daemon: Add --enable-loadbalancer-source-range-check flag

Currently, the flag is noop. Signed-off-by: Martynas Pumputis <m@lambda.lt>
aanm · Aug 20, 2020 · c815406 · c815406
1 parent c4e4263
commit c815406
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
@@ -81,6 +81,7 @@ cilium-agent [flags]
       --enable-k8s-endpoint-slice                     Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
       --enable-k8s-event-handover                     Enable k8s event handover to kvstore for improved scalability
       --enable-l7-proxy                               Enable L7 proxy for L7 policy enforcement (default true)
+      --enable-loadbalancer-source-range-check        Enable check of loadBalancerSourceRanges
       --enable-local-node-route                       Enable installation of the route which points the allocation prefix of the local node (default true)
       --enable-monitor                                Enable the monitor unix domain socket server (default true)
       --enable-node-port                              Enable NodePort type services by Cilium (beta)

diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
@@ -517,6 +517,9 @@ func init() {
 	flags.Bool(option.EnableNodePort, false, "Enable NodePort type services by Cilium (beta)")
 	option.BindEnv(option.EnableNodePort)
 
+	flags.Bool(option.EnableLoadBalancerSourceRangeCheck, false, "Enable check of loadBalancerSourceRanges")
+	option.BindEnv(option.EnableLoadBalancerSourceRangeCheck)
+
 	flags.String(option.NodePortMode, option.NodePortModeSNAT, "BPF NodePort mode (\"snat\", \"dsr\", \"hybrid\")")
 	option.BindEnv(option.NodePortMode)
 

diff --git a/pkg/option/config.go b/pkg/option/config.go
@@ -232,6 +232,9 @@ const (
 	// EnableNodePort enables NodePort services implemented by Cilium in BPF
 	EnableNodePort = "enable-node-port"
 
+	// EnableLoadBalancerSourceRangeCheck enables check of loadBalancerSourceRanges
+	EnableLoadBalancerSourceRangeCheck = "enable-loadbalancer-source-range-check"
+
 	// NodePortMode indicates in which mode NodePort implementation should run
 	// ("snat", "dsr" or "hybrid")
 	NodePortMode = "node-port-mode"
@@ -1053,6 +1056,7 @@ var HelpFlagSections = []FlagsSection{
 		Flags: []string{
 			KubeProxyReplacement,
 			EnableNodePort,
+			EnableLoadBalancerSourceRangeCheck,
 			EnableHostReachableServices,
 			EnableExternalIPs,
 			HostReachableServicesProtos,
@@ -1711,6 +1715,9 @@ type DaemonConfig struct {
 	// EnableNodePort enables k8s NodePort service implementation in BPF
 	EnableNodePort bool
 
+	// EnableLoadBalancerSourceRangeCheck enables check of loadBalancerSourceRanges
+	EnableLoadBalancerSourceRangeCheck bool
+
 	// EnableHostPort enables k8s Pod's hostPort mapping through BPF
 	EnableHostPort bool
 
@@ -2319,6 +2326,7 @@ func (c *DaemonConfig) Populate() {
 	c.EnableL7Proxy = viper.GetBool(EnableL7Proxy)
 	c.EnableTracing = viper.GetBool(EnableTracing)
 	c.EnableNodePort = viper.GetBool(EnableNodePort)
+	c.EnableLoadBalancerSourceRangeCheck = viper.GetBool(EnableLoadBalancerSourceRangeCheck)
 	c.EnableHostPort = viper.GetBool(EnableHostPort)
 	c.NodePortMode = viper.GetString(NodePortMode)
 	c.NodePortAcceleration = viper.GetString(NodePortAcceleration)