Prevent masquerading pod -> NodeIP traffic (#174)

* Move getNodeIP logic to utils package

Remove redundant ipset lookups

utils.NewIPSet() does this for us.

* Don't masquerade pod -> nodeAddrsIPSet traffic

Previously with Pod egress enabled, this would get masqueraded.
This change also adds cleanup for said ipset.

* Enhanced cleanup of Pod egress, overlay networking

- Delete old/bad pod egress iptables rule(s) from old versions
- When pod egress or overlay are disabled, cleanup as needed

* Update IPSet.Sets to map type

* ipset enhancements

- Avoid providing method that would delete all ipset sets on a system
- New method DestroyAllWithin() destroys sets tracked by an IPSet
- Create() now handles cases where Sets/System state are not in sync
- Refresh() now handles leftover -temp set gracefully
- Swap() now uses ipset swap
- Delete() improved sync of Sets and system state
- Get() now validates if map element exists before trying
- etc

* Update routes controller to reflect ipset changes

Author: bzub

app/controllers/network_policy_controller.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"net"
-	"os/exec"
 	"strconv"
 	"strings"
 	"sync"
@@ -20,7 +19,6 @@ import (
 	"github.com/golang/glog"
 	"k8s.io/client-go/kubernetes"
 	api "k8s.io/client-go/pkg/api/v1"
-	apiv1 "k8s.io/client-go/pkg/api/v1"
 	apiextensions "k8s.io/client-go/pkg/apis/extensions/v1beta1"
 	networking "k8s.io/client-go/pkg/apis/networking/v1"
 )
@@ -45,7 +43,7 @@ type NetworkPolicyController struct {
 
 	// list of all active network policies expressed as networkPolicyInfo
 	networkPoliciesInfo *[]networkPolicyInfo
-	ipset               *utils.IPSet
+	ipSetHandler        *utils.IPSet
 }
 
 // internal structure to represent a network policy
@@ -168,11 +166,6 @@ func (npc *NetworkPolicyController) Sync() error {
 	npc.mu.Lock()
 	defer npc.mu.Unlock()
 
-	_, err = exec.LookPath("ipset")
-	if err != nil {
-		return errors.New("Ensure ipset package is installed: " + err.Error())
-	}
-
 	start := time.Now()
 	defer func() {
 		glog.Infof("sync iptables took %v", time.Since(start))
@@ -239,7 +232,7 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains() (map[string]bool,
 
 		// create a ipset for all destination pod ip's matched by the policy spec PodSelector
 		destPodIpSetName := policyDestinationPodIpSetName(policy.namespace, policy.name)
-		destPodIpSet, err := npc.ipset.Create(destPodIpSetName, utils.TypeHashIP, utils.OptionTimeout, "0")
+		destPodIpSet, err := npc.ipSetHandler.Create(destPodIpSetName, utils.TypeHashIP, utils.OptionTimeout, "0")
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to create ipset: %s", err.Error())
 		}
@@ -274,7 +267,7 @@ func (npc *NetworkPolicyController) syncNetworkPolicyChains() (map[string]bool,
 
 			if len(ingressRule.srcPods) != 0 {
 				srcPodIpSetName := policySourcePodIpSetName(policy.namespace, policy.name, i)
-				srcPodIpSet, err := npc.ipset.Create(srcPodIpSetName, utils.TypeHashIP, utils.OptionTimeout, "0")
+				srcPodIpSet, err := npc.ipSetHandler.Create(srcPodIpSetName, utils.TypeHashIP, utils.OptionTimeout, "0")
 				if err != nil {
 					return nil, nil, fmt.Errorf("failed to create ipset: %s", err.Error())
 				}
@@ -869,21 +862,6 @@ func policySourcePodIpSetName(namespace, policyName string, ingressRuleNo int) s
 	return "KUBE-SRC-" + encoded[:16]
 }
 
-func getNodeIP(node *apiv1.Node) (net.IP, error) {
-	addresses := node.Status.Addresses
-	addressMap := make(map[apiv1.NodeAddressType][]apiv1.NodeAddress)
-	for i := range addresses {
-		addressMap[addresses[i].Type] = append(addressMap[addresses[i].Type], addresses[i])
-	}
-	if addresses, ok := addressMap[apiv1.NodeInternalIP]; ok {
-		return net.ParseIP(addresses[0].Address), nil
-	}
-	if addresses, ok := addressMap[apiv1.NodeExternalIP]; ok {
-		return net.ParseIP(addresses[0].Address), nil
-	}
-	return nil, errors.New("host IP unknown")
-}
-
 // Cleanup cleanup configurations done
 func (npc *NetworkPolicyController) Cleanup() {
 
@@ -961,7 +939,7 @@ func (npc *NetworkPolicyController) Cleanup() {
 	}
 
 	// delete all ipsets
-	err = npc.ipset.Destroy()
+	err = npc.ipSetHandler.DestroyAllWithin()
 	if err != nil {
 		glog.Errorf("Failed to clean up ipsets: " + err.Error())
 	}
@@ -989,7 +967,7 @@ func NewNetworkPolicyController(clientset *kubernetes.Clientset, config *options
 
 	npc.nodeHostName = node.Name
 
-	nodeIP, err := getNodeIP(node)
+	nodeIP, err := utils.GetNodeIP(node)
 	if err != nil {
 		return nil, err
 	}
@@ -1003,7 +981,7 @@ func NewNetworkPolicyController(clientset *kubernetes.Clientset, config *options
 	if err != nil {
 		return nil, err
 	}
-	npc.ipset = ipset
+	npc.ipSetHandler = ipset
 
 	watchers.PodWatcher.RegisterHandler(&npc)
 	watchers.NetworkPolicyWatcher.RegisterHandler(&npc)