From c815406610408583a9b35fc844958d55319339c5 Mon Sep 17 00:00:00 2001
From: Martynas Pumputis
Date: Wed, 5 Aug 2020 13:16:12 +0200
Subject: [PATCH] daemon: Add --enable-loadbalancer-source-range-check flag

Currently, the flag is noop.

Signed-off-by: Martynas Pumputis
---
 Documentation/cmdref/cilium-agent.md | 1 +
 daemon/cmd/daemon_main.go | 3 +++
 pkg/option/config.go | 8 ++++++++
 3 files changed, 12 insertions(+)

diff --git a/Documentation/cmdref/cilium-agent.md b/Documentation/cmdref/cilium-agent.md
index 3eccaaea42752..9668b2cbf6c2a 100644
--- a/Documentation/cmdref/cilium-agent.md
+++ b/Documentation/cmdref/cilium-agent.md
@@ -81,6 +81,7 @@ cilium-agent [flags]
 --enable-k8s-endpoint-slice Enables k8s EndpointSlice feature in Cilium if the k8s cluster supports it (default true)
 --enable-k8s-event-handover Enable k8s event handover to kvstore for improved scalability
 --enable-l7-proxy Enable L7 proxy for L7 policy enforcement (default true)
+ --enable-loadbalancer-source-range-check Enable check of loadBalancerSourceRanges
 --enable-local-node-route Enable installation of the route which points the allocation prefix of the local node (default true)
 --enable-monitor Enable the monitor unix domain socket server (default true)
 --enable-node-port Enable NodePort type services by Cilium (beta)
diff --git a/daemon/cmd/daemon_main.go b/daemon/cmd/daemon_main.go
index 4a8b43cf310cd..ea88fe6177af6 100644
--- a/daemon/cmd/daemon_main.go
+++ b/daemon/cmd/daemon_main.go
@@ -517,6 +517,9 @@ func init() {
 flags.Bool(option.EnableNodePort, false, "Enable NodePort type services by Cilium (beta)")
 option.BindEnv(option.EnableNodePort)
 
+ flags.Bool(option.EnableLoadBalancerSourceRangeCheck, false, "Enable check of loadBalancerSourceRanges")
+ option.BindEnv(option.EnableLoadBalancerSourceRangeCheck)
+
 flags.String(option.NodePortMode, option.NodePortModeSNAT, "BPF NodePort mode (\"snat\", \"dsr\", \"hybrid\")")
 option.BindEnv(option.NodePortMode)
 
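Review bot: The help string on the new `flags.Bool(option.EnableLoadBalancerSourceRangeCheck, false, ...)` call reads `"Enable check of loadBalancerSourceRanges"`, while the commit message says the flag is currently a no-op, so an operator who sets it may assume Service source-range restrictions are enforced when nothing in this patch consumes the option. Until the enforcement lands, either hide the flag with `flags.MarkHidden(option.EnableLoadBalancerSourceRangeCheck)` right after the `BindEnv` call, or say so in the text, e.g. `"Enable check of loadBalancerSourceRanges (not yet implemented)"`. The generated entry in Documentation/cmdref/cilium-agent.md would then follow from the same string. `init()` starts and ends outside the hunk.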
diff --git a/pkg/option/config.go b/pkg/option/config.go
index e1a9ddd1f6678..2bcf1fd9976d1 100644
--- a/pkg/option/config.go
+++ b/pkg/option/config.go
@@ -232,6 +232,9 @@ const (
 // EnableNodePort enables NodePort services implemented by Cilium in BPF
 EnableNodePort = "enable-node-port"
 
+ // EnableLoadBalancerSourceRangeCheck enables check of loadBalancerSourceRanges
+ EnableLoadBalancerSourceRangeCheck = "enable-loadbalancer-source-range-check"
+
 // NodePortMode indicates in which mode NodePort implementation should run
 // ("snat", "dsr" or "hybrid")
 NodePortMode = "node-port-mode"
@@ -1053,6 +1056,7 @@ var HelpFlagSections = []FlagsSection{
 Flags: []string{
 KubeProxyReplacement,
 EnableNodePort,
+ EnableLoadBalancerSourceRangeCheck,
 EnableHostReachableServices,
 EnableExternalIPs,
 HostReachableServicesProtos,
@@ -1711,6 +1715,9 @@ type DaemonConfig struct {
 // EnableNodePort enables k8s NodePort service implementation in BPF
 EnableNodePort bool
 
+ // EnableLoadBalancerSourceRangeCheck enables check of loadBalancerSourceRanges
+ EnableLoadBalancerSourceRangeCheck bool
+
 // EnableHostPort enables k8s Pod's hostPort mapping through BPF
 EnableHostPort bool
 
@@ -2319,6 +2326,7 @@ func (c *DaemonConfig) Populate() {
 c.EnableL7Proxy = viper.GetBool(EnableL7Proxy)
 c.EnableTracing = viper.GetBool(EnableTracing)
 c.EnableNodePort = viper.GetBool(EnableNodePort)
+ c.EnableLoadBalancerSourceRangeCheck = viper.GetBool(EnableLoadBalancerSourceRangeCheck)
 c.EnableHostPort = viper.GetBool(EnableHostPort)
 c.NodePortMode = viper.GetString(NodePortMode)
 c.NodePortAcceleration = viper.GetString(NodePortAcceleration)
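Review bot: The doc comment on the new `EnableLoadBalancerSourceRangeCheck bool` field in the `DaemonConfig` hunk only restates the identifier and does not tell a reader what the zero value means for access control. Since `Populate()` fills it from a flag registered with a default of `false`, the comment should spell that out, for example `// EnableLoadBalancerSourceRangeCheck enables filtering of LoadBalancer service traffic by the source CIDRs in the Service's loadBalancerSourceRanges; when false, the agent does not enforce those ranges.` The same wording would fit the option-name constant in the `const (` hunk. Whether another component enforces the ranges when this is off cannot be seen from the patch, so the final text should be confirmed against the change that consumes the field. The struct body continues outside the hunk.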