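#!/bin/bash
#
# gateway CNI chained plugin.
#
# ADD: marks every packet arriving on the pod's host-side interface with
#      fwmark 512 (egress gateway) and clears that mark again for destinations
#      that must bypass the gateway: the service CIDR, the pod CIDR, and any
#      per-workload "<ipv4[/prefix]>:<port>" exclusions given in the pod
#      annotation cni.edge.ncr.com/gateway-exclude-destination-rules.
#      Setting cni.edge.ncr.com/gateway to "disable" installs no rules.
# DEL: removes every PREROUTING mangle rule tagged with this container id.
#
# Environment (provided by the container runtime per the CNI spec):
#   CNI_COMMAND     - ADD | DEL | GET | VERSION
#   CNI_CONTAINERID - used in the comment that tags every rule this plugin owns
#   DEBUG           - when > 0, trace commands into the log file
# stdin carries the network config including prevResult from the prior plugin.
# The result for the runtime is written to fd 3; all other output goes to the
# log file.

# Set in the body rather than on the shebang line so it also applies when the
# script is invoked as `bash <file>`.
set -e

export COMMENT_PREFIX="gateway"
# Rendered by the node agent's template engine when the plugin is installed.
export SERVICE_CIDR="{{.ServiceNetworkCidr}}"
export POD_CIDR="{{.PodNetworkCidr}}"

# Accepted shapes for the untrusted exclusion entries (pod annotations are
# controlled by whoever can create the pod, so they are validated before they
# reach iptables). Hostnames are deliberately not accepted: iptables would
# resolve them at rule-insertion time.
readonly IPV4_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
readonly PORT_RE='^[0-9]{1,5}$'

if [[ "${DEBUG:-0}" -gt 0 ]]; then set -x; fi

exec 3>&1 # keep the real stdout as fd 3 for the CNI result
exec &>> /var/log/gateway-cni-plugin.log

#######################################
# Abort with CNI error code 7 (invalid network config).
# The JSON error object is written to the log; the runtime receives the
# unchanged prevResult on fd 3 and exit status 7.
# NOTE(review): the CNI spec expects the error object itself on stdout; the
# prevResult-on-fd-3 behaviour is kept as found — confirm against the runtime.
# Globals:   stdin (read)
# Arguments: $1 - short message, $2 - details
# Returns:   never; exits 7
#######################################
fail_invalid_config() {
  local msg=$1 details=$2
  printf '{"cniVersion": "1.0.0", "code": 7, "msg": "%s", "details": "%s"}' "$msg" "$details"
  jq -r '.prevResult' <<<"$stdin" >&3
  exit 7
}

#######################################
# Append one PREROUTING mangle rule for the pod's interface, tagged with this
# container's comment so DEL can find it again.
# Globals:   hostif, COMMENT_PREFIX, CNI_CONTAINERID (read)
# Arguments: extra iptables match/target arguments
#######################################
add_rule() {
  iptables -t mangle -A PREROUTING -i "$hostif" "$@" \
    -m comment --comment "$COMMENT_PREFIX: $CNI_CONTAINERID"
}

case "$CNI_COMMAND" in
  ADD)
    stdin=$(cat)
    hostif=$(jq -r '.prevResult.interfaces[0].name' <<<"$stdin")
    gateway_annotation_value=$(jq -r '.runtimeConfig."io.kubernetes.cri.pod-annotations"."cni.edge.ncr.com/gateway"' <<<"$stdin")
    exclude_addresses=$(jq -r '.runtimeConfig."io.kubernetes.cri.pod-annotations"."cni.edge.ncr.com/gateway-exclude-destination-rules"' <<<"$stdin")

    printf '{"cni_containerid": "%s", "command": "add", "host_interface":"%s","cni.edge.ncr.com/gateway":"%s","cni.edge.ncr.com/gateway-exclude-destination-rules":"%s"}\n' "$CNI_CONTAINERID" "$hostif" "$gateway_annotation_value" "$exclude_addresses"

    [[ -n "$SERVICE_CIDR" ]] || fail_invalid_config "missing service cidr" "service cidr was empty, check node agent logs for more detail"
    [[ -n "$POD_CIDR" ]] || fail_invalid_config "missing pod cidr" "pod cidr was empty, check node agent logs for more detail"
    # jq prints "null" for a missing key; an empty name would also yield an
    # unusable `-i ""`.
    if [[ -z "$hostif" || "$hostif" == "null" ]]; then
      fail_invalid_config "no interface name for cali interface was provided" "host interface was set to null"
    fi

    if [[ "$gateway_annotation_value" != "disable" ]]; then
      # mark all packets with 512 (egress gateway)
      add_rule -j MARK --set-mark 512

      # remove egress gateway mark for packets where destination is in service subnet
      add_rule -d "$SERVICE_CIDR" -j MARK --set-mark 0/512

      # remove egress gateway mark for packets where destination is in cluster subnet
      add_rule -d "$POD_CIDR" -j MARK --set-mark 0/512

      if [[ "$exclude_addresses" != "null" ]]; then
        # remove egress gateway mark for packets where destination is excluded by workload
        IFS=',' read -ra exclusions <<<"$exclude_addresses"
        position=0
        for entry in "${exclusions[@]}"; do
          position=$((position + 1))
          [[ -n "$entry" ]] || continue # tolerate trailing/double commas
          addr=${entry%:*}
          port=${entry##*:}
          # Reject anything that is not <ipv4[/prefix]>:<port> before it reaches
          # iptables: a malformed entry would otherwise abort the ADD half-way,
          # leaving the rules added above in place. 10# forces decimal so a
          # leading zero is not read as octal.
          if [[ "$entry" != *:* || ! "$addr" =~ $IPV4_RE || ! "$port" =~ $PORT_RE ]] \
            || (( 10#$port < 1 || 10#$port > 65535 )); then
            # The raw value is not echoed into the JSON; it is already logged
            # verbatim in the "add" line above.
            fail_invalid_config "invalid gateway-exclude-destination-rules entry" "entry $position is not of the form <ipv4[/prefix]>:<port>"
          fi
          add_rule -d "$addr" -p tcp --dport "$port" -j MARK --set-mark 0/512
          add_rule -d "$addr" -p udp --dport "$port" -j MARK --set-mark 0/512
        done
      fi
    fi

    jq -r '.prevResult' <<<"$stdin" >&3
    ;;

  DEL)
    stdin=$(cat)
    printf '{"cni_containerid": "%s", "command": "delete"}\n' "$CNI_CONTAINERID"

    # Collect our rule numbers highest-first so each deletion leaves the
    # remaining numbers valid. -F matches the comment literally rather than as
    # a regex; -n avoids DNS lookups while listing.
    mapfile -t rule_numbers < <(iptables --line-number -n -t mangle -L PREROUTING \
      | grep -F -- "$COMMENT_PREFIX: $CNI_CONTAINERID" | awk '{print $1}' | tac)
    for rule in "${rule_numbers[@]}"; do
      [[ -n "$rule" ]] || continue
      # best-effort: DEL must succeed even if a rule is already gone
      iptables -t mangle -D PREROUTING "$rule" || true
      sleep 0.1
    done

    printf '%s\n' "$stdin" >&3
    ;;

  GET)
    printf 'GET not supported\n'
    exit 1
    ;;

  VERSION)
    cat <<'EOF' >&3
{
 "cniVersion": "1.0.0",
 "supportedVersions": [ "0.1.0","0.2.0","0.3.0","0.3.1","0.4.0","1.0.0" ]
}
EOF
    ;;

  *)
    printf 'Unknown cni command: %s\n' "$CNI_COMMAND"
    exit 1
    ;;
esac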