From 40aef9394b6651bfe48f2b36bfb1a571ef5d0cab Mon Sep 17 00:00:00 2001 From: Serge Logvinov Date: Thu, 10 Nov 2022 07:29:12 +0000 Subject: [PATCH 1/2] feat: kubespan node endpoints filter This feature allows us to use only IPv4 or IPv6 stack to reach the peers. Also, it can help to not share the node-specific IPs, which cannot be accessible at all. Signed-off-by: Serge Logvinov --- .../definitions/kubespan/kubespan.proto | 1 + .../controllers/cluster/local_affiliate.go | 14 +- .../pkg/controllers/kubespan/config.go | 1 + .../definitions/kubespan/kubespan.pb.go | 151 ++++++++++-------- .../kubespan/kubespan_vtproto.pb.go | 47 ++++++ pkg/machinery/config/provider.go | 6 + .../types/v1alpha1/v1alpha1_provider.go | 18 +++ .../config/types/v1alpha1/v1alpha1_types.go | 9 ++ .../types/v1alpha1/v1alpha1_types_doc.go | 29 +++- .../types/v1alpha1/zz_generated.deepcopy.go | 26 +++ pkg/machinery/resources/kubespan/config.go | 2 + .../resources/kubespan/deep_copy.generated.go | 4 + website/content/v1.3/reference/api.md | 1 + .../content/v1.3/reference/configuration.md | 18 +++ 14 files changed, 254 insertions(+), 73 deletions(-) diff --git a/api/resource/definitions/kubespan/kubespan.proto b/api/resource/definitions/kubespan/kubespan.proto index 2bbc3d8b40..49dde3d95f 100755 --- a/api/resource/definitions/kubespan/kubespan.proto +++ b/api/resource/definitions/kubespan/kubespan.proto @@ -16,6 +16,7 @@ message ConfigSpec { bool force_routing = 4; bool advertise_kubernetes_networks = 5; uint32 mtu = 6; + repeated string filter_endpoints = 7; } // EndpointSpec describes Endpoint state. diff --git a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go index c67ed24605..575be7a2b7 100644 --- a/internal/app/machined/pkg/controllers/cluster/local_affiliate.go +++ b/internal/app/machined/pkg/controllers/cluster/local_affiliate.go 
@@ -14,6 +14,7 @@ import ( "github.com/cosi-project/runtime/pkg/safe" "github.com/cosi-project/runtime/pkg/state" "github.com/siderolabs/go-pointer" + "github.com/siderolabs/net" "go.uber.org/zap" "github.com/siderolabs/talos/pkg/machinery/constants" @@ -216,9 +217,18 @@ func (ctrl *LocalAffiliateController) Run(ctx context.Context, r controller.Runt spec.KubeSpan.AdditionalAddresses = nil } - endpoints := make([]netip.AddrPort, 0, len(nodeIPs)) + endpointsIP := nodeIPs - for _, ip := range nodeIPs { + if len(kubespanConfig.TypedSpec().FilterEndpoints) > 0 { + endpointsIP, err = net.FilterIPs(nodeIPs, kubespanConfig.TypedSpec().FilterEndpoints) + if err != nil { + return fmt.Errorf("error filtering KubeSpanEndpoints IPs: %w", err) + } + } + + endpoints := make([]netip.AddrPort, 0, len(endpointsIP)) + + for _, ip := range endpointsIP { if ip == spec.KubeSpan.Address { // skip kubespan local address continue diff --git a/internal/app/machined/pkg/controllers/kubespan/config.go b/internal/app/machined/pkg/controllers/kubespan/config.go index 4a07da75fe..4da2cd670b 100644 --- a/internal/app/machined/pkg/controllers/kubespan/config.go +++ b/internal/app/machined/pkg/controllers/kubespan/config.go @@ -76,6 +76,7 @@ func (ctrl *ConfigController) Run(ctx context.Context, r controller.Runtime, log res.(*kubespan.Config).TypedSpec().ForceRouting = c.Machine().Network().KubeSpan().ForceRouting() res.(*kubespan.Config).TypedSpec().AdvertiseKubernetesNetworks = c.Machine().Network().KubeSpan().AdvertiseKubernetesNetworks() res.(*kubespan.Config).TypedSpec().MTU = c.Machine().Network().KubeSpan().MTU() + res.(*kubespan.Config).TypedSpec().FilterEndpoints = c.Machine().Network().KubeSpan().Filters().Endpoints() return nil }); err != nil { diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go index 57428b2e61..1fc16f9f28 100644 --- a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go 
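Review bot: When `net.FilterIPs` leaves `endpointsIP` empty, the new code in Run publishes the affiliate with no KubeSpan endpoint and logs nothing, so a filter that matches none of the node IPs makes the node unreachable over KubeSpan silently; after the filter call add `if len(endpointsIP) == 0 { logger.Warn("KubeSpan endpoint filter matched no node IP", zap.Strings("filter", kubespanConfig.TypedSpec().FilterEndpoints)) }` (the logger parameter name is assumed, since the Run signature is cut at the hunk header). A malformed CIDR in `filters.endpoints` is only detected here, on every reconcile, as a controller error rather than at config validation time, so validating the list in the v1alpha1 config validator would reject it at apply time instead. The wrapped message `error filtering KubeSpanEndpoints IPs: %w` carries a redundant prefix; `filtering KubeSpan endpoint IPs: %w` is enough. Run's body starts and ends outside the hunk.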
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go @@ -31,12 +31,13 @@ type ConfigSpec struct { sizeCache protoimpl.SizeCache unknownFields protoimpl.UnknownFields - Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - ClusterId string `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` - SharedSecret string `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"` - ForceRouting bool `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"` - AdvertiseKubernetesNetworks bool `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"` - Mtu uint32 `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"` + Enabled bool `protobuf:"varint,1,opt,name=enabled,proto3" json:"enabled,omitempty"` + ClusterId string `protobuf:"bytes,2,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"` + SharedSecret string `protobuf:"bytes,3,opt,name=shared_secret,json=sharedSecret,proto3" json:"shared_secret,omitempty"` + ForceRouting bool `protobuf:"varint,4,opt,name=force_routing,json=forceRouting,proto3" json:"force_routing,omitempty"` + AdvertiseKubernetesNetworks bool `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"` + Mtu uint32 `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"` + FilterEndpoints []string `protobuf:"bytes,7,rep,name=filter_endpoints,json=filterEndpoints,proto3" json:"filter_endpoints,omitempty"` } func (x *ConfigSpec) Reset() { 
@@ -113,6 +114,13 @@ func (x *ConfigSpec) GetMtu() uint32 { return 0 } +func (x *ConfigSpec) GetFilterEndpoints() []string { + if x != nil { + return x.FilterEndpoints + } + return nil +} + // EndpointSpec describes Endpoint state. type EndpointSpec struct { state protoimpl.MessageState @@ -434,7 +442,7 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{ 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x26, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x22, 0xe5, 0x01, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, + 0x6f, 0x22, 0x90, 0x02, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 
@@ -448,69 +456,72 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{ 0x6f, 0x72, 0x6b, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x1b, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x4e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, 0x73, 0x12, 0x10, 0x0a, 0x03, 0x6d, 0x74, 0x75, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x6d, 0x74, 0x75, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, - 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66, - 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0b, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08, - 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, - 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, - 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0c, - 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x07, - 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, - 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, - 0x69, 0x78, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x73, - 0x75, 0x62, 0x6e, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, - 0x52, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, - 0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, - 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 
0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, - 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c, 0x50, 0x65, 0x65, - 0x72, 0x53, 0x70, 0x65, 0x63, 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07, 0x61, 0x64, 0x64, - 0x72, 0x65, 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, - 0x73, 0x73, 0x12, 0x34, 0x0a, 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x69, 0x70, - 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, - 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x0a, 0x61, 0x6c, - 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, - 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, - 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x09, - 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, - 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x22, - 0xc7, 0x03, 0x0a, 0x0e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, - 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, - 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, - 0x74, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 
0x74, 0x69, - 0x6f, 0x6e, 0x73, 0x2e, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62, 0x65, 0x73, 0x70, - 0x61, 0x6e, 0x50, 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, - 0x74, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x62, 0x79, - 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65, 0x63, 0x65, 0x69, - 0x76, 0x65, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, - 0x6d, 0x69, 0x74, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, - 0x0d, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x4a, - 0x0a, 0x13, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, - 0x5f, 0x74, 0x69, 0x6d, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, - 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x48, 0x61, 0x6e, - 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x12, 0x6c, 0x61, - 0x73, 0x74, 0x5f, 0x75, 0x73, 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, - 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, - 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x55, - 0x73, 0x65, 0x64, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x4c, 0x0a, 0x14, 0x6c, - 0x61, 0x73, 0x74, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x63, 0x68, 0x61, - 0x6e, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, - 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f, - 0x69, 0x6e, 0x74, 0x43, 
0x68, 0x61, 0x6e, 0x67, 0x65, 0x42, 0x4d, 0x5a, 0x4b, 0x67, 0x69, 0x74, - 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, - 0x62, 0x73, 0x2f, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, - 0x68, 0x69, 0x6e, 0x65, 0x72, 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, - 0x6b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x6d, 0x74, 0x75, 0x12, 0x29, 0x0a, 0x10, 0x66, 0x69, 0x6c, + 0x74, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x07, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x0f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, + 0x69, 0x6e, 0x74, 0x73, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, + 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x66, 0x66, 0x69, + 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, + 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, + 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, + 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x22, 0xaa, 0x01, 0x0a, 0x0c, 0x49, 0x64, 0x65, 0x6e, 0x74, + 0x69, 0x74, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, + 0x73, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, + 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x07, 0x61, + 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x2b, 0x0a, 0x06, 0x73, 0x75, 0x62, 0x6e, 0x65, 0x74, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 
0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x06, 0x73, 0x75, 0x62, + 0x6e, 0x65, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x5f, 0x6b, + 0x65, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x61, 0x74, + 0x65, 0x4b, 0x65, 0x79, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, + 0x65, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x22, 0xb4, 0x01, 0x0a, 0x0c, 0x50, 0x65, 0x65, 0x72, 0x53, 0x70, 0x65, 0x63, + 0x53, 0x70, 0x65, 0x63, 0x12, 0x27, 0x0a, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x0d, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, + 0x65, 0x74, 0x49, 0x50, 0x52, 0x07, 0x61, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x34, 0x0a, + 0x0b, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, 0x5f, 0x69, 0x70, 0x73, 0x18, 0x02, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, + 0x50, 0x50, 0x72, 0x65, 0x66, 0x69, 0x78, 0x52, 0x0a, 0x61, 0x6c, 0x6c, 0x6f, 0x77, 0x65, 0x64, + 0x49, 0x70, 0x73, 0x12, 0x2f, 0x0a, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, + 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, + 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x09, 0x65, 0x6e, 0x64, 0x70, 0x6f, + 0x69, 0x6e, 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x04, 0x20, + 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x22, 0xc7, 0x03, 0x0a, 0x0e, 0x50, + 0x65, 0x65, 0x72, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x53, 0x70, 0x65, 0x63, 0x12, 0x2d, 0x0a, + 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, 0x50, 0x6f, + 
0x72, 0x74, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, + 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x6c, 0x61, 0x62, + 0x65, 0x6c, 0x12, 0x49, 0x0a, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0e, 0x32, 0x33, 0x2e, 0x74, 0x61, 0x6c, 0x6f, 0x73, 0x2e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x2e, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x65, + 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x4b, 0x75, 0x62, 0x65, 0x73, 0x70, 0x61, 0x6e, 0x50, 0x65, 0x65, + 0x72, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x05, 0x73, 0x74, 0x61, 0x74, 0x65, 0x12, 0x23, 0x0a, + 0x0d, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x5f, 0x62, 0x79, 0x74, 0x65, 0x73, 0x18, 0x04, + 0x20, 0x01, 0x28, 0x03, 0x52, 0x0c, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x42, 0x79, 0x74, + 0x65, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x6d, 0x69, 0x74, 0x5f, 0x62, + 0x79, 0x74, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x03, 0x52, 0x0d, 0x74, 0x72, 0x61, 0x6e, + 0x73, 0x6d, 0x69, 0x74, 0x42, 0x79, 0x74, 0x65, 0x73, 0x12, 0x4a, 0x0a, 0x13, 0x6c, 0x61, 0x73, + 0x74, 0x5f, 0x68, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, 0x65, 0x5f, 0x74, 0x69, 0x6d, 0x65, + 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, + 0x6d, 0x70, 0x52, 0x11, 0x6c, 0x61, 0x73, 0x74, 0x48, 0x61, 0x6e, 0x64, 0x73, 0x68, 0x61, 0x6b, + 0x65, 0x54, 0x69, 0x6d, 0x65, 0x12, 0x3f, 0x0a, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x75, 0x73, + 0x65, 0x64, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x11, 0x2e, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x4e, 0x65, 0x74, 0x49, 0x50, + 0x50, 0x6f, 0x72, 0x74, 0x52, 0x10, 0x6c, 0x61, 0x73, 0x74, 0x55, 0x73, 0x65, 0x64, 0x45, 0x6e, + 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 
0x12, 0x4c, 0x0a, 0x14, 0x6c, 0x61, 0x73, 0x74, 0x5f, 0x65, + 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x5f, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x18, 0x08, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, + 0x52, 0x12, 0x6c, 0x61, 0x73, 0x74, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x43, 0x68, + 0x61, 0x6e, 0x67, 0x65, 0x42, 0x4d, 0x5a, 0x4b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, + 0x6f, 0x6d, 0x2f, 0x73, 0x69, 0x64, 0x65, 0x72, 0x6f, 0x6c, 0x61, 0x62, 0x73, 0x2f, 0x74, 0x61, + 0x6c, 0x6f, 0x73, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x72, + 0x79, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, + 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x6b, 0x75, 0x62, 0x65, 0x73, + 0x70, 0x61, 0x6e, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go index 40f644cbde..c4293d43f3 100644 --- a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go +++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go @@ -54,6 +54,15 @@ func (m *ConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if len(m.FilterEndpoints) > 0 { + for iNdEx := len(m.FilterEndpoints) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.FilterEndpoints[iNdEx]) + copy(dAtA[i:], m.FilterEndpoints[iNdEx]) + i = encodeVarint(dAtA, i, uint64(len(m.FilterEndpoints[iNdEx]))) + i-- + dAtA[i] = 0x3a + } + } if m.Mtu != 0 { i = encodeVarint(dAtA, i, uint64(m.Mtu)) i-- 
@@ -549,6 +558,12 @@ func (m *ConfigSpec) SizeVT() (n int) { if m.Mtu != 0 { n += 1 + sov(uint64(m.Mtu)) } + if len(m.FilterEndpoints) > 0 { + for _, s := range m.FilterEndpoints { + l = len(s) + n += 1 + l + sov(uint64(l)) + } + } if m.unknownFields != nil { n += len(m.unknownFields) } @@ -914,6 +929,38 @@ func (m *ConfigSpec) UnmarshalVT(dAtA []byte) error { break } } + case 7: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field FilterEndpoints", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflow + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLength + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLength + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.FilterEndpoints = append(m.FilterEndpoints, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skip(dAtA[iNdEx:]) diff --git a/pkg/machinery/config/provider.go b/pkg/machinery/config/provider.go index a7ddaa42ca..0600b062ef 100644 --- a/pkg/machinery/config/provider.go +++ b/pkg/machinery/config/provider.go @@ -292,6 +292,12 @@ type KubeSpan interface { ForceRouting() bool AdvertiseKubernetesNetworks() bool MTU() uint32 + Filters() KubeSpanFilters +} + +// KubeSpanFilters configures KubeSpan filters. +type KubeSpanFilters interface { + Endpoints() []string } // NetworkDeviceSelector defines the set of fields that can be used to pick network a device. diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go index a71e4a32f2..ef355d1785 100644 --- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go +++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go 
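Review bot: The new `KubeSpanFilters` interface and the `Filters()` method added to `KubeSpan` in provider.go carry no doc comment on their methods, and as the consumer-facing contract this is where the unit of the strings and the meaning of an empty result belong rather than in the v1alpha1 implementation. Suggested: `// Filters returns the KubeSpan endpoint filter settings.` on `Filters()`, and `// Endpoints returns the CIDRs a node IP must belong to in order to be advertised as a KubeSpan endpoint; an empty list disables filtering.` on `Endpoints()`. That an empty list means no filtering is inferred from the `len(...) > 0` guard in local_affiliate.go and is not stated anywhere, so confirm it is intended before documenting it.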
@@ -1024,6 +1024,24 @@ func (k *NetworkKubeSpan) MTU() uint32 { return pointer.SafeDeref(k.KubeSpanMTU) } +// Filters implements the KubeSpan interface. +func (k *NetworkKubeSpan) Filters() config.KubeSpanFilters { + if k.KubeSpanFilters == nil { + return &KubeSpanFilters{} + } + + return k.KubeSpanFilters +} + +// Endpoints implements the config.KubeSpanFilters interface. +func (k *KubeSpanFilters) Endpoints() []string { + if k.KubeSpanFiltersEndpoints == nil { + return []string{"0.0.0.0/0", "::/0"} + } + + return k.KubeSpanFiltersEndpoints +} + // Disabled implements the config.Provider interface. func (t *TimeConfig) Disabled() bool { return pointer.SafeDeref(t.TimeDisabled) diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go index d4de1f52fb..60f51ffb3b 100644 --- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go +++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go @@ -2505,6 +2505,15 @@ type NetworkKubeSpan struct { // KubeSpan link MTU size. // Default value is 1420. KubeSpanMTU *uint32 `yaml:"mtu,omitempty"` + // description: | + // KubeSpan filters. + KubeSpanFilters *KubeSpanFilters `yaml:"filters,omitempty"` +} + +// KubeSpanFilters struct describes KubeSpan filters. +type KubeSpanFilters struct { + // description: KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections. + KubeSpanFiltersEndpoints []string `yaml:"endpoints,omitempty"` } // NetworkDeviceSelector struct describes network device selector. diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go index 04a92f644d..396254cb08 100644 --- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go +++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go 
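Review bot: `Endpoints()` returns the config's own `KubeSpanFiltersEndpoints` backing slice, so any caller that sorts or appends to the result mutates the parsed machine config in place; return a copy, `out := make([]string, len(k.KubeSpanFiltersEndpoints)); copy(out, k.KubeSpanFiltersEndpoints); return out`, unless the other getters in this file deliberately share the backing slice. The `nil` check also makes an explicitly configured `endpoints: []` (likely decoded as an empty non-nil slice) behave differently from an absent field, which yields `0.0.0.0/0` and `::/0`; both end up as "no filter" in LocalAffiliateController, but that equivalence should be stated in the method's doc comment. The default literal is re-allocated on every call and could be a package-level `var`.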
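Review bot: The `description:` on `KubeSpanFiltersEndpoints` in v1alpha1_types.go ("list allowed node' IPs to make p2p connections") is ungrammatical and does not say what the strings are, and since it is the source of the generated `v1alpha1_types_doc.go` and `configuration.md` text the wording is repeated in all three places. Replace it with a multi-line `description: |` block along the lines of `KubeSpan endpoint filter: only node IPs that fall within one of these CIDRs are advertised as KubeSpan endpoints. Defaults to 0.0.0.0/0 and ::/0 (all node IPs).` and regenerate. The default values are the ones returned by `Endpoints()` in v1alpha1_provider.go.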
@@ -74,6 +74,7 @@ var ( VolumeMountConfigDoc encoder.Doc ClusterInlineManifestDoc encoder.Doc NetworkKubeSpanDoc encoder.Doc + KubeSpanFiltersDoc encoder.Doc NetworkDeviceSelectorDoc encoder.Doc ClusterDiscoveryConfigDoc encoder.Doc DiscoveryRegistriesConfigDoc encoder.Doc @@ -2468,7 +2469,7 @@ func init() { FieldName: "kubespan", }, } - NetworkKubeSpanDoc.Fields = make([]encoder.Doc, 4) + NetworkKubeSpanDoc.Fields = make([]encoder.Doc, 5) NetworkKubeSpanDoc.Fields[0].Name = "enabled" NetworkKubeSpanDoc.Fields[0].Type = "bool" NetworkKubeSpanDoc.Fields[0].Note = "" 
@@ -2489,6 +2490,27 @@ func init() { NetworkKubeSpanDoc.Fields[3].Note = "" NetworkKubeSpanDoc.Fields[3].Description = "KubeSpan link MTU size.\nDefault value is 1420." NetworkKubeSpanDoc.Fields[3].Comments[encoder.LineComment] = "KubeSpan link MTU size." + NetworkKubeSpanDoc.Fields[4].Name = "filters" + NetworkKubeSpanDoc.Fields[4].Type = "KubeSpanFilters" + NetworkKubeSpanDoc.Fields[4].Note = "" + NetworkKubeSpanDoc.Fields[4].Description = "KubeSpan filters." + NetworkKubeSpanDoc.Fields[4].Comments[encoder.LineComment] = "KubeSpan filters." + + KubeSpanFiltersDoc.Type = "KubeSpanFilters" + KubeSpanFiltersDoc.Comments[encoder.LineComment] = "KubeSpanFilters struct describes KubeSpan filters." + KubeSpanFiltersDoc.Description = "KubeSpanFilters struct describes KubeSpan filters." + KubeSpanFiltersDoc.AppearsIn = []encoder.Appearance{ + { + TypeName: "NetworkKubeSpan", + FieldName: "filters", + }, + } + KubeSpanFiltersDoc.Fields = make([]encoder.Doc, 1) + KubeSpanFiltersDoc.Fields[0].Name = "endpoints" + KubeSpanFiltersDoc.Fields[0].Type = "[]string" + KubeSpanFiltersDoc.Fields[0].Note = "" + KubeSpanFiltersDoc.Fields[0].Description = "KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections." + KubeSpanFiltersDoc.Fields[0].Comments[encoder.LineComment] = "KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections." NetworkDeviceSelectorDoc.Type = "NetworkDeviceSelector" NetworkDeviceSelectorDoc.Comments[encoder.LineComment] = "NetworkDeviceSelector struct describes network device selector." @@ -2952,6 +2974,10 @@ func (_ NetworkKubeSpan) Doc() *encoder.Doc { return &NetworkKubeSpanDoc } +func (_ KubeSpanFilters) Doc() *encoder.Doc { + return &KubeSpanFiltersDoc +} + func (_ NetworkDeviceSelector) Doc() *encoder.Doc { return &NetworkDeviceSelectorDoc } 
@@ -3058,6 +3084,7 @@ func GetConfigurationDoc() *encoder.FileDoc { &VolumeMountConfigDoc, &ClusterInlineManifestDoc, &NetworkKubeSpanDoc, + &KubeSpanFiltersDoc, &NetworkDeviceSelectorDoc, &ClusterDiscoveryConfigDoc, &DiscoveryRegistriesConfigDoc, diff --git a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go index 0827b33c8c..bbe2b866d1 100644 --- a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go @@ -1130,6 +1130,27 @@ func (in *KernelModuleConfig) DeepCopy() *KernelModuleConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeSpanFilters) DeepCopyInto(out *KubeSpanFilters) { + *out = *in + if in.KubeSpanFiltersEndpoints != nil { + in, out := &in.KubeSpanFiltersEndpoints, &out.KubeSpanFiltersEndpoints + *out = make([]string, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeSpanFilters. +func (in *KubeSpanFilters) DeepCopy() *KubeSpanFilters { + if in == nil { + return nil + } + out := new(KubeSpanFilters) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KubeletConfig) DeepCopyInto(out *KubeletConfig) { *out = *in @@ -1669,6 +1690,11 @@ func (in *NetworkKubeSpan) DeepCopyInto(out *NetworkKubeSpan) { *out = new(uint32) **out = **in } + if in.KubeSpanFilters != nil { + in, out := &in.KubeSpanFilters, &out.KubeSpanFilters + *out = new(KubeSpanFilters) + (*in).DeepCopyInto(*out) + } return } diff --git a/pkg/machinery/resources/kubespan/config.go b/pkg/machinery/resources/kubespan/config.go index 215543738c..0aa4d0be92 100644 --- a/pkg/machinery/resources/kubespan/config.go 
+++ b/pkg/machinery/resources/kubespan/config.go @@ -39,6 +39,8 @@ type ConfigSpec struct { AdvertiseKubernetesNetworks bool `yaml:"advertiseKubernetesNetworks" protobuf:"5"` // Force kubeSpan MTU size. MTU uint32 `yaml:"mtu,omitempty" protobuf:"6"` + // Allowed list of node endpoints. + FilterEndpoints []string `yaml:"filterEndpoints,omitempty" protobuf:"7"` } // NewConfig initializes a Config resource. diff --git a/pkg/machinery/resources/kubespan/deep_copy.generated.go b/pkg/machinery/resources/kubespan/deep_copy.generated.go index 8beec586de..7e8568f376 100644 --- a/pkg/machinery/resources/kubespan/deep_copy.generated.go +++ b/pkg/machinery/resources/kubespan/deep_copy.generated.go @@ -13,6 +13,10 @@ import ( // DeepCopy generates a deep copy of ConfigSpec. func (o ConfigSpec) DeepCopy() ConfigSpec { var cp ConfigSpec = o + if o.FilterEndpoints != nil { + cp.FilterEndpoints = make([]string, len(o.FilterEndpoints)) + copy(cp.FilterEndpoints, o.FilterEndpoints) + } return cp } diff --git a/website/content/v1.3/reference/api.md b/website/content/v1.3/reference/api.md index 6887f1097f..0bf94446b5 100644 --- a/website/content/v1.3/reference/api.md +++ b/website/content/v1.3/reference/api.md @@ -2176,6 +2176,7 @@ ConfigSpec describes KubeSpan configuration.. | force_routing | [bool](#bool) | | | | advertise_kubernetes_networks | [bool](#bool) | | | | mtu | [uint32](#uint32) | | | +| filter_endpoints | [string](#string) | repeated | | diff --git a/website/content/v1.3/reference/configuration.md b/website/content/v1.3/reference/configuration.md index 76bffaa446..3d6239e44d 100644 --- a/website/content/v1.3/reference/configuration.md +++ b/website/content/v1.3/reference/configuration.md @@ -2724,6 +2724,24 @@ enabled: true # Enable the KubeSpan feature. |`advertiseKubernetesNetworks` |bool |
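Review bot: The comment `// Allowed list of node endpoints.` on the new `FilterEndpoints` field in ConfigSpec does not say that the entries are CIDRs matched against node IPs rather than endpoints themselves, which is what the resource's consumer in local_affiliate.go relies on; `// FilterEndpoints lists the CIDRs a node IP must belong to in order to be advertised as a KubeSpan endpoint.` says it. The field is exported on a resource spec that other controllers read, so the unit matters more here than on the machine-config type.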
Control whether Kubernetes pod CIDRs are announced over KubeSpan from the node.If disabled, CNI handles encapsulating pod-to-pod traffic into some node-to-node tunnel,
and KubeSpan handles the node-to-node traffic.
If enabled, KubeSpan will take over pod-to-pod traffic and send it over KubeSpan directly.
When enabled, KubeSpan should have a way to detect complete pod CIDRs of the node which
is not always the case with CNIs not relying on Kubernetes for IPAM.
| | |`allowDownPeerBypass` |bool |
Skip sending traffic via KubeSpan if the peer connection state is not up.This provides configurable choice between connectivity and security: either traffic is always
forced to go via KubeSpan (even if Wireguard peer connection is not up), or traffic can go directly
to the peer if Wireguard connection can't be established.
| | |`mtu` |uint32 |
KubeSpan link MTU size.Default value is 1420.
| | +|`filters` |KubeSpanFilters |KubeSpan filters. | | + + + +--- +## KubeSpanFilters +KubeSpanFilters struct describes KubeSpan filters. + +Appears in: + +- NetworkKubeSpan.filters + + + + +| Field | Type | Description | Value(s) | +|-------|------|-------------|----------| +|`endpoints` |[]string |KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections. | | From b8aad6cb8bad8f40b362f31c4a9e978c2c712bee Mon Sep 17 00:00:00 2001 From: Serge Logvinov Date: Sun, 13 Nov 2022 14:11:44 +0000 Subject: [PATCH 2/2] feat: kubespan native route Comments Signed-off-by: Serge Logvinov --- .../definitions/kubespan/kubespan.proto | 1 + .../pkg/controllers/kubespan/config.go | 1 + .../pkg/controllers/kubespan/manager.go | 8 ++++ .../definitions/kubespan/kubespan.pb.go | 15 +++++- .../kubespan/kubespan_vtproto.pb.go | 47 +++++++++++++++++++ pkg/machinery/config/provider.go | 1 + .../types/v1alpha1/v1alpha1_provider.go | 9 ++++ .../config/types/v1alpha1/v1alpha1_types.go | 13 ++++- .../types/v1alpha1/v1alpha1_types_doc.go | 15 ++++-- .../types/v1alpha1/zz_generated.deepcopy.go | 5 ++ pkg/machinery/resources/kubespan/config.go | 2 + .../resources/kubespan/deep_copy.generated.go | 4 ++ website/content/v1.3/reference/api.md | 1 + .../content/v1.3/reference/configuration.md | 9 +++- 14 files changed, 124 insertions(+), 7 deletions(-) diff --git a/api/resource/definitions/kubespan/kubespan.proto b/api/resource/definitions/kubespan/kubespan.proto index 49dde3d95f..7aa26f7fa7 100755 --- a/api/resource/definitions/kubespan/kubespan.proto +++ b/api/resource/definitions/kubespan/kubespan.proto @@ -17,6 +17,7 @@ message ConfigSpec { bool advertise_kubernetes_networks = 5; uint32 mtu = 6; repeated string filter_endpoints = 7; + repeated string filter_native_route = 8; } // EndpointSpec describes Endpoint state. diff --git a/internal/app/machined/pkg/controllers/kubespan/config.go b/internal/app/machined/pkg/controllers/kubespan/config.go index 4da2cd670b..d3c1b9502e 100644 
--- a/internal/app/machined/pkg/controllers/kubespan/config.go
+++ b/internal/app/machined/pkg/controllers/kubespan/config.go
@@ -77,6 +77,7 @@ func (ctrl *ConfigController) Run(ctx context.Context, r controller.Runtime, log
 res.(*kubespan.Config).TypedSpec().AdvertiseKubernetesNetworks = c.Machine().Network().KubeSpan().AdvertiseKubernetesNetworks()
 res.(*kubespan.Config).TypedSpec().MTU = c.Machine().Network().KubeSpan().MTU()
 res.(*kubespan.Config).TypedSpec().FilterEndpoints = c.Machine().Network().KubeSpan().Filters().Endpoints()
+ res.(*kubespan.Config).TypedSpec().FilterNativeRoute = c.Machine().Network().KubeSpan().Filters().NativeRoute()
 return nil
 }); err != nil {
diff --git a/internal/app/machined/pkg/controllers/kubespan/manager.go b/internal/app/machined/pkg/controllers/kubespan/manager.go
index d678a12ef8..02c05f6071 100644
--- a/internal/app/machined/pkg/controllers/kubespan/manager.go
+++ b/internal/app/machined/pkg/controllers/kubespan/manager.go
@@ -17,6 +17,7 @@ import (
 "github.com/cosi-project/runtime/pkg/state"
 "github.com/siderolabs/gen/value"
 "github.com/siderolabs/go-pointer"
+ "github.com/siderolabs/net"
 "go.uber.org/zap"
 "go4.org/netipx"
 "golang.zx2c4.com/wireguard/wgctrl"
@@ -358,6 +359,13 @@ func (ctrl *ManagerController) Run(ctx context.Context, r controller.Runtime, lo
 // or if the peer connection state is up.
 if cfgSpec.ForceRouting || peerStatus.State == kubespan.PeerStateUp {
 for _, prefix := range peerSpec.AllowedIPs {
+ // For optimization purposes.
+ if cfgSpec.FilterNativeRoute != nil && prefix.IsSingleIP() {
+ if exist, err := net.FilterIPs([]netip.Addr{prefix.Addr()}, cfgSpec.FilterNativeRoute); err == nil && exist != nil {
+ continue
+ }
+ }
+
 allowedIPsBuilder.AddPrefix(prefix)
 }
 }
diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go
index 1fc16f9f28..c9417467b5 100644
--- a/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go 
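Review bot: The new native-route check swallows the `net.FilterIPs` error, so one malformed entry in `filters.nativeRoute` silently disables the whole filter, and `exist != nil` depends on whether the helper returns nil or an empty slice when nothing matches — `len(exist) > 0` is the safer test. The filter also runs only for single-IP allowed IPs (`prefix.IsSingleIP()`), so a destination inside a wider advertised prefix still goes through KubeSpan even though the field description promises otherwise, and `// For optimization purposes.` tells the reader none of this; something like `// Destinations in filters.nativeRoute bypass KubeSpan; only /32 and /128 allowed IPs are matched here.` would. I'd parse the list once into a `netipx.IPSet` before the peer loop (go4.org/netipx is already imported), fail the reconcile on a bad CIDR the way local_affiliate.go does for `filters.endpoints`, and match with `ContainsPrefix`, which additionally skips wider prefixes that lie entirely inside a native-route CIDR; that would leave the new `github.com/siderolabs/net` import unused in this file. Since a match takes the destination off the encrypted path, an over-broad list is a silent downgrade, so logging the parsed set once when the config changes is worth considering. The peer loop and the point where `cfgSpec` is read start outside the hunk, and whether manager.go already imports fmt is not visible here.
```go
// Parse filters.nativeRoute once per reconcile: a malformed CIDR fails the
// reconcile instead of silently disabling the filter for every peer.
var nativeRouteSet *netipx.IPSet

if len(cfgSpec.FilterNativeRoute) > 0 {
	var setBuilder netipx.IPSetBuilder

	for _, cidr := range cfgSpec.FilterNativeRoute {
		p, err := netip.ParsePrefix(cidr)
		if err != nil {
			return fmt.Errorf("error parsing KubeSpan nativeRoute filter %q: %w", cidr, err)
		}

		setBuilder.AddPrefix(p)
	}

	set, err := setBuilder.IPSet()
	if err != nil {
		return fmt.Errorf("error building KubeSpan nativeRoute filter: %w", err)
	}

	nativeRouteSet = set
}

// … unchanged: peer iteration, ForceRouting / PeerStateUp check …
for _, prefix := range peerSpec.AllowedIPs {
	// Destinations inside filters.nativeRoute are reached natively, so they
	// must not become KubeSpan allowed IPs; a wider prefix is skipped only
	// when the whole prefix lies inside the filter.
	if nativeRouteSet != nil && nativeRouteSet.ContainsPrefix(prefix) {
		continue
	}

	allowedIPsBuilder.AddPrefix(prefix)
}
```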
+++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan.pb.go @@ -38,6 +38,7 @@ type ConfigSpec struct { AdvertiseKubernetesNetworks bool `protobuf:"varint,5,opt,name=advertise_kubernetes_networks,json=advertiseKubernetesNetworks,proto3" json:"advertise_kubernetes_networks,omitempty"` Mtu uint32 `protobuf:"varint,6,opt,name=mtu,proto3" json:"mtu,omitempty"` FilterEndpoints []string `protobuf:"bytes,7,rep,name=filter_endpoints,json=filterEndpoints,proto3" json:"filter_endpoints,omitempty"` + FilterNativeRoute []string `protobuf:"bytes,8,rep,name=filter_native_route,json=filterNativeRoute,proto3" json:"filter_native_route,omitempty"` } func (x *ConfigSpec) Reset() { @@ -121,6 +122,13 @@ func (x *ConfigSpec) GetFilterEndpoints() []string { return nil } +func (x *ConfigSpec) GetFilterNativeRoute() []string { + if x != nil { + return x.FilterNativeRoute + } + return nil +} + // EndpointSpec describes Endpoint state. type EndpointSpec struct { state protoimpl.MessageState @@ -442,7 +450,7 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{ 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x26, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x2f, 0x64, 0x65, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2f, 0x65, 0x6e, 0x75, 0x6d, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x22, 0x90, 0x02, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, + 0x6f, 0x22, 0xc0, 0x02, 0x0a, 0x0a, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x70, 0x65, 0x63, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x5f, 0x69, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 
@@ -459,7 +467,10 @@ var file_resource_definitions_kubespan_kubespan_proto_rawDesc = []byte{ 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, 0x6d, 0x74, 0x75, 0x12, 0x29, 0x0a, 0x10, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, - 0x69, 0x6e, 0x74, 0x73, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, + 0x69, 0x6e, 0x74, 0x73, 0x12, 0x2e, 0x0a, 0x13, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x5f, 0x6e, + 0x61, 0x74, 0x69, 0x76, 0x65, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x18, 0x08, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x11, 0x66, 0x69, 0x6c, 0x74, 0x65, 0x72, 0x4e, 0x61, 0x74, 0x69, 0x76, 0x65, 0x52, + 0x6f, 0x75, 0x74, 0x65, 0x22, 0x60, 0x0a, 0x0c, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x53, 0x70, 0x65, 0x63, 0x12, 0x21, 0x0a, 0x0c, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x61, 0x66, 0x66, 0x69, 0x6c, 0x69, 0x61, 0x74, 0x65, 0x49, 0x64, 0x12, 0x2d, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, diff --git a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go index c4293d43f3..8363d9ecac 100644 --- a/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go +++ b/pkg/machinery/api/resource/definitions/kubespan/kubespan_vtproto.pb.go 
@@ -54,6 +54,15 @@ func (m *ConfigSpec) MarshalToSizedBufferVT(dAtA []byte) (int, error) { i -= len(m.unknownFields) copy(dAtA[i:], m.unknownFields) } + if len(m.FilterNativeRoute) > 0 { + for iNdEx := len(m.FilterNativeRoute) - 1; iNdEx >= 0; iNdEx-- { + i -= len(m.FilterNativeRoute[iNdEx]) + copy(dAtA[i:], m.FilterNativeRoute[iNdEx]) + i = encodeVarint(dAtA, i, uint64(len(m.FilterNativeRoute[iNdEx]))) + i-- + dAtA[i] = 0x42 + } + } if len(m.FilterEndpoints) > 0 { for iNdEx := len(m.FilterEndpoints) - 1; iNdEx >= 0; iNdEx-- { i -= len(m.FilterEndpoints[iNdEx]) @@ -564,6 +573,12 @@ func (m *ConfigSpec) SizeVT() (n int) { n += 1 + l + sov(uint64(l)) } } + if len(m.FilterNativeRoute) > 0 { + for _, s := range m.FilterNativeRoute { + l = len(s) + n += 1 + l + sov(uint64(l)) + } + } if m.unknownFields != nil { n += len(m.unknownFields) } @@ -961,6 +976,38 @@ func (m *ConfigSpec) UnmarshalVT(dAtA []byte) error { } m.FilterEndpoints = append(m.FilterEndpoints, string(dAtA[iNdEx:postIndex])) iNdEx = postIndex + case 8: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field FilterNativeRoute", wireType) + } + var stringLen uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflow + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLen |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLen := int(stringLen) + if intStringLen < 0 { + return ErrInvalidLength + } + postIndex := iNdEx + intStringLen + if postIndex < 0 { + return ErrInvalidLength + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + m.FilterNativeRoute = append(m.FilterNativeRoute, string(dAtA[iNdEx:postIndex])) + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skip(dAtA[iNdEx:]) diff --git a/pkg/machinery/config/provider.go b/pkg/machinery/config/provider.go index 0600b062ef..d512d2b083 100644 --- a/pkg/machinery/config/provider.go +++ b/pkg/machinery/config/provider.go 
@@ -298,6 +298,7 @@ type KubeSpan interface {
 // KubeSpanFilters configures KubeSpan filters.
 type KubeSpanFilters interface {
 Endpoints() []string
+ NativeRoute() []string
 }
 // NetworkDeviceSelector defines the set of fields that can be used to pick network a device.
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
index ef355d1785..927032f252 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_provider.go
@@ -1042,6 +1042,15 @@ func (k *KubeSpanFilters) Endpoints() []string {
 return k.KubeSpanFiltersEndpoints
 }
+// NativeRoute implements the config.KubeSpanFilters interface.
+func (k *KubeSpanFilters) NativeRoute() []string {
+ if k.KubeSpanFiltersNativeRoute == nil {
+ return nil
+ }
+
+ return k.KubeSpanFiltersNativeRoute
+}
+
 // Disabled implements the config.Provider interface.
 func (t *TimeConfig) Disabled() bool {
 return pointer.SafeDeref(t.TimeDisabled)
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
index 60f51ffb3b..b854a68eaf 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types.go 
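Review bot: `NativeRoute()` joins `Endpoints()` in the KubeSpanFilters interface with no doc comment, so nothing at the interface level says the strings are CIDRs or that matched destinations are kept out of the KubeSpan tunnel. I'd add `// NativeRoute returns destination CIDRs whose traffic is routed natively instead of via KubeSpan.` above it, and give Endpoints the same treatment (`// Endpoints returns CIDRs that a node IP must fall into to be advertised as a KubeSpan endpoint.`) while the interface is being touched.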
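Review bot: The nil guard in the new `NativeRoute()` is redundant — `KubeSpanFiltersNativeRoute` is a slice, so `return k.KubeSpanFiltersNativeRoute` on its own already yields nil when the field is unset, and that single line matches the visible body of `Endpoints()` in the context above. What the guard does not cover is a nil `*KubeSpanFilters` receiver, which panics on the field access; if `Filters()` can hand back a nil pointer when the `filters` section is absent (its implementation is outside this hunk), `if k == nil { return nil }` is the check that matters.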
@@ -2512,8 +2512,19 @@ type NetworkKubeSpan struct {
 // KubeSpanFilters struct describes KubeSpan filters.
 type KubeSpanFilters struct {
- // description: KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections.
+ // description: |
+ // CIDR list of node IPs, which will use for p2p connections.
+ // Default value: [0.0.0.0/0, ::/0]
+ // examples:
+ // - name: Uncomment this to use only IPv4 stack.
+ // value: '[]string{"0.0.0.0/0"}'
 KubeSpanFiltersEndpoints []string `yaml:"endpoints,omitempty"`
+ // description: |
+ // Skip sending traffic via KubeSpan if the destination in that CIDR list.
+ // examples:
+ // - name: Do not use KubeSpan to route 10.0.0.0/8 subnet.
+ // value: '[]string{"10.0.0.0/8"}'
+ KubeSpanFiltersNativeRoute []string `yaml:"nativeRoute,omitempty"`
 }
 // NetworkDeviceSelector struct describes network device selector.
diff --git a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
index 396254cb08..3a4ca41578 100644
--- a/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go
+++ b/pkg/machinery/config/types/v1alpha1/v1alpha1_types_doc.go 
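Review bot: The `nativeRoute` description says traffic stays off KubeSpan whenever the destination falls in the listed CIDRs, but manager.go applies the filter only to single-IP allowed IPs (`prefix.IsSingleIP()`), so a destination inside a wider advertised prefix still goes through KubeSpan; the description should say so, and should state the consequence that matched traffic is no longer carried by the encrypted KubeSpan link. Something like `Destination CIDRs that are routed natively instead of via KubeSpan (traffic to them is not protected by KubeSpan); only single-IP allowed IPs are currently matched.` would do, and since v1alpha1_types_doc.go and configuration.md are generated from these comments, changing them here fixes all three copies. The `endpoints` text reads awkwardly as well: `CIDR list that node IPs must match to be used for p2p connections.` and an example name such as `Use only the IPv4 stack.` are clearer than the current wording.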
@@ -2505,12 +2505,21 @@ func init() { FieldName: "filters", }, } - KubeSpanFiltersDoc.Fields = make([]encoder.Doc, 1) + KubeSpanFiltersDoc.Fields = make([]encoder.Doc, 2) KubeSpanFiltersDoc.Fields[0].Name = "endpoints" KubeSpanFiltersDoc.Fields[0].Type = "[]string" KubeSpanFiltersDoc.Fields[0].Note = "" - KubeSpanFiltersDoc.Fields[0].Description = "KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections." - KubeSpanFiltersDoc.Fields[0].Comments[encoder.LineComment] = "KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections." + KubeSpanFiltersDoc.Fields[0].Description = "CIDR list of node IPs, which will use for p2p connections.\nDefault value: [0.0.0.0/0, ::/0]" + KubeSpanFiltersDoc.Fields[0].Comments[encoder.LineComment] = "CIDR list of node IPs, which will use for p2p connections." + + KubeSpanFiltersDoc.Fields[0].AddExample("Uncomment this to use only IPv4 stack.", []string{"0.0.0.0/0"}) + KubeSpanFiltersDoc.Fields[1].Name = "nativeRoute" + KubeSpanFiltersDoc.Fields[1].Type = "[]string" + KubeSpanFiltersDoc.Fields[1].Note = "" + KubeSpanFiltersDoc.Fields[1].Description = "Skip sending traffic via KubeSpan if the destination in that CIDR list." + KubeSpanFiltersDoc.Fields[1].Comments[encoder.LineComment] = "Skip sending traffic via KubeSpan if the destination in that CIDR list." + + KubeSpanFiltersDoc.Fields[1].AddExample("Do not use KubeSpan to route 10.0.0.0/8 subnet.", []string{"10.0.0.0/8"}) NetworkDeviceSelectorDoc.Type = "NetworkDeviceSelector" NetworkDeviceSelectorDoc.Comments[encoder.LineComment] = "NetworkDeviceSelector struct describes network device selector." diff --git a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go index bbe2b866d1..92845f5764 100644 --- a/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/machinery/config/types/v1alpha1/zz_generated.deepcopy.go 
@@ -1138,6 +1138,11 @@ func (in *KubeSpanFilters) DeepCopyInto(out *KubeSpanFilters) { *out = make([]string, len(*in)) copy(*out, *in) } + if in.KubeSpanFiltersNativeRoute != nil { + in, out := &in.KubeSpanFiltersNativeRoute, &out.KubeSpanFiltersNativeRoute + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/pkg/machinery/resources/kubespan/config.go b/pkg/machinery/resources/kubespan/config.go index 0aa4d0be92..2a86d4896b 100644 --- a/pkg/machinery/resources/kubespan/config.go +++ b/pkg/machinery/resources/kubespan/config.go @@ -41,6 +41,8 @@ type ConfigSpec struct { MTU uint32 `yaml:"mtu,omitempty" protobuf:"6"` // Allowed list of node endpoints. FilterEndpoints []string `yaml:"filterEndpoints,omitempty" protobuf:"7"` + // FilterNativeRoute skip destination CIDR list. + FilterNativeRoute []string `yaml:"filterNativeRoute,omitempty" protobuf:"8"` } // NewConfig initializes a Config resource. diff --git a/pkg/machinery/resources/kubespan/deep_copy.generated.go b/pkg/machinery/resources/kubespan/deep_copy.generated.go index 7e8568f376..d9d9e11a64 100644 --- a/pkg/machinery/resources/kubespan/deep_copy.generated.go +++ b/pkg/machinery/resources/kubespan/deep_copy.generated.go @@ -17,6 +17,10 @@ func (o ConfigSpec) DeepCopy() ConfigSpec { cp.FilterEndpoints = make([]string, len(o.FilterEndpoints)) copy(cp.FilterEndpoints, o.FilterEndpoints) } + if o.FilterNativeRoute != nil { + cp.FilterNativeRoute = make([]string, len(o.FilterNativeRoute)) + copy(cp.FilterNativeRoute, o.FilterNativeRoute) + } return cp } diff --git a/website/content/v1.3/reference/api.md b/website/content/v1.3/reference/api.md index 0bf94446b5..6a144d18e3 100644 --- a/website/content/v1.3/reference/api.md +++ b/website/content/v1.3/reference/api.md 
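Review bot: The comment on the new `FilterNativeRoute` field, `// FilterNativeRoute skip destination CIDR list.`, does not say what the list is for; `// FilterNativeRoute lists destination CIDRs that are routed natively and excluded from KubeSpan allowed IPs.` matches how manager.go consumes it. The neighbouring `FilterEndpoints` comment could likewise say that its entries are CIDRs rather than endpoints, since that is what `net.FilterIPs` is fed in local_affiliate.go.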
@@ -2177,6 +2177,7 @@ ConfigSpec describes KubeSpan configuration..
 | advertise_kubernetes_networks | [bool](#bool) | | |
 | mtu | [uint32](#uint32) | | |
 | filter_endpoints | [string](#string) | repeated | |
+| filter_native_route | [string](#string) | repeated | |
diff --git a/website/content/v1.3/reference/configuration.md b/website/content/v1.3/reference/configuration.md
index 3d6239e44d..9c341f3acd 100644
--- a/website/content/v1.3/reference/configuration.md
+++ b/website/content/v1.3/reference/configuration.md
@@ -2741,7 +2741,14 @@ Appears in:
 | Field | Type | Description | Value(s) |
 |-------|------|-------------|----------|
-|`endpoints` |[]string |KubeSpanFiltersEndpoints list allowed node' IPs to make p2p connections. | |
+|`endpoints` |[]string |
CIDR list of node IPs, which will use for p2p connections.Default value: [0.0.0.0/0, ::/0]
Show example(s){{< highlight yaml >}} +endpoints: + - 0.0.0.0/0 +{{< /highlight >}}
| | +|`nativeRoute` |[]string |Skip sending traffic via KubeSpan if the destination in that CIDR list.
Show example(s){{< highlight yaml >}} +nativeRoute: + - 10.0.0.0/8 +{{< /highlight >}}
| |