istio
210 строк · 8.0 Кб
1// Copyright Istio Authors2//3// Licensed under the Apache License, Version 2.0 (the "License");4// you may not use this file except in compliance with the License.5// You may obtain a copy of the License at6//7// http://www.apache.org/licenses/LICENSE-2.08//9// Unless required by applicable law or agreed to in writing, software10// distributed under the License is distributed on an "AS IS" BASIS,11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.12// See the License for the specific language governing permissions and13// limitations under the License.14package cmd16import (18"fmt"19"os"20"github.com/spf13/cobra"22"istio.io/istio/pkg/flag"24"istio.io/istio/pkg/log"25"istio.io/istio/tools/istio-iptables/pkg/capture"26"istio.io/istio/tools/istio-iptables/pkg/config"27"istio.io/istio/tools/istio-iptables/pkg/constants"28dep "istio.io/istio/tools/istio-iptables/pkg/dependencies"29"istio.io/istio/tools/istio-iptables/pkg/validation"30)31const InvalidDropByIptables = "INVALID_DROP"33func handleErrorWithCode(err error, code int) {35log.Error(err)36os.Exit(code)37}38func bindCmdlineFlags(cfg *config.Config, cmd *cobra.Command) {40fs := cmd.Flags()41flag.Bind(fs, constants.EnvoyPort, "p", "Specify the envoy port to which redirect all TCP traffic.", &cfg.ProxyPort)42flag.BindEnv(fs, constants.InboundCapturePort, "z",44"Port to which all inbound TCP traffic to the pod/VM should be redirected to.",45&cfg.InboundCapturePort)46flag.BindEnv(fs, constants.InboundTunnelPort, "e",48"Specify the istio tunnel port for inbound tcp traffic.",49&cfg.InboundTunnelPort)50flag.BindEnv(fs, constants.ProxyUID, "u",52"Specify the UID of the user for which the redirection is not applied. Typically, this is the UID of the proxy container.",53&cfg.ProxyUID)54flag.BindEnv(fs, constants.ProxyGID, "g",56"Specify the GID of the user for which the redirection is not applied (same default value as -u param).",57&cfg.ProxyGID)58flag.BindEnv(fs, constants.InboundInterceptionMode, "m",60"The mode used to redirect inbound connections to Envoy, either \"REDIRECT\" or \"TPROXY\".",61&cfg.InboundInterceptionMode)62flag.BindEnv(fs, constants.InboundPorts, "b",64"Comma separated list of inbound ports for which traffic is to be redirected to Envoy (optional). "+65"The wildcard character \"*\" can be used to configure redirection for all ports. An empty list will disable.",66&cfg.InboundPortsInclude)67flag.BindEnv(fs, constants.LocalExcludePorts, "d",69"Comma separated list of inbound ports to be excluded from redirection to Envoy (optional). "+70"Only applies when all inbound traffic (i.e. \"*\") is being redirected.",71&cfg.InboundPortsExclude)72flag.BindEnv(fs, constants.ExcludeInterfaces, "c",74"Comma separated list of NIC (optional). Neither inbound nor outbound traffic will be captured.",75&cfg.ExcludeInterfaces)76flag.BindEnv(fs, constants.ServiceCidr, "i",78"Comma separated list of IP ranges in CIDR form to redirect to envoy (optional). "+79"The wildcard character \"*\" can be used to redirect all outbound traffic. An empty list will disable all outbound.",80&cfg.OutboundIPRangesInclude)81flag.BindEnv(fs, constants.ServiceExcludeCidr, "x",83"Comma separated list of IP ranges in CIDR form to be excluded from redirection. "+84"Only applies when all outbound traffic (i.e. \"*\") is being redirected.",85&cfg.OutboundIPRangesExclude)86flag.BindEnv(fs, constants.OutboundPorts, "q",88"Comma separated list of outbound ports to be explicitly included for redirection to Envoy.",89&cfg.OutboundPortsInclude)90flag.BindEnv(fs, constants.LocalOutboundPortsExclude, "o",92"Comma separated list of outbound ports to be excluded from redirection to Envoy.",93&cfg.OutboundPortsExclude)94flag.BindEnv(fs, constants.KubeVirtInterfaces, "k",96"Comma separated list of virtual interfaces whose inbound traffic (from VM) will be treated as outbound.",97&cfg.KubeVirtInterfaces)98flag.BindEnv(fs, constants.InboundTProxyMark, "t", "", &cfg.InboundTProxyMark)100flag.BindEnv(fs, constants.InboundTProxyRouteTable, "r", "", &cfg.InboundTProxyRouteTable)102flag.BindEnv(fs, constants.DryRun, "n", "Do not call any external dependencies like iptables.",104&cfg.DryRun)105flag.BindEnv(fs, constants.TraceLogging, "", "Insert tracing logs for each iptables rules, using the LOG chain.", &cfg.TraceLogging)107flag.BindEnv(fs, constants.RestoreFormat, "f", "Print iptables rules in iptables-restore interpretable format.",109&cfg.RestoreFormat)110flag.BindEnv(fs, constants.IptablesProbePort, "", "Set listen port for failure detection.", &cfg.IptablesProbePort)112flag.BindEnv(fs, constants.ProbeTimeout, "", "Failure detection timeout.", &cfg.ProbeTimeout)114flag.BindEnv(fs, constants.SkipRuleApply, "", "Skip iptables apply.", &cfg.SkipRuleApply)116flag.BindEnv(fs, constants.RunValidation, "", "Validate iptables.", &cfg.RunValidation)118flag.BindEnv(fs, constants.RedirectDNS, "", "Enable capture of dns traffic by istio-agent.", &cfg.RedirectDNS)120// Allow binding to a different var, for consistency with other components121flag.AdditionalEnv(fs, constants.RedirectDNS, "ISTIO_META_DNS_CAPTURE")122flag.BindEnv(fs, constants.DropInvalid, "", "Enable invalid drop in the iptables rules.", &cfg.DropInvalid)124// This could have just used the default but for backwards compat we support the old env.125flag.AdditionalEnv(fs, constants.DropInvalid, InvalidDropByIptables)126flag.BindEnv(fs, constants.DualStack, "", "Enable ipv4/ipv6 redirects for dual-stack.", &cfg.DualStack)128// Allow binding to a different var, for consistency with other components129flag.AdditionalEnv(fs, constants.DualStack, "ISTIO_DUAL_STACK")130flag.BindEnv(fs, constants.CaptureAllDNS, "",132"Instead of only capturing DNS traffic to DNS server IP, capture all DNS traffic at port 53. This setting is only effective when redirect dns is enabled.",133&cfg.CaptureAllDNS)134flag.BindEnv(fs, constants.NetworkNamespace, "", "The network namespace that iptables rules should be applied to.",136&cfg.NetworkNamespace)137flag.BindEnv(fs, constants.CNIMode, "", "Whether to run as CNI plugin.", &cfg.CNIMode)139}140func GetCommand(logOpts *log.Options) *cobra.Command {142cfg := config.DefaultConfig()143cmd := &cobra.Command{144Use: "istio-iptables",145Short: "Set up iptables rules for Istio Sidecar",146Long: "istio-iptables is responsible for setting up port forwarding for Istio Sidecar.",147PreRunE: func(cmd *cobra.Command, args []string) error {148if err := log.Configure(logOpts); err != nil {149return err150}151return nil152},153Run: func(cmd *cobra.Command, args []string) {154cfg.FillConfigFromEnvironment()155if err := cfg.Validate(); err != nil {156handleErrorWithCode(err, 1)157}158if err := ProgramIptables(cfg); err != nil {159handleErrorWithCode(err, 1)160}161if cfg.RunValidation {163validator := validation.NewValidator(cfg)164if err := validator.Run(); err != nil {166// nolint: revive, stylecheck167msg := fmt.Errorf(`iptables validation failed; workload is not ready for Istio.168When using Istio CNI, this can occur if a pod is scheduled before the node is ready.169If installed with 'cni.repair.deletePods=true', this pod should automatically be deleted and retry.171Otherwise, this pod will need to be manually removed so that it is scheduled on a node with istio-cni running, allowing iptables rules to be established.172`)173handleErrorWithCode(msg, constants.ValidationErrorCode)174}175}176},177}178bindCmdlineFlags(cfg, cmd)179return cmd180}181type IptablesError struct {183Error error184ExitCode int185}186func ProgramIptables(cfg *config.Config) error {188var ext dep.Dependencies189if cfg.DryRun {190log.Info("running iptables in dry-run mode, no rule changes will be made")191ext = &dep.DependenciesStub{}192} else {193ext = &dep.RealDependencies{194CNIMode: cfg.CNIMode,195NetworkNamespace: cfg.NetworkNamespace,196}197}198iptConfigurator := capture.NewIptablesConfigurator(cfg, ext)200if !cfg.SkipRuleApply {202if err := iptConfigurator.Run(); err != nil {203return err204}205if err := capture.ConfigureRoutes(cfg); err != nil {206return fmt.Errorf("failed to configure routes: %v", err)207}208}209return nil210}211