Remove not track DNS rule

kakao · Dec 19, 2020 · fbf8dd9 · fbf8dd9
1 parent 4aa2972
commit fbf8dd9
Show file tree

Hide file tree

Showing 6 changed files with 4 additions and 467 deletions.
diff --git a/README.md b/README.md
@@ -4,7 +4,6 @@ network-node-manager is a kubernetes controller that controls the network config
 
 * [Connection reset issue between pod and out of cluster](issues/connection_reset_issue_pod_out_cluster.md)
 * [External-IP access issue with IPVS proxy mode](issues/external_IP_access_issue_IPVS_proxy_mode.md)
-* [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md) 
 
 ## Deploy
 
@@ -73,35 +72,6 @@ Off
 $ kubectl -n kube-system set env daemonset/network-node-manager RULE_EXTERNAL_CLUSTER_ENABLE=false
 ```
 
-### Enable Not Track DNS Packet Rule
-
-* Related issue : [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md)   
-* Default : false
-* iptables proxy mode manifest : false
-* IPVS proxy mode manifest : false
-
-```
-On
-$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_ENABLE=true
-
-Off
-$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_ENABLE=false
-```
-
-### Set Kubernetes DNS Service Names for Not Track DNS Packet Rule
-
-* Related issue : [DNS packet dropped issue](issues/DNS_packet_dropped_issue.md)   
-* Default : "kube-dns"
-* Support multiple : "kube-dns,kube-dns-second"
-
-```
-Set kube-dns service
-$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_SERVICES="kube-dns"
-
-Set multiple services
-$ kubectl -n kube-system set env daemonset/network-node-manager RULE_NOT_TRACK_DNS_SERVICES="kube-dns,kube-dns-second"
-```
-
 ## How it works?
 
 ![kpexec Architecture](img/network-node-manager_Architecture.PNG)

diff --git a/controllers/service_controller.go b/controllers/service_controller.go
@@ -22,7 +22,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	apierror "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -45,8 +44,6 @@ var (
 
 	configRuleDropInvalidInputEnabled bool
 	configRuleExternalClusterEnabled  bool
-	configRuleNotTrackDNSEnabled      bool
-	configRuleNotTrackDNSServices     []string
 
 	initFlag    = false
 	podCIDRIPv4 string
@@ -92,22 +89,8 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			logger.Error(err, "config error")
 			os.Exit(1)
 		}
-		configRuleNotTrackDNSEnabled, err = configs.GetConfigRuleNotTrackDNSEnabled()
-		if err != nil {
-			logger.Error(err, "config error")
-			os.Exit(1)
-		}
-		configRuleNotTrackDNSServices, err = configs.GetConfigRuleNotTrackDNSServices()
-		if err != nil {
-			logger.Error(err, "config error")
-			os.Exit(1)
-		}
 		logger.WithValues("enabled", configRuleDropInvalidInputEnabled).Info("config rule drop invalid packet in INPUT chain")
 		logger.WithValues("enabled", configRuleExternalClusterEnabled).Info("config rule externalIP to clusterIP")
-		logger.WithValues("enabled", configRuleNotTrackDNSEnabled).Info("config rule not tracking DNS packet")
-		if configRuleNotTrackDNSEnabled {
-			logger.WithValues("services", configRuleNotTrackDNSServices).Info("config rule not tracking DNS packet")
-		}
 
 		// Init packages
 		rules.Init(configPodCIDRIPv4, configPodCIDRIPv6)
@@ -125,33 +108,6 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 			}
 		}
 
-		if configRuleNotTrackDNSEnabled {
-			if err := rules.InitRulesNotTrackDNS(logger); err != nil {
-				logger.Error(err, "failed to init rule not tracking DNS packet")
-				os.Exit(1)
-			}
-
-			// Set rules for DNS services
-			for _, dnsSvcName := range configRuleNotTrackDNSServices {
-				dnsSvc := &corev1.Service{}
-				if err := r.Client.Get(ctx, types.NamespacedName{Namespace: "kube-system", Name: dnsSvcName}, dnsSvc); err != nil {
-					logger.Error(err, "failed to get DNS service info")
-					os.Exit(1)
-				}
-				logger.WithValues("DNS Service", dnsSvc.Name).WithValues("clusterIP", dnsSvc.Spec.ClusterIP).Info("DNS service info")
-
-				if err := rules.CreateRulesNotTrackDNS(logger, dnsSvc.Spec.ClusterIP); err != nil {
-					logger.Error(err, "failed to create rule not tracking DNS packet for a DNS services")
-					os.Exit(1)
-				}
-			}
-		} else {
-			if err := rules.CleanupRulesNotTrackDNS(logger); err != nil {
-				logger.Error(err, "failed to cleanup rule not trackring DNS packet")
-				os.Exit(1)
-			}
-		}
-
 		if configRuleExternalClusterEnabled {
 			// Init externalIP to clusterIP rules
 			if err := rules.InitRulesExternalCluster(logger); err != nil {
@@ -190,25 +146,6 @@ func (r *ServiceReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
 						logger.Error(err, "failed to init rule drop invalid packet in INPUT chain")
 					}
 				}
-				if configRuleNotTrackDNSEnabled {
-					if err := rules.InitRulesNotTrackDNS(logger); err != nil {
-						logger.Error(err, "failed to init rule not tracking DNS packet")
-					}
-
-					// Set rules for DNS services
-					for _, dnsSvcName := range configRuleNotTrackDNSServices {
-						dnsSvc := &corev1.Service{}
-						if err := r.Client.Get(ctx, types.NamespacedName{Namespace: "kube-system", Name: dnsSvcName}, dnsSvc); err != nil {
-							logger.Error(err, "failed to get DNS service info")
-							os.Exit(1)
-						}
-
-						if err := rules.CreateRulesNotTrackDNS(logger, dnsSvc.Spec.ClusterIP); err != nil {
-							logger.Error(err, "failed to create rule not tracking DNS packet")
-							os.Exit(1)
-						}
-					}
-				}
 			}
 		}()
 	}

diff --git a/issues/DNS_packet_dropped_issue.md b/issues/DNS_packet_dropped_issue.md
diff --git a/pkg/configs/configs.go b/pkg/configs/configs.go
@@ -15,10 +15,8 @@ const (
 	EnvPodCIDRIPv4 = "POD_CIDR_IPV4"
 	EnvPodCIDRIPv6 = "POD_CIDR_IPV6"
 
-	EnvRuleDropInvalidInputEnable  = "RULE_DROP_INVALID_INPUT_ENABLE"
-	EnvRuleExternalClusterEnable   = "RULE_EXTERNAL_CLUSTER_ENABLE"
-	EnvRuleDropNotTrackDNSEnable   = "RULE_NOT_TRACK_DNS_ENABLE"
-	EnvRuleDropNotTrackDNSServices = "RULE_NOT_TRACK_DNS_SERVICES"
+	EnvRuleDropInvalidInputEnable = "RULE_DROP_INVALID_INPUT_ENABLE"
+	EnvRuleExternalClusterEnable  = "RULE_EXTERNAL_CLUSTER_ENABLE"
 )
 
 func GetConfigPodCIDRIPv4() (string, error) {
@@ -72,28 +70,3 @@ func GetConfigRuleExternalClusterEnabled() (bool, error) {
 	}
 	return false, fmt.Errorf("wrong config for externalIP to clusterIP DNAT : %s", config)
 }
-
-func GetConfigRuleNotTrackDNSEnabled() (bool, error) {
-	config := os.Getenv(EnvRuleDropNotTrackDNSEnable)
-	config = strings.ToLower(config)
-
-	if config == "" {
-		return false, nil
-	} else if config == EnvConfigFalse {
-		return false, nil
-	} else if config == EnvConfigTrue {
-		return true, nil
-	}
-	return false, fmt.Errorf("wrong config for externalIP to clusterIP DNAT : %s", config)
-}
-
-func GetConfigRuleNotTrackDNSServices() ([]string, error) {
-	configs := os.Getenv(EnvRuleDropNotTrackDNSServices)
-	configs = strings.Replace(configs, " ", "", -1)
-	configs = strings.ToLower(configs)
-
-	if configs == "" {
-		return []string{"kube-dns"}, nil
-	}
-	return strings.Split(configs, ","), nil
-}