New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kube-proxy: add a flag to disable nodePortOnLocalhost #108250
Conversation
/retest |
d000b4f
to
6a2cc5b
Compare
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
3039fef
to
f8033e0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM, small picks
@danwinship you have been most active in here - do you want final LGTM? |
Release note still refers to this as legacy behavior:
suggest:
(Along with thockin's comment about renaming the flag) also, perhaps it makes more sense to have --disable-iptables-nodeport-loopback (default false)? I feel --boolean-flag=false is a bit awkward |
Thanks @thockin @BenTheElder .
@BenTheElder According to the discussion of #108250 (comment) with thockin and dan, we decide to make this flag to |
30b962e
to
5edff57
Compare
Just 1 nit! |
5edff57
to
497a564
Compare
/test pull-kubernetes-unit |
…be accessed via localhost
497a564
to
bef2070
Compare
/test pull-kubernetes-e2e-kind |
/test pull-kubernetes-e2e-gce-ubuntu-containerd |
/test pull-kubernetes-e2e-kind |
/retest |
@cyclinder: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
current failing tests don't seem to be related to the changes |
yeah, it was #113548 /retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cyclinder, thockin The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: cyclinder qifeng.guo@daocloud.io
What type of PR is this?
/kind feature
What this PR does / why we need it:
Adding a flag to disable NodePort services can be accessed on localhost. this will reduce security risks.
Which issue(s) this PR fixes:
refer to:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: