-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmain.go
279 lines (240 loc) · 9.64 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
//
// Copyright © 2016 Samsung CNCT
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
package main
import (
"os"
iptables "github.com/samsung-cnct/gci-iptables-conf-agent/iptables"
"bytes"
"fmt"
"io/ioutil"
"log"
"net/http"
"strconv"
"strings"
"time"
)
const (
// GCI Metadata Server Default Values
gciMetadataFlavorHeader = "Metadata-Flavor"
gciMetadataFlavorHeaderValue = "Google"
gciDefaultScheme = "http"
gciDefaultAuthority = ""
gciDefaultMetadataURN = "metadata.google.internal/computeMetadata/v1/"
gciInstanceResource = "instance/"
gciProjectResource = "project/"
gciAttriburtes = "attributes/"
// A directory of custom metadata values passed to the instance during startup or shutdown.
gciDefaultInstanceAttributes = gciDefaultMetadataURN + gciInstanceResource + gciAttriburtes
// A directory of custom metadata values set for this project
gciDefaultProjectAttributes = gciDefaultMetadataURN + gciProjectResource + gciAttriburtes
// kube-env instance attribute
gciDefaultKubeEnvAttribute = "kube-env"
// Optional query parameters
gciDefaultQueryAltFormat = "alt=json"
gciDefaultQueryRecursive = "recursive=true"
// Our primary attribute collection of interest.
gciDefaultURI = gciDefaultScheme + "://" + gciDefaultInstanceAttributes + gciDefaultKubeEnvAttribute
// The environment key we wish to locate
envClusterIPRangeCIDR = "CLUSTER_IP_RANGE"
// IP Tables NAT Table POSTROUTING MASQUERADE Chain Rule Elements
natPostRoutingPrefix = "-A POSTROUTING"
natPostRoutingSuffix = "-m addrtype ! --dst-type LOCAL -j MASQUERADE"
kubenetNATChainRule = natPostRoutingPrefix + " ! -d 10.0.0.0/8"
kubenetSNATComment = "kubenet: SNAT for outbound traffic from cluster"
clusterIPSNATComment = " -m comment --comment \"ClusterIP: SNAT for outbound traffic\" "
)
type Indicies struct {
kubenet, cluster int
}
var (
clusterIP string
interval int
)
func init() {
log.SetFlags(0)
log.Print("gci-iptables-conf-agent: initialization")
if !CheckIPTablesVersion() {
log.Fatal("Can't continue without a supported version of host system 'iptables' command")
}
body, err := getKubEnvInstanceAttributes()
if err != nil {
log.Fatal(err)
}
clusterIP = getBufferKeyValue(body, envClusterIPRangeCIDR)
if len(clusterIP) == 0 {
log.Fatal("Can't continue without a valid value for Cluster IP Range CIDR")
}
log.Print(fmt.Sprintf("Working Cluster IP Range CIDR: %s\n", clusterIP))
interval, err = strconv.Atoi(os.Getenv("IPTABLES_CHECK_INTERVAL"))
if err != nil {
interval = 60
}
log.Print(fmt.Sprintf("Working iptables check interval: %d seconds\n", interval))
}
func getKubEnvInstanceAttributes() ([]byte, error) {
req, err := http.NewRequest("GET", gciDefaultURI, nil)
if err != nil {
log.Print(fmt.Sprintf("getKubEnvInstanceAttributes: new client request error: %v\n", err))
return nil, err
}
req.Header.Add(gciMetadataFlavorHeader, gciMetadataFlavorHeaderValue)
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
log.Print(fmt.Sprintf("getKubEnvInstanceAttributes: client do error: %v\n", err))
return nil, err
}
b, err := ioutil.ReadAll(resp.Body)
defer resp.Body.Close()
if err != nil {
log.Print(fmt.Sprintf("getKubEnvInstanceAttributes: %s: %v\n", gciDefaultURI, err))
return nil, err
}
return b, nil
}
// searches a buffer for a specific key string. the buffer is a assumed to be a
// byte array composed of multiple input lines delinieated by \n's (e.g. stdout)
func getBufferKeyValue(body []byte, key string) string {
buf := bytes.Split(body, []byte("\n"))
keyBytes := []byte(key)
for i := range buf {
if bytes.Contains(buf[i], keyBytes) {
return string(bytes.Fields(buf[i])[1])
}
}
return ""
}
// CheckIPTablesVersion checks to ensure we are workign with a supported
// version of the iptables save and restore table/chain/rule formats.
func CheckIPTablesVersion() bool {
version := os.Getenv("IPTABLES_VERSION")
if len(version) == 0 {
version = iptables.DefaultVersion
}
match, outstr, err := iptables.VersionCheckCmd(version)
if err != nil {
log.Fatal("Can't execute system command 'iptables --version' - quitting!")
}
if match {
log.Print(fmt.Sprintf("Accepting actual version: %s, satisfies requested: %s", strings.TrimSpace(outstr), version))
return true
}
major := os.Getenv("IPTABLES_MAJOR")
minor := os.Getenv("IPTABLES_MINOR")
patch := os.Getenv("IPTABLES_PATCH")
if major == "*" || minor == "*" {
// If we don't care about the major or minor version, then
// that's good enough to continue on with.
log.Print(fmt.Sprintf("Accepting actual version: %s, by wildcarded major|minor numbers", strings.TrimSpace(outstr)))
return true
}
version = major + "." + minor + "."
if patch != "*" {
version += patch
}
log.Print(fmt.Sprintf("Checking version: %s, major: %s, minor: %s, patch: %s, version string: %s",
version, major, minor, patch, strings.TrimSpace(outstr)))
return strings.Contains(outstr, version)
}
// ValidateIPTables checks a iptables-save generated buffer for several
// chacteristics to determine if it meets the needs of our private IP
// address space VPN tunnel routing rules.
func ValidateIPTables(save []byte, clusterIP string) (Indicies, bool) {
// Validations:
// 0 - Only validate those rules in the '*nat' iptables-save output (not tested - implied)
// 1 - If the save buffer contains the 10.0.0.0/8 MASQUERADE rule, then
// 1.a The save buffer must also contain the derived Cluster IP MASQUERADE rule, and
// 1.b The 10.0.0.0/8 MASQUERADE rule must come after the Cluster IP MASQUERADE rule
// If any part of rule 1 is violated, then we make some additional checks to ensure
// that the rules exactly match the rule format that we expect.
// -- debug cruft
// fmt.Fprintf(os.Stdout, ">>>>>>>>>>>>>>>>>>>>>>>>> Begin Input iptables-save Buffer >>>>>>>>>>>>>>>>>>>>>>>>>\n")
// fmt.Fprintf(os.Stdout, "%s\n", string(save))
// fmt.Fprintf(os.Stdout, ">>>>>>>>>>>>>>>>>>>>>>>>>> End Input iptables-save Buffer >>>>>>>>>>>>>>>>>>>>>>>>>>\n")
saveBuf := bytes.Split(save, []byte("\n"))
clusterIPRule := natPostRoutingPrefix + " ! -d " + clusterIP
indicies := Indicies{
iptables.ContainsRulePart(saveBuf, kubenetNATChainRule),
iptables.ContainsRulePart(saveBuf, clusterIPRule)}
// Line 0 of every iptables-save buffer is a comment
// Check 1, 1.a, and 1.b
if indicies.kubenet > 0 && indicies.cluster > 0 && indicies.kubenet > indicies.cluster {
// do our extended checking now
if !strings.HasSuffix(string(saveBuf[indicies.kubenet]), natPostRoutingSuffix) {
log.Print("Failure: Cluster IP rule suffix is incorrect")
return indicies, false
}
if !strings.HasSuffix(string(saveBuf[indicies.cluster]), natPostRoutingSuffix) {
log.Print("Failure: Kubenet rule suffix is incorrect.")
return indicies, false
}
return indicies, true
}
return indicies, false
}
// ConfigureIPTables forces the iptables-save generated buffer to comply
// with the chacteristics required to meet the needs of our private IP
// address space VPN tunnel routing rules.
func ConfigureIPTables(save []byte, clusterIP string, indicies Indicies) ([]byte, bool) {
restoreBuf := bytes.Split(save, []byte("\n"))
// The first fix for all systems we expect to make is to find only the one Kubenet SNAT rule and no Cluster IP SNAT
if indicies.kubenet > 0 && indicies.cluster == -1 {
// In this case, we must insert the Cluster IP SNAT Rule, making sure to leave the Kubenet SNAT rule in place,
// as we know kubenet will forever try to reinsert this rule if it is not present.
restoreBuf = append(restoreBuf, []byte(""))
copy(restoreBuf[indicies.kubenet+1:], restoreBuf[indicies.kubenet:])
restoreBuf[indicies.kubenet] =
[]byte(natPostRoutingPrefix + " ! -d " + clusterIP + clusterIPSNATComment + natPostRoutingSuffix)
} else if indicies.kubenet > 0 && indicies.cluster > 0 && indicies.kubenet < indicies.cluster {
// The easiest of all fixes is to swap the position of Cluster IP SNAT Rule
// and the Kubenet SNAT rule if they are simply out of order.
restoreBuf[indicies.kubenet], restoreBuf[indicies.cluster] =
restoreBuf[indicies.cluster], restoreBuf[indicies.kubenet]
}
restore := bytes.Join(restoreBuf, []byte("\n"))
_, valid := ValidateIPTables(restore, clusterIP)
return restore, valid
}
func main() {
log.Print("gci-iptables-conf-agent: main service loop beginning...")
for {
time.Sleep(time.Duration(interval) * time.Second)
ipTables, err := iptables.Save()
if err != nil {
log.Print(err)
continue
}
indicies, valid := ValidateIPTables(ipTables, clusterIP)
log.Print(fmt.Sprintf("Kubenet Rule Index: %d, Cluster IP Rule Index: %d",
indicies.kubenet, indicies.cluster))
if valid {
log.Print("IP Tables NAT table check: ok")
} else {
log.Print("Found problem NAT table issue")
restore, valid := ConfigureIPTables(ipTables, clusterIP, indicies)
if valid {
log.Print("NAT table reconfiguration restore buffer created successfully")
if err := iptables.Restore(restore); err == nil {
log.Print("iptables-restore successful")
} else {
log.Print(fmt.Sprintf("iptables-restore failure: %v", err))
}
} else {
log.Print("NAT table reconfiguration restore buffer creation failed")
}
}
}
}