scottk/kubernetes
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/kubernetes.git synced 2025-11-03 19:58:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

kube-proxy ensure KUBE-MARK-DROP exist but not modify their rules

Browse Source
This commit is contained in:
Lion-Wei
2020-09-11 17:41:49 +08:00
parent b3d4b8ed8a
commit 1f7ea16560
2 changed files with 30 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
pkg/proxy/iptables/proxier.go
View File

@@ -399,6 +399,13 @@ var iptablesJumpChains = []iptablesJumpChain{
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil}, {utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
} }
var iptablesEnsureChains = []struct {
table utiliptables.Table
chain utiliptables.Chain
}{
{utiliptables.TableNAT, KubeMarkDropChain},
}
var iptablesCleanupOnlyChains = []iptablesJumpChain{} var iptablesCleanupOnlyChains = []iptablesJumpChain{}
// CleanupLeftovers removes all iptables rules and chains created by the Proxier // CleanupLeftovers removes all iptables rules and chains created by the Proxier
@@ -868,6 +875,14 @@ func (proxier *Proxier) syncProxyRules() {
} }
} }
// ensure KUBE-MARK-DROP chain exist but do not change any rules
for _, ch := range iptablesEnsureChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
return
}
}
// //
// Below this point we will not return until we try to write the iptables rules. // Below this point we will not return until we try to write the iptables rules.
// //

16
pkg/proxy/ipvs/proxier.go
View File

@@ -117,10 +117,16 @@ var iptablesChains = []struct {
{utiliptables.TableNAT, KubeNodePortChain}, {utiliptables.TableNAT, KubeNodePortChain},
{utiliptables.TableNAT, KubeLoadBalancerChain}, {utiliptables.TableNAT, KubeLoadBalancerChain},
{utiliptables.TableNAT, KubeMarkMasqChain}, {utiliptables.TableNAT, KubeMarkMasqChain},
{utiliptables.TableNAT, KubeMarkDropChain},
{utiliptables.TableFilter, KubeForwardChain}, {utiliptables.TableFilter, KubeForwardChain},
} }
var iptablesEnsureChains = []struct {
table utiliptables.Table
chain utiliptables.Chain
}{
{utiliptables.TableNAT, KubeMarkDropChain},
}
var iptablesCleanupChains = []struct { var iptablesCleanupChains = []struct {
table utiliptables.Table table utiliptables.Table
chain utiliptables.Chain chain utiliptables.Chain
@@ -1858,6 +1864,14 @@ func (proxier *Proxier) createAndLinkeKubeChain() {
existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter) existingFilterChains := proxier.getExistingChains(proxier.filterChainsData, utiliptables.TableFilter)
existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT) existingNATChains := proxier.getExistingChains(proxier.iptablesData, utiliptables.TableNAT)
// ensure KUBE-MARK-DROP chain exist but do not change any rules
for _, ch := range iptablesEnsureChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {
klog.Errorf("Failed to ensure that %s chain %s exists: %v", ch.table, ch.chain, err)
return
}
}
// Make sure we keep stats for the top-level chains // Make sure we keep stats for the top-level chains
for _, ch := range iptablesChains { for _, ch := range iptablesChains {
if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil { if _, err := proxier.iptables.EnsureChain(ch.table, ch.chain); err != nil {