Initial version of iptables-wrapper in Go #5
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rikatz The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
size/L
| ) | ||
|
|
||
| var ( | ||
| regexChain = regexp.MustCompile(`(?s):(KUBE-IPTABLES-HINT|KUBE-KUBELET-CANARY)`) |
There was a problem hiding this comment.
(?s) makes it so that . can match \n, but you aren't using ..
The regexp functions will match within multi-line strings without needing any flags. (?s) and (?m) just affect how you're able to match/not match line boundaries.
| // As we are going directly to distroless, we can assume the binary will be at | ||
| // `/usr/sbin` |
There was a problem hiding this comment.
| // As we are going directly to distroless, we can assume the binary will be at | |
| // `/usr/sbin` | |
| // As we only support distroless, we can assume the binary will be at `/usr/sbin` |
| iptablesNFTPath = "/usr/sbin/xtables-nft-multi" | ||
| iptablesLegacyPath = "/usr/sbin/xtables-legacy-multi" | ||
| iptablesNFTMode string = "nft" | ||
| iptablesLegacyMode string = "legacy" |
There was a problem hiding this comment.
(weird to use string on some of the constants but not others)
| Assuming that when assembling the container the following binaries will be linked to | ||
| this wrapper: | ||
| * iptables | ||
| * iptables-wrapper |
There was a problem hiding this comment.
weird to put iptables-wrapper in this list...
| 1) This binary will try to detect which iptables mode was being used by kubelet, | ||
| calling `xtables-<mode>-multi` and checking if the kubelet rules exists in this path |
There was a problem hiding this comment.
| 1) This binary will try to detect which iptables mode was being used by kubelet, | |
| calling `xtables-<mode>-multi` and checking if the kubelet rules exists in this path | |
| 1) This binary will try to detect which iptables mode was being used by kubelet, | |
| calling `xtables-<mode>-multi` and checking if the kubelet rules exists in this | |
| iptables mode. |
| outNft, err := exec.Command(iptablesNFTPath, "iptables-save", | ||
| "-t", "mangle").Output() |
There was a problem hiding this comment.
You can put this on one line... kube code generally seems to wrap at 90 or 100 characters or so
| if hasKubernetesChains(outNft) || hasKubernetesChains(outNftv6) { | ||
| return iptablesNFTMode, nil | ||
| } |
There was a problem hiding this comment.
If you have to make separate calls anyway you might as well just do the hasKubernetesChains(outNft) after the ipv4 iptables-save, and not even bother doing the ipv6 save if you find the right chains in the ipv4 one.
(and then you only need a single out variable)
| // Per @danwinship comment, we can deprecate the logic of getting NFT vs Legacy | ||
| // rules and assume if it's not NFT, then it's legacy and the rules should have | ||
| // been created in Legacy |
There was a problem hiding this comment.
This comment only makes sense if you know that the shell script version does something different.
You also dropped the comment from the shell script version that explains why we don't use "-t" here:
# Check for kubernetes 1.17-or-later with iptables-legacy. We
# can't pass "-t mangle" to iptables-legacy-save because it would
# cause the kernel to create that table if it didn't already
# exist, which we don't want. So we have to grab all the rules
I'd put that here, and then at the end of the function you can have a comment about "the shell script version has further checks here for older versions of kubernetes, but the binary version doesn't support that" or something
| return "", errors.New("no rule could be detected") | ||
|
|
There was a problem hiding this comment.
the shell version never returns an error; if it can't detect, it just guesses. (Specifically, it guesses "nft".)
| "bytes" | ||
| "errors" | ||
| "fmt" | ||
| "os" | ||
| "os/exec" | ||
| "path/filepath" | ||
| "regexp" |
There was a problem hiding this comment.
I don't know how much the final binary size is affected by the imports, but you might want to experiment with that.
In particular, you could probably get rid of "regexp" and just use strings.Contains...
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/lifecycle active |
k8s-ci-robot
added
lifecycle/active
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
lifecycle/stale
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Creates the initial version of iptables-wrapper in Go
Related to #4