eriksywu · February 22, 2021 22:45
diff --git a/aks_ensure_no_dup_ds.yaml b/aks_ensure_no_dup_ds.yaml
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
  name: ensure-no-dup
  namespace: kube-system
  labels:
    app: ensure-no-dup
 spec:
  selector:
    matchLabels:
      name: ensure-no-dup
  template:
    metadata:
      labels:
        name: ensure-no-dup
    spec:
      hostPID: true
      hostNetwork: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      containers:
        - name: nsenter
          image: mcr.microsoft.com/azure-policy/alpine:prod_20200505.1
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: true
          command:
            - nsenter
            - --target
            - "1"
            - --mount
            - --uts
            - --ipc
            - --net
            - --pid
            - --
            - sh
            - -c
            - |
              #! /bin/sh
              set -u
              echo "ensure-no-dup daemonset starting..."
              wait=false
              while true; do
                if [ "${wait}" = true ]; then
                  echo "sleeping for 60s"
                  sleep 60
                fi
                wait=true
                ls -s /var/run/docker.sock 2>/dev/null
                if [ $? -eq 0 ]; then
                  echo "this node runs docker. not going to do anything."
                  continue
                fi
                ebtables -t filter -L AKS-DEDUP 2>/dev/null
                if [ $? -eq 0 ]; then
                    echo "AKS-DEDUP chain already set. not going to do anything."
                    continue
                fi
                if [ ! -f /etc/cni/net.d/10-containerd-net.conflist ]; then
                  echo "cni config not up yet...checking again in 60s"
                  continue
                fi
                podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist  | jq -r ".plugins[] | select(.type == \"bridge\") | .ipam.subnet")
                if [ ! -f /sys/class/net/cbr0/address ]; then
                  echo "cbr0 bridge not up yet...checking again in 60s"
                  continue
                fi
                cbr0MAC=$(cat /sys/class/net/cbr0/address)
                cbr0IP=$(ip addr show cbr0 | grep -Eo "inet ([0-9]*\.){3}[0-9]*" | grep -Eo "([0-9]*\.){3}[0-9]*")
                if [ -z "${cbr0IP}" ]; then
                  echo "cbr0 bridge does not have an ipv4 address...checking again in 60s"
                  continue
                fi
                echo "setting ebtable rules"
                ebtables -t filter -N AKS-DEDUP # add new AKS-DEDUP chain
                ebtables -t filter -A OUTPUT -j AKS-DEDUP # add new rule to OUTPUT chain jump to AKS-DEDUP
                ebtables -t filter -A AKS-DEDUP -p IPv4 -s ${cbr0MAC} -o veth+ --ip-src ${cbr0IP} -j ACCEPT
                ebtables -t filter -A AKS-DEDUP -p IPv4 -s ${cbr0MAC} -o veth+ --ip-src ${podSubnetAddr} -j DROP
              done
	kind: DaemonSet
	apiVersion: apps/v1
	metadata:
	name: ensure-no-dup
	namespace: kube-system
	labels:
	app: ensure-no-dup
	spec:
	selector:
	matchLabels:
	name: ensure-no-dup
	template:
	metadata:
	labels:
	name: ensure-no-dup
	spec:
	hostPID: true
	hostNetwork: true
	nodeSelector:
	beta.kubernetes.io/os: linux
	containers:
	- name: nsenter
	image: mcr.microsoft.com/azure-policy/alpine:prod_20200505.1
	imagePullPolicy: IfNotPresent
	securityContext:
	privileged: true
	command:
	- nsenter
	- --target
	- "1"
	- --mount
	- --uts
	- --ipc
	- --net
	- --pid
	- --
	- sh
	- -c
	- \|
	#! /bin/sh
	set -u
	echo "ensure-no-dup daemonset starting..."
	wait=false
	while true; do
	if [ "${wait}" = true ]; then
	echo "sleeping for 60s"
	sleep 60
	fi
	wait=true
	ls -s /var/run/docker.sock 2>/dev/null
	if [ $? -eq 0 ]; then
	echo "this node runs docker. not going to do anything."
	continue
	fi
	ebtables -t filter -L AKS-DEDUP 2>/dev/null
	if [ $? -eq 0 ]; then
	echo "AKS-DEDUP chain already set. not going to do anything."
	continue
	fi
	if [ ! -f /etc/cni/net.d/10-containerd-net.conflist ]; then
	echo "cni config not up yet...checking again in 60s"
	continue
	fi
	podSubnetAddr=$(cat /etc/cni/net.d/10-containerd-net.conflist \| jq -r ".plugins[] \| select(.type == \"bridge\") \| .ipam.subnet")
	if [ ! -f /sys/class/net/cbr0/address ]; then
	echo "cbr0 bridge not up yet...checking again in 60s"
	continue
	fi
	cbr0MAC=$(cat /sys/class/net/cbr0/address)
	cbr0IP=$(ip addr show cbr0 \| grep -Eo "inet ([0-9]\.){3}[0-9]" \| grep -Eo "([0-9]\.){3}[0-9]")
	if [ -z "${cbr0IP}" ]; then
	echo "cbr0 bridge does not have an ipv4 address...checking again in 60s"
	continue
	fi
	echo "setting ebtable rules"
	ebtables -t filter -N AKS-DEDUP # add new AKS-DEDUP chain
	ebtables -t filter -A OUTPUT -j AKS-DEDUP # add new rule to OUTPUT chain jump to AKS-DEDUP
	ebtables -t filter -A AKS-DEDUP -p IPv4 -s ${cbr0MAC} -o veth+ --ip-src ${cbr0IP} -j ACCEPT
	ebtables -t filter -A AKS-DEDUP -p IPv4 -s ${cbr0MAC} -o veth+ --ip-src ${podSubnetAddr} -j DROP
	done