Kubernetes cluster iptables hacks maintainer service.

Kubernetes cluster iptables hacks maintainer service

Should only be installed on the kbminion slave (worker) nodes.

Currently will only work on Jay's slc12 cluster: the real and fake master IPs are hard-coded at the top of `etc--maintain-iptables.sh`.

Installation

Download all files individually via:

# Download all files in the gist (except those beginning with "._*"):
# Requires curl and jq.  The command substitution is deliberately left
# unquoted so that each raw_url from the API becomes a separate curl argument.
# NOTE(review): this fetches whatever the gist currently contains and then runs
# the downloaded installer as root without any verification; read the files
# (or pin to a specific gist revision) before the `sudo bash` step.
curl -sS --remote-name-all $( \
    curl -sS https://api.github.com/gists/ddcc88cb4e3c2f260c7802414f85c43b \
        | jq -r '.files[].raw_url' \
        | grep -v '\/\._' \
)
sudo bash ./install-maintain-iptables.sh
##
# @author Jay Taylor
#
# @date 2018-02-23
#
# Sourced by the maintain-iptables systemd service on kbminion nodes.  Repoints
# kube-proxy's DNAT rule for default/kubernetes:https from fakeMasterIp to
# realMasterIp:6443 and adds a matching KUBE-MARK-MASQ rule for realMasterIp.
#
# Address the kubernetes service DNAT must really target (API server, port 6443).
realMasterIp='10.242.243.25'
# Address currently found in kube-proxy's DNAT for default/kubernetes:https;
# rules pointing here are rewritten to ${realMasterIp}.
fakeMasterIp='10.196.40.225'
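#######################################
# Rewrite the kube-proxy DNAT rule for default/kubernetes:https so that it
# targets ${realMasterIp}:6443 instead of ${fakeMasterIp}.
# Globals:   fakeMasterIp (read), realMasterIp (read)
# Arguments: $1 - output of `iptables --list -t nat --line-numbers --numeric`
# Outputs:   a DEBUG line on stdout when a rule is rewritten; errors on stderr
# Returns:   0 when nothing needs rewriting or the rewrite succeeded,
#            1 when the listing could not be parsed safely,
#            otherwise the exit status of `iptables -R`
#######################################
function maintain-iptables::dnat() {
  local iptablesState chainAndRuleId chain ruleNumber ruleRe rc
  iptablesState="${1:-}"

  # Select the DNAT rule carrying the service comment that still points at the
  # fake master, and reduce it to "<chain> <rule-number>" (what `-R` expects).
  # The IP is matched as a fixed string ("<ip>:") so its dots are not treated
  # as regex wildcards.
  chainAndRuleId="$( \
    printf '%s\n' "${iptablesState}" \
      | grep '\/\* default\/kubernetes:https \*\/' \
      | awk -v ip="${fakeMasterIp}:" '$2 == "DNAT" && index($0, ip) > 0 { print }' \
      | sed 's/^\([0-9]\+\).*SET name: \([^ ]\+\).*/\2 \1/' \
  )"
  if [[ -z "${chainAndRuleId}" ]]; then
    return 0
  fi

  # Refuse to build an iptables command from anything other than exactly one
  # "<chain> <number>" pair: a line the sed above could not reduce (no
  # "SET name:" in it) or several matching rules would otherwise be spliced
  # into `-R` as garbage.
  ruleRe='^[^[:space:]]+ [0-9]+$'
  if [[ ! "${chainAndRuleId}" =~ ${ruleRe} ]]; then
    printf 'ERROR: expected a single "<chain> <rule-number>", got: %s\n' "${chainAndRuleId}" 1>&2
    return 1
  fi
  read -r chain ruleNumber <<< "${chainAndRuleId}"

  # Note: iptables -C / --check gives false negatives for some reason on
  # detecting the necessary rule, so the rule is replaced unconditionally
  # whenever the fake-master target is still present.
  echo 'DEBUG: Updating DNAT rule'
  # iptables' own stderr is discarded (as in the original); the exit status is
  # still handed back to the caller.
  iptables \
    -t nat \
    -R "${chain}" "${ruleNumber}" \
    -p tcp \
    -m comment --comment 'default/kubernetes:https' \
    -m recent --set --name "${chain}" \
      --mask 255.255.255.255 \
      --rsource \
    -m tcp \
    -j DNAT \
    --to-destination "${realMasterIp}:6443" 2>/dev/null
  rc=$?
  return "${rc}"
}
export -f maintain-iptables::dnat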
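#######################################
# Ensure the chain that holds the KUBE-MARK-MASQ rule for
# default/kubernetes:https also has such a rule for traffic sourced from
# ${realMasterIp}.  (Presumably this mirrors the rule kube-proxy creates for
# the endpoint address so the rewritten endpoint is treated the same —
# TODO confirm against kube-proxy's generated rules.)
# Globals:   realMasterIp (read)
# Arguments: $1 - output of `iptables --list -t nat --line-numbers --numeric`
# Outputs:   a DEBUG line on stdout when a rule is inserted; errors on stderr
# Returns:   0 when the rule is present or was inserted, 1 when no matching
#            chain was found, otherwise the exit status of `iptables -I`
#######################################
function maintain-iptables::kube-mark-masq() {
  local iptablesState chain
  iptablesState="${1:-}"

  # Track the most recent "Chain NAME" header while scanning; freeze it as soon
  # as the KUBE-MARK-MASQ rule carrying the service comment is seen, so the
  # printed name is the chain containing that rule.
  chain="$( \
    printf '%s\n' "${iptablesState}" \
      | awk '
          BEGIN { found = 0; chain = "" }
          found == 0 && /^Chain ./ { chain = $2 }
          found == 0 && /KUBE-MARK-MASQ .* \/\* default\/kubernetes:https \*\// { found = 1 }
          END { if (found == 1) print chain }' \
  )"
  if [[ -z "${chain}" ]]; then
    echo 'ERROR: No matching chain found for KUBE-SEP-*' 1>&2
    return 1
  fi

  # `-C` exits non-zero when the rule is absent (its stderr is discarded); any
  # other failure of -C also falls through to the insert, whose status is
  # returned to the caller.
  if iptables -t nat -C "${chain}" -s "${realMasterIp}/32" \
       -m comment --comment 'default/kubernetes:https' -j KUBE-MARK-MASQ 2>/dev/null; then
    return 0
  fi
  echo 'DEBUG: Adding KUBE-MARK-MASQ rule'
  iptables -t nat -I "${chain}" 1 -s "${realMasterIp}/32" \
    -m comment --comment 'default/kubernetes:https' -j KUBE-MARK-MASQ
}
export -f maintain-iptables::kube-mark-masq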
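#######################################
# One maintenance pass: snapshot the nat table once and run both fixers on it.
# Order matters: the DNAT fixer replaces a rule by the number recorded in this
# snapshot, while the KUBE-MARK-MASQ fixer inserts at position 1 of
# (presumably) the same chain, which would shift that number — so DNAT first.
# Globals:   none directly (the fixers read realMasterIp / fakeMasterIp)
# Returns:   0 when both fixers succeeded, otherwise the status of the last
#            fixer that failed
#######################################
function maintain-iptables() {
  local iptablesState rc
  rc=0
  # If the listing itself fails (e.g. not root) the snapshot is empty; the DNAT
  # fixer then does nothing and the masq fixer reports the missing chain.
  iptablesState="$(iptables --list -t nat --line-numbers --numeric)"
  maintain-iptables::dnat "${iptablesState}" || rc=$?
  maintain-iptables::kube-mark-masq "${iptablesState}" || rc=$?
  return "${rc}"
}
export -f maintain-iptables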
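[Unit]
Description=Jay's Kubernetes iptables hack
Documentation=https://gist.github.com/jaytaylor/ddcc88cb4e3c2f260c7802414f85c43b

[Service]
# Root is required: each pass lists and rewrites the nat table with iptables.
User=root
# Source the helper functions once, then run one maintenance pass per second.
ExecStart=/bin/bash -c 'source /etc/maintain-iptables.sh ; while true ; do maintain-iptables ; sleep 1 ; done'
Restart=always
# Disable the start-rate limiter so Restart=always never gives up.
# NOTE(review): newer systemd expects StartLimitIntervalSec= in [Unit]; the
# [Service] spelling is the legacy form and may log a deprecation warning.
StartLimitInterval=0
RestartSec=10
# Least-privilege knobs that do not interfere with iptables or with sourcing
# the script from /etc.
PrivateTmp=true
ProtectHome=true

[Install]
WantedBy=multi-user.target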
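#!/usr/bin/env bash
# Install the maintain-iptables script and its systemd unit, then enable and
# start the service.  Run from the directory holding the downloaded gist files
# (the README invokes it as `sudo bash ./install-maintain-iptables.sh`).
set -o errexit
set -o pipefail
set -o nounset

for f in etc--maintain-iptables.sh etc--systemd--system--maintain-iptables.service ; do
  # "--" in the gist file name stands for "/" in the destination path.
  dest="/${f//--//}"
  if [[ ! -f "${f}" ]]; then
    echo "ERROR: ${f} not found in $(pwd); download the gist files first" 1>&2
    exit 1
  fi
  # Both files are consumed by a root service (the .sh is sourced by root), so
  # pin ownership and mode explicitly instead of inheriting whatever curl and
  # the umask produced — a group/world-writable copy would be root-writable
  # shell by anyone who can edit it.
  sudo chown root:root -- "${f}"
  sudo chmod 0644 -- "${f}"
  sudo mv -- "${f}" "${dest}"
done
sudo systemctl daemon-reload
sudo systemctl enable maintain-iptables
sudo systemctl start maintain-iptables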