	Merge pull request #120864 from uablrek/kube-proxy-init
kube-proxy: Optionally do privileged configs only
		@@ -108,6 +108,8 @@ type Options struct {
 | 
				
			|||||||
	WriteConfigTo string
 | 
						WriteConfigTo string
 | 
				
			||||||
	// CleanupAndExit, when true, makes the proxy server clean up iptables and ipvs rules, then exit.
 | 
						// CleanupAndExit, when true, makes the proxy server clean up iptables and ipvs rules, then exit.
 | 
				
			||||||
	CleanupAndExit bool
 | 
						CleanupAndExit bool
 | 
				
			||||||
 | 
						// InitAndExit, when true, makes the proxy server makes configurations that need privileged access, then exit.
 | 
				
			||||||
 | 
						InitAndExit bool
 | 
				
			||||||
	// WindowsService should be set to true if kube-proxy is running as a service on Windows.
 | 
						// WindowsService should be set to true if kube-proxy is running as a service on Windows.
 | 
				
			||||||
	// Its corresponding flag only gets registered in Windows builds
 | 
						// Its corresponding flag only gets registered in Windows builds
 | 
				
			||||||
	WindowsService bool
 | 
						WindowsService bool
 | 
				
			||||||
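Review bot: The doc comment added for InitAndExit has a doubled verb ("makes the proxy server makes configurations") and does not say the field is only honoured on Linux, even though the Windows createProxier in this same change rejects it. Suggest `// InitAndExit, when true, makes the proxy server perform only the configuration steps that need privileged access, then exit. Linux only.` The Options struct starts and ends outside this hunk.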
@@ -168,7 +170,7 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 | 
				
			|||||||
			"The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, "+
 | 
								"The purpose of this format is make sure you have the opportunity to notice if the next release hides additional metrics, "+
 | 
				
			||||||
			"rather than being surprised when they are permanently removed in the release after that. "+
 | 
								"rather than being surprised when they are permanently removed in the release after that. "+
 | 
				
			||||||
			"This parameter is ignored if a config file is specified by --config.")
 | 
								"This parameter is ignored if a config file is specified by --config.")
 | 
				
			||||||
 | 
						fs.BoolVar(&o.InitAndExit, "init-only", o.InitAndExit, "If true, perform any initialization steps that must be done with full root privileges, and then exit. After doing this, you can run kube-proxy again with only the CAP_NET_ADMIN capability.")
 | 
				
			||||||
	fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."+
 | 
						fs.Var(&o.config.Mode, "proxy-mode", "Which proxy mode to use: on Linux this can be 'iptables' (default) or 'ipvs'. On Windows the only supported value is 'kernelspace'."+
 | 
				
			||||||
		"This parameter is ignored if a config file is specified by --config.")
 | 
							"This parameter is ignored if a config file is specified by --config.")
 | 
				
			||||||
 | 
					
 | 
				
			||||||
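Review bot: The --init-only help text on the new fs.BoolVar line promises that kube-proxy can afterwards be run with only the CAP_NET_ADMIN capability, but it does not mention that the option is unsupported on Windows (the Windows createProxier in this change returns an error for it) or what happens when --cleanup is also given. Suggest appending `Only supported on Linux.` to the help string so operators learn the limitation from --help rather than from a runtime error. AddFlags continues past the end of this hunk.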
@@ -376,10 +378,13 @@ func (o *Options) Run() error {
 | 
				
			|||||||
		return cleanupAndExit()
 | 
							return cleanupAndExit()
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	proxyServer, err := newProxyServer(o.config, o.master)
 | 
						proxyServer, err := newProxyServer(o.config, o.master, o.InitAndExit)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return err
 | 
							return err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if o.InitAndExit {
 | 
				
			||||||
 | 
							return nil
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	o.proxyServer = proxyServer
 | 
						o.proxyServer = proxyServer
 | 
				
			||||||
	return o.runLoop()
 | 
						return o.runLoop()
 | 
				
			||||||
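Review bot: In Run, the existing `return cleanupAndExit()` branch is evaluated before the new InitAndExit handling, so `--cleanup --init-only` performs the cleanup and silently ignores --init-only. Unless Options validation (outside this hunk) already rejects that combination, consider failing explicitly before the cleanup branch, e.g. `if o.CleanupAndExit && o.InitAndExit { return fmt.Errorf("--cleanup and --init-only are mutually exclusive") }` (assuming fmt is in scope in this file), or at least documenting the precedence in the flag help. The beginning of Run is outside the hunk.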
@@ -589,7 +594,7 @@ type ProxyServer struct {
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// newProxyServer creates a ProxyServer based on the given config
 | 
					// newProxyServer creates a ProxyServer based on the given config
 | 
				
			||||||
func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string) (*ProxyServer, error) {
 | 
					func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master string, initOnly bool) (*ProxyServer, error) {
 | 
				
			||||||
	s := &ProxyServer{Config: config}
 | 
						s := &ProxyServer{Config: config}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	cz, err := configz.New(kubeproxyconfig.GroupName)
 | 
						cz, err := configz.New(kubeproxyconfig.GroupName)
 | 
				
			||||||
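Review bot: The newProxyServer doc comment on the line above the changed signature still reads "creates a ProxyServer based on the given config" and says nothing about initOnly, even though with initOnly set the proxier constructors in this change return nil and the returned ProxyServer carries no usable Proxier. Suggest `// newProxyServer creates a ProxyServer based on the given config. When initOnly is true, only the privileged initialization is performed and the returned server's Proxier is nil.` The unchanged `// createProxier creates the proxy.Provider` comments in the Linux (@@ -125,7 +125,7 @@) and Windows (@@ -79,7 +79,10 @@) createProxier hunks need the same treatment. newProxyServer's body continues outside this hunk.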
@@ -653,7 +658,7 @@ func newProxyServer(config *kubeproxyconfig.KubeProxyConfiguration, master strin
 | 
				
			|||||||
		klog.ErrorS(err, "Kube-proxy configuration may be incomplete or incorrect")
 | 
							klog.ErrorS(err, "Kube-proxy configuration may be incomplete or incorrect")
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	s.Proxier, err = s.createProxier(config, dualStackSupported)
 | 
						s.Proxier, err = s.createProxier(config, dualStackSupported, initOnly)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, err
 | 
							return nil, err
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -125,7 +125,7 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// createProxier creates the proxy.Provider
 | 
					// createProxier creates the proxy.Provider
 | 
				
			||||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack bool) (proxy.Provider, error) {
 | 
					func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStack, initOnly bool) (proxy.Provider, error) {
 | 
				
			||||||
	var proxier proxy.Provider
 | 
						var proxier proxy.Provider
 | 
				
			||||||
	var err error
 | 
						var err error
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -175,6 +175,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 | 
				
			|||||||
				s.Recorder,
 | 
									s.Recorder,
 | 
				
			||||||
				s.HealthzServer,
 | 
									s.HealthzServer,
 | 
				
			||||||
				config.NodePortAddresses,
 | 
									config.NodePortAddresses,
 | 
				
			||||||
 | 
									initOnly,
 | 
				
			||||||
			)
 | 
								)
 | 
				
			||||||
		} else {
 | 
							} else {
 | 
				
			||||||
			// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
 | 
								// Create a single-stack proxier if and only if the node does not support dual-stack (i.e, no iptables support).
 | 
				
			||||||
@@ -201,6 +202,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 | 
				
			|||||||
				s.Recorder,
 | 
									s.Recorder,
 | 
				
			||||||
				s.HealthzServer,
 | 
									s.HealthzServer,
 | 
				
			||||||
				config.NodePortAddresses,
 | 
									config.NodePortAddresses,
 | 
				
			||||||
 | 
									initOnly,
 | 
				
			||||||
			)
 | 
								)
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
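Review bot: In the single-stack iptables branch, iptables.NewProxier returns a `*Proxier`, and on the initOnly path introduced by this change that pointer is nil; if the call on the line just above the hunk assigns its result into the `proxier proxy.Provider` variable declared at the top of createProxier, the nil pointer becomes a non-nil interface, so any `s.Proxier == nil` check would not detect the init-only case. The same applies to the single-stack ipvs branch in the hunk at @@ -279,6 +282,7 @@. Today Run returns before touching s.Proxier, so nothing breaks, but keeping the interface genuinely nil (assign the `*Proxier` to a typed local and store it in `proxier` only when it is non-nil) would avoid the typed-nil trap for future callers. createProxier starts and ends outside this hunk, so the assignment itself is not visible here.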
@@ -247,6 +249,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 | 
				
			|||||||
				config.IPVS.Scheduler,
 | 
									config.IPVS.Scheduler,
 | 
				
			||||||
				config.NodePortAddresses,
 | 
									config.NodePortAddresses,
 | 
				
			||||||
				kernelHandler,
 | 
									kernelHandler,
 | 
				
			||||||
 | 
									initOnly,
 | 
				
			||||||
			)
 | 
								)
 | 
				
			||||||
		} else {
 | 
							} else {
 | 
				
			||||||
			var localDetector proxyutiliptables.LocalTrafficDetector
 | 
								var localDetector proxyutiliptables.LocalTrafficDetector
 | 
				
			||||||
@@ -279,6 +282,7 @@ func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguratio
 | 
				
			|||||||
				config.IPVS.Scheduler,
 | 
									config.IPVS.Scheduler,
 | 
				
			||||||
				config.NodePortAddresses,
 | 
									config.NodePortAddresses,
 | 
				
			||||||
				kernelHandler,
 | 
									kernelHandler,
 | 
				
			||||||
 | 
									initOnly,
 | 
				
			||||||
			)
 | 
								)
 | 
				
			||||||
		}
 | 
							}
 | 
				
			||||||
		if err != nil {
 | 
							if err != nil {
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -79,7 +79,10 @@ func (s *ProxyServer) platformCheckSupported() (ipv4Supported, ipv6Supported, du
 | 
				
			|||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
// createProxier creates the proxy.Provider
 | 
					// createProxier creates the proxy.Provider
 | 
				
			||||||
func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode bool) (proxy.Provider, error) {
 | 
					func (s *ProxyServer) createProxier(config *proxyconfigapi.KubeProxyConfiguration, dualStackMode, initOnly bool) (proxy.Provider, error) {
 | 
				
			||||||
 | 
						if initOnly {
 | 
				
			||||||
 | 
							return nil, fmt.Errorf("--init-only is not implemented on Windows")
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	var healthzPort int
 | 
						var healthzPort int
 | 
				
			||||||
	if len(config.HealthzBindAddress) > 0 {
 | 
						if len(config.HealthzBindAddress) > 0 {
 | 
				
			||||||
		_, port, _ := net.SplitHostPort(config.HealthzBindAddress)
 | 
							_, port, _ := net.SplitHostPort(config.HealthzBindAddress)
 | 
				
			||||||
 
 | 
				
			|||||||
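Review bot: The initOnly rejection in the Windows createProxier only fires after newProxyServer has already completed its other setup, and the error is built with fmt.Errorf although the message has no format verbs. Rejecting the option during flag/config validation (outside this change) would surface the unsupported combination before any setup runs; at minimum, prefer `return nil, errors.New("--init-only is not implemented on Windows")` if the errors package is imported in this file. createProxier continues past the end of the hunk.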
@@ -233,6 +233,7 @@ func NewProxier(ipFamily v1.IPFamily,
 | 
				
			|||||||
	recorder events.EventRecorder,
 | 
						recorder events.EventRecorder,
 | 
				
			||||||
	healthzServer *healthcheck.ProxierHealthServer,
 | 
						healthzServer *healthcheck.ProxierHealthServer,
 | 
				
			||||||
	nodePortAddressStrings []string,
 | 
						nodePortAddressStrings []string,
 | 
				
			||||||
 | 
						initOnly bool,
 | 
				
			||||||
) (*Proxier, error) {
 | 
					) (*Proxier, error) {
 | 
				
			||||||
	nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
 | 
						nodePortAddresses := proxyutil.NewNodePortAddresses(ipFamily, nodePortAddressStrings)
 | 
				
			||||||
 | 
					
 | 
				
			||||||
@@ -257,6 +258,11 @@ func NewProxier(ipFamily v1.IPFamily,
 | 
				
			|||||||
		klog.InfoS("nf_conntrack_tcp_be_liberal set, not installing DROP rules for INVALID packets")
 | 
							klog.InfoS("nf_conntrack_tcp_be_liberal set, not installing DROP rules for INVALID packets")
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						if initOnly {
 | 
				
			||||||
 | 
							klog.InfoS("System initialized and --init-only specified")
 | 
				
			||||||
 | 
							return nil, nil
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Generate the masquerade mark to use for SNAT rules.
 | 
						// Generate the masquerade mark to use for SNAT rules.
 | 
				
			||||||
	masqueradeValue := 1 << uint(masqueradeBit)
 | 
						masqueradeValue := 1 << uint(masqueradeBit)
 | 
				
			||||||
	masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
 | 
						masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
 | 
				
			||||||
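Review bot: The new early return in iptables.NewProxier yields `(nil, nil)`, a success result with no proxier, which every caller must now special-case; the same contract is introduced in ipvs.NewProxier (@@ -402,6 +403,11 @@) and in both NewDualStackProxier functions. This should be stated on the NewProxier doc comment, e.g. `// When initOnly is true, NewProxier stops after the setup that precedes the proxier construction and returns (nil, nil) without creating a proxier.` Logging the CLI flag name "--init-only" from inside the proxier package also couples the library to the kube-proxy command line; a message phrased in terms of the initOnly parameter would read the same in the log without that coupling. NewProxier's signature and the rest of its body are outside this hunk.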
@@ -330,21 +336,25 @@ func NewDualStackProxier(
 | 
				
			|||||||
	recorder events.EventRecorder,
 | 
						recorder events.EventRecorder,
 | 
				
			||||||
	healthzServer *healthcheck.ProxierHealthServer,
 | 
						healthzServer *healthcheck.ProxierHealthServer,
 | 
				
			||||||
	nodePortAddresses []string,
 | 
						nodePortAddresses []string,
 | 
				
			||||||
 | 
						initOnly bool,
 | 
				
			||||||
) (proxy.Provider, error) {
 | 
					) (proxy.Provider, error) {
 | 
				
			||||||
	// Create an ipv4 instance of the single-stack proxier
 | 
						// Create an ipv4 instance of the single-stack proxier
 | 
				
			||||||
	ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
 | 
						ipv4Proxier, err := NewProxier(v1.IPv4Protocol, ipt[0], sysctl,
 | 
				
			||||||
		exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
 | 
							exec, syncPeriod, minSyncPeriod, masqueradeAll, localhostNodePorts, masqueradeBit, localDetectors[0], hostname,
 | 
				
			||||||
		nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses)
 | 
							nodeIPs[v1.IPv4Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 | 
							return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
 | 
						ipv6Proxier, err := NewProxier(v1.IPv6Protocol, ipt[1], sysctl,
 | 
				
			||||||
		exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
 | 
							exec, syncPeriod, minSyncPeriod, masqueradeAll, false, masqueradeBit, localDetectors[1], hostname,
 | 
				
			||||||
		nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses)
 | 
							nodeIPs[v1.IPv6Protocol], recorder, healthzServer, nodePortAddresses, initOnly)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
 | 
							return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if initOnly {
 | 
				
			||||||
 | 
							return nil, nil
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
	return metaproxier.NewMetaProxier(ipv4Proxier, ipv6Proxier), nil
 | 
						return metaproxier.NewMetaProxier(ipv4Proxier, ipv6Proxier), nil
 | 
				
			||||||
}
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -340,6 +340,7 @@ func NewProxier(ipFamily v1.IPFamily,
 | 
				
			|||||||
	scheduler string,
 | 
						scheduler string,
 | 
				
			||||||
	nodePortAddressStrings []string,
 | 
						nodePortAddressStrings []string,
 | 
				
			||||||
	kernelHandler KernelHandler,
 | 
						kernelHandler KernelHandler,
 | 
				
			||||||
 | 
						initOnly bool,
 | 
				
			||||||
) (*Proxier, error) {
 | 
					) (*Proxier, error) {
 | 
				
			||||||
	// Set the conntrack sysctl we need for
 | 
						// Set the conntrack sysctl we need for
 | 
				
			||||||
	if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
 | 
						if err := proxyutil.EnsureSysctl(sysctl, sysctlVSConnTrack, 1); err != nil {
 | 
				
			||||||
@@ -402,6 +403,11 @@ func NewProxier(ipFamily v1.IPFamily,
 | 
				
			|||||||
		}
 | 
							}
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
						if initOnly {
 | 
				
			||||||
 | 
							klog.InfoS("System initialized and --init-only specified")
 | 
				
			||||||
 | 
							return nil, nil
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Generate the masquerade mark to use for SNAT rules.
 | 
						// Generate the masquerade mark to use for SNAT rules.
 | 
				
			||||||
	masqueradeValue := 1 << uint(masqueradeBit)
 | 
						masqueradeValue := 1 << uint(masqueradeBit)
 | 
				
			||||||
	masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
 | 
						masqueradeMark := fmt.Sprintf("%#08x", masqueradeValue)
 | 
				
			||||||
@@ -490,6 +496,7 @@ func NewDualStackProxier(
 | 
				
			|||||||
	scheduler string,
 | 
						scheduler string,
 | 
				
			||||||
	nodePortAddresses []string,
 | 
						nodePortAddresses []string,
 | 
				
			||||||
	kernelHandler KernelHandler,
 | 
						kernelHandler KernelHandler,
 | 
				
			||||||
 | 
						initOnly bool,
 | 
				
			||||||
) (proxy.Provider, error) {
 | 
					) (proxy.Provider, error) {
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	safeIpset := newSafeIpset(ipset)
 | 
						safeIpset := newSafeIpset(ipset)
 | 
				
			||||||
@@ -499,7 +506,7 @@ func NewDualStackProxier(
 | 
				
			|||||||
		exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP,
 | 
							exec, syncPeriod, minSyncPeriod, filterCIDRs(false, excludeCIDRs), strictARP,
 | 
				
			||||||
		tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
 | 
							tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
 | 
				
			||||||
		localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol],
 | 
							localDetectors[0], hostname, nodeIPs[v1.IPv4Protocol],
 | 
				
			||||||
		recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
 | 
							recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 | 
							return nil, fmt.Errorf("unable to create ipv4 proxier: %v", err)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
@@ -508,10 +515,13 @@ func NewDualStackProxier(
 | 
				
			|||||||
		exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP,
 | 
							exec, syncPeriod, minSyncPeriod, filterCIDRs(true, excludeCIDRs), strictARP,
 | 
				
			||||||
		tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
 | 
							tcpTimeout, tcpFinTimeout, udpTimeout, masqueradeAll, masqueradeBit,
 | 
				
			||||||
		localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol],
 | 
							localDetectors[1], hostname, nodeIPs[v1.IPv6Protocol],
 | 
				
			||||||
		recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler)
 | 
							recorder, healthzServer, scheduler, nodePortAddresses, kernelHandler, initOnly)
 | 
				
			||||||
	if err != nil {
 | 
						if err != nil {
 | 
				
			||||||
		return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
 | 
							return nil, fmt.Errorf("unable to create ipv6 proxier: %v", err)
 | 
				
			||||||
	}
 | 
						}
 | 
				
			||||||
 | 
						if initOnly {
 | 
				
			||||||
 | 
							return nil, nil
 | 
				
			||||||
 | 
						}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
	// Return a meta-proxier that dispatch calls between the two
 | 
						// Return a meta-proxier that dispatch calls between the two
 | 
				
			||||||
	// single-stack proxier instances
 | 
						// single-stack proxier instances
 | 
				
			||||||
 
 | 
				
			|||||||
@@ -109,6 +109,7 @@ func NewHollowProxyOrDie(
 | 
				
			|||||||
			recorder,
 | 
								recorder,
 | 
				
			||||||
			nil,
 | 
								nil,
 | 
				
			||||||
			[]string{},
 | 
								[]string{},
 | 
				
			||||||
 | 
								false,
 | 
				
			||||||
		)
 | 
							)
 | 
				
			||||||
		if err != nil {
 | 
							if err != nil {
 | 
				
			||||||
			return nil, fmt.Errorf("unable to create proxier: %v", err)
 | 
								return nil, fmt.Errorf("unable to create proxier: %v", err)
 | 
				
			||||||
 
 | 
				
			|||||||