From bfa33b18a0843be9b045bc87fa7554ee3876c19a Mon Sep 17 00:00:00 2001 From: roc Date: Fri, 4 Jul 2025 15:58:06 +0800 Subject: [PATCH] fix(kube-proxy) avoid add zero-masked loadBalancerSourceRanges to ipset Signed-off-by: roc --- pkg/proxy/serviceport.go | 8 +++++++- pkg/proxy/util/nodeport_addresses.go | 2 +- pkg/proxy/util/utils.go | 9 +++++---- pkg/proxy/util/utils_test.go | 3 ++- 4 files changed, 15 insertions(+), 7 deletions(-) diff --git a/pkg/proxy/serviceport.go b/pkg/proxy/serviceport.go index 8e8f315b4f8..f7f33e0ca57 100644 --- a/pkg/proxy/serviceport.go +++ b/pkg/proxy/serviceport.go @@ -19,6 +19,7 @@ package proxy import ( "fmt" "net" + "slices" "strings" v1 "k8s.io/api/core/v1" @@ -205,7 +206,12 @@ func newBaseServiceInfo(service *v1.Service, ipFamily v1.IPFamily, port *v1.Serv } cidrFamilyMap := proxyutil.MapCIDRsByIPFamily(loadBalancerSourceRanges) - info.loadBalancerSourceRanges = cidrFamilyMap[ipFamily] + cidrs := cidrFamilyMap[ipFamily] + // zero-masked cidr means "allow any", which same as the empty loadBalancerSourceRanges. + if slices.ContainsFunc(cidrs, proxyutil.IsZeroCIDR) { + cidrs = []*net.IPNet{} + } + info.loadBalancerSourceRanges = cidrs // Filter Load Balancer Ingress IPs to correct IP family. While proxying load // balancers might choose to proxy connections from an LB IP of one family to a diff --git a/pkg/proxy/util/nodeport_addresses.go b/pkg/proxy/util/nodeport_addresses.go index c5332a07958..d03496d1844 100644 --- a/pkg/proxy/util/nodeport_addresses.go +++ b/pkg/proxy/util/nodeport_addresses.go @@ -68,7 +68,7 @@ func NewNodePortAddresses(family v1.IPFamily, cidrStrings []string) *NodePortAdd } } - if IsZeroCIDR(str) { + if IsZeroCIDR(cidr) { // Ignore everything else npa.cidrs = []*net.IPNet{cidr} npa.matchAll = true diff --git a/pkg/proxy/util/utils.go b/pkg/proxy/util/utils.go index 4aa642b2ebb..cfcce4834eb 100644 --- a/pkg/proxy/util/utils.go +++ b/pkg/proxy/util/utils.go 
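Review bot: The added comment `// zero-masked cidr means "allow any", which same as the empty loadBalancerSourceRanges.` has a grammar slip and does not say why the other entries of the same family are dropped; suggest `// A zero-masked CIDR (prefix length 0) means "allow any", which is the same as an empty loadBalancerSourceRanges, so the remaining ranges of this family are redundant and are dropped.` The collapse is per IP family, since `cidrFamilyMap[ipFamily]` already holds only this family's ranges, so a /0 on one family does not widen the other. Note that `cidrs = []*net.IPNet{}` stores an empty non-nil slice where the map lookup may have yielded nil; that is harmless only if consumers test `len(...) == 0` rather than `== nil`, which I cannot confirm from the hunk. newBaseServiceInfo starts and ends outside the hunk.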
@@ -45,11 +45,12 @@ const ( // IsZeroCIDR checks whether the input CIDR string is either // the IPv4 or IPv6 zero CIDR -func IsZeroCIDR(cidr string) bool { - if cidr == IPv4ZeroCIDR || cidr == IPv6ZeroCIDR { - return true +func IsZeroCIDR(cidr *net.IPNet) bool { + if cidr == nil { + return false } - return false + prefixLen, _ := cidr.Mask.Size() + return prefixLen == 0 } // ShouldSkipService checks if a given service should skip proxying diff --git a/pkg/proxy/util/utils_test.go b/pkg/proxy/util/utils_test.go index 1354844c5c3..46419c47cda 100644 --- a/pkg/proxy/util/utils_test.go +++ b/pkg/proxy/util/utils_test.go @@ -682,7 +682,8 @@ func TestIsZeroCIDR(t *testing.T) { } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - if got := IsZeroCIDR(tc.input); tc.expected != got { + _, cidr, _ := netutils.ParseCIDRSloppy(tc.input) + if got := IsZeroCIDR(cidr); tc.expected != got { t.Errorf("IsZeroCIDR() = %t, want %t", got, tc.expected) } })
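Review bot: `prefixLen, _ := cidr.Mask.Size()` also yields 0 for a nil or non-canonical mask (`Size` returns 0, 0 in that case), so an `IPNet` whose mask was never set is classified as the zero CIDR and, through the serviceport.go hunk, becomes "allow any source"; for an access-control predicate the safer default is to fail closed: `prefixLen, bits := cidr.Mask.Size()` / `return bits != 0 && prefixLen == 0`. Values produced by `net.ParseCIDR` always carry a canonical mask, so this is a defensive check against callers building `IPNet` by hand rather than a bug reachable from the callers visible in this patch. The doc comment still reads `// IsZeroCIDR checks whether the input CIDR string is either` / `// the IPv4 or IPv6 zero CIDR` although the parameter is now `*net.IPNet`; suggest `// IsZeroCIDR reports whether cidr is a zero-masked (prefix length 0) IPv4 or IPv6 network. A nil cidr is not a zero CIDR.`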
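Review bot: `_, cidr, _ := netutils.ParseCIDRSloppy(tc.input)` discards the parse error, so a test input that fails to parse silently becomes `nil`, and the assertion then passes whenever `tc.expected` is false, exercising the nil guard rather than the case the table row describes. If the table deliberately holds unparseable inputs, consider carrying a per-case flag (e.g. `wantParseErr`) and asserting on `err` accordingly; otherwise `if err != nil { t.Fatalf("ParseCIDRSloppy(%q): %v", tc.input, err) }` after the parse keeps each row honest. TestIsZeroCIDR and its `testCases` table start outside the hunk, so I cannot tell which rows are meant to be invalid.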