPorts []uint
|
|
PeerRouters []net.IP
|
|
RouterID string
|
|
RoutesSyncPeriod time.Duration
|
|
RunFirewall bool
|
|
RunRouter bool
|
|
RunServiceProxy bool
|
|
RunLoadBalancer bool
|
|
RuntimeEndpoint string
|
|
Version bool
|
|
VLevel string
|
|
// FullMeshPassword string
|
|
}
|
|
|
|
func NewKubeRouterConfig() *KubeRouterConfig {
|
|
//nolint:gomnd // Here we are specifying the names of the literals which is very similar to constant behavior
|
|
return &KubeRouterConfig{
|
|
BGPGracefulRestartDeferralTime: 360 * time.Second,
|
|
BGPGracefulRestartTime: 90 * time.Second,
|
|
BGPHoldTime: 90 * time.Second,
|
|
CacheSyncTimeout: 1 * time.Minute,
|
|
ClusterIPCIDRs: []string{"10.96.0.0/12"},
|
|
EnableOverlay: true,
|
|
IPTablesSyncPeriod: 5 * time.Minute,
|
|
IpvsGracefulPeriod: 30 * time.Second,
|
|
IpvsSyncPeriod: 5 * time.Minute,
|
|
LoadBalancerSyncPeriod: time.Minute,
|
|
NodePortRange: "30000-32767",
|
|
OverlayType: "subnet",
|
|
RoutesSyncPeriod: 5 * time.Minute,
|
|
InjectedRoutesSyncPeriod: 60 * time.Second,
|
|
}
|
|
}
|
|
|
|
func (s *KubeRouterConfig) AddFlags(fs *pflag.FlagSet) {
|
|
fs.BoolVar(&s.AdvertiseClusterIP, "advertise-cluster-ip", false,
|
|
"Add Cluster IP of the service to the RIB so that it gets advertises to the BGP peers.")
|
|
fs.BoolVar(&s.AdvertiseExternalIP, "advertise-external-ip", false,
|
|
"Add External IP of service to the RIB so that it gets advertised to the BGP peers.")
|
|
fs.BoolVar(&s.AdvertiseLoadBalancerIP, "advertise-loadbalancer-ip", false,
|
|
"Add LoadbBalancer IP of service status as set by the LB provider to the RIB so that it gets "+
|
|
"advertised to the BGP peers.")
|
|
fs.BoolVar(&s.AdvertiseNodePodCidr, "advertise-pod-cidr", true,
|
|
"Add Node's POD cidr to the RIB so that it gets advertised to the BGP peers.")
|
|
fs.BoolVar(&s.AutoMTU, "auto-mtu", true,
|
|
"Auto detect and set the largest possible MTU for kube-bridge and pod interfaces (also accounts for "+
|
|
"IPIP overlay network when enabled).")
|
|
fs.BoolVar(&s.BGPGracefulRestart, "bgp-graceful-restart", false,
|
|
"Enables the BGP Graceful Restart capability so that routes are preserved on unexpected restarts")
|
|
fs.DurationVar(&s.BGPGracefulRestartDeferralTime, "bgp-graceful-restart-deferral-time",
|
|
s.BGPGracefulRestartDeferralTime,
|
|
"BGP Graceful restart deferral time according to RFC4724 4.1, maximum 18h.")
|
|
fs.DurationVar(&s.BGPGracefulRestartTime, "bgp-graceful-restart-time", s.BGPGracefulRestartTime,
|
|
"BGP Graceful restart time according to RFC4724 3, maximum 4095s.")
|
|
fs.DurationVar(&s.BGPHoldTime, "bgp-holdtime", DefaultBgpHoldTime,
|
|
"This parameter is mainly used to modify the holdtime declared to BGP peer. When Kube-router goes down "+
|
|
"abnormally, the local saving time of BGP route will be affected. "+
|
|
"Holdtime must be in the range 3s to 18h12m16s.")
|
|
fs.Uint32Var(&s.BGPPort, "bgp-port", DefaultBgpPort,
|
|
"The port open for incoming BGP connections and to use for connecting with other BGP peers.")
|
|
fs.DurationVar(&s.CacheSyncTimeout, "cache-sync-timeout", s.CacheSyncTimeout,
|
|
"The timeout for cache synchronization (e.g. '5s', '1m'). Must be greater than 0.")
|
|
fs.BoolVar(&s.CleanupConfig, "cleanup-config", false,
|
|
"Cleanup iptables rules, ipvs, ipset configuration and exit.")
|
|
fs.UintVar(&s.ClusterAsn, "cluster-asn", s.ClusterAsn,
|
|
"ASN number under which cluster nodes will run iBGP.")
|
|
fs.BoolVar(&s.DisableSrcDstCheck, "disable-source-dest-check", true,
|
|
"Disable the source-dest-check attribute for AWS EC2 instances. When this option is false, it must be "+
|
|
"set some other way.")
|
|
fs.BoolVar(&s.EnableCNI, "enable-cni", true,
|
|
"Enable CNI plugin. Disable if you want to use kube-router features alongside another CNI plugin.")
|
|
fs.BoolVar(&s.EnableiBGP, "enable-ibgp", true,
|
|
"Enables peering with nodes with the same ASN, if disabled will only peer with external BGP peers")
|
|
fs.BoolVar(&s.EnableIPv4, "enable-ipv4", true, "Enables IPv4 support")
|
|
fs.BoolVar(&s.EnableIPv6, "enable-ipv6", false, "Enables IPv6 support")
|
|
fs.BoolVar(&s.EnableOverlay, "enable-overlay", true,
|
|
"When enable-overlay is set to true, IP-in-IP tunneling is used for pod-to-pod networking across "+
|
|
"nodes in different subnets. When set to false no tunneling is used and routing infrastructure is "+
|
|
"expected to route traffic for pod-to-pod networking across nodes in different subnets")
|
|
fs.BoolVar(&s.EnablePodEgress, "enable-pod-egress", true,
|
|
"SNAT traffic from Pods to destinations outside the cluster.")
|
|
fs.BoolVar(&s.EnablePprof, "enable-pprof", false,
|
|
"Enables pprof for debugging performance and memory leak issues.")
|
|
fs.StringSliceVar(&s.ExcludedCidrs, "excluded-cidrs", s.ExcludedCidrs,
|
|
"Excluded CIDRs are used to exclude IPVS rules from deletion.")
|
|
fs.BoolVar(&s.GlobalHairpinMode, "hairpin-mode", false,
|
|
"Add iptables rules for every Service Endpoint to support hairpin traffic.")
|
|
fs.Uint16Var(&s.HealthPort, "health-port", defaultHealthCheckPort, "Health check port, 0 = Disabled")
|
|
fs.BoolVarP(&s.HelpRequested, "help", "h", false,
|
|
"Print usage information.")
|
|
fs.StringVar(&s.HostnameOverride, "hostname-override", s.HostnameOverride,
|
|
"Overrides the NodeName of the node. Set this if kube-router is unable to determine your NodeName "+
|
|
"automatically.")
|
|
fs.DurationVar(&s.InjectedRoutesSyncPeriod, "injected-routes-sync-period", s.InjectedRoutesSyncPeriod,
|
|
"The delay between route table synchronizations (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
|
|
fs.DurationVar(&s.IPTablesSyncPeriod, "iptables-sync-period", s.IPTablesSyncPeriod,
|
|
"The delay between iptables rule synchronizations (e.g. '5s', '1m'). Must be greater than 0.")
|
|
fs.DurationVar(&s.IpvsGracefulPeriod, "ipvs-graceful-period", s.IpvsGracefulPeriod,
|
|
"The graceful period before removing destinations from IPVS services (e.g. '5s', '1m', '2h22m'). Must "+
|
|
"be greater than 0.")
|
|
fs.BoolVar(&s.IpvsGracefulTermination, "ipvs-graceful-termination", false,
|
|
"Enables the experimental IPVS graceful terminaton capability")
|
|
fs.BoolVar(&s.IpvsPermitAll, "ipvs-permit-all", true,
|
|
"Enables rule to accept all incoming traffic to service VIP's on the node.")
|
|
fs.DurationVar(&s.IpvsSyncPeriod, "ipvs-sync-period", s.IpvsSyncPeriod,
|
|
"The delay between ipvs config synchronizations (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
|
|
fs.StringVar(&s.Kubeconfig, "kubeconfig", s.Kubeconfig,
|
|
"Path to kubeconfig file with authorization information (the master location is set by the master flag).")
|
|
fs.BoolVar(&s.LoadBalancerDefaultClass, "loadbalancer-default-class", true,
|
|
"Handle loadbalancer services without a class")
|
|
fs.StringSliceVar(&s.LoadBalancerCIDRs, "loadbalancer-ip-range", s.LoadBalancerCIDRs,
|
|
"CIDR values from which loadbalancer services addresses are assigned (can be specified multiple times)")
|
|
fs.DurationVar(&s.LoadBalancerSyncPeriod, "loadbalancer-sync-period", s.LoadBalancerSyncPeriod,
|
|
"The delay between checking for missed services (e.g. '5s', '1m'). Must be greater than 0.")
|
|
fs.BoolVar(&s.MasqueradeAll, "masquerade-all", false,
|
|
"SNAT all traffic to cluster IP/node port.")
|
|
fs.StringVar(&s.Master, "master", s.Master,
|
|
"The address of the Kubernetes API server (overrides any value in kubeconfig).")
|
|
fs.StringVar(&s.MetricsPath, "metrics-path", "/metrics", "Prometheus metrics path")
|
|
fs.Uint16Var(&s.MetricsPort, "metrics-port", 0, "Prometheus metrics port, (Default 0, Disabled)")
|
|
fs.BoolVar(&s.NodePortBindOnAllIP, "nodeport-bindon-all-ip", false,
|
|
"For service of NodePort type create IPVS service that listens on all IP's of the node.")
|
|
fs.BoolVar(&s.FullMeshMode, "nodes-full-mesh", true,
|
|
"Each node in the cluster will setup BGP peering with rest of the nodes.")
|
|
fs.StringVar(&s.OverlayEncap, "overlay-encap", "ipip",
|
|
"Valid encapsulation types are \"ipip\" or \"fou\" "+
|
|
"(if set to \"fou\", the udp port can be specified via \"overlay-encap-port\")")
|
|
fs.Uint16Var(&s.OverlayEncapPort, "overlay-encap-port", defaultOverlayTunnelEncapPort,
|
|
"Overlay tunnel encapsulation port (only used for \"fou\" encapsulation)")
|
|
fs.StringVar(&s.OverlayType, "overlay-type", s.OverlayType,
|
|
"Possible values: subnet,full - "+
|
|
"When set to \"subnet\", the default, default \"--enable-overlay=true\" behavior is used. "+
|
|
"When set to \"full\", it changes \"--enable-overlay=true\" default behavior so that IP-in-IP tunneling "+
|
|
"is used for pod-to-pod networking across nodes regardless of the subnet the nodes are in.")
|
|
fs.BoolVar(&s.OverrideNextHop, "override-nexthop", false, "Override the next-hop in bgp "+
|
|
"routes sent to peers with the local ip.")
|
|
fs.UintSliceVar(&s.PeerASNs, "peer-router-asns", s.PeerASNs,
|
|
"ASN numbers of the BGP peer to which cluster nodes will advertise cluster ip and node's pod cidr.")
|
|
fs.IPSliceVar(&s.PeerRouters, "peer-router-ips", s.PeerRouters,
|
|
"The ip address of the external router to which all nodes will peer and advertise the cluster ip and "+
|
|
"pod cidr's.")
|
|
fs.Uint8Var(&s.PeerMultihopTTL, "peer-router-multihop-ttl", s.PeerMultihopTTL,
|
|
"Enable eBGP multihop supports -- sets multihop-ttl. (Relevant only if ttl >= 2)")
|
|
fs.StringSliceVar(&s.PeerPasswords, "peer-router-passwords", s.PeerPasswords,
|
|
"Password for authenticating against the BGP peer defined with \"--peer-router-ips\".")
|
|
fs.StringVar(&s.PeerPasswordsFile, "peer-router-passwords-file", s.PeerPasswordsFile,
|
|
"Path to file containing password for authenticating against the BGP peer defined with "+
|
|
"\"--peer-router-ips\". --peer-router-passwords will be preferred if both are set.")
|
|
fs.UintSliceVar(&s.PeerPorts, "peer-router-ports", s.PeerPorts,
|
|
"The remote port of the external BGP to which all nodes will peer. If not set, default BGP "+
|
|
"port ("+strconv.Itoa(DefaultBgpPort)+") will be used.")
|
|
fs.StringVar(&s.RouterID, "router-id", "", "BGP router-id. Must be specified in a ipv6 only "+
|
|
"cluster, \"generate\" can be specified to generate the router id.")
|
|
fs.DurationVar(&s.RoutesSyncPeriod, "routes-sync-period", s.RoutesSyncPeriod,
|
|
"The delay between route updates and advertisements (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
|
|
fs.BoolVar(&s.RunFirewall, "run-firewall", true,
|
|
"Enables Network Policy -- sets up iptables to provide ingress firewall for pods.")
|
|
fs.BoolVar(&s.RunLoadBalancer, "run-loadbalancer", false,
|
|
"Enable loadbalancer address allocator")
|
|
fs.BoolVar(&s.RunRouter, "run-router", true,
|
|
"Enables Pod Networking -- Advertises and learns the routes to Pods via iBGP.")
|
|
fs.BoolVar(&s.RunServiceProxy, "run-service-proxy", true,
|
|
"Enables Service Proxy -- sets up IPVS for Kubernetes Services.")
|
|
fs.StringVar(&s.RuntimeEndpoint, "runtime-endpoint", "",
|
|
"Path to CRI compatible container runtime socket (used for DSR mode). Currently known working with "+
|
|
"containerd.")
|
|
fs.StringSliceVar(&s.ClusterIPCIDRs, "service-cluster-ip-range", s.ClusterIPCIDRs,
|
|
"CIDR values from which service cluster IPs are assigned (can be specified up to 2 times)")
|
|
fs.StringSliceVar(&s.ExternalIPCIDRs, "service-external-ip-range", s.ExternalIPCIDRs,
|
|
"Specify external IP CIDRs that are used for inter-cluster communication "+
|
|
"(can be specified multiple times)")
|
|
fs.StringVar(&s.NodePortRange, "service-node-port-range", s.NodePortRange,
|
|
"NodePort range specified with either a hyphen or colon")
|
|
fs.StringVarP(&s.VLevel, "v", "v", "0", "log level for V logs")
|
|
fs.BoolVarP(&s.Version, "version", "V", false,
|
|
"Print version information.")
|
|
}
|