Some doubts about the iptables mode of kube-proxy

luzejia · May 28, 2024, 1:17pm

I have recently been modifying kube-proxy to support our internal business, and I have doubts about two places.

Why nodeport rules need to be inserted last after other rules？
Why does local access to lb service require masq?

Two problems are in the kube-proxy(v1.24.11-iptables mode)source code:

Why nodeport rules need to be inserted last after other rules？

kubernetes/kubernetes/blob/0f75679e3346160939924550fd3591462a4afec6/pkg/proxy/iptables/proxier.go#L1395


      
          				continue
          			}
          			// We must (as per iptables) write a chain-line for it, which has
          			// the nice effect of flushing the chain.  Then we can remove the
          			// chain.
          			proxier.natChains.WriteBytes(existingNATChains[chain])
          			proxier.natRules.Write("-X", chainString)
          		}
          	}
          
          	// Finally, tail-call to the nodeports chain.  This needs to be after all
          	// other service portal rules.
          	for address := range nodeAddresses {
          		if utilproxy.IsZeroCIDR(address) {
          			proxier.natRules.Write(
          				"-A", string(kubeServicesChain),
          				"-m", "comment", "--comment", `"kubernetes service nodeports; NOTE: this must be the last rule in this chain"`,
          				"-m", "addrtype", "--dst-type", "LOCAL",
          				"-j", string(kubeNodePortsChain))
          			// Nothing else matters after the zero CIDR.
          			break

Why does local access to lb service require masq?

github.com

kubernetes/kubernetes/blob/0f75679e3346160939924550fd3591462a4afec6/pkg/proxy/iptables/proxier.go#L1134


      
          					// traffic as a special-case.  It is subject to neither
          					// form of traffic policy, which simulates going up-and-out
          					// to an external load-balancer and coming back in.
          					proxier.natRules.Write(
          						"-A", string(externalTrafficChain),
          						"-m", "comment", "--comment", fmt.Sprintf(`"pod traffic for %s external destinations"`, svcNameString),
          						proxier.localDetector.IfLocal(),
          						"-j", string(clusterPolicyChain))
          				}
          
          				// Locally originated traffic (not a pod, but the host node)
          				// still needs masquerade because the LBIP itself is a local
          				// address, so that will be the chosen source IP.
          				proxier.natRules.Write(
          					"-A", string(externalTrafficChain),
          					"-m", "comment", "--comment", fmt.Sprintf(`"masquerade LOCAL traffic for %s external destinations"`, svcNameString),
          					"-m", "addrtype", "--src-type", "LOCAL",
          					"-j", string(KubeMarkMasqChain))
          
          				// Redirect all src-type=LOCAL -> external destination to the
          				// policy=cluster chain. This allows traffic originating

thockin · May 28, 2024, 2:59pm

Node parts are last because they don’t have an address match usually. If they went before other rules, then they could collide with services which are more specific because they have an address match.

IIRC That particular masquerade is to prevent hairpin traffic from the node from being flagged as Martian.

luzejia · May 29, 2024, 2:38am

Thank you for your answer!

I can understand question 1, but I still don’t understand question 2. Can you give a practical example of the difference between not doing masq and doing masq?

luzejia · May 29, 2024, 10:35am

Hi, when I deleted the following rules, I found that directly accessing the local loadbalancer ip on the node can still be accessed.

like this:

iptables -t nat -D KUBE-EXT-5J2MEIPCD4GMETYI -m comment --comment "masquerade LOCAL traffic for kubernetes-check/lb-nginx external destinations" -m addrtype --src-type LOCAL -j KUBE-MARK-MASQ

Before deleting the rule, I can be sure that this rule will be hit when accessing
So I don’t quite understand what kind of scenario this special masq rule is designed for

Topic		Replies	Views
Why do we need to do masq for the local lb on the host? General Discussions network	0	107	May 30, 2024
Add Iptables rule to the Kubernetes nodes General Discussions security , network	1	1025	December 12, 2022
Custom IPtables rules for input chain General Discussions	1	3075	November 13, 2018
Iptables rules not added after node restart General Discussions network	8	429	August 12, 2024
【Help】 Regarding the communication strategy and working principle between k8s service nodeport and iptables General Discussions	13	60	December 9, 2024

Some doubts about the iptables mode of kube-proxy

Related topics