
fix(cni): pass buffer to kuma net iptables engine to get logs out #4826

Merged
merged 1 commit into from
Aug 16, 2022

Conversation

slonka
Contributor

@slonka slonka commented Aug 15, 2022

closes #4659

For some reason restoreIPTables returns an empty string when called inside a namespace. This PR uses RuntimeStdout to write to the buffer, and then we print the contents of that buffer, which contain the iptables rules.

Example log output:

2022-08-15T09:35:53.029Z        DEBUG   kuma-cni        generated iptables rules        {"pod": "test-server-84cdb5864-g4s5r", "namespace": "kuma-test", "podInfraContainerId": "06b35c8a192828555ce2585b6e2dd51ebacece4c70e2a21287c389636901024d", "ip": "", "containerId": "06b35c8a192828555ce2585b6e2dd51ebacece4c70e2a21287c389636901024d", "args": "K8S_POD_NAME=test-server-84cdb5864-g4s5r;K8S_POD_INFRA_CONTAINER_ID=06b35c8a192828555ce2585b6e2dd51ebacece4c70e2a21287c389636901024d;IgnoreUnknown=1;K8S_POD_NAMESPACE=kuma-test", "iptablesStdout": "kumactl is about to apply the iptables rules that will enable transparent proxying on the machine. The SSH connection may drop. If that happens, just reconnect again.
Writing following contents to rules file:  /tmp/iptables-rules-1660556153027488649.txt2074813965
* raw
-A PREROUTING -p udp --sport 53 -j CT --zone 1
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 5678 -j CT --zone 1
-A OUTPUT -p udp --sport 15053 -m owner --uid-owner 5678 -j CT --zone 2
-A OUTPUT -p udp --dport 53 -j CT --zone 2
COMMIT
* nat
-N MESH_INBOUND
-N MESH_OUTBOUND
-N MESH_INBOUND_REDIRECT
-N MESH_OUTBOUND_REDIRECT
-A PREROUTING -p tcp -j MESH_INBOUND
-A OUTPUT -p udp --dport 53 -m owner --uid-owner 5678 -j RETURN
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 15053
-A OUTPUT -p tcp -j MESH_OUTBOUND
-A MESH_INBOUND -p tcp --dport 9901 -j RETURN
-A MESH_INBOUND -p tcp -j MESH_INBOUND_REDIRECT
-A MESH_OUTBOUND -p tcp --dport 9901 -j RETURN
-A MESH_OUTBOUND -s 127.0.0.6/32 -o lo -j RETURN
-A MESH_OUTBOUND -p tcp ! --dport 53 -o lo ! -d 127.0.0.1/32 -m owner --uid-owner 5678 -j MESH_INBOUND_REDIRECT
-A MESH_OUTBOUND -p tcp ! --dport 53 -o lo -m owner ! --uid-owner 5678 -j RETURN
-A MESH_OUTBOUND -m owner --uid-owner 5678 -j RETURN
-A MESH_OUTBOUND -p tcp --dport 53 -j REDIRECT --to-ports 15053
-A MESH_OUTBOUND -d 127.0.0.1/32 -j RETURN
-A MESH_OUTBOUND -j MESH_OUTBOUND_REDIRECT
-A MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT

iptables set to diverge the traffic to Envoy.
"}

Signed-off-by: slonka <slonka@users.noreply.github.com>

Checklist prior to review

  • Link to docs PR or issue -- no docs on new CNI yet
  • Link to UI issue or PR -- not a UI issue
  • Is the issue worked on linked? --
  • The PR does not hardcode values that might break projects that depend on kuma (e.g. "kumahq" as an image registry) --
  • The PR will work for both Linux and Windows, system specific functions like syscall.Mkfifo have equivalent implementation on the other OS --
  • Unit Tests -- do I need to write these, or E2E tests? I don't see any tests anywhere that would stub / mock the log, so I'm not sure how much effort is needed there - let me know if you want me to do this
  • E2E Tests --
  • Manual Universal Tests -- not a universal issue
  • Manual Kubernetes Tests -- tested manually (see example log above)
  • Do you need to update UPGRADE.md? -- no
  • Does it need to be backported according to the backporting policy? -- no

Signed-off-by: slonka <slonka@users.noreply.github.com>
@slonka slonka requested a review from a team as a code owner August 15, 2022 09:55
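Added example (not code from the kuma project): a small Go check over the text the CNI now gets out of the stdout buffer, parsing the iptables-restore rules and reporting any expected Envoy redirect (chain and port) that is missing. The sample input is a constructed excerpt of the rules in the log above; the chain names and ports 15001, 15006 and 15053 are taken from that log.

```go
package main

import (
	"bufio"
	"strings"
)

// sampleRules is a constructed excerpt of the buffer contents shown in the PR's
// example log (sample input for this check, not output captured from kuma).
const sampleRules = `* raw
-A PREROUTING -p udp --sport 53 -j CT --zone 1
COMMIT
* nat
-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 15053
-A MESH_INBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15006
-A MESH_OUTBOUND_REDIRECT -p tcp -j REDIRECT --to-ports 15001
COMMIT
`

// RedirectTargets parses iptables-restore text line by line and maps each chain
// that has a REDIRECT rule to the port named by its --to-ports option.
func RedirectTargets(rules string) map[string]string {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(rules))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "-A" {
			continue // table headers (* nat), -N chain creation and COMMIT carry no target
		}
		for i := 2; i+1 < len(f); i++ {
			if f[i-2] == "-j" && f[i-1] == "REDIRECT" && f[i] == "--to-ports" {
				out[f[1]] = f[i+1] // chain name is f[1]; a later rule for the same chain wins
			}
		}
	}
	return out
}

// MissingRedirects returns the chain->port pairs an operator expects for Envoy that
// the captured rules lack, so an incomplete transparent-proxy setup is visible from the log.
func MissingRedirects(rules string, want [][2]string) []string {
	got := RedirectTargets(rules)
	var missing []string
	for _, w := range want {
		if got[w[0]] != w[1] {
			missing = append(missing, w[0]+"->"+w[1])
		}
	}
	return missing
}
```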
@codecov-commenter

codecov-commenter commented Aug 15, 2022

Codecov Report

Merging #4826 (b0188fb) into master (767315c) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

@@            Coverage Diff             @@
##           master    #4826      +/-   ##
==========================================
- Coverage   46.47%   46.45%   -0.03%     
==========================================
  Files         690      690              
  Lines       47059    47061       +2     
==========================================
- Hits        21873    21863      -10     
- Misses      23264    23274      +10     
- Partials     1922     1924       +2     
Impacted Files                                  Coverage Δ
app/cni/pkg/cni/injector_linux.go               0.00%  <0.00%> (ø)
pkg/plugins/leader/postgres/leader_elector.go   82.97% <0.00%> (-6.39%) ⬇️
pkg/core/resources/manager/cache.go             83.11% <0.00%> (-5.20%) ⬇️
pkg/xds/cache/once/cache.go                     82.05% <0.00%> (-5.13%) ⬇️
pkg/xds/cache/once/once.go                      95.00% <0.00%> (-5.00%) ⬇️


Contributor

@bartsmykla bartsmykla left a comment


lgtm

@slonka slonka merged commit eb582e2 into kumahq:master Aug 16, 2022
Development

Successfully merging this pull request may close these issues.

Output of log in cni with iptables rules is broken
3 participants