From 6f01c314589da76dd60789603d64c83a6818d2b2 Mon Sep 17 00:00:00 2001
From: Bryan Boreham
Date: Tue, 2 Jan 2018 18:00:38 +0000
Subject: [PATCH 1/3] Extend kubernetes test to nodePort and virtual IP
---
 test/840_weave_kube_3_test.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/test/840_weave_kube_3_test.sh b/test/840_weave_kube_3_test.sh
index e45fe476dd..a3cbfef864 100755
--- a/test/840_weave_kube_3_test.sh
+++ b/test/840_weave_kube_3_test.sh
@@ -134,6 +134,22 @@ spec:
 run: nettest
 EOF
+# And a NodePort service so we can test virtual IP access
+run_on $HOST1 "$KUBECTL create -f -" </dev/null"
+# check access via virtual IP
+VIRTUAL_IP=$($SSH $HOST1 $KUBECTL get service netvirt -o template --template={{.spec.clusterIP}})
+assert_raises "$SSH $HOST1 $KUBECTL exec $podName -- curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "! $SSH $HOST1 $KUBECTL exec $denyPodName -- curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+# host should not be able to reach pods via service virtual IP or NodePort
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"
 # allow access for nettest-deny
 run_on $HOST1 "$KUBECTL apply -f -" </dev/null"
+# Virtual IP and NodePort should now work
+assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"
+assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$HOST2:31138/status >/dev/null"
 tear_down_kubeadm
 # Destroy our test ipset, and implicitly check it is still there
From 4d5172f67e040e7e35958c6fb9f3583516a2a9af Mon Sep 17 00:00:00 2001
From: Bryan Boreham
Date: Wed, 3 Jan 2018 13:30:37 +0000
Subject: [PATCH 2/3] Run test with Kubernetes 1.8.5 and --cluster-cidr
---
 test/840_weave_kube_3_test.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
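Review bot: The negative checks `assert_raises "! $SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null"` and the two NodePort lines treat any non-zero exit as "policy blocked the traffic", so a failed `$SSH`, an unresolvable `$HOST2` or a curl usage error would make the deny case pass for the wrong reason; if `assert_raises` allows it, pin the expected curl status instead (28 for the `-m 2` timeout, 7 for connection refused), e.g. `assert_raises "$SSH $HOST1 curl -s -S -f -m 2 http://$VIRTUAL_IP/status >/dev/null; test \$? -eq 28"`. The NodePort 31138 is hard-coded in four places and presumably has to match the nodePort in the service manifest; a `NODE_PORT=31138` next to `VIRTUAL_IP=` would keep that in one spot. The manifests piped into `kubectl create -f -` and `kubectl apply -f -` (the heredocs after the `<` on those two lines) are missing from this rendering of the hunk, so the service selector and the NetworkPolicy that should cover the NodePort path cannot be checked here.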
diff --git a/test/840_weave_kube_3_test.sh b/test/840_weave_kube_3_test.sh
index a3cbfef864..89f65a47dd 100755
--- a/test/840_weave_kube_3_test.sh
+++ b/test/840_weave_kube_3_test.sh
@@ -18,6 +18,7 @@ NUM_HOSTS=$(howmany $HOSTS)
 SUCCESS="$(( $NUM_HOSTS * ($NUM_HOSTS-1) )) established"
 KUBECTL="sudo kubectl --kubeconfig /etc/kubernetes/admin.conf"
 KUBE_PORT=6443
+WEAVE_NETWORK=10.32.0.0/12
 IMAGE=weaveworks/network-tester:latest
 DOMAIN=nettest.default.svc.cluster.local.
@@ -28,12 +29,14 @@ docker_on $HOST1 run --rm --privileged --net=host --entrypoint=/usr/sbin/ipset w
 docker_on $HOST1 run --rm --privileged --net=host --entrypoint=/usr/sbin/ipset weaveworks/weave-npc add test_840_ipset 192.168.1.11
 # kubeadm init upgrades to latest Kubernetes version by default, therefore we try to lock the version using the below option:
-k8s_version="$(run_on $HOST1 "kubelet --version" | grep -oP "(?<=Kubernetes )v[\d\.\-beta]+")"
+#k8s_version="$(run_on $HOST1 "kubelet --version" | grep -oP "(?<=Kubernetes )v[\d\.\-beta]+")"
+# Hack! Override version here as installation via package is broken http://github.com/kubernetes/kubernetes/issues/57334
+k8s_version="v1.8.5"
 k8s_version_option="$([[ "$k8s_version" > "v1.6" ]] && echo "kubernetes-version" || echo "use-kubernetes-version")"
 for host in $HOSTS; do
 if [ $host = $HOST1 ] ; then
-run_on $host "sudo systemctl start kubelet && sudo kubeadm init --$k8s_version_option=$k8s_version --token=$TOKEN"
+run_on $host "sudo systemctl start kubelet && sudo kubeadm init --$k8s_version_option=$k8s_version --token=$TOKEN --pod-network-cidr=$WEAVE_NETWORK"
 else
 run_on $host "sudo systemctl start kubelet && sudo kubeadm join --token=$TOKEN $HOST1IP:$KUBE_PORT"
 fi
From 5a1361167e5dd40a9738a5e97214938b3be47346 Mon Sep 17 00:00:00 2001
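Review bot: The pinned `k8s_version="v1.8.5"` carries a "Hack!" comment but no exit condition, so nothing tells the next maintainer when the commented-out detection line can come back; suggest `# TODO: restore version detection from "kubelet --version" once kubernetes/kubernetes#57334 is fixed`. The new `--pod-network-cidr=$WEAVE_NETWORK` on the init line does not match the subject's `--cluster-cidr`; if kubeadm is expected to derive the controller-manager's cluster CIDR from this flag, the commit title should name the flag actually passed. `WEAVE_NETWORK=10.32.0.0/12` presumably mirrors the default range weave allocates from, and the two will drift silently if the test ever starts weave with a different `IPALLOC_RANGE`; a comment such as `# must match the IPALLOC_RANGE weave is launched with (default 10.32.0.0/12)` would make the coupling explicit. The `for host in $HOSTS` loop starts inside the hunk but its closing `done` is below it.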
From: Bryan Boreham
Date: Fri, 5 Jan 2018 12:44:33 +0000
Subject: [PATCH 3/3] Move our rules to the top of the FORWARD chain
We want our DROP rule to be executed ahead of any ACCEPT rules which might have been added by another program on the system.
---
 net/bridge.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/bridge.go b/net/bridge.go
index f46c08c9ce..c084d7cd82 100644
--- a/net/bridge.go
+++ b/net/bridge.go
@@ -504,7 +504,7 @@ func linkSetUpByName(linkName string) error {
 // ensureRules ensures the presence of given iptables rules.
 //
 // If any rule from the list is missing, the function deletes all given
-// rules and re-appends them to ensure the order of the rules.
+// rules and re-inserts them to ensure the order of the rules.
 func ensureRules(table, chain string, rulespecs [][]string, ipt *iptables.IPTables) error {
 allFound := true
@@ -524,13 +524,13 @@ func ensureRules(table, chain string, rulespecs [][]string, ipt *iptables.IPTabl
 return nil
 }
-for _, rs := range rulespecs {
+for pos, rs := range rulespecs {
 // If any is missing, then delete all, as we need to preserve the order of
 // given rules. Ignore errors, as rule might not exist.
 if !allFound {
 ipt.Delete(table, chain, rs...)
 }
-if err := ipt.Append(table, chain, rs...); err != nil {
+if err := ipt.Insert(table, chain, pos+1, rs...); err != nil {
 return errors.Wrapf(err, "ipt.Append(%s, %s, %s)", table, chain, rs)
 }
 }
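Review bot: The wrap on the line after the new `ipt.Insert` call still says `"ipt.Append(%s, %s, %s)"`, so an insert failure is reported as an append and the position is lost from the message; change it to `return errors.Wrapf(err, "ipt.Insert(%s, %s, %d, %s)", table, chain, pos+1, rs)`. A more important gap for the commit's stated goal is that `allFound` (computed above this hunk) only records whether each rule exists somewhere in the chain, so once the rules are in place a later `iptables -I FORWARD 1 -j ACCEPT` from another agent leaves all of them present, triggers no re-insert, and the DROP rule is again evaluated after that ACCEPT; the ordering is only guaranteed at the moment this runs. If position matters for enforcement, the presence check needs to become a position check (e.g. list the chain and verify rulespecs occupy positions 1..n, re-inserting otherwise). The `ipt.Delete` error is still discarded as before, and the start of ensureRules lies above the hunk.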