Merge pull request #119374 from danwinship/kep-3178-ga

move KEP-3178 IPTablesOwnershipCleanup to GA
Kubernetes Prow Robot
2023-07-17 15:53:47 -07:00
committed by GitHub
10 changed files with 26 additions and 217 deletions


@@ -370,6 +370,7 @@ var iptablesJumpChains = []iptablesJumpChain{
{utiliptables.TableFilter, kubeProxyFirewallChain, utiliptables.ChainForward, "kubernetes load balancer firewall", []string{"-m", "conntrack", "--ctstate", "NEW"}},
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainOutput, "kubernetes service portals", nil},
{utiliptables.TableNAT, kubeServicesChain, utiliptables.ChainPrerouting, "kubernetes service portals", nil},
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
}
// Duplicates of chains created in pkg/kubelet/kubelet_network_linux.go; we create these
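Review bot: The `kubePostroutingChain` entry at the end of `iptablesJumpChains` has no comment recording the ownership change it represents. It appears to be the one line this hunk adds, though the +/- markers are not visible on this page. The later comment "When chains get removed from iptablesJumpChains, add them here so they get cleaned up" suggests that membership in this list also decides what kube-proxy cleans up. If so, the POSTROUTING jump that feeds the masquerade rules is presumably now removed by kube-proxy's cleanup rather than left to kubelet, which is worth confirming on a node whose older kubelet still creates the chain. A one-line comment above the entry would record the intent, for example `// kube-proxy is the sole owner of this chain now that IPTablesOwnershipCleanup is GA`. The slice literal starts above the hunk.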
@@ -377,10 +378,6 @@ var iptablesJumpChains = []iptablesJumpChain{
var iptablesKubeletJumpChains = []iptablesJumpChain{
{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainInput, "", nil},
{utiliptables.TableFilter, kubeletFirewallChain, utiliptables.ChainOutput, "", nil},
// Move this to iptablesJumpChains once IPTablesOwnershipCleanup is GA and kubelet
// no longer creates this chain,
{utiliptables.TableNAT, kubePostroutingChain, utiliptables.ChainPostrouting, "kubernetes postrouting rules", nil},
}
// When chains get removed from iptablesJumpChains, add them here so they get cleaned up
@@ -868,11 +865,6 @@ func (proxier *Proxier) syncProxyRules() {
// this so that it is easier to flush and change, for example if the mark
// value should ever change.
// NOTE: kubelet creates identical copies of these rules. If you want to change
// these rules in the future, you MUST do so in a way that will interoperate
// correctly with skewed versions of the rules created by kubelet. (Remove this
// comment once IPTablesOwnershipCleanup is GA.)
proxier.natRules.Write(
"-A", string(kubePostroutingChain),
"-m", "mark", "!", "--mark", fmt.Sprintf("%s/%s", proxier.masqueradeMark, proxier.masqueradeMark),