-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow user defined endpoint to host action for Canal #3272
Allow user defined endpoint to host action for Canal #3272
Conversation
/assign @justinsb |
280f92e
to
2fd2db2
Compare
LGTM ... Side issue we need to look at getting it applied in a pre-existing cluster (even if only on delete, given it's a daemonet), I thought protokube unit applied the channels but maybe i'm mistaken .. |
222879b
to
d48b269
Compare
@gambol99 I've added validation to the Canal spec, please could you have another peek? |
pkg/apis/kops/validation/legacy.go
Outdated
// Check Canal Networking Spec if used | ||
if c.Spec.Networking.Canal != nil { | ||
action := c.Spec.Networking.Canal.DefaultEndpointToHostAction | ||
if action != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we could probably shorten this with a case statement instead
switch action {
case "", "ACCEPT", "DROP", "RETURN":
default:
return field.Invalid(fieldSpec.Child("Networking", "Canal", "DefaultEndpointToHostAction"), action, fmt.Sprintf("Unsupported value: %s, supports ACCEPT, DROP or RETURN", action))
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup good idea, will update.
d48b269
to
a627a83
Compare
other than the above comment ... lgtm |
a627a83
to
f254a06
Compare
@@ -119,7 +119,7 @@ spec: | |||
fieldPath: spec.nodeName | |||
# Set Felix endpoint to host default action to ACCEPT. | |||
- name: FELIX_DEFAULTENDPOINTTOHOSTACTION | |||
value: "ACCEPT" | |||
value: "{{- if eq .Networking.Canal.DefaultEndpointToHostAction "" }}ACCEPT{{- else -}}{{ .Networking.Canal.DefaultEndpointToHostAction }}{{- end -}}" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you can also use {{- or .Networking.Canal.DefaultEndpointToHostAction "ACCEPT" }}
but this works :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep that works and cleaner, will update. :) Cheers!
/ok-to-test /lgtm |
There's a gotcha here for applying in an existing cluster ... we only apply if the version is different currently. But this is tricky, because this is a change that isn't described by a version. The "k8s way" would be to set a configmap, but we're still figuring that all out TBH. A trick would be to delete the calico manifest annotation on the kube-system namespace, then the manifest will be reapplied. |
f254a06
to
2ffc790
Compare
/lgtm cancel //PR changed after LGTM, removing LGTM. @KashifSaadat @justinsb |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: KashifSaadat, justinsb The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Test failure filed as kubernetes/kubernetes#51429 |
/test pull-kops-e2e-kubernetes-aws |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue |
Adds ability to define
Networking.Canal.DefaultEndpointToHostAction
in the Cluster Spec. This allows you to customise the behaviour of traffic routing from a pod to the host (after calico iptables chains have been processed).ACCEPT
is the default value and is left as-is.If you want to allow some or all traffic from endpoint to host, set this parameter to “RETURN” or “ACCEPT”. Use “RETURN” if you have your own rules in the iptables “INPUT” chain; Calico will insert its rules at the top of that chain, then “RETURN” packets to the “INPUT” chain once it has completed processing workload endpoint egress policy.