Add service proxy

This adds a service proxy based on nfproxy and changes to the service IP allocation to make it work.
Also adds support for masquerading outbound traffic to provide outbound network connectivity.

Test Plan:
Currently manually tested by creating an alpine pod and running 'apk add curl && curl -k https://192.168.188.1:443/'.
Will be covered later by CTS.

Bug: T810

X-Origin-Diff: phab/D580
GitOrigin-RevId: cace863fd8c2f045560f8abf84c40cc77bc275d4
diff --git a/third_party/go/patches/nfproxy.patch b/third_party/go/patches/nfproxy.patch
new file mode 100644
index 0000000..307d3d4
--- /dev/null
+++ b/third_party/go/patches/nfproxy.patch
@@ -0,0 +1,36 @@
+Copyright 2020 The Monogon Project Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+
+Fix nfproxy compatibility with our version of Kubernetes/utilproxy
+--- com_github_sbezverk_nfproxy.orig/pkg/proxy/proxy_service.go	2020-07-16 14:24:06.901176302 +0200
++++ com_github_sbezverk_nfproxy/pkg/proxy/proxy_service.go	2020-07-16 14:08:34.118927035 +0200
+@@ -22,7 +22,6 @@
+ 	utilnftables "github.com/google/nftables"
+ 	"github.com/sbezverk/nfproxy/pkg/nftables"
+ 	v1 "k8s.io/api/core/v1"
+-	"k8s.io/apimachinery/pkg/types"
+ 	"k8s.io/klog"
+ 	utilproxy "k8s.io/kubernetes/pkg/proxy/util"
+ 	utilnet "k8s.io/utils/net"
+@@ -44,8 +43,7 @@
+ 		stickySeconds := int(*svc.Spec.SessionAffinityConfig.ClientIP.TimeoutSeconds)
+ 		klog.V(5).Infof("Service %s/%s has SessionAffinity set for %d seconds", svc.Namespace, svc.Name, stickySeconds)
+ 	}
+-	svcName := types.NamespacedName{Namespace: svc.Namespace, Name: svc.Name}
+-	if utilproxy.ShouldSkipService(svcName, svc) {
++	if utilproxy.ShouldSkipService(svc) {
+ 		return
+ 	}
+ 	for i := range svc.Spec.Ports {
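Review bot: The patch header says only that it fixes compatibility with "our version of Kubernetes/utilproxy", which does not tell a future maintainer when the patch can be dropped; the hunk itself shows the concrete change, namely that `utilproxy.ShouldSkipService` is now called with just `svc` instead of `(svcName, svc)` and the `types` import goes away with it. I would extend the header with a sentence like `ShouldSkipService no longer takes a NamespacedName in the Kubernetes version pinned by this repository (<k8s version placeholder>); drop this patch once upstream nfproxy adopts the new signature.` That keeps the reason for the patch next to the patch, where the next Kubernetes bump will find it. The rest of the patched function lies outside the quoted hunk.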
diff --git a/third_party/go/repositories.bzl b/third_party/go/repositories.bzl
index c4e21c6..042aadb 100644
--- a/third_party/go/repositories.bzl
+++ b/third_party/go/repositories.bzl
@@ -1258,6 +1258,22 @@
         sum = "h1:0U2s5loxrTy6/VgfVoLuVLFJcURKLH49ie0zSch7gh4=",
     )
     go_repository(
+        name = "com_github_sbezverk_nfproxy",
+        importpath = "github.com/sbezverk/nfproxy",
+        version = "v0.0.0-20200514180651-7fac5f39824e",
+        sum = "h1:fJ2lHQ7ZUjmgJbvVQ509ioBmrGHcbvlwfjUieExw/dU=",
+        patches = [
+            "//third_party/go/patches:nfproxy.patch",
+        ],
+        patch_args = ["-p1"],
+    )
+    go_repository(
+        name = "com_github_sbezverk_nftableslib",
+        importpath = "github.com/sbezverk/nftableslib",
+        version = "v0.0.0-20200402150358-c20bed91f482",
+        sum = "h1:k7gEZ/EwJhHDTRXFUZQlE4/p1cmoha7zL7PWCDG3ZHQ=",
+    )
+    go_repository(
         name = "com_github_seccomp_libseccomp_golang",
         importpath = "github.com/seccomp/libseccomp-golang",
         version = "v0.9.1",
diff --git a/third_party/go/shelf.pb.text b/third_party/go/shelf.pb.text
index 85372be..9d77503 100644
--- a/third_party/go/shelf.pb.text
+++ b/third_party/go/shelf.pb.text
@@ -1959,6 +1959,20 @@
   semver: "v0.2.1-0.20190427202633-1595213edefa"
 >
 entry: <
+  import_path: "github.com/sbezverk/nfproxy"
+  version: "7fac5f39824e7f34228b08ba8b7640770ca6a9f4"
+  bazel_name: "com_github_sbezverk_nfproxy"
+  sum: "h1:fJ2lHQ7ZUjmgJbvVQ509ioBmrGHcbvlwfjUieExw/dU="
+  semver: "v0.0.0-20200514180651-7fac5f39824e"
+>
+entry: <
+  import_path: "github.com/sbezverk/nftableslib"
+  version: "v0.0.0-20200402150358-c20bed91f482"
+  bazel_name: "com_github_sbezverk_nftableslib"
+  sum: "h1:k7gEZ/EwJhHDTRXFUZQlE4/p1cmoha7zL7PWCDG3ZHQ="
+  semver: "v0.0.0-20200402150358-c20bed91f482"
+>
+entry: <
   import_path: "github.com/seccomp/libseccomp-golang"
   version: "689e3c1541a84461afc49c1c87352a6cedf72e9c"
   bazel_name: "com_github_seccomp_libseccomp_golang"
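Review bot: The new nftableslib entry stores the pseudo-version `v0.0.0-20200402150358-c20bed91f482` in its `version` field, whereas the sibling nfproxy entry added just above and the existing libseccomp entry below store the full commit hash there and keep the pseudo-version only in `semver`. If the shelf is consumed by tooling that expects a commit id in `version`, this entry will be the odd one out; it should presumably read `version: "<full commit hash for c20bed91f482 — placeholder>"` with `semver` left as is. Worth regenerating the entry with the same tool that produced the nfproxy one rather than hand-editing.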
diff --git a/third_party/linux/linux-smalltown.config b/third_party/linux/linux-smalltown.config
index b4f2df1..e409a05 100644
--- a/third_party/linux/linux-smalltown.config
+++ b/third_party/linux/linux-smalltown.config
@@ -974,6 +974,8 @@
 CONFIG_NFT_REJECT=y
 CONFIG_NFT_REJECT_INET=y
 CONFIG_NFT_HASH=y
+CONFIG_NFT_FIB=y
+# CONFIG_NFT_FIB_INET is not set
 CONFIG_NFT_SOCKET=y
 CONFIG_NFT_OSF=y
 CONFIG_NFT_TPROXY=y
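Review bot: CONFIG_NFT_FIB is switched on here while CONFIG_NFT_FIB_INET stays unset (and CONFIG_NFT_FIB_NETDEV is explicitly left unset in the next hunk), with only the per-family CONFIG_NFT_FIB_IPV4 and CONFIG_NFT_FIB_IPV6 enabled further down. That is sufficient only if the proxy installs its rules in `ip`/`ip6` family tables; a `fib` expression in an `inet` family table would fail to load without the inet variant. Please confirm which table family nfproxy uses and, if it is `inet`, add `CONFIG_NFT_FIB_INET=y`.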
@@ -981,6 +983,7 @@
 CONFIG_NF_DUP_NETDEV=y
 CONFIG_NFT_DUP_NETDEV=y
 CONFIG_NFT_FWD_NETDEV=y
+# CONFIG_NFT_FIB_NETDEV is not set
 CONFIG_NF_FLOW_TABLE_INET=y
 CONFIG_NF_FLOW_TABLE=y
 # CONFIG_NETFILTER_XTABLES is not set
@@ -997,11 +1000,11 @@
 CONFIG_NF_TPROXY_IPV4=y
 CONFIG_NF_TABLES_IPV4=y
 CONFIG_NFT_REJECT_IPV4=y
-# CONFIG_NFT_DUP_IPV4 is not set
-# CONFIG_NFT_FIB_IPV4 is not set
+CONFIG_NFT_DUP_IPV4=y
+CONFIG_NFT_FIB_IPV4=y
 # CONFIG_NF_TABLES_ARP is not set
 # CONFIG_NF_FLOW_TABLE_IPV4 is not set
-# CONFIG_NF_DUP_IPV4 is not set
+CONFIG_NF_DUP_IPV4=y
 # CONFIG_NF_LOG_ARP is not set
 # CONFIG_NF_LOG_IPV4 is not set
 CONFIG_NF_REJECT_IPV4=y
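Review bot: CONFIG_NFT_DUP_IPV4 and CONFIG_NF_DUP_IPV4 are flipped to `y` in this hunk, and the IPv6 counterparts in the following hunk, although the commit message motivates only service proxying and masquerading, neither of which involves packet duplication. Each additional nft expression compiled in is more kernel code reachable from whoever can program netfilter on the node, so it should be justified rather than enabled alongside the FIB options by association. Unless nfproxy actually emits `dup` expressions, these lines should stay `# CONFIG_NFT_DUP_IPV4 is not set` and `# CONFIG_NF_DUP_IPV4 is not set` (likewise for IPv6); if they are needed, a sentence in the commit message saying why would settle it.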
@@ -1016,10 +1019,10 @@
 CONFIG_NF_TPROXY_IPV6=y
 CONFIG_NF_TABLES_IPV6=y
 CONFIG_NFT_REJECT_IPV6=y
-# CONFIG_NFT_DUP_IPV6 is not set
-# CONFIG_NFT_FIB_IPV6 is not set
+CONFIG_NFT_DUP_IPV6=y
+CONFIG_NFT_FIB_IPV6=y
 # CONFIG_NF_FLOW_TABLE_IPV6 is not set
-# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_DUP_IPV6=y
 CONFIG_NF_REJECT_IPV6=y
 # CONFIG_NF_LOG_IPV6 is not set
 # CONFIG_IP6_NF_IPTABLES is not set