Skip to content

Commit

Permalink
Support specifying NodePort IP range
Browse files Browse the repository at this point in the history
  • Loading branch information
m1093782566 committed Dec 28, 2017
1 parent a1ad4b7 commit 04ed9cf
Showing 1 changed file with 64 additions and 0 deletions.
64 changes: 64 additions & 0 deletions contributors/design-proposals/network/specify-nodeport-ip-range.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Support specifying NodePort IP range

Author: @m1093782566

# Objective

This document propose creating a flag for kube-proxy to specify NodePort IP range.

# Background

NodePort type service gives developers the freedom to set up their own load balancers, to expose one or more nodes’ IPs directly. The service will be visible as the nodes's IPs. For now, the NodePort addresses are the IPs from all available interfaces.

With iptables magic, all the IPs whose `ADDRTYPE` matches `dst-type LOCAL` will be taken as the address of NodePort, which might look like,

```shell
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-NODEPORTS all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
```
By default, kube-proxy accepts everything from NodePort without any filter. It can be a problem for nodes which has both public and private NICs, and people only want to provide a service in private network and avoid exposing any internal service on the public IPs.

# Proposal

This proposal builds off of earlier requests to [[proxy] Listening on a specific IP for nodePort ](https://github.com/kubernetes/kubernetes/issues/21070), but proposes that we should find a way to tell kube-proxy what the NodePort IP blocks are instead of a single IP.

## Create new kube-proxy configuration flag

There should be an admin flag to kube-proxy for specifying which IP to NodePort. The flag is a list of IP blocks, say `--nodeport-addresses`. These IP blocks as a parameter to select the interfaces where nodeport works. In case someone would like to expose a service on localhost for local visit and some other interfaces for particular purpose, an array of IP blocks would do that. People can populate it from their private subnets the same on every node.

The `--nodeport-addresses` is defaulted to `0.0.0.0/0`, which means select all available interfaces and is compliance with current NodePort behaviour.

If people set the `--nodeport-addresses` flag to empty, kube-proxy will select the "who has the default route" + loopback interfaces. It's the same heuristic we use for `--advertise-address` in kube-apiserver and others. 

If people provide a non-zero IP block for `--nodeport-addresses`, kube-proxy will filter that down to just the IPs that applied to the node. 

> NOTE: There is already a flag `--bind-address`, but it has nothing to do with nodeport and we need IP blocks instead of single IP.
## Kube-proxy implementation suport

The implementation is simple.

### iptables

iptables support specify multiple IPs in the destination parameter(`-d`). For example,

```shell
iptables -A PREROUTING -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT
```

### Linux userspace

Same as iptables.

### ipvs

Create IPVS virutal services one by one according to provided node IPs, which is almost same as current behaviour(fetch all IPs from host).

### Window userspace

Create multiple goroutines, each goroutine listens on a specific node IP to serve NodePort.

### winkernel

Need to specify node IPs [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/winkernel/proxier.go#L1053) - current behaviour is leave the VIP to be empty to automatically select the node IP.

0 comments on commit 04ed9cf

Please sign in to comment.