...

Source file src/k8s.io/kubernetes/pkg/util/iptables/save_restore_test.go

Documentation: k8s.io/kubernetes/pkg/util/iptables

     1  //go:build linux
     2  // +build linux
     3  
     4  /*
     5  Copyright 2018 The Kubernetes Authors.
     6  
     7  Licensed under the Apache License, Version 2.0 (the "License");
     8  you may not use this file except in compliance with the License.
     9  You may obtain a copy of the License at
    10  
    11      http://www.apache.org/licenses/LICENSE-2.0
    12  
    13  Unless required by applicable law or agreed to in writing, software
    14  distributed under the License is distributed on an "AS IS" BASIS,
    15  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    16  See the License for the specific language governing permissions and
    17  limitations under the License.
    18  */
    19  
    20  package iptables
    21  
    22  import (
    23  	"testing"
    24  
    25  	"github.com/lithammer/dedent"
    26  
    27  	"k8s.io/apimachinery/pkg/util/sets"
    28  )
    29  
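// checkChains parses save with GetChainsFromTable and reports a test error
// unless the returned set of chains is exactly expected.
//
// The comparison runs in both directions: chains that are expected but absent
// from the parse result, and chains the parser returned that were not
// expected. The second direction is what catches a parser that reads a chain
// name out of rule text (a jump target, a comment, a match option) instead of
// only out of the chain declarations.
func checkChains(t *testing.T, save []byte, expected sets.Set[Chain]) {
	// Attribute failures to the calling test's line rather than to this helper.
	t.Helper()

	chains := GetChainsFromTable(save)
	if missing := expected.Difference(chains); len(missing) != 0 {
		t.Errorf("GetChainsFromTable expected chains not present: %v", missing.UnsortedList())
	}
	// The chains listed here were NOT expected, so the message names them as
	// unexpected results rather than as "expected chains".
	if extra := chains.Difference(expected); len(extra) != 0 {
		t.Errorf("GetChainsFromTable returned unexpected chains: %v", extra.UnsortedList())
	}
}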
    41  
// TestGetChainsFromTable feeds GetChainsFromTable a single, well-formed
// iptables-save dump of the nat table and requires that the result is exactly
// the set of chains declared by the ":NAME POLICY [counters]" lines.
//
// The fixture also contains text that is not a chain declaration and that the
// expected set deliberately leaves out: jump targets such as MASQUERADE and
// DNAT, and --comment strings that themselves contain ':' characters. Because
// checkChains also flags extra chains, returning any of those as a chain fails
// the test.
//
// NOTE(review): only one well-formed table is covered here; empty, truncated
// or multi-table input is not exercised by this test.
func TestGetChainsFromTable(t *testing.T) {
	// Every chain declared in the fixture below, built-in and custom alike.
	declared := []Chain{
		ChainPrerouting,
		"INPUT",
		"OUTPUT",
		ChainPostrouting,
		"DOCKER",
		"KUBE-NODEPORT-CONTAINER",
		"KUBE-NODEPORT-HOST",
		"KUBE-PORTALS-CONTAINER",
		"KUBE-PORTALS-HOST",
		"KUBE-SVC-1111111111111111",
		"KUBE-SVC-2222222222222222",
		"KUBE-SVC-3333333333333333",
		"KUBE-SVC-4444444444444444",
		"KUBE-SVC-5555555555555555",
		"KUBE-SVC-6666666666666666",
	}
	want := sets.New(declared...)

	// dedent.Dedent strips the common leading indentation, so the parser sees
	// the dump as iptables-save would print it.
	natDump := dedent.Dedent(`
		# Generated by iptables-save v1.4.21 on Fri Aug  7 14:47:37 2015
		*nat
		:PREROUTING ACCEPT [2:138]
		:INPUT ACCEPT [0:0]
		:OUTPUT ACCEPT [0:0]
		:POSTROUTING ACCEPT [0:0]
		:DOCKER - [0:0]
		:KUBE-NODEPORT-CONTAINER - [0:0]
		:KUBE-NODEPORT-HOST - [0:0]
		:KUBE-PORTALS-CONTAINER - [0:0]
		:KUBE-PORTALS-HOST - [0:0]
		:KUBE-SVC-1111111111111111 - [0:0]
		:KUBE-SVC-2222222222222222 - [0:0]
		:KUBE-SVC-3333333333333333 - [0:0]
		:KUBE-SVC-4444444444444444 - [0:0]
		:KUBE-SVC-5555555555555555 - [0:0]
		:KUBE-SVC-6666666666666666 - [0:0]
		-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
		-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
		-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
		-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
		-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
		-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
		-A POSTROUTING -s 10.246.1.0/24 ! -o cbr0 -j MASQUERADE
		-A POSTROUTING -s 10.0.2.15 -d 10.0.2.15 -m comment --comment "handle pod connecting to self" -j MASQUERADE
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-CONTAINER -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-PORTALS-HOST -d 10.247.0.1 -p tcp -m comment --comment "portal for default/kubernetes:" -m state --state NEW -m tcp --dport 443 -j KUBE-SVC-5555555555555555
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p udp -m comment --comment "portal for kube-system/kube-dns:dns" -m state --state NEW -m udp --dport 53 -j KUBE-SVC-6666666666666666
		-A KUBE-PORTALS-HOST -d 10.247.0.10 -p tcp -m comment --comment "portal for kube-system/kube-dns:dns-tcp" -m state --state NEW -m tcp --dport 53 -j KUBE-SVC-2222222222222222
		-A KUBE-SVC-1111111111111111 -p udp -m comment --comment "kube-system/kube-dns:dns" -m recent --set --name KUBE-SVC-1111111111111111 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-2222222222222222 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SVC-3333333333333333
		-A KUBE-SVC-3333333333333333 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m recent --set --name KUBE-SVC-3333333333333333 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.246.1.2:53
		-A KUBE-SVC-4444444444444444 -p tcp -m comment --comment "default/kubernetes:" -m recent --set --name KUBE-SVC-4444444444444444 --mask 255.255.255.255 --rsource -j DNAT --to-destination 10.245.1.2:443
		-A KUBE-SVC-5555555555555555 -m comment --comment "default/kubernetes:" -j KUBE-SVC-4444444444444444
		-A KUBE-SVC-6666666666666666 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SVC-1111111111111111
		COMMIT
		`)

	checkChains(t, []byte(natDump), want)
}
   103  
