From e566e5545e0887b3be1f123e966465af0a4d5464 Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Fri, 20 Oct 2023 14:15:24 +0900
Subject: [PATCH 1/3] manifests:fixed and organized
---
 .../{ => ext-cluster}/kube-loxilb-cidrv6.yaml | 0
 .../kube-loxilb-secondaryIPs.yaml | 0
 manifest/{ => ext-cluster}/kube-loxilb.yaml | 0
 manifest/in-cluster/kube-loxilb.yaml | 134 ++++++++++++++++++
 manifest/{ => in-cluster}/loxilb-peer.yml | 12 +-
 manifest/{ => in-cluster}/loxilb.yaml | 13 +-
 manifest/{ => workloads}/iperf.yaml | 0
 manifest/{ => workloads}/nginx-liveness.yaml | 0
 manifest/{ => workloads}/sctp.yaml | 0
 manifest/{ => workloads}/udp-echo-svc-lb.yml | 0
 10 files changed, 155 insertions(+), 4 deletions(-)
 rename manifest/{ => ext-cluster}/kube-loxilb-cidrv6.yaml (100%)
 rename manifest/{ => ext-cluster}/kube-loxilb-secondaryIPs.yaml (100%)
 rename manifest/{ => ext-cluster}/kube-loxilb.yaml (100%)
 create mode 100644 manifest/in-cluster/kube-loxilb.yaml
 rename manifest/{ => in-cluster}/loxilb-peer.yml (87%)
 rename manifest/{ => in-cluster}/loxilb.yaml (76%)
 rename manifest/{ => workloads}/iperf.yaml (100%)
 rename manifest/{ => workloads}/nginx-liveness.yaml (100%)
 rename manifest/{ => workloads}/sctp.yaml (100%)
 rename manifest/{ => workloads}/udp-echo-svc-lb.yml (100%)
diff --git a/manifest/kube-loxilb-cidrv6.yaml b/manifest/ext-cluster/kube-loxilb-cidrv6.yaml
similarity index 100%
rename from manifest/kube-loxilb-cidrv6.yaml
rename to manifest/ext-cluster/kube-loxilb-cidrv6.yaml
diff --git a/manifest/kube-loxilb-secondaryIPs.yaml b/manifest/ext-cluster/kube-loxilb-secondaryIPs.yaml
similarity index 100%
rename from manifest/kube-loxilb-secondaryIPs.yaml
rename to manifest/ext-cluster/kube-loxilb-secondaryIPs.yaml
diff --git a/manifest/kube-loxilb.yaml b/manifest/ext-cluster/kube-loxilb.yaml
similarity index 100%
rename from manifest/kube-loxilb.yaml
rename to manifest/ext-cluster/kube-loxilb.yaml
diff --git a/manifest/in-cluster/kube-loxilb.yaml b/manifest/in-cluster/kube-loxilb.yaml
new file mode 100644
index 0000000..9c90905
--- /dev/null
+++ b/manifest/in-cluster/kube-loxilb.yaml
@@ -0,0 +1,134 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kube-loxilb
+ namespace: kube-system
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kube-loxilb
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - services/status
+ verbs:
+ - get
+ - watch
+ - list
+ - patch
+ - update
+ - apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+ - apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: kube-loxilb
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube-loxilb
+subjects:
+ - kind: ServiceAccount
+ name: kube-loxilb
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kube-loxilb
+ namespace: kube-system
+ labels:
+ app: kube-loxilb-app
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kube-loxilb-app
+ template:
+ metadata:
+ labels:
+ app: kube-loxilb-app
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ # Mark the pod as a critical add-on for rescheduling.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ priorityClassName: system-node-critical
+ serviceAccountName: kube-loxilb
+ terminationGracePeriodSeconds: 0
+ containers:
+ - name: kube-loxilb
+ image: ghcr.io/loxilb-io/kube-loxilb:latest
+ imagePullPolicy: Always
+ command:
+ - /bin/kube-loxilb
+ args:
+ #- --loxiURL=http://192.168.80.10:11111
+ - --externalCIDR=123.123.123.1/24
+ #- --externalSecondaryCIDRs=124.124.124.1/24,125.125.125.1/24
+ - --setBGP=64512
+ - --listenBGPPort=1791
+ - --setRoles=0.0.0.0
+ #- --monitor
+ #- --extBGPPeers=50.50.50.1:65101,51.51.51.1:65102
+ #- --setLBMode=1
+ #- --config=/opt/loxilb/agent/kube-loxilb.conf
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "50Mi"
+ limits:
+ cpu: "100m"
+ memory: "50Mi"
+ securityContext:
+ privileged: true
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
diff --git a/manifest/loxilb-peer.yml b/manifest/in-cluster/loxilb-peer.yml
similarity index 87%
rename from manifest/loxilb-peer.yml
rename to manifest/in-cluster/loxilb-peer.yml
index 6717f7b..5b35cd2 100644
--- a/manifest/loxilb-peer.yml
+++ b/manifest/in-cluster/loxilb-peer.yml
@@ -30,7 +30,8 @@ spec:
 command: [ "/root/loxilb-io/loxilb/loxilb", "--peer" ]
 ports:
 - containerPort: 11111
- - containerPort: 179
+ - containerPort: 1791
+ - containerPort: 50051
 securityContext:
 privileged: true
 capabilities:
@@ -52,7 +53,12 @@ spec:
 targetPort: 11111
 protocol: TCP
 - name: loxilb-peer-bgp
- port: 179
- targetPort: 179
+ port: 1791
+ targetPort: 1791
 protocol: TCP
+ - name: loxilb-peer-gobgp
+ port: 50051
+ targetPort: 50051
+ protocol: TCP
+
diff --git a/manifest/loxilb.yaml b/manifest/in-cluster/loxilb.yaml
similarity index 76%
rename from manifest/loxilb.yaml
rename to manifest/in-cluster/loxilb.yaml
index 4c6587b..1009972 100644
--- a/manifest/loxilb.yaml
+++ b/manifest/in-cluster/loxilb.yaml
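Review bot: `privileged: true` under securityContext at the end of the new kube-loxilb Deployment makes the `capabilities: add: ["NET_ADMIN", "NET_RAW"]` list right below it redundant, since a privileged container already holds every capability; keep one or the other, and if the controller only needs those two capabilities, drop `privileged: true` so the pod runs with the narrower set. The same container uses `image: ghcr.io/loxilb-io/kube-loxilb:latest` with `imagePullPolicy: Always`, so every pod restart may pull a different build; a version tag or `@sha256:` digest makes the deployed code reproducible, and this also applies to the loxilb.yaml hunk in this patch, which adds `imagePullPolicy: Always` next to the existing `:latest` image. The ClusterRole grants `patch` on `nodes` and `pods` cluster-wide; a comment per rule such as `# patch on nodes: <which controller path needs it — fill in>` would let the grant be trimmed later without guesswork.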
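Review bot: the new `containerPort: 50051` in the loxilb-peer hunk, together with the `loxilb-peer-gobgp` Service port added in the following hunk and the `loxilb-app-gobgp` port pair in the loxilb.yaml hunks, appears (from the name and the number) to be the GoBGP gRPC control API; that API is a management interface for the BGP daemon, and publishing it as a Service port makes it reachable from any pod in the cluster, which presumably is not intended if only kube-loxilb on the same host consumes it. If the consumer is local, leave the port off the Service and reach it over the host network; if it must be a Service port, add a NetworkPolicy limiting sources and a comment on the port line, e.g. `# 50051: gobgp gRPC API, consumed by <fill in>`. The change from 179 to 1791 is consistent with `--listenBGPPort=1791` in the kube-loxilb manifest, but the peer's own BGP configuration that might still expect 179 is outside this hunk.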
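Review bot: the last added line of the second loxilb-peer hunk is an empty line after `protocol: TCP`, which leaves the Service file with a trailing blank line that yamllint's `empty-lines` rule will flag; drop it so the document ends at `protocol: TCP`. The enclosing Service definition starts before this hunk.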
@@ -32,9 +32,12 @@ spec:
 containers:
 - name: loxilb-app
 image: "ghcr.io/loxilb-io/loxilb:latest"
- command: [ "/root/loxilb-io/loxilb/loxilb" ]
+ imagePullPolicy: Always
+ command: [ "/root/loxilb-io/loxilb/loxilb", "--bgp", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico|" ]
 ports:
 - containerPort: 11111
+ - containerPort: 179
+ - containerPort: 50051
 securityContext:
 privileged: true
 capabilities:
@@ -55,3 +58,11 @@ spec:
 port: 11111
 targetPort: 11111
 protocol: TCP
+ - name: loxilb-app-bgp
+ port: 179
+ targetPort: 179
+ protocol: TCP
+ - name: loxilb-app-gobgp
+ port: 50051
+ targetPort: 50051
+ protocol: TCP
diff --git a/manifest/iperf.yaml b/manifest/workloads/iperf.yaml
similarity index 100%
rename from manifest/iperf.yaml
rename to manifest/workloads/iperf.yaml
diff --git a/manifest/nginx-liveness.yaml b/manifest/workloads/nginx-liveness.yaml
similarity index 100%
rename from manifest/nginx-liveness.yaml
rename to manifest/workloads/nginx-liveness.yaml
diff --git a/manifest/sctp.yaml b/manifest/workloads/sctp.yaml
similarity index 100%
rename from manifest/sctp.yaml
rename to manifest/workloads/sctp.yaml
diff --git a/manifest/udp-echo-svc-lb.yml b/manifest/workloads/udp-echo-svc-lb.yml
similarity index 100%
rename from manifest/udp-echo-svc-lb.yml
rename to manifest/workloads/udp-echo-svc-lb.yml
From 4a138096c990ae8cf94ed969207c2ef0bdfd91dc Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Fri, 20 Oct 2023 14:19:13 +0900
Subject: [PATCH 2/3] security fix for CVE-2023-44487
---
 go.mod | 8 ++++----
 go.sum | 20 ++++++++------------
 2 files changed, 12 insertions(+), 16 deletions(-)
diff --git a/go.mod b/go.mod
index 596bdda..a438351 100644
--- a/go.mod
+++ b/go.mod
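Review bot: the rewritten `command:` line in the first loxilb.yaml hunk packs the binary and four flags, including the long `--blacklist=` regex, into a single flow sequence of roughly 150 characters, which is hard to read and turns every future flag change into a diff of the whole line; a block sequence with one argument per line reads and diffs better, and patch 3 of this series edits this same line again, so it is worth converting once. The value of each entry below is taken verbatim from this hunk.

```yaml
command:
  - /root/loxilb-io/loxilb/loxilb
  - --bgp
  - --egr-hooks
  - "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico|"
# … unchanged: ports, securityContext …
```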
@@ -45,11 +45,11 @@ require (
 github.com/prometheus/client_model v0.3.0 // indirect
 github.com/prometheus/common v0.37.0 // indirect
 github.com/prometheus/procfs v0.8.0 // indirect
- golang.org/x/net v0.10.0 // indirect
+ golang.org/x/net v0.17.0 // indirect
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
- golang.org/x/sys v0.8.0 // indirect
- golang.org/x/term v0.8.0 // indirect
- golang.org/x/text v0.9.0 // indirect
+ golang.org/x/sys v0.13.0 // indirect
+ golang.org/x/term v0.13.0 // indirect
+ golang.org/x/text v0.13.0 // indirect
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 google.golang.org/appengine v1.6.7 // indirect
 google.golang.org/protobuf v1.28.1 // indirect
diff --git a/go.sum b/go.sum
index 9479de0..4fc2475 100644
--- a/go.sum
+++ b/go.sum
@@ -180,10 +180,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/loxilb-io/loxilib v0.8.9-0.20230912151154-77916e85579d h1:5/t+GeKobAalffd2TBmv3opDCybbn5OKgDEzH2odz70=
-github.com/loxilb-io/loxilib v0.8.9-0.20230912151154-77916e85579d/go.mod h1:LoQCxBz+N0fO9rGwRmPHrQPHol/jUf4MNpph63Cydkg=
-github.com/loxilb-io/loxilib v0.8.9-0.20230912152221-ce487be25ba1 h1:/7p7pokrmfaZ2CKgd85xZ70tcp6C1ZJ4tLaG1da5xik=
-github.com/loxilb-io/loxilib v0.8.9-0.20230912152221-ce487be25ba1/go.mod h1:LoQCxBz+N0fO9rGwRmPHrQPHol/jUf4MNpph63Cydkg=
 github.com/loxilb-io/loxilib v0.8.9-0.20230917073555-122edd7e0df4 h1:m8M42sDLZ6irtBLwBUY2arvU52vWmVvWiiE3mvMPAOM=
 github.com/loxilb-io/loxilib v0.8.9-0.20230917073555-122edd7e0df4/go.mod h1:LoQCxBz+N0fO9rGwRmPHrQPHol/jUf4MNpph63Cydkg=
 github.com/loxilb-io/sctp v0.0.0-20230519081703-6d1baec82fd4 h1:oDc2lsbfuQEcVP3k+Pw4v6Xdm3t4M9vBc1Y9egszv6g=
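Review bot: bumping `golang.org/x/net` to v0.17.0 in this go.mod hunk addresses CVE-2023-44487 (HTTP/2 rapid reset) only for servers built on `golang.org/x/net/http2`; the standard-library `net/http` server received the equivalent fix in the Go 1.21.3 / 1.20.10 toolchain releases, so the `go` directive and the toolchain used by CI and the container build, both outside this hunk, should be checked too, otherwise the commit title promises more than the change delivers. All four bumped requirements are `// indirect`, which is fine for version selection, but it means any HTTP/2 exposure is via a dependency; a one-line note in the commit message naming the component that terminates HTTP/2 here (or stating that none does) would make the fix auditable later.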
@@ -336,8 +332,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
+golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -395,12 +391,12 @@ golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
+golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
-golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -408,8 +404,8 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
From bf5152f1ea53dbed1815b4f8e7e183bf9e285df5 Mon Sep 17 00:00:00 2001
From: Trekkie Coder
Date: Fri, 20 Oct 2023 14:38:02 +0900
Subject: [PATCH 3/3] manifests:fixed and organized
---
 manifest/in-cluster/loxilb.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/manifest/in-cluster/loxilb.yaml b/manifest/in-cluster/loxilb.yaml
index 1009972..21bf2d3 100644
--- a/manifest/in-cluster/loxilb.yaml
+++ b/manifest/in-cluster/loxilb.yaml
@@ -33,7 +33,7 @@ spec:
 - name: loxilb-app
 image: "ghcr.io/loxilb-io/loxilb:latest"
 imagePullPolicy: Always
- command: [ "/root/loxilb-io/loxilb/loxilb", "--bgp", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico|" ]
+ command: [ "/root/loxilb-io/loxilb/loxilb", "--bgp", "--egr-hooks", "--blacklist=cni[0-9a-z]|veth.|flannel.|cali.|tunl.|vxlan[.]calico" ]
 ports:
 - containerPort: 11111
 - containerPort: 179
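Review bot: the corrected `--blacklist=` value in the patch 3 hunk mixes `vxlan[.]calico`, where the dot is escaped, with `veth.`, `flannel.`, `cali.` and `tunl.`, where an unescaped `.` is the regex any-character match (so `cali.` matches `cali0` and `calix` alike); if a one-character wildcard for the interface suffix is intended, a comment above `command:` such as `# --blacklist is a regex; the trailing '.' in veth./flannel./cali./tunl. is a one-character wildcard, not a literal dot` would stop the next reader from "fixing" it, and if a literal dot was meant, `[.]` as used for vxlan is the portable spelling. The pattern also carries no `^` anchor, so presumably it matches anywhere in an interface name — worth confirming against how loxilb applies the list, since an over-broad match here would quietly exclude interfaces from the egress hooks. The container spec continues outside the hunk.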