Skip to content

[1.18] kubelet: block non-forwarded packets from crossing the localhost boundary #92038

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 11, 2020
Merged

[1.18] kubelet: block non-forwarded packets from crossing the localhost boundary #92038

merged 1 commit into from
Jun 11, 2020

Conversation

@joelsmith
Copy link
Contributor

@joelsmith joelsmith commented Jun 11, 2020
edited
Loading

Cherry pick of #91569 on release-1.18.

#91569: kubelet: block non-forwarded packets from crossing the

For details on the cherry pick process, see the cherry pick requests page.

NONE

@k8s-ci-robot k8s-ci-robot added the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Jun 11, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.18 milestone Jun 11, 2020
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/kubelet labels Jun 11, 2020
@k8s-ci-robot k8s-ci-robot added sig/node Categorizes an issue or PR as relevant to SIG Node. release-note-none Denotes a PR that doesn't merit a release note. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jun 11, 2020
@joelsmith
Copy link
Contributor Author

joelsmith commented Jun 11, 2020

/priority important-soon
/kind bug
/sig network
/restest

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. kind/bug Categorizes issue or PR as related to a bug. sig/network Categorizes an issue or PR as relevant to SIG Network. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Jun 11, 2020
@joelsmith joelsmith changed the title Automated cherry pick of #91569: kubelet: block non-forwarded packets from crossing the [1.18] kubelet: block non-forwarded packets from crossing the localhost boundary Jun 11, 2020
@joelsmith joelsmith force-pushed the automated-cherry-pick-of-#91569-upstream-release-1.18 branch from ccfde10 to 0fe4d09 Compare June 11, 2020 15:25
@squeed @joelsmith
kubelet: block non-forwarded packets from crossing the localhost boun…
a8a673a 
…dary

We set route_localnet so that host-network processes can connect to
<127.0.0.1:NodePort> and it still works. This, however, is too
permissive.

So, block martians that are not already in conntrack.

See: kubernetes#90259
Signed-off-by: Casey Callendrello <cdc@redhat.com>
@joelsmith joelsmith force-pushed the automated-cherry-pick-of-#91569-upstream-release-1.18 branch from 0fe4d09 to a8a673a Compare June 11, 2020 15:26
@joelsmith
Copy link
Contributor Author

joelsmith commented Jun 11, 2020

/test pull-kubernetes-integration

@danwinship
Copy link
Contributor

danwinship commented Jun 11, 2020

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 11, 2020
@derekwaynecarr
Copy link
Member

derekwaynecarr commented Jun 11, 2020

kubelet change is lgtm.

/approve

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Jun 11, 2020

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, joelsmith

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 11, 2020
saschagrunert
saschagrunert approved these changes Jun 11, 2020
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

markjacksonfishing
markjacksonfishing approved these changes Jun 11, 2020
View reviewed changes
Copy link

@markjacksonfishing markjacksonfishing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

hasheddan
hasheddan approved these changes Jun 11, 2020
View reviewed changes
Copy link
Contributor

@hasheddan hasheddan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@tpepper tpepper added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jun 11, 2020
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Jun 11, 2020
@k8s-ci-robot k8s-ci-robot merged commit 2c8a86e into kubernetes:release-1.18 Jun 11, 2020
@joelsmith joelsmith deleted the automated-cherry-pick-of-#91569-upstream-release-1.18 branch June 17, 2020 19:27
@joelsmith joelsmith mentioned this pull request Jul 8, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saschagrunert saschagrunert saschagrunert approved these changes

@mattjmcnaughton mattjmcnaughton Awaiting requested review from mattjmcnaughton

@sjenning sjenning Awaiting requested review from sjenning

+2 more reviewers

@markjacksonfishing markjacksonfishing markjacksonfishing approved these changes

@hasheddan hasheddan hasheddan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@danwinship danwinship

@saschagrunert saschagrunert

@markjacksonfishing markjacksonfishing

@hasheddan hasheddan

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note-none Denotes a PR that doesn't merit a release note. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/node Categorizes an issue or PR as relevant to SIG Node. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

v1.18

Development

Successfully merging this pull request may close these issues.

9 participants

@joelsmith @danwinship @derekwaynecarr @k8s-ci-robot @saschagrunert @markjacksonfishing @hasheddan @tpepper @squeed