diff --git a/net/bridge.go b/net/bridge.go
index f46c08c9ce..c084d7cd82 100644
--- a/net/bridge.go
+++ b/net/bridge.go
@@ -504,7 +504,7 @@ func linkSetUpByName(linkName string) error {
 // ensureRules ensures the presence of given iptables rules.
 //
 // If any rule from the list is missing, the function deletes all given
-// rules and re-appends them to ensure the order of the rules.
+// rules and re-inserts them to ensure the order of the rules.
 func ensureRules(table, chain string, rulespecs [][]string, ipt *iptables.IPTables) error {
 allFound := true
 
@@ -524,13 +524,13 @@ func ensureRules(table, chain string, rulespecs [][]string, ipt *iptables.IPTabl
 return nil
 }
 
- for _, rs := range rulespecs {
+ for pos, rs := range rulespecs {
 // If any is missing, then delete all, as we need to preserve the order of
 // given rules. Ignore errors, as rule might not exist.
 if !allFound {
 ipt.Delete(table, chain, rs...)
 }
- if err := ipt.Append(table, chain, rs...); err != nil {
+ if err := ipt.Insert(table, chain, pos+1, rs...); err != nil {
 return errors.Wrapf(err, "ipt.Append(%s, %s, %s)", table, chain, rs)
 }
 }
diff --git a/test/840_weave_kube_3_test.sh b/test/840_weave_kube_3_test.sh
index e45fe476dd..89f65a47dd 100755
--- a/test/840_weave_kube_3_test.sh
+++ b/test/840_weave_kube_3_test.sh
@@ -18,6 +18,7 @@ NUM_HOSTS=$(howmany $HOSTS)
 SUCCESS="$(( $NUM_HOSTS * ($NUM_HOSTS-1) )) established"
 KUBECTL="sudo kubectl --kubeconfig /etc/kubernetes/admin.conf"
 KUBE_PORT=6443
+WEAVE_NETWORK=10.32.0.0/12
 IMAGE=weaveworks/network-tester:latest
 DOMAIN=nettest.default.svc.cluster.local.
 
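Review bot: The wrapped error on the line after the new `ipt.Insert` call still reads `ipt.Append(%s, %s, %s)`, so a failed insert is reported as an append and the position that failed is not recorded; change it to `return errors.Wrapf(err, "ipt.Insert(%s, %s, %d, %s)", table, chain, pos+1, rs)`. Inserting at positions 1..len(rulespecs) also places these rules ahead of every rule already present in the chain, which looks intentional but is nowhere stated; the doc comment touched in the previous hunk could add `// The rules are inserted at the head of the chain, so they take precedence over rules added by other tools.` A `Delete` that fails for a reason other than a missing rule is still ignored (the comment says so), and the following `Insert` can then leave a duplicate; that predates this change, but with head insertion any duplicates now accumulate in front of the rest of the chain rather than at its tail. The rest of ensureRules lies outside the hunk.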
@@ -28,12 +29,14 @@ docker_on $HOST1 run --rm --privileged --net=host --entrypoint=/usr/sbin/ipset w
 docker_on $HOST1 run --rm --privileged --net=host --entrypoint=/usr/sbin/ipset weaveworks/weave-npc add test_840_ipset 192.168.1.11
 
 # kubeadm init upgrades to latest Kubernetes version by default, therefore we try to lock the version using the below option:
-k8s_version="$(run_on $HOST1 "kubelet --version" | grep -oP "(?<=Kubernetes )v[\d\.\-beta]+")"
+#k8s_version="$(run_on $HOST1 "kubelet --version" | grep -oP "(?<=Kubernetes )v[\d\.\-beta]+")"
+# Hack! Override version here as installation via package is broken http://github.com/kubernetes/kubernetes/issues/57334
+k8s_version="v1.8.5"
 k8s_version_option="$([[ "$k8s_version" > "v1.6" ]] && echo "kubernetes-version" || echo "use-kubernetes-version")"
 
 for host in $HOSTS; do
 if [ $host = $HOST1 ] ; then
- run_on $host "sudo systemctl start kubelet && sudo kubeadm init --$k8s_version_option=$k8s_version --token=$TOKEN"
+ run_on $host "sudo systemctl start kubelet && sudo kubeadm init --$k8s_version_option=$k8s_version --token=$TOKEN --pod-network-cidr=$WEAVE_NETWORK"
 else
 run_on $host "sudo systemctl start kubelet && sudo kubeadm join --token=$TOKEN $HOST1IP:$KUBE_PORT"
 fi
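Review bot: The pinned `k8s_version="v1.8.5"` discards the detected kubelet version entirely, so if the package installs a different kubelet the control plane and kubelet versions diverge silently and a later failure in this test is hard to attribute. Keep the detection alongside the override and surface a mismatch, e.g. `detected_k8s_version="$(run_on $HOST1 "kubelet --version" | grep -oP "(?<=Kubernetes )v[\d\.\-beta]+")"` followed by `[ "$detected_k8s_version" = "$k8s_version" ] || echo "WARNING: kubelet $detected_k8s_version differs from pinned $k8s_version"`. The new `--pod-network-cidr=$WEAVE_NETWORK` argument only does what the test expects if `WEAVE_NETWORK` matches the range Weave actually allocates pod addresses from; a comment next to its definition in the earlier hunk, `# must match the pod address range Weave is configured with`, would make that coupling explicit.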
@@ -134,6 +137,22 @@ spec:
 run: nettest
 EOF
+# And a NodePort service so we can test virtual IP access
+run_on $HOST1 "$KUBECTL create -f -" </dev/null"
+# check access via virtual IP
+VIRTUAL_IP=$($SSH $HOST1 $KUBECTL get service netvirt -o template --template={{.spec.clusterIP}})
+assert_raises "$SSH $HOST1 $KUBECTL exec $podName -- curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "! $SSH $HOST1 $KUBECTL exec $denyPodName -- curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+
+# host should not be able to reach pods via service virtual IP or NodePort
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"
+
 # allow access for nettest-deny
 run_on $HOST1 "$KUBECTL apply -f -" </dev/null"
+# Virtual IP and NodePort should now work
+assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"
+
 tear_down_kubeadm
 # Destroy our test ipset, and implicitly check it is still there
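Review bot: `VIRTUAL_IP` is used without being checked, so if the `kubectl get service netvirt` call fails the variable is empty, every negative assertion (`! ... curl ... http:///status`) passes trivially and the positive ones fail for a reason unrelated to network policy; add `[ -n "$VIRTUAL_IP" ] || { echo "could not read clusterIP of service netvirt" >&2; exit 1; }` directly after the assignment. The NodePort `31138` is hard-coded in four assertions while the service definition that must declare it is not visible in the hunk as rendered here; defining `NODE_PORT=31138` next to `WEAVE_NETWORK` and referencing it from both the service spec and the curl lines keeps the two from drifting. The negative host checks also pass on any curl failure, including a NodePort that kube-proxy has not programmed yet; the preceding pod-level positive check covers the virtual IP, but nothing confirms `$HOST2:31138` is reachable from an allowed source before asserting that the host cannot reach it, so consider a positive NodePort check from `$podName` first.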