fix(kube-proxy) avoid add zero-masked loadBalancerSourceRanges to ipset

Signed-off-by: roc <roc@imroc.cc>
2026-01-27 18:19:28 +00:00 · 2025-07-04 15:58:06 +08:00
parent 033ffc73d6
commit bfa33b18a0
4 changed files with 15 additions and 7 deletions
--- a/pkg/proxy/serviceport.go
+++ b/pkg/proxy/serviceport.go
@@ -19,6 +19,7 @@ package proxy
 import (
 	"fmt"
 	"net"
+	"slices"
 	"strings"

 	v1 "k8s.io/api/core/v1"
@@ -205,7 +206,12 @@ func newBaseServiceInfo(service *v1.Service, ipFamily v1.IPFamily, port *v1.Serv
 	}

 	cidrFamilyMap := proxyutil.MapCIDRsByIPFamily(loadBalancerSourceRanges)
-	info.loadBalancerSourceRanges = cidrFamilyMap[ipFamily]
+	cidrs := cidrFamilyMap[ipFamily]
+	// zero-masked cidr means "allow any", which same as the empty loadBalancerSourceRanges.
+	if slices.ContainsFunc(cidrs, proxyutil.IsZeroCIDR) {
+		cidrs = []*net.IPNet{}
+	}
+	info.loadBalancerSourceRanges = cidrs

 	// Filter Load Balancer Ingress IPs to correct IP family. While proxying load
 	// balancers might choose to proxy connections from an LB IP of one family to a
--- a/pkg/proxy/util/nodeport_addresses.go
+++ b/pkg/proxy/util/nodeport_addresses.go
@@ -68,7 +68,7 @@ func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string) *NodePortAdd
 			}
 		}

-		if IsZeroCIDR(str) {
+		if IsZeroCIDR(cidr) {
 			// Ignore everything else
 			npa.cidrs = []*net.IPNet{cidr}
 			npa.matchAll = true
--- a/pkg/proxy/util/utils.go
+++ b/pkg/proxy/util/utils.go
@@ -45,11 +45,12 @@ const (

 // IsZeroCIDR checks whether the input CIDR string is either
 // the IPv4 or IPv6 zero CIDR
-func IsZeroCIDR(cidr string) bool {
-	if cidr == IPv4ZeroCIDR || cidr == IPv6ZeroCIDR {
-		return true
+func IsZeroCIDR(cidr *net.IPNet) bool {
+	if cidr == nil {
+		return false
 	}
-	return false
+	prefixLen, _ := cidr.Mask.Size()
+	return prefixLen == 0
 }

 // ShouldSkipService checks if a given service should skip proxying
--- a/pkg/proxy/util/utils_test.go
+++ b/pkg/proxy/util/utils_test.go
@@ -682,7 +682,8 @@ func TestIsZeroCIDR(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			if got := IsZeroCIDR(tc.input); tc.expected != got {
+			_, cidr, _ := netutils.ParseCIDRSloppy(tc.input)
+			if got := IsZeroCIDR(cidr); tc.expected != got {
 				t.Errorf("IsZeroCIDR() = %t, want %t", got, tc.expected)
 			}
 		})