-
Notifications
You must be signed in to change notification settings - Fork 40k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set config.BindAddress to IPv4 address "127.0.0.1" if not specified #83822
Conversation
/kind bug |
/retest |
@@ -278,11 +278,6 @@ func NewProxier(ipt utiliptables.Interface, | |||
masqueradeValue := 1 << uint(masqueradeBit) | |||
masqueradeMark := fmt.Sprintf("%#08x/%#08x", masqueradeValue, masqueradeValue) | |||
|
|||
if nodeIP == nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been present for ~4 years (1acaa1d#diff-d51765b83fe795b469e8a86276b12dc9R218-R221). Can you explain why this is correct to remove?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been present for ~4 years (1acaa1d#diff-d51765b83fe795b469e8a86276b12dc9R218-R221). Can you explain why this is correct to remove?
At first, I thought that iptables.NewProxier
was only used here, if so, it might be redundant to validate nodeIP
again. Later, I found that it was used by https://github.com/kubernetes/kubernetes/blob/master/pkg/kubemark/hollow_proxy.go#L82, so I withdrew the modification here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How is this different from simply rolling back #77167 ? I thought the point of that was to force kube-proxy not to proceed with a wrong IP address?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign @freehan |
@@ -137,7 +137,8 @@ func newProxyServer( | |||
if nodeIP.IsUnspecified() { | |||
nodeIP = utilnode.GetNodeIP(client, hostname) | |||
if nodeIP == nil { | |||
return nil, fmt.Errorf("unable to get node IP for hostname %s", hostname) | |||
klog.Warning("invalid nodeIP, initializing kube-proxy with 127.0.0.1 as nodeIP") | |||
nodeIP = net.ParseIP("127.0.0.1") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The proxier implementations already sets node IP to 127.0.0.1 if it's nil, wondering if it makes more sense to remove this nil check altogether (see #84071 -- closed in favor of this PR).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change may now impact ipvs.NewProxier()
(I can't tell for sure currently as I'm on mobile only) which used to not necessarily come with a set node IP.
Is there a reason we cannot just drop line 140 without adding anything else? That's what the code originally used to do, so it seems like the cleaner approach to me with regards to addressing the bug.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IPVS proxier has the same behavior as iptables for nil nodeIP
(see https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/proxier.go#L406-L409) so agreed with @timoreimann this can just be
if nodeIP.IsUnspecified() {
nodeIP = utilnode.GetNodeIP(client, hostname)
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we remove the code in NewProxier implementations that checks for and handles nil? This is kind of a contract change - they can assume it is non-nil.
So I guess from a compat POV this is correct. From a correctness POV, this is wrong. At least the iptables module will make a wrong decision based on this information. IPVS seems only to log it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having the user set the --bind-address seems like the RIGHT answer, but I acknowledge that this is a breaking change and we should fix it.
Can we enhance the log message to say something like:
klog.V(0).Infof("can't determine this node's IP, assuming 127.0.0.1; if this is incorrect, set the --bind-address flag")
```
Of course, flags are passe and config files are vogue, and it's harder to reference config file fields. This is also wrongish in the case of IPv6.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we remove the code in NewProxier implementations that checks for and handles nil? This is kind of a contract change - they can assume it is non-nil.
If iptables.NewProxier was only used here, it might be redundant to validate nodeIP nil
again. But, I found that it was used by https://github.com/kubernetes/kubernetes/blob/master/pkg/kubemark/hollow_proxy.go#L82, so I withdrew the modification here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we fix that do explicitly pass 127.0.0.1 and remove it from NewProxier?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we fix that do explicitly pass 127.0.0.1 and remove it from NewProxier?
Done.PTAL
/priority important-soon |
@zouyee: Those labels are not set on the issue: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@zouyee: Those labels are not set on the issue: In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@zouyee: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@zouyee: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
1 similar comment
@zouyee: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/retest |
Signed-off-by: Zou Nengren <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: thockin, zouyee The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@zouyee can you cherry-pick this to v1.16 please? |
…-upstream-release-1.16 Automated cherry pick of #83822: set config.BindAddress to IPv4 address "127.0.0.1" if not
SetDefaults_KubeProxyConfiguration will set config.BindAddress to IPv4 address "0.0.0.0" if not specified
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #83791
Special notes for your reviewer:
SetDefaults_KubeProxyConfiguration will set config.BindAddress to IPv4 address "0.0.0.0" if not specified
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: