cloudnativelabs#797 Conditionally disable "Allow All" input/chain on IPVS KUBE-ROUTER-SERVICES (cloudnativelabs#809)

* Added flag and condition for open input on iptables cloudnativelabs#797

* Adding flag to docs.

* Updated to remove INPUT/CHAIN entirely. Name changed to IpvsDenyAll.

* Updated README.

* Updated docstring on ipvs-deny-all

* ipvsDenyAll -> ipvsPermitAll

* Updating user guide.

* Descriptions updates per review

Author: DandyDeveloper

docs/user-guide.md

@@ -61,6 +61,7 @@ Usage of kube-router:
       --ipvs-graceful-period duration                 The graceful period before removing destinations from IPVS services (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 30s)
       --ipvs-graceful-termination                     Enables the experimental IPVS graceful terminaton capability
       --ipvs-sync-period duration                     The delay between ipvs config synchronizations (e.g. '5s', '1m', '2h22m'). Must be greater than 0. (default 5m0s)
+      --ipvs-permit-all                               Permit all inbound traffic to the service VIP's
       --kubeconfig string                             Path to kubeconfig file with authorization information (the master location is set by the master flag).
       --masquerade-all                                SNAT all traffic to cluster IP/node port.
       --master string                                 The address of the Kubernetes API server (overrides any value in kubeconfig).

pkg/controllers/proxy/network_services_controller.go

@@ -212,6 +212,7 @@ type NetworkServicesController struct {
 	podCidr             string
 	masqueradeAll       bool
 	globalHairpin       bool
+	ipvsPermitAll       bool
 	client              kubernetes.Interface
 	nodeportBindOnAllIp bool
 	MetricsEnabled      bool
@@ -505,8 +506,14 @@ func (nsc *NetworkServicesController) setupIpvsFirewall() error {
 		return fmt.Errorf("Failed to run iptables command: %s", err.Error())
 	}
 
+	// config.IpvsPermitAll: true then create INPUT/KUBE-ROUTER-SERVICE Chain creation else return
+	if !config.ipvsPermitAll {
+		return nil
+	}
+
 	var comment string
 	var args []string
+	var exists bool
 
 	comment = "allow input traffic to ipvs services"
 	args = []string{"-m", "comment", "--comment", comment,
@@ -561,8 +568,8 @@ func (nsc *NetworkServicesController) setupIpvsFirewall() error {
 
 func (nsc *NetworkServicesController) cleanupIpvsFirewall() {
 	/*
-	   - delete firewall rules
-	   - delete ipsets
+		- delete firewall rules
+		- delete ipsets
 	*/
 	var err error
 
@@ -2446,6 +2453,8 @@ func NewNetworkServicesController(clientset kubernetes.Interface,
 	nsc.svcLister = svcInformer.GetIndexer()
 	nsc.ServiceEventHandler = nsc.newSvcEventHandler()
 
+	nsc.ipvsPermitAll = config.IpvsPermitAll
+
 	nsc.epLister = epInformer.GetIndexer()
 	nsc.EndpointsEventHandler = nsc.newEndpointsEventHandler()
 

pkg/controllers/proxy/network_services_controller_moq.go

@@ -39,6 +39,7 @@ type KubeRouterConfig struct {
 	IpvsSyncPeriod                 time.Duration
 	IpvsGracefulPeriod             time.Duration
 	IpvsGracefulTermination        bool
+	IpvsPermitAll                  bool
 	Kubeconfig                     string
 	MasqueradeAll                  bool
 	Master                         string
@@ -108,6 +109,8 @@ func (s *KubeRouterConfig) AddFlags(fs *pflag.FlagSet) {
 		"The graceful period before removing destinations from IPVS services (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
 	fs.BoolVar(&s.IpvsGracefulTermination, "ipvs-graceful-termination", false,
 		"Enables the experimental IPVS graceful terminaton capability")
+	fs.BoolVar(&s.IpvsPermitAll, "ipvs-permit-all", true,
+		"Enables rule to accept all incoming traffic to service VIP's on the node.")
 	fs.DurationVar(&s.RoutesSyncPeriod, "routes-sync-period", s.RoutesSyncPeriod,
 		"The delay between route updates and advertisements (e.g. '5s', '1m', '2h22m'). Must be greater than 0.")
 	fs.BoolVar(&s.AdvertiseClusterIp, "advertise-cluster-ip", false,