Add Pod lifecycle to remove redirect iptables rule
Implement Pod lifecycle to remove redirect iptables rules to avoid
traffic being redirected to a port service that is not working anymore.

It is implemented using Pod Lifecycle preStop to remove the rule when
the kube2iam DaemonSet is deleted or the pod dies somehow.
Bruno Paiuca committed Nov 20, 2020
1 parent a1b6aa3 commit f21e1c8
Showing 4 changed files with 28 additions and 0 deletions.
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -152,6 +152,12 @@ different than `docker0` depending on which virtual network you use e.g.
* for [OpenShift](https://www.openshift.org/) use `tun0`
* for [Cilium](https://www.cilium.io) use `lxc+`

**Warning**: It is important ensure the iptables rule will be deleted when you delete the DaemonSet. Below is the command proposal to deal with it, we recommend to use the comand in the Pod Lifecycle:

```bash
eval `iptables-save | grep 169.254.169.254 | sed s/-A/'iptables -t nat -D'/g`
```

```yaml
apiVersion: apps/v1
kind: DaemonSet
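Review bot: the proposed deletion command only works when exactly one rule matches. The backtick substitution is unquoted, so the newline-separated lines produced by sed are word-split and `eval` runs them as one command line (`iptables -t nat -D PREROUTING ... 8181 iptables -t nat -D PREROUTING ...`); with two matching rules (a stale rule left behind by an earlier pod, or a rule from another tool that also mentions 169.254.169.254) iptables sees the second `iptables` as a stray argument and deletes nothing. Restrict to the nat table, match the destination literally and delete one rule per invocation instead, e.g. `iptables-save -t nat | grep -F -- '-d 169.254.169.254/32' | sed 's/^-A /-D /' | while read -r r; do iptables -t nat $r; done`; `sed s/-A/.../g` as written also rewrites any other `-A` substring inside a rule. The warning should also say that removing the DNAT rule fails open: until a new kube2iam pod re-installs it, pods on the node reach the real metadata endpoint and the node's instance role, whereas a rule pointing at a closed port fails closed. Minor: "It is important ensure" and "comand" are typos.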
Expand Down Expand Up @@ -192,6 +198,12 @@ spec:
name: http
securityContext:
privileged: true
lifecycle:
preStop:
exec:
command: [
"/bin/sh", "-c", "eval `iptables-save | grep 169.254.169.254 | sed s/-A/'iptables -t nat -D'/g`"
]
```

### kubernetes annotation
2 changes: 2 additions & 0 deletions charts/kube2iam/templates/daemonset.yaml
Expand Up @@ -105,6 +105,8 @@ spec:
{{- end }}
resources:
{{ toYaml .Values.resources | indent 12 }}
lifecycle:
{{ toYaml .Values.lifecycle | indent 12 }}
{{- if .Values.host.iptables }}
securityContext:
privileged: true
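Review bot: `lifecycle:` is rendered unconditionally and sits outside the `{{- if .Values.host.iptables }}` block, so every chart user gets a preStop hook that runs `iptables-save` even when `host.iptables` is false and the container is not privileged; the hook then fails with a FailedPreStopHook event on every termination. Setting `lifecycle` to empty to opt out still emits a bare `lifecycle:` key through `toYaml`. Suggest guarding it with `{{- with .Values.lifecycle }}` / `lifecycle:` / `{{ toYaml . | indent 12 }}` / `{{- end }}` and either placing the default hook under the `host.iptables` condition or documenting that the default only makes sense with `host.iptables: true`.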
8 changes: 8 additions & 0 deletions charts/kube2iam/values.yaml
Expand Up @@ -97,6 +97,14 @@ resources: {}
# cpu: 4m
# memory: 16Mi

lifecycle:
preStop:
exec:
command: [
"/bin/sh", "-c", "eval `iptables-save | grep 169.254.169.254 | sed s/-A/'iptables -t nat -D'/g`"
]


## Strategy for DaemonSet updates (requires Kubernetes 1.6+)
## Ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
##
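Review bot: the new `lifecycle` default carries no comment, unlike the other keys in this file, and leaves a double blank line before the DaemonSet update strategy section. Add a `##` comment in the file's style stating that the hook deletes the metadata DNAT rule when the pod is terminated, that it needs `host.iptables: true` (a privileged container with the iptables binaries in the image), and that users who disable iptables should override it with `lifecycle: {}`.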
6 changes: 6 additions & 0 deletions examples/eks-example.yml
Expand Up @@ -74,6 +74,12 @@ spec:
name: http
securityContext:
privileged: true
lifecycle:
preStop:
exec:
command: [
"/bin/sh", "-c", "eval `iptables-save | grep 169.254.169.254 | sed s/-A/'iptables -t nat -D'/g`"
]
volumeMounts:
- mountPath: /run/xtables.lock
name: xtables-lock
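Review bot: this is the same eval one-liner as in the README, with the same single-rule limitation. Separately, the commit message's aim of cleaning up when "the pod die somehow" is not met by a preStop hook: the kubelet runs preStop only when it terminates the container (pod deletion, eviction, rolling update, probe failure), not when the container exits or crashes on its own and not when the node dies. After a crash the rule stays in place and traffic keeps going to a closed port until the container is restarted, which is exactly the case the change sets out to cover. Document that limit in the example, or have kube2iam remove any stale rule at startup before adding its own.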