Allow user defined endpoint to host action for Canal

kubernetes · Aug 25, 2017 · 2fd2db2 · 2fd2db2
1 parent b20584a
commit 2fd2db2
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 5 deletions.
diff --git a/pkg/apis/kops/networking.go b/pkg/apis/kops/networking.go
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Kube-router networking

diff --git a/pkg/apis/kops/v1alpha1/networking.go b/pkg/apis/kops/v1alpha1/networking.go
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Canal networking

diff --git a/pkg/apis/kops/v1alpha1/zz_generated.conversion.go b/pkg/apis/kops/v1alpha1/zz_generated.conversion.go
@@ -361,6 +361,7 @@ func Convert_kops_CalicoNetworkingSpec_To_v1alpha1_CalicoNetworkingSpec(in *kops
 }
 
 func autoConvert_v1alpha1_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalNetworkingSpec, out *kops.CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 
@@ -370,6 +371,7 @@ func Convert_v1alpha1_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalN
 }
 
 func autoConvert_kops_CanalNetworkingSpec_To_v1alpha1_CanalNetworkingSpec(in *kops.CanalNetworkingSpec, out *CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 

diff --git a/pkg/apis/kops/v1alpha2/networking.go b/pkg/apis/kops/v1alpha2/networking.go
@@ -67,8 +67,12 @@ type CalicoNetworkingSpec struct {
 	CrossSubnet bool `json:"crossSubnet,omitempty"` // Enables Calico's cross-subnet mode when set to true
 }
 
-// Canal declares that we want Canal networking
+// CanalNetworkingSpec declares that we want Canal networking
 type CanalNetworkingSpec struct {
+	// DefaultEndpointToHostAction allows users to configure the default behaviour
+	// for traffic between pod to host after calico rules have been processed.
+	// Default: ACCEPT (other options: DROP, RETURN)
+	DefaultEndpointToHostAction string `json:"defaultEndpointToHostAction,omitempty"`
 }
 
 // Kuberouter declares that we want Canal networking

diff --git a/pkg/apis/kops/v1alpha2/zz_generated.conversion.go b/pkg/apis/kops/v1alpha2/zz_generated.conversion.go
@@ -389,6 +389,7 @@ func Convert_kops_CalicoNetworkingSpec_To_v1alpha2_CalicoNetworkingSpec(in *kops
 }
 
 func autoConvert_v1alpha2_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalNetworkingSpec, out *kops.CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 
@@ -398,6 +399,7 @@ func Convert_v1alpha2_CanalNetworkingSpec_To_kops_CanalNetworkingSpec(in *CanalN
 }
 
 func autoConvert_kops_CanalNetworkingSpec_To_v1alpha2_CanalNetworkingSpec(in *kops.CanalNetworkingSpec, out *CanalNetworkingSpec, s conversion.Scope) error {
+	out.DefaultEndpointToHostAction = in.DefaultEndpointToHostAction
 	return nil
 }
 

diff --git a/.../models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template b/.../models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.6.yaml.template
@@ -119,7 +119,7 @@ spec:
                   fieldPath: spec.nodeName
             # Set Felix endpoint to host default action to ACCEPT.
             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
+              value: "{{- if eq .Networking.Canal.DefaultEndpointToHostAction "" }}ACCEPT{{- else -}}{{ .Networking.Canal.DefaultEndpointToHostAction }}{{- end -}}"
           securityContext:
             privileged: true
           resources:

diff --git a/...els/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template b/...els/cloudup/resources/addons/networking.projectcalico.org.canal/pre-k8s-1.6.yaml.template
@@ -111,7 +111,7 @@ spec:
                   fieldPath: spec.nodeName
             # Set Felix endpoint to host default action to ACCEPT.
             - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
+              value: "{{- if eq .Networking.Canal.DefaultEndpointToHostAction "" }}ACCEPT{{- else -}}{{ .Networking.Canal.DefaultEndpointToHostAction }}{{- end -}}"
           securityContext:
             privileged: true
           resources: