
Updated kube-router to move the default ACCEPT rule at the end of the chain #7218

Merged
merged 1 commit into from
Apr 6, 2023

Conversation

rbrtbnfgl
Contributor

@rbrtbnfgl rbrtbnfgl commented Apr 5, 2023

Proposed Changes

In the latest update we changed the default rule from ACCEPT to RETURN to fix #6691; this broke some setups where the INPUT chain has a DROP rule by default. Now the ACCEPT rule is removed from the KUBE-ROUTER chain at the beginning of the main chain and appended at the end of that chain, as follows:

Chain INPUT (policy ACCEPT 1466 packets, 423K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2463  653K KUBE-ROUTER-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kube-router netpol - 4IA2OSFRMVNDXBVV */
   11  1274 KUBE-PROXY-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes load balancer firewall */
 1466  423K KUBE-NODEPORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes health check service ports */
   11  1274 KUBE-EXTERNAL-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes externally-visible service portals */
 1466  423K KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  188  105K KUBE-ROUTER-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kube-router netpol - TEMCG2JMHZYE7H7T */
   36  3443 KUBE-PROXY-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes load balancer firewall */
   36  3443 KUBE-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */
   36  3443 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
   36  3443 KUBE-EXTERNAL-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes externally-visible service portals */
   36  3443 FLANNEL-FWD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* flanneld forward */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain OUTPUT (policy ACCEPT 1564 packets, 452K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2703  567K KUBE-ROUTER-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kube-router netpol - VEAAIY32XVBHCSCY */
  101  7264 KUBE-PROXY-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes load balancer firewall */
  101  7264 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */
 1564  452K KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Types of Changes

Bugfix

Verification

Testing

Linked Issues

#7211 #7203

User-Facing Change

The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.

Further Comments

…t the end of the chain

Signed-off-by: Roberto Bonafiglia <[email protected]>
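A check a node operator can run to confirm the ordering this PR establishes (an added example, not part of the PR or the project's own code): the function reads `iptables -S <chain>` output and reports whether the kube-router mark ACCEPT is the final rule of the chain, is missing, sits too early, or is present more than once (a stale copy left at the top would restore the bypass #6691 fixed). The sample rule lists are constructed from the PR's `-L` listing, not captured from a node.

```shell
#!/bin/sh
# Constructed `iptables -S INPUT` sample of the post-fix layout: the mark
# ACCEPT comes after every other kube-* chain, just before the chain policy.
SAMPLE_INPUT='-P INPUT ACCEPT
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT'

# Constructed sample of the pre-fix layout, where the ACCEPT sat first and
# marked traffic never reached KUBE-FIREWALL.
SAMPLE_OLD='-P INPUT ACCEPT
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A INPUT -m comment --comment "kube-router netpol - 4IA2OSFRMVNDXBVV" -j KUBE-ROUTER-INPUT
-A INPUT -j KUBE-FIREWALL'

# accept_rule_is_last CHAIN  (rules on stdin)
# Prints "ok" when the mark ACCEPT is the last -A rule of CHAIN,
# "missing" when absent, "duplicate" when it appears more than once,
# and "misplaced" when a single copy sits before the end.
accept_rule_is_last() {
    chain="$1"
    awk -v chain="$chain" '
        $1 == "-A" && $2 == chain { n++; rules[n] = $0 }
        END {
            pos = 0; cnt = 0
            for (i = 1; i <= n; i++)
                if (rules[i] ~ /-m mark --mark 0x20000\/0x20000 -j ACCEPT$/) { pos = i; cnt++ }
            if (pos == 0)      print "missing"
            else if (cnt > 1)  print "duplicate"
            else if (pos == n) print "ok"
            else               print "misplaced"
        }'
}

# On a live node: iptables -S INPUT | accept_rule_is_last INPUT
printf '%s\n' "$SAMPLE_INPUT" | accept_rule_is_last INPUT   # ok
printf '%s\n' "$SAMPLE_OLD" | accept_rule_is_last INPUT     # misplaced
```

Run the same check against FORWARD and OUTPUT, since the PR moves the rule in all three chains.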
@rbrtbnfgl rbrtbnfgl requested a review from a team as a code owner April 5, 2023 16:57
Member

@brandond brandond left a comment


LGTM. I also added a release note.

Successfully merging this pull request may close these issues.

Service with no backing application takes approx. 120s to fail (w/ weave CNI)