kube-proxy: add a flag to disables the allowing NodePort services to be accessed via localhost

pkg/proxy/apis/config/fuzzer/fuzzer.go

@@ -42,6 +42,7 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} {
 			obj.FeatureGates = map[string]bool{c.RandString(): true}
 			obj.HealthzBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
 			obj.IPTables.MasqueradeBit = pointer.Int32(c.Int31())
+			obj.IPTables.LocalhostNodePorts = pointer.Bool(c.RandBool())
 			obj.MetricsBindAddress = fmt.Sprintf("%d.%d.%d.%d:%d", c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(256), c.Intn(65536))
 			obj.OOMScoreAdj = pointer.Int32(c.Int31())
 			obj.ClientConnection.ContentType = "bar"

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/after/v1alpha1.yaml

@@ -22,6 +22,7 @@ enableProfiling: false
 healthzBindAddress: 0.0.0.0:10256
 hostnameOverride: ""
 iptables:
+  localhostNodePorts: true
   masqueradeAll: false
   masqueradeBit: 14
   minSyncPeriod: 1s

pkg/proxy/apis/config/scheme/testdata/KubeProxyConfiguration/roundtrip/default/v1alpha1.yaml

@@ -22,6 +22,7 @@ enableProfiling: false
 healthzBindAddress: 0.0.0.0:10256
 hostnameOverride: ""
 iptables:
+  localhostNodePorts: true
   masqueradeAll: false
   masqueradeBit: 14
   minSyncPeriod: 1s

pkg/proxy/apis/config/types.go

@@ -33,6 +33,9 @@ type KubeProxyIPTablesConfiguration struct {
 	MasqueradeBit *int32
 	// masqueradeAll tells kube-proxy to SNAT everything if using the pure iptables proxy mode.
 	MasqueradeAll bool
+	// LocalhostNodePorts tells kube-proxy to allow service NodePorts to be accessed via
+	// localhost (iptables mode only)
+	LocalhostNodePorts *bool
 	// syncPeriod is the period that iptables rules are refreshed (e.g. '5s', '1m',
 	// '2h22m').  Must be greater than 0.
 	SyncPeriod metav1.Duration

pkg/proxy/apis/config/v1alpha1/defaults.go

@@ -64,6 +64,9 @@ func SetDefaults_KubeProxyConfiguration(obj *kubeproxyconfigv1alpha1.KubeProxyCo
 	if obj.IPTables.MinSyncPeriod.Duration == 0 {
 		obj.IPTables.MinSyncPeriod = metav1.Duration{Duration: 1 * time.Second}
 	}
+	if obj.IPTables.LocalhostNodePorts == nil {
+		obj.IPTables.LocalhostNodePorts = pointer.Bool(true)
+	}
 	if obj.IPVS.SyncPeriod.Duration == 0 {
 		obj.IPVS.SyncPeriod = metav1.Duration{Duration: 30 * time.Second}
 	}

pkg/proxy/apis/config/v1alpha1/defaults_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	"k8s.io/utils/pointer"
 	"testing"
 	"time"
 
@@ -27,7 +28,6 @@ import (
 )
 
 func TestDefaultsKubeProxyConfiguration(t *testing.T) {
-	masqBit := int32(14)
 	oomScore := int32(-999)
 	ctMaxPerCore := int32(32768)
 	ctMin := int32(131072)
@@ -50,10 +50,11 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
 					Burst:       10,
 				},
 				IPTables: kubeproxyconfigv1alpha1.KubeProxyIPTablesConfiguration{
-					MasqueradeBit: &masqBit,
-					MasqueradeAll: false,
-					SyncPeriod:    metav1.Duration{Duration: 30 * time.Second},
-					MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
+					MasqueradeBit:      pointer.Int32(14),
+					MasqueradeAll:      false,
+					LocalhostNodePorts: pointer.Bool(true),
+					SyncPeriod:         metav1.Duration{Duration: 30 * time.Second},
+					MinSyncPeriod:      metav1.Duration{Duration: 1 * time.Second},
 				},
 				IPVS: kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{
 					SyncPeriod: metav1.Duration{Duration: 30 * time.Second},
@@ -85,10 +86,11 @@ func TestDefaultsKubeProxyConfiguration(t *testing.T) {
 					Burst:       10,
 				},
 				IPTables: kubeproxyconfigv1alpha1.KubeProxyIPTablesConfiguration{
-					MasqueradeBit: &masqBit,
-					MasqueradeAll: false,
-					SyncPeriod:    metav1.Duration{Duration: 30 * time.Second},
-					MinSyncPeriod: metav1.Duration{Duration: 1 * time.Second},
+					MasqueradeBit:      pointer.Int32(14),
+					MasqueradeAll:      false,
+					LocalhostNodePorts: pointer.Bool(true),
+					SyncPeriod:         metav1.Duration{Duration: 30 * time.Second},
+					MinSyncPeriod:      metav1.Duration{Duration: 1 * time.Second},
 				},
 				IPVS: kubeproxyconfigv1alpha1.KubeProxyIPVSConfiguration{
 					SyncPeriod: metav1.Duration{Duration: 30 * time.Second},

pkg/proxy/apis/config/v1alpha1/zz_generated.conversion.go

@@ -237,6 +237,7 @@ func Convert_config_KubeProxyConntrackConfiguration_To_v1alpha1_KubeProxyConntra
 func autoConvert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTablesConfiguration(in *v1alpha1.KubeProxyIPTablesConfiguration, out *config.KubeProxyIPTablesConfiguration, s conversion.Scope) error {
 	out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
 	out.MasqueradeAll = in.MasqueradeAll
+	out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return nil
@@ -250,6 +251,7 @@ func Convert_v1alpha1_KubeProxyIPTablesConfiguration_To_config_KubeProxyIPTables
 func autoConvert_config_KubeProxyIPTablesConfiguration_To_v1alpha1_KubeProxyIPTablesConfiguration(in *config.KubeProxyIPTablesConfiguration, out *v1alpha1.KubeProxyIPTablesConfiguration, s conversion.Scope) error {
 	out.MasqueradeBit = (*int32)(unsafe.Pointer(in.MasqueradeBit))
 	out.MasqueradeAll = in.MasqueradeAll
+	out.LocalhostNodePorts = (*bool)(unsafe.Pointer(in.LocalhostNodePorts))
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return nil

pkg/proxy/apis/config/zz_generated.deepcopy.go

@@ -157,6 +157,11 @@ func (in *KubeProxyIPTablesConfiguration) DeepCopyInto(out *KubeProxyIPTablesCon
 		*out = new(int32)
 		**out = **in
 	}
+	if in.LocalhostNodePorts != nil {
+		in, out := &in.LocalhostNodePorts, &out.LocalhostNodePorts
+		*out = new(bool)
+		**out = **in
+	}
 	out.SyncPeriod = in.SyncPeriod
 	out.MinSyncPeriod = in.MinSyncPeriod
 	return