Support specifying NodePort IP range
m1093782566
committed
Dec 28, 2017
1 parent
a1ad4b7
commit 04ed9cf
Showing 1 changed file with 64 additions and 0 deletions.
contributors/design-proposals/network/specify-nodeport-ip-range.md
@@ -0,0 +1,64 @@ | ||
# Support specifying NodePort IP range | ||
|
||
Author: @m1093782566 | ||
|
||
# Objective | ||
|
||
This document propose creating a flag for kube-proxy to specify NodePort IP range. | ||
|
||
# Background | ||
|
||
NodePort type service gives developers the freedom to set up their own load balancers, to expose one or more nodes’ IPs directly. The service will be visible as the nodes's IPs. For now, the NodePort addresses are the IPs from all available interfaces. | ||
|
||
With iptables magic, all the IPs whose `ADDRTYPE` matches `dst-type LOCAL` will be taken as the address of NodePort, which might look like, | ||
|
||
```shell | ||
Chain KUBE-SERVICES (2 references) | ||
target prot opt source destination | ||
KUBE-NODEPORTS all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL | ||
``` | ||
By default, kube-proxy accepts everything from NodePort without any filter. It can be a problem for nodes which has both public and private NICs, and people only want to provide a service in private network and avoid exposing any internal service on the public IPs. | ||
|
||
# Proposal | ||
|
||
This proposal builds off of earlier requests to [[proxy] Listening on a specific IP for nodePort ](https://github.com/kubernetes/kubernetes/issues/21070), but proposes that we should find a way to tell kube-proxy what the NodePort IP blocks are instead of a single IP. | ||
|
||
## Create new kube-proxy configuration flag | ||
|
||
There should be an admin flag to kube-proxy for specifying which IP to NodePort. The flag is a list of IP blocks, say `--nodeport-addresses`. These IP blocks as a parameter to select the interfaces where nodeport works. In case someone would like to expose a service on localhost for local visit and some other interfaces for particular purpose, an array of IP blocks would do that. People can populate it from their private subnets the same on every node. | ||
|
||
The `--nodeport-addresses` is defaulted to `0.0.0.0/0`, which means select all available interfaces and is compliance with current NodePort behaviour. | ||
|
||
If people set the `--nodeport-addresses` flag to empty, kube-proxy will select the "who has the default route" + loopback interfaces. It's the same heuristic we use for `--advertise-address` in kube-apiserver and others. | ||
|
||
If people provide a non-zero IP block for `--nodeport-addresses`, kube-proxy will filter that down to just the IPs that applied to the node. | ||
|
||
> NOTE: There is already a flag `--bind-address`, but it has nothing to do with nodeport and we need IP blocks instead of single IP. | ||
## Kube-proxy implementation suport | ||
|
||
The implementation is simple. | ||
|
||
### iptables | ||
|
||
iptables support specify multiple IPs in the destination parameter(`-d`). For example, | ||
|
||
```shell | ||
iptables -A PREROUTING -d 192.168.1.5,192.168.1.6 -p tcp --dport 22 -j ACCEPT | ||
``` | ||
|
||
### Linux userspace | ||
|
||
Same as iptables. | ||
|
||
### ipvs | ||
|
||
Create IPVS virutal services one by one according to provided node IPs, which is almost same as current behaviour(fetch all IPs from host). | ||
|
||
### Window userspace | ||
|
||
Create multiple goroutines, each goroutine listens on a specific node IP to serve NodePort. | ||
|
||
### winkernel | ||
|
||
Need to specify node IPs [here](https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/winkernel/proxier.go#L1053) - current behaviour is leave the VIP to be empty to automatically select the node IP. |
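Review bot: the `### iptables` example (`-d 192.168.1.5,192.168.1.6`) shows individual host addresses, while the flag is defined as a list of IP blocks; the section should say that each CIDR from `--nodeport-addresses` becomes its own `-d <cidr>` match on the jump to `KUBE-NODEPORTS` (iptables expands a comma-separated `-d` list into several rules when adding with `-A`), and the "Create new kube-proxy configuration flag" section should state what kube-proxy does when none of the configured blocks matches an address on a node, since every NodePort on that node would then be silently unreachable. The default of `0.0.0.0/0` keeps today's exposure on all interfaces, including public NICs, so the proposal should note that operators who want the private-only behaviour from the Background section must set the flag explicitly. Typos in the same hunk: "This document propose" should be "proposes", "suport" should be "support", "virutal" should be "virtual", and "Window userspace" should be "Windows userspace".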