Repository: flannel-io/flannel
Branch: master
Commit: 37203fabbeaf
Files: 175
Total size: 687.0 KB
Directory structure:
gitextract_7j0sgt1x/
├── .dockerignore
├── .github/
│ ├── ISSUE_TEMPLATE.md
│ ├── PULL_REQUEST_TEMPLATE.md
│ ├── dependabot.yml
│ ├── stale.yml
│ └── workflows/
│ ├── build.yaml
│ ├── codeql-analysis.yml
│ ├── e2eTests.yaml
│ ├── golangci-lint.yaml
│ ├── k3s-e2eTests.yml
│ ├── release.yml
│ ├── scorecard.yml
│ └── trivy.yml
├── .gitignore
├── ACTIVITY_SUMMARY_2025.md
├── CONTRIBUTING.md
├── DCO
├── Documentation/
│ ├── adrs/
│ │ └── add-nftables-implementation.md
│ ├── backends.md
│ ├── building.md
│ ├── configuration.md
│ ├── extension.md
│ ├── integrations.md
│ ├── kube-flannel.yml
│ ├── kubernetes.md
│ ├── kustomization/
│ │ └── kube-flannel/
│ │ ├── kube-flannel.yml
│ │ └── kustomization.yaml
│ ├── minikube.yml
│ ├── netpol.md
│ ├── reporting_bugs.md
│ ├── reservations.md
│ ├── running.md
│ ├── tencentcloud-vpc-backend.md
│ ├── troubleshooting.md
│ └── upgrade.md
├── LICENSE
├── Makefile
├── OWNERS
├── README.md
├── SECURITY.md
├── chart/
│ ├── README.md
│ └── kube-flannel/
│ ├── .helmignore
│ ├── Chart.yaml
│ ├── templates/
│ │ ├── config.yaml
│ │ ├── daemonset.yaml
│ │ ├── rbac.yaml
│ │ └── serviceaccount.yaml
│ ├── tests/
│ │ └── daemonset_test.yaml
│ └── values.yaml
├── code-of-conduct.md
├── dist/
│ ├── extension-hostgw
│ ├── extension-vxlan
│ ├── extension-wireguard
│ ├── fake-node.yaml
│ ├── functional-test-k8s.sh
│ ├── functional-test.sh
│ ├── ipsec
│ ├── license-check.sh
│ ├── mk-docker-opts.sh
│ ├── mk-docker-opts_tests.sh
│ ├── sample_subnet.env
│ ├── snap/
│ │ ├── README.md
│ │ └── snapcraft.yaml
│ ├── test/
│ │ ├── ca-config.json
│ │ ├── ca-csr.json
│ │ ├── ca-key.pem
│ │ ├── ca.csr
│ │ ├── ca.pem
│ │ ├── client-key.pem
│ │ ├── client.csr
│ │ ├── client.json
│ │ ├── client.pem
│ │ ├── member1.json
│ │ ├── server-key.pem
│ │ ├── server.csr
│ │ ├── server.json
│ │ └── server.pem
│ └── wireguard
├── e2e/
│ ├── Dockerfile
│ ├── docker-compose.yml
│ ├── download-kubectl.sh
│ ├── e2e-functions.sh
│ ├── get-kubeconfig.sh
│ ├── run-e2e-tests.sh
│ └── version.sh
├── go.mod
├── go.sum
├── images/
│ ├── Dockerfile
│ └── iperf3/
│ ├── Dockerfile
│ └── Makefile
├── main.go
└── pkg/
├── backend/
│ ├── alloc/
│ │ └── alloc.go
│ ├── common.go
│ ├── extension/
│ │ ├── extension.go
│ │ └── extension_network.go
│ ├── hostgw/
│ │ ├── hostgw.go
│ │ └── hostgw_windows.go
│ ├── ipip/
│ │ ├── ipip.go
│ │ └── ipip_windows.go
│ ├── ipsec/
│ │ ├── handle_charon.go
│ │ ├── handle_xfrm.go
│ │ ├── ipsec.go
│ │ ├── ipsec_network.go
│ │ └── ipsec_windows.go
│ ├── manager.go
│ ├── route_network.go
│ ├── route_network_test.go
│ ├── route_network_windows.go
│ ├── simple_network.go
│ ├── tencentvpc/
│ │ ├── tencentvpc.go
│ │ └── tencentvpc_windows.go
│ ├── udp/
│ │ ├── cproxy_amd64.go
│ │ ├── proxy_amd64.c
│ │ ├── proxy_amd64.h
│ │ ├── udp.go
│ │ ├── udp_amd64.go
│ │ ├── udp_network.go
│ │ ├── udp_network_amd64.go
│ │ └── udp_windows.go
│ ├── vxlan/
│ │ ├── device.go
│ │ ├── device_windows.go
│ │ ├── vxlan.go
│ │ ├── vxlan_network.go
│ │ ├── vxlan_network_windows.go
│ │ └── vxlan_windows.go
│ └── wireguard/
│ ├── device.go
│ ├── wireguard.go
│ ├── wireguard_network.go
│ └── wireguard_windows.go
├── ip/
│ ├── endianess.go
│ ├── iface.go
│ ├── iface_test.go
│ ├── iface_windows.go
│ ├── iface_windows_test.go
│ ├── ip6net.go
│ ├── ip6net_test.go
│ ├── ipnet.go
│ ├── ipnet_test.go
│ └── tun.go
├── ipmatch/
│ ├── match.go
│ └── match_test.go
├── lease/
│ └── lease.go
├── mac/
│ ├── mac.go
│ └── mac_test.go
├── ns/
│ └── ns.go
├── powershell/
│ └── powershell.go
├── retry/
│ └── retry.go
├── routing/
│ ├── router.go
│ ├── router_windows.go
│ └── router_windows_test.go
├── subnet/
│ ├── config.go
│ ├── config_test.go
│ ├── etcd/
│ │ ├── local_manager.go
│ │ ├── mock_registry.go
│ │ ├── mock_subnet.go
│ │ ├── rand.go
│ │ ├── registry.go
│ │ ├── registry_test.go
│ │ └── subnet_test.go
│ ├── kube/
│ │ ├── annotations.go
│ │ ├── annotations_test.go
│ │ ├── kube.go
│ │ └── kube_test.go
│ ├── subnet.go
│ └── subnet_test.go
├── trafficmngr/
│ ├── iptables/
│ │ ├── iptables.go
│ │ ├── iptables_restore.go
│ │ ├── iptables_restore_test.go
│ │ ├── iptables_test.go
│ │ └── iptables_windows.go
│ ├── nftables/
│ │ ├── nftables.go
│ │ ├── nftables_windows.go
│ │ └── utils.go
│ └── trafficmngr.go
└── version/
└── version.go
================================================
FILE CONTENTS
================================================
================================================
FILE: .dockerignore
================================================
dist/*.aci
dist/*.docker
dist/*.tar.gz
.git
vendor
================================================
FILE: .github/ISSUE_TEMPLATE.md
================================================
<!--- Provide a general summary of the issue in the Title above -->
## Expected Behavior
<!--- If you're describing a bug, tell us what should happen -->
<!--- If you're suggesting a change/improvement, tell us how it should work -->
## Current Behavior
<!--- If describing a bug, tell us what happens instead of the expected behavior -->
<!--- If suggesting a change/improvement, explain the difference from current behavior -->
## Possible Solution
<!--- Not obligatory, but suggest a fix/reason for the bug, -->
<!--- or ideas how to implement the addition or change -->
## Steps to Reproduce (for bugs)
<!--- Provide a link to a live example, or an unambiguous set of steps to -->
<!--- reproduce this bug. Include code to reproduce, if relevant -->
1.
2.
3.
4.
## Context
<!--- How has this issue affected you? What are you trying to accomplish? -->
<!--- Providing context helps us come up with a solution that is most useful in the real world -->
## Your Environment
<!--- Include as many relevant details about the environment you experienced the bug in -->
* Flannel version:
* Backend used (e.g. vxlan or udp):
* Etcd version:
* Kubernetes version (if used):
* Operating System and version:
* Link to your project (optional):
================================================
FILE: .github/PULL_REQUEST_TEMPLATE.md
================================================
## Description
<!-- A few sentences describing the overall goals of the pull request's commits.
Please include
- the type of fix - (e.g. bug fix, new feature, documentation)
- some details on _why_ this PR should be merged
- the details of the testing you've done on it (both manual and automated)
- which components are affected by this PR
-->
## Todos
- [ ] Tests
- [ ] Documentation
- [ ] Release note
## Release Note
<!-- Writing a release note:
- By default, no release note action is required.
- If you're unsure whether or not your PR needs a note, ask your reviewer for guidance.
- If this PR requires a release note, update the block below to include a concise note describing
the change and any important impacts this PR may have.
-->
```release-note
None required
```
================================================
FILE: .github/dependabot.yml
================================================
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  - package-ecosystem: "docker"
    directory: "images"
    schedule:
      interval: "weekly"
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      k8s:
        patterns: [ "k8s.io/*", "sigs.k8s.io/*" ]
        update-types: [ "major", "minor", "patch" ]
      etcd:
        patterns: [ "go.etcd.io/*" ]
        update-types: [ "major", "minor", "patch" ]
      tencent:
        patterns: [ "github.com/tencentcloud/*" ]
        update-types: [ "major", "minor", "patch" ]
      other-go-modules:
        patterns: [ "*" ]
        exclude-patterns:
          - "k8s.io/*"
          - "sigs.k8s.io/*"
          - "go.etcd.io/*"
          - "github.com/tencentcloud/*"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
  - package-ecosystem: docker
    directory: /e2e
    schedule:
      interval: daily
  - package-ecosystem: docker
    directory: /images
    schedule:
      interval: daily
  - package-ecosystem: docker
    directory: /images/iperf3
    schedule:
      interval: daily
================================================
FILE: .github/stale.yml
================================================
# Number of days of inactivity before an issue becomes stale
daysUntilStale: 180
# Number of days of inactivity before a stale issue is closed
daysUntilClose: 21
# Issues with these labels will never be considered stale
exemptLabels:
  - pinned
  - security
# Label to use when marking an issue as stale
staleLabel: wontfix
# Comment to post when marking an issue as stale. Set to `false` to disable
markComment: >
  This issue has been automatically marked as stale because it has not had
  recent activity. It will be closed if no further activity occurs. Thank you
  for your contributions.
# Comment to post when closing a stale issue. Set to `false` to disable
closeComment: false
================================================
FILE: .github/workflows/build.yaml
================================================
name: build flannel
on: pull_request
env:
  GO_VERSION: "1.24"
  LINUX_ARCHES: "amd64 arm arm64 s390x ppc64le riscv64"
  REPOSITORY: flannel/flannel
permissions:
  contents: read
jobs:
  build-images:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set tag
        run: echo "GIT_TAG=$(git describe --tags --always)" >> $GITHUB_ENV
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: go mod vendor
        run: go mod vendor
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
        with:
          images: ${{ env.REPOSITORY }}
          flavor: latest=false
          tags: |
            type=ref, event=branch
      - name: Build multi-arch Docker image
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v6.15.0
        with:
          context: .
          file: images/Dockerfile
          push: false
          platforms: linux/amd64,linux/arm64,linux/arm,linux/s390x,linux/ppc64le,linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          build-args: TAG=${{ env.GIT_TAG }}
      - name: build for windows
        run: make dist/flanneld.exe
================================================
FILE: .github/workflows/codeql-analysis.yml
================================================
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
on:
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '30 20 * * 0'
env:
  GO_VERSION: "1.24"
permissions:
  contents: read
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: [ 'go' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 #v4.32.6
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
          # By default, queries listed here will override any specified in a config file.
          # Prefix the list here with "+" to use these queries and those in the config file.
          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
          # queries: security-extended,security-and-quality
      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
      # If the Autobuild fails above, remove it and uncomment the following three lines.
      # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
      - run: |
          echo "Run, Build Application using script"
          make dist/flanneld
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 #v4.32.6
================================================
FILE: .github/workflows/e2eTests.yaml
================================================
name: e2e tests for flannel
on: pull_request
permissions:
  contents: read
jobs:
  e2e-test:
    name: test
    runs-on: ubuntu-latest
    timeout-minutes: 90
    steps:
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ^1.24
      - name: Check out code into the Go module directory
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set up modules
        run: sudo modprobe br_netfilter overlay
      - name: Run tests
        id: testing
        continue-on-error: true
        # Redirect stdout to the file first, then point stderr at it, so both streams land in errors.txt
        run: git fetch --unshallow --all --tags && make test > errors.txt 2>&1
      - name: Show additional logs
        if: steps.testing.outcome != 'success'
        run: |
          cat errors.txt
          exit 1
================================================
FILE: .github/workflows/golangci-lint.yaml
================================================
name: run golangci-lint
on: pull_request
permissions:
  contents: read
jobs:
  golangci:
    permissions:
      contents: read # for actions/checkout to fetch code
      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: "1.24"
          cache: false
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 #v9.2.0
        with:
          version: v2.7.2
          args: "--timeout=5m"
================================================
FILE: .github/workflows/k3s-e2eTests.yml
================================================
name: k3s e2e tests for flannel
on: pull_request
env:
  ARCH: amd64
  GO_VERSION: "1.24"
  KUBECONFIG: ${HOME}/.kube/config
permissions:
  contents: read
jobs:
  k3s-e2e-tests:
    name: test
    runs-on: ubuntu-latest
    timeout-minutes: 90
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: set up modules
        run: sudo modprobe br_netfilter overlay
      - name: build flannel image
        run: make image
      - name: run e2e tests with k3s
        run: make k3s-e2e-test
================================================
FILE: .github/workflows/release.yml
================================================
name: release flannel and upload docker images
on:
  release:
    types: [published]
env:
  GO_VERSION: "1.24"
  LINUX_ARCHES: "amd64 arm arm64 s390x ppc64le riscv64"
  REPOSITORY: flannel/flannel
  IMAGE_NAME: flannel-io/flannel
  REGISTRY: ghcr.io
permissions:
  contents: read
jobs:
  build-and-push-images:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set tag
        run: echo "GIT_TAG=$(git describe --tags --always)" >> $GITHUB_ENV
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: go mod vendor
        run: go mod vendor
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
        with:
          images: ${{ env.REPOSITORY }}
          flavor: latest=false
          tags: |
            type=ref,event=tag
      - name: Log in to Docker Hub
        if: github.repository_owner == 'flannel-io' && success()
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #v4.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Build and push Docker image
        if: github.repository_owner == 'flannel-io' && success()
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v7.0.0
        with:
          context: .
          file: images/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64,linux/arm,linux/s390x,linux/ppc64le,linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          build-args: TAG=${{ env.GIT_TAG }}
  build-and-push-images-github-registry:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set tag
        run: echo "GIT_TAG=$(git describe --tags --always)" >> $GITHUB_ENV
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: go mod vendor
        run: go mod vendor
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
      - name: Log in to the Container registry
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #v4.0.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
      - name: Build and push Docker image
        id: push
        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v7.0.0
        with:
          context: .
          file: images/Dockerfile
          push: true
          platforms: linux/amd64,linux/arm64,linux/arm,linux/s390x,linux/ppc64le,linux/riscv64
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: TAG=${{ env.GIT_TAG }}
      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 #v4.1.0
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
  build-and-push-artifacts:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set tag
        run: echo "GIT_TAG=$(git describe --tags --always)" >> $GITHUB_ENV
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: go mod vendor
        run: go mod vendor
      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
      - name: Build release artifacts
        run: make release
      - name: Upload flannel binaries to the release page
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release upload ${{ env.GIT_TAG }} dist/flannel*
  publish-chart:
    permissions:
      contents: write
      packages: write
      pages: write # to deploy to Pages
      id-token: write # to verify the deployment originates from an appropriate source
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    needs: build-and-push-images
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: set tag
        run: echo "GIT_TAG=$(git describe --tags --always)" >> $GITHUB_ENV
      - name: Package chart
        run: make release-manifest release-helm
      - name: Upload chart and manifests to the release page
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release upload ${{ env.GIT_TAG }} dist/flannel.tgz dist/kube-flannel.yml
      - name: Setup Pages
        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b #v5.0.0
      - name: Upload artifact
        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b #v4.0.0
        with:
          path: 'chart/'
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e #v4.0.5
================================================
FILE: .github/workflows/scorecard.yml
================================================
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.
name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '19 11 * * 3'
  push:
    branches: [ "master" ]
# Declare default permissions as read only.
permissions: read-all
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      # Needed to publish results and get a badge (see publish_results below).
      id-token: write
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
    steps:
      - name: "Checkout code"
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
          # - you want to enable the Branch-Protection check on a *public* repository, or
          # - you are installing Scorecard on a *private* repository
          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Public repositories:
          # - Publish results to OpenSSF REST API for easy access by consumers
          # - Allows the repository to include the Scorecard badge.
          # - See https://github.com/ossf/scorecard-action#publishing-results.
          # For private repositories:
          # - `publish_results` will always be set to `false`, regardless
          # of the value entered here.
          publish_results: true
          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
          # file_mode: git
      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
      - name: "Upload artifact"
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      # Upload the results to GitHub's code scanning dashboard (optional).
      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: results.sarif
================================================
FILE: .github/workflows/trivy.yml
================================================
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Vulnerability scan
on:
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]
  schedule:
    - cron: '34 5 * * 2'
env:
  GO_VERSION: "1.24"
  REPOSITORY: flannel/flannel
permissions:
  contents: read
jobs:
  build:
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
      - name: Set up Go 1.x
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Build an image from Dockerfile
        run: |
          ARCH=amd64 TAG=${{ github.sha }} make image
      - name: Run Trivy vulnerability scanner in tarball mode
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 #v0.35.0
        with:
          input: ./dist/flanneld-${{ github.sha }}-amd64.docker
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98
        with:
          sarif_file: 'trivy-results.sarif'
================================================
FILE: .gitignore
================================================
dist/*.tar.gz
dist/flanneld*
dist/*.docker
dist/here.txt
dist/flannel_oci.tar
cover.out
.editorconfig
.idea/
default.etcd/
flannel.exe
bash_unit
dist/qemu-*
.vscode/*
vendor/*
e2e/scratch/*
e2e/kube-flannel.yml
================================================
FILE: ACTIVITY_SUMMARY_2025.md
================================================
# Flannel Repository Activity Summary - 2025
## Overview
This document provides a comprehensive summary of the flannel-io/flannel repository activity during the year 2025.
---
## 📊 Key Statistics
### Releases
- **Total Releases in 2025:** 10
- **Release Details:**
1. v0.26.3 - January 8, 2025
2. v0.26.4 - February 4, 2025
3. v0.26.5 - March 6, 2025
4. v0.26.6 - April 8, 2025
5. v0.26.7 - April 15, 2025
6. v0.27.0 - June 4, 2025
7. v0.27.1 - July 10, 2025
8. v0.27.2 - July 21, 2025
9. v0.27.3 - September 1, 2025
10. v0.27.4 - October 2, 2025
### Pull Requests
- **Total PRs Merged in 2025:** 111
### Issues
- **Total Issues Created in 2025:** 40
- **Total Issues Resolved in 2025:** 52
---
## 👥 Most Active Contributors (by PRs merged in 2025)
| Rank | Contributor | PRs Merged |
|------|-------------|------------|
| 1 | dependabot[bot] | 54 |
| 2 | thomasferrandiz | 20 |
| 3 | rbrtbnfgl | 10 |
| 4 | pratikjagrut | 2 |
| 5 | lilioid | 2 |
| 6 | tyholling | 1 |
| 7 | sudheerv | 1 |
| 8 | philips | 1 |
| 9 | pgonin | 1 |
| 10 | np-13 | 1 |
*Note: Dependabot automated dependency updates account for approximately 49% of merged PRs.*
---
## 📈 Activity Highlights
- **Release Cadence:** The project maintained a consistent release schedule with 10 releases throughout the year, averaging about 1 release per month.
- **Version Progress:** The project progressed from v0.26.x to v0.27.x series during 2025.
- **Issue Resolution Rate:** 52 issues were resolved while 40 new issues were created, showing a positive net resolution (130% resolution rate).
- **PR Activity:** 111 PRs were merged, demonstrating active development and maintenance.
- **Automation:** Dependabot contributed significantly to keeping dependencies up to date with 54 automated PRs.
- **Human Contributors:** Excluding automated contributions, the top human contributors were thomasferrandiz (20 PRs) and rbrtbnfgl (10 PRs).
---
## 🔍 Summary
The flannel repository showed healthy activity in 2025 with:
- Consistent release schedule (10 releases)
- Active maintenance (111 PRs merged)
- Positive issue resolution trend (52 resolved vs 40 created)
- Strong community contributions from both automated tooling and human maintainers
- Two major contributors (thomasferrandiz and rbrtbnfgl) leading the development efforts
---
*Report generated on: January 21, 2026*
*Data source: GitHub API via flannel-io/flannel repository*
================================================
FILE: CONTRIBUTING.md
================================================
# How to Contribute
CoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via
GitHub pull requests. This document outlines some of the conventions on
development workflow, commit message formatting, contact points and other
resources to make it easier to get your contribution accepted.
# Certificate of Origin
By contributing to this project you agree to the Developer Certificate of
Origin (DCO). This document was created by the Linux Kernel community and is a
simple statement that you, as a contributor, have the legal right to make the
contribution. See the [DCO](DCO) file for details.
## Getting Started
- Fork the repository on GitHub
- Read the [README](README.md) for build and test instructions
- Play with the project, submit bugs, submit patches!
## Contribution Flow
This is a rough outline of what a contributor's workflow looks like:
- Create a topic branch from where you want to base your work (usually master).
- Make commits of logical units.
- Make sure your commit messages are in the proper format (see below).
- Push your changes to a topic branch in your fork of the repository.
- Make sure the tests pass, and add any new tests as appropriate.
- Submit a pull request to the original repository.
Thanks for your contributions!
### Format of the Commit Message
We follow a rough convention for commit messages that is designed to answer two
questions: what changed and why. The subject line should feature the what and
the body of the commit should describe the why.
```
scripts: add the test-cluster command

this uses tmux to setup a test cluster that you can easily kill and
start for debugging.

Fixes #38
```
The format can be described more formally as follows:
```
<subsystem>: <what changed>
<BLANK LINE>
<why this change was made>
<BLANK LINE>
<footer>
```
The first line is the subject and should be no longer than 70 characters, the
second line is always blank, and other lines should be wrapped at 80 characters.
This allows the message to be easier to read on GitHub as well as in various
git tools.
================================================
FILE: DCO
================================================
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
660 York Street, Suite 102,
San Francisco, CA 94110 USA
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
================================================
FILE: Documentation/adrs/add-nftables-implementation.md
================================================
# Add nftables implementation to flannel
Date: 2024-02-01
## Status
Writing
## Context
At the moment, flannel uses iptables to masquerade pod traffic and to allow it to be forwarded.
Our implementation is based on the library from coreos (https://github.com/coreos/go-iptables).
There are several issues with using iptables in flannel:
* performance: packets are matched by walking a list, so matching is O(n) in the number of rules. This isn't very important for flannel because it uses few iptables rules anyway.
* stability:
  * rules must be purged then re-added every time flannel needs to change a rule, to keep the correct order
  * there can be interference with other k8s components that also use iptables (kube-proxy, kube-router...)
* deprecation: nftables is pushed as a replacement for iptables in the kernel and in future distros including the future RHEL.
References:
- https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/3866-nftables-proxy/README.md#motivation
## Current state
In flannel code, all references to iptables are wrapped in the `iptables` package.
The package provides the type `IPTableRule` to represent an individual rule. This type is almost entirely internal to the package, so it would be easy to refactor the code to hide it in favor of a more abstract type that would work for both iptables and nftables rules.
Unfortunately the package doesn't provide an interface, so it needs to be refactored in order to provide both an iptables-based and an nftables-based implementation.
This package includes several Go interfaces (`IPTables`, `IPTablesError`) that are used for testing.
## Requirements
Ideally, flannel will include both iptables and nftables implementation. These need to coexist in the code but will be mutually exclusive at runtime.
The choice of which implementation to use will be triggered by an optional CLI flag.
iptables will remain the default for the time being.
Using nftables is an opportunity to optimise the rules deployed by flannel, but we need to be careful about backward compatibility with the current behaviour.
Starting flannel in either mode should reset the other mode as best as possible to ensure that users don't need to reboot if they need to change mode.
## Architecture
Currently, flannel uses two dedicated iptables chains for its own rules: `FLANNEL-POSTRTG` (in the `nat` table) and `FLANNEL-FWD` (in the `filter` table).
* flannel adds jump rules to the built-in `POSTROUTING` and `FORWARD` chains to direct traffic to its own chains.
* rules in `FLANNEL-POSTRTG` are used to manage masquerading of the traffic to/from the pods
* rules in `FLANNEL-FWD` are used to ensure that traffic to and from the flannel network can be forwarded
With nftables, flannel would have its own dedicated table (`flannel`) with arbitrary chains and rules as needed.
see https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
```
# !! untested example
# Placeholder values (assumed here; flannel would substitute its own):
define flannel_network = 10.244.0.0/16   # whole flannel network
define pod_cidr        = 10.244.1.0/24   # this node's subnet
define cluster_cidr    = 10.244.0.0/16   # cluster network

table ip flannel {
    chain flannel-postrtg {
        # same hook point as iptables' nat POSTROUTING
        type nat hook postrouting priority srcnat; policy accept;
        # kube-proxy: skip packets it has already marked for masquerading
        meta mark & 0x4000 == 0x4000 return
        # don't NAT traffic within overlay network
        ip saddr $pod_cidr ip daddr $cluster_cidr return
        ip saddr $cluster_cidr ip daddr $pod_cidr return
        # Prevent performing Masquerade on external traffic which arrives from a Node that owns the container/pod IP address
        ip saddr != $pod_cidr ip daddr $cluster_cidr return
        # NAT if it's not multicast traffic
        ip saddr $cluster_cidr ip daddr != 224.0.0.0/4 masquerade
        # Masquerade anything headed towards flannel from the host
        ip saddr != $cluster_cidr ip daddr $cluster_cidr masquerade
    }
    chain flannel-fwd {
        # forward hook, not input: these rules govern packets the host routes between interfaces.
        # NB: the policy of a base chain applies to every forwarded packet on the host, so a
        # drop policy here also drops non-flannel traffic that other components expect to pass;
        # the current iptables code only adds ACCEPT rules and leaves the FORWARD policy alone.
        type filter hook forward priority filter; policy drop;
        # allow traffic to be forwarded if it is to or from the flannel network range
        ip saddr $flannel_network accept
        ip daddr $flannel_network accept
    }
}
```
## nftables library
We can either:
* call the `nft` executable directly
* use https://github.com/kubernetes-sigs/knftables which is developed for kube-proxy and should cover our use case
## Implementation steps
* refactor current iptables code to better encapsulate iptables calls in the dedicated package
* implement nftables mode that is the exact equivalent of the current iptables code
* add similar unit tests and e2e test coverage
* try to optimize the code using nftables-specific feature
* integrate the new flag in k3s
## Decision
================================================
FILE: Documentation/backends.md
================================================
# Backends
Flannel may be paired with several different backends. Once set, the backend should not be changed at runtime.
VXLAN is the recommended choice. host-gw is recommended for more experienced users who want the performance improvement and whose infrastructure supports it (typically it cannot be used in cloud environments, which rarely provide the required layer 2 connectivity between hosts). UDP is suggested for debugging only or for very old kernels that don't support VXLAN.
In case `firewalld` is enabled on the node the port used by the backend needs to be enabled with `firewall-cmd`:
```
firewall-cmd --permanent --zone=public --add-port=[port]/udp
```
For more information on configuration options for Tencent see [TencentCloud VPC Backend for Flannel][tencentcloud-vpc]
## Recommended backends
### VXLAN
Use in-kernel VXLAN to encapsulate the packets.
Type and options:
* `Type` (string): `vxlan`
* `VNI` (number): VXLAN Identifier (VNI) to be used. On Linux, defaults to 1. On Windows should be greater than or equal to 4096.
* `Port` (number): UDP port to use for sending encapsulated packets. On Linux, defaults to kernel default, currently 8472, but on Windows, must be 4789.
* `GBP` (Boolean): Enable [VXLAN Group Based Policy](https://github.com/torvalds/linux/commit/3511494ce2f3d3b77544c79b87511a4ddb61dc89). Defaults to `false`. GBP is not supported on Windows
* `DirectRouting` (Boolean): Enable direct routes (like `host-gw`) when the hosts are on the same subnet. VXLAN will only be used to encapsulate packets to hosts on different subnets. Defaults to `false`. DirectRouting is not supported on Windows.
* `MTU` (number): Desired MTU for the outgoing packets if not defined the MTU of the external interface is used.
* `MacPrefix` (String): Only used on Windows; sets the MAC prefix. Defaults to `0E-2A`.
Starting with Ubuntu 21.10, vxlan support on Raspberry Pi has been moved into a separate kernel module.
```
sudo apt install linux-modules-extra-raspi
```
### host-gw
Use host-gw to create IP routes to subnets via remote machine IPs. Requires direct layer2 connectivity between hosts running flannel.
host-gw provides good performance, with few dependencies, and easy set up.
Type:
* `Type` (string): `host-gw`
### WireGuard
Use in-kernel [WireGuard](https://www.wireguard.com) to encapsulate and encrypt the packets.
Type:
* `Type` (string): `wireguard`
* `PSK` (string): Optional. The pre shared key to use. Use `wg genpsk` to generate a key.
* `ListenPort` (int): Optional. The udp port to listen on. Default is `51820`.
* `ListenPortV6` (int): Optional. The udp port to listen on for ipv6. Default is `51821`.
* `MTU` (number): Desired MTU for the outgoing packets if not defined the MTU of the external interface is used.
* `Mode` (string): Optional.
  * `separate` - Use separate wireguard tunnels for ipv4 and ipv6 (default)
  * `auto` - Single wireguard tunnel for both address families; autodetermine the preferred peer address
  * `ipv4` - Single wireguard tunnel for both address families; use ipv4 for the peer addresses
  * `ipv6` - Single wireguard tunnel for both address families; use ipv6 for the peer addresses
* `PersistentKeepaliveInterval` (int): Optional. Default is 0 (disabled).
If no private key exists yet, flannel generates one and writes it to `/run/flannel/wgkey`. The environment variable `WIREGUARD_KEY_FILE` changes this path.
The static names of the interfaces are `flannel-wg` and `flannel-wg-v6`. WireGuard tools like `wg show` can be used to debug interfaces and peers.
Users of kernels < 5.6 need to [install](https://www.wireguard.com/install/) an additional Wireguard package.
### UDP
Use UDP only for debugging if your network and kernel prevent you from using VXLAN or host-gw.
Type and options:
* `Type` (string): `udp`
* `Port` (number): UDP port to use for sending encapsulated packets. Defaults to 8285.
## Experimental backends
The following options are experimental and unsupported at this time.
### Alloc
Alloc performs subnet allocation with no forwarding of data packets.
Type:
* `Type` (string): `alloc`
### TencentCloud VPC
Use TencentCloud VPC to create IP routes in a [TencentCloud VPC route table](https://intl.cloud.tencent.com/product/vpc) when running in a TencentCloud VPC. This removes the need to create a separate flannel interface.
Requirements:
* Running on a CVM instance that is in a TencentCloud VPC.
* An API access key ID and key secret with permission to modify the VPC route table.
* `Type` (string): `tencent-vpc`
* `AccessKeyID` (string): API access key ID. Can also be configured with environment ACCESS_KEY_ID.
* `AccessKeySecret` (string): API access key secret. Can also be configured with environment ACCESS_KEY_SECRET.
Route Limits: TencentCloud VPC limits the number of entries per route table to 50.
[tencentcloud-vpc]: https://github.com/flannel-io/flannel/blob/master/Documentation/tencentcloud-vpc-backend.md
### IPIP
Use in-kernel IPIP to encapsulate the packets.
IPIP is the simplest kind of tunnel. It has the lowest overhead, but can encapsulate only IPv4 unicast traffic, so you will not be able to run OSPF, RIP or any other multicast-based protocol over it.
Type:
* `Type` (string): `ipip`
* `DirectRouting` (Boolean): Enable direct routes (like `host-gw`) when the hosts are on the same subnet. IPIP will only be used to encapsulate packets to hosts on different subnets. Defaults to `false`.
Note that two IPIP tunnel devices, `tunl0` and `flannel.ipip`, may exist; this is expected and not a bug.
`tunl0` is created automatically in each network namespace by the ipip kernel module when it is loaded. It is the namespace's default IPIP device, with attributes local=any and remote=any.
When receiving IPIP packets, the kernel delivers them to `tunl0` as a fallback if it cannot find a tunnel device whose local/remote attributes match the packet's source/destination addresses more precisely.
`flannel.ipip` is created by flannel to provide a one-to-many IPIP network.
### IPSec
Use in-kernel IPSec to encapsulate and encrypt the packets.
[Strongswan](https://www.strongswan.org) is used as the IKEv2 daemon. A single pre-shared key is used for the initial key exchange between hosts and then Strongswan ensures that keys are rotated at regular intervals.
Type:
* `Type` (string): `ipsec`
* `PSK` (string): Required. The pre shared key to use. It needs to be at least 96 characters long. One method for generating this key is to run `dd if=/dev/urandom count=48 bs=1 status=none | xxd -p -c 48`
* `UDPEncap` (Boolean): Optional, defaults to false. Forces the use of UDP encapsulation of packets, which can help with some NAT gateways.
* `ESPProposal` (string): Optional, defaults to `aes128gcm16-sha256-prfsha256-ecp256`. Change this string to choose another ESP Proposal.
Hint:
Allow the following in your firewall: IP protocol 50 (ESP, the encrypted payload), UDP port 500 (IKE, used to manage encryption keys) and UDP port 4500 (IKE and ESP over UDP when NAT traversal is in use). Note that ESP is an IP protocol, not a port, so it must be allowed with a protocol rule rather than a port rule.
#### Troubleshooting
Logging
* When flannel is run from a container, the Strongswan tools are installed. `swanctl` can be used to interact with charon (the Strongswan IKE daemon) and it provides a logs command.
* Charon logs are also written to the stdout of the flannel process.
Troubleshooting
* `ip xfrm state` can be used to interact with the kernel's security association database. This can be used to show the current security associations (SA) and whether a host is successfully establishing ipsec connections to other hosts.
* `ip xfrm policy` can be used to show the installed policies. Flannel installs three policies for each host it connects to.
Flannel will not restore policies that are manually deleted (unless flannel is restarted). It will also not delete stale policies on startup. They can be removed by rebooting your host or by removing all ipsec state with `ip xfrm state flush && ip xfrm policy flush` and restarting flannel.
================================================
FILE: Documentation/building.md
================================================
# Building flannel
The most reliable way to build flannel is by using Docker.
## Building in a Docker container
To build flannel in a container run `make dist/flanneld-amd64`.
You will now have a `flanneld-amd64` binary in the `dist` directory.
## Building for other platforms
If you're not running `amd64` then you need to manually set `ARCH` before running `make`. For example, to produce a
`flanneld-s390x` binary and image, run
* ARCH=s390x make image
If you want to cross-compile for a different platform (e.g. you're running `amd64` but you want to produce `arm` binaries) then you need the qemu-static binaries to be present in `/usr/bin`. They can be installed on Ubuntu with
* `sudo apt-get install qemu-user-static`
Then you should be able to set the ARCH as above
* ARCH=arm make image
## Building a multi-arch image
To build the multi-arch image of flannel locally, you need to install [Docker buildx](https://github.com/docker/buildx).
Then you can use the following target:
```
make build-multi-arch
```
If you don't already have a builder running locally, you can use this target to start it:
```
make buildx-create-builder
```
See the [buildx documentation](https://docs.docker.com/reference/cli/docker/buildx/) for more details.
## Running the tests locally
To run the end-to-end tests locally, you need to install [Docker compose](https://docs.docker.com/compose/install/).
## Building manually
1. Make sure you have required dependencies installed on your machine.
* On Ubuntu, run `sudo apt-get install linux-libc-dev golang gcc`.
If the installed golang version is older than 1.7, download the newest golang release and install it manually.
To build flannel.exe for Windows, mingw-w64 is also needed: run `sudo apt-get install mingw-w64`.
* On Fedora/Redhat, run `sudo yum install kernel-headers golang gcc glibc-static`.
2. Git clone the flannel repo. It MUST be placed in your GOPATH under `github.com/flannel-io/flannel`: `cd $GOPATH/src; git clone https://github.com/flannel-io/flannel.git`
3. Run the build script, ensuring that `CGO_ENABLED=1`: `cd flannel; CGO_ENABLED=1 make dist/flanneld` for linux usage.
Run the build script, ensuring that `CGO_ENABLED=1`: `cd flannel; CGO_ENABLED=1 make dist/flanneld.exe` for windows usage.
================================================
FILE: Documentation/configuration.md
================================================
# Configuration
If the --kube-subnet-mgr argument is true, flannel reads its configuration from `/etc/kube-flannel/net-conf.json`.
If the --kube-subnet-mgr argument is false, flannel reads its configuration from etcd.
By default, it will read the configuration from `/coreos.com/network/config` (which can be overridden using `--etcd-prefix`).
Use the `etcdctl` utility to set values in etcd.
The value of the config is a JSON dictionary with the following keys:
* `Network` (string): IPv4 network in CIDR format to use for the entire flannel network. (Mandatory if EnableIPv4 is true)
* `IPv6Network` (string): IPv6 network in CIDR format to use for the entire flannel network. (Mandatory if EnableIPv6 is true)
* `EnableIPv4` (bool): Enables ipv4 support
Defaults to `true`
* `EnableIPv6` (bool): Enables ipv6 support
Defaults to `false`
* `EnableNFTables` (bool): (EXPERIMENTAL) If set to true, flannel uses nftables instead of iptables to masquerade the traffic.
Defaults to `false`
* `SubnetLen` (integer): The prefix length of the subnet allocated to each host.
Defaults to 24 (i.e. /24) unless `Network` is smaller than a /22 (that is, has a longer prefix), in which case it is the prefix length of `Network` plus two, so that the network is split into four subnets.
* `SubnetMin` (string): The beginning of IP range which the subnet allocation should start with.
Defaults to the second subnet of `Network`.
* `SubnetMax` (string): The end of the IP range at which the subnet allocation should end with.
Defaults to the last subnet of `Network`.
* `IPv6SubnetLen` (integer): The prefix length of the IPv6 subnet allocated to each host.
Defaults to 64 (i.e. /64) unless `IPv6Network` is smaller than a /62, in which case it is the prefix length of `IPv6Network` plus two.
* `IPv6SubnetMin` (string): The beginning of the IPv6 range which the subnet allocation should start with.
Defaults to the second subnet of `IPv6Network`.
* `IPv6SubnetMax` (string): The end of the IPv6 range at which the subnet allocation should end.
Defaults to the last subnet of `IPv6Network`.
* `Backend` (dictionary): Type of backend to use and specific configurations for that backend.
The list of available backends and the keys that can be put into this dictionary are listed in [Backends](backends.md).
Defaults to `vxlan` backend.
Subnet leases have a duration of 24 hours. Leases are renewed within 1 hour of their expiration,
unless a different renewal margin is set with the `--subnet-lease-renew-margin` option.
## Example configuration JSON
The following configuration illustrates the use of most options with `udp` backend.
```json
{
"Network": "10.0.0.0/8",
"SubnetLen": 20,
"SubnetMin": "10.10.0.0",
"SubnetMax": "10.99.0.0",
"Backend": {
"Type": "udp",
"Port": 7890
}
}
```
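As an added example (not flannel's own code), the following POSIX shell functions reproduce the documented defaults for `SubnetLen`, `SubnetMin` and `SubnetMax` from a `Network` CIDR, and check that explicitly configured bounds lie inside the network on a `SubnetLen` boundary. The function names, the sample CIDRs and the range check are this example's own and follow the documented semantics rather than flannel's implementation.

```shell
#!/bin/sh
# Added example, not part of flannel: derive the documented subnet defaults
# from a Network CIDR and validate explicit SubnetMin/SubnetMax values.
# All arithmetic is on 32-bit IPv4 values held in shell integers.

ip4_to_int() {            # 10.244.0.0 -> 183762944
    rest=$1
    a=${rest%%.*}; rest=${rest#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip4() {            # 183762944 -> 10.244.0.0
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Documented rule: a /24 per host, unless Network is longer than /22,
# in which case each host gets Network's prefix length plus two.
default_subnet_len() {
    if [ "$1" -le 22 ]; then echo 24; else echo $(( $1 + 2 )); fi
}

# subnet_defaults <Network> [SubnetLen]  ->  "<SubnetLen> <SubnetMin> <SubnetMax>"
# SubnetMin is the second subnet of Network (the first is skipped), SubnetMax the last.
subnet_defaults() {
    net=${1%/*}; prefix=${1#*/}
    len=${2:-$(default_subnet_len "$prefix")}
    [ "$len" -gt "$prefix" ] || { echo "SubnetLen /$len does not fit in /$prefix" >&2; return 1; }
    # clear host bits in case Network was not given on its own boundary
    base=$(( $(ip4_to_int "$net") & ~((1 << (32 - prefix)) - 1) & 4294967295 ))
    size=$(( 1 << (32 - len) ))
    end=$(( base + (1 << (32 - prefix)) ))         # first address after Network
    echo "$len $(int_to_ip4 $(( base + size ))) $(int_to_ip4 $(( end - size )))"
}

# check_subnet_range <Network> <SubnetLen> <SubnetMin> <SubnetMax>
# Returns 0 when both bounds are inside Network and aligned to SubnetLen.
check_subnet_range() {
    net=${1%/*}; prefix=${1#*/}; len=$2
    base=$(( $(ip4_to_int "$net") & ~((1 << (32 - prefix)) - 1) & 4294967295 ))
    end=$(( base + (1 << (32 - prefix)) ))
    size=$(( 1 << (32 - len) ))
    for bound in "$3" "$4"; do
        v=$(ip4_to_int "$bound")
        [ "$v" -ge "$base" ] && [ "$v" -le $(( end - size )) ] || { echo "$bound is outside $1" >&2; return 1; }
        [ $(( v & (size - 1) )) -eq 0 ] || { echo "$bound is not on a /$len boundary" >&2; return 1; }
    done
}
```

`subnet_defaults 10.0.0.0/8 20` prints the bounds flannel would use if the example above omitted `SubnetMin` and `SubnetMax` (10.0.16.0 and 10.255.240.0), and `check_subnet_range 10.0.0.0/8 20 10.10.0.0 10.99.0.0` confirms that the example's explicit bounds are inside the network and aligned to /20.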
## Key command line options
```bash
--public-ip="": IP accessible by other nodes for inter-host communication. Defaults to the IP of the interface being used for communication.
--etcd-endpoints=http://127.0.0.1:4001: a comma-delimited list of etcd endpoints.
--etcd-prefix=/coreos.com/network: etcd prefix.
--etcd-keyfile="": SSL key file used to secure etcd communication.
--etcd-certfile="": SSL certification file used to secure etcd communication.
--etcd-cafile="": SSL Certificate Authority file used to secure etcd communication.
--kube-subnet-mgr: Contact the Kubernetes API for subnet assignment instead of etcd.
--iface="": interface to use (IP or name) for inter-host communication. Defaults to the interface for the default route on the machine. This can be specified multiple times to check each option in order. Returns the first match found.
--iface-regex="": regex expression to match the first interface to use (IP or name) for inter-host communication. If unspecified, will default to the interface for the default route on the machine. This can be specified multiple times to check each regex in order. Returns the first match found. This option is superseded by the iface option and will only be used if nothing matches any option specified in the iface options.
--iface-can-reach="": detect the interface to use for inter-host communication as the one the kernel would use to reach the given IP, i.e. the interface reported by "ip route get <ip-address>" (example: --iface-can-reach=192.168.1.1 selects the interface through which 192.168.1.1 is reachable)
--iptables-forward-rules: Adds default ACCEPT rules to the iptables FORWARD chain to allow network traffic forwarding (default: true).
--iptables-resync=5: resync period for iptables rules, in seconds. Defaults to 5 seconds, if you see a large amount of contention for the iptables lock increasing this will probably help.
--subnet-file=/run/flannel/subnet.env: filename where env variables (subnet and MTU values) will be written to.
--net-config-path=/etc/kube-flannel/net-conf.json: path to the network configuration file to use
--subnet-lease-renew-margin=60: subnet lease renewal margin, in minutes.
--ip-masq=false: setup IP masquerade for traffic destined for outside the flannel network. Flannel assumes that the default policy is ACCEPT in the NAT POSTROUTING chain.
-v=0: log level for V logs. Set to 1 to see messages related to data path.
--healthz-ip="0.0.0.0": The IP address for healthz server to listen (default "0.0.0.0")
--healthz-port=0: The port for healthz server to listen(0 to disable)
--version: print version and exit
```
MTU is calculated and set automatically by flannel. It then reports that value in `subnet.env`. This value can be overridden with the `MTU` option of the [backend](backends.md) config.
## Environment variables
The command line options outlined above can also be specified via environment variables.
For example `--etcd-endpoints=http://10.0.0.2:2379` is equivalent to `FLANNELD_ETCD_ENDPOINTS=http://10.0.0.2:2379` environment variable.
Any command line option can be turned into an environment variable by prefixing it with `FLANNELD_`, stripping leading dashes, converting to uppercase and replacing all other dashes to underscores.
`EVENT_QUEUE_DEPTH` is an additional environment variable that sizes the node event queue for the scale of the Kubernetes cluster. Set `EVENT_QUEUE_DEPTH` to a value that matches the number of nodes in your cluster. If not set, the default value is 5000.
`CONT_WHEN_CACHE_NOT_READY` is an environment variable that indicates whether flanneld should continue even when the node informer cache is not fully synced yet. This can happen in large clusters (clusters with more nodes than `EVENT_QUEUE_DEPTH`). Set `CONT_WHEN_CACHE_NOT_READY` to "true" so that flanneld does not fail at startup in such clusters.
## Health Check
Flannel provides an HTTP health check endpoint, `healthz`. Currently this endpoint returns HTTP status 200 whenever the flannel process is running, without checking the state of the backend. The feature is disabled by default;
setting `healthz-port` to a non-zero value enables the healthz server. Because flannel runs in the host network namespace, the server listens on every host interface unless `--healthz-ip` is set to a specific address.
## Dual-stack
Flannel supports dual-stack mode, in which pods and services can use IPv4 and IPv6 at the same time. Currently, dual-stack is only supported for the vxlan, wireguard and host-gw (Linux) backends.
Requirements:
* v1.0.1 of flannel binary from [containernetworking/plugins](https://github.com/containernetworking/plugins)
* Nodes must have an ipv4 and ipv6 address in the main interface
* Nodes must have an ipv4 and ipv6 address default route
* VXLAN over IPv6 requires kernel version >= 3.12
* When public IPv6 addresses are used, routing of the "IPv6Network" towards the cluster must be configured externally from flannel (see [#2289](https://github.com/flannel-io/flannel/issues/2289) for details)
Configuration:
* Set `"EnableIPv6": true` and the `"IPv6Network"`, for example `"IPv6Network": "2001:cafe:42:0::/56"`, in the net-conf.json of the kube-flannel-cfg ConfigMap or in `/coreos.com/network/config` for etcd
If everything works as expected, flanneld should generate a `/run/flannel/subnet.env` file with IPV6 subnet and network. For example:
```bash
FLANNEL_NETWORK=10.42.0.0/16
FLANNEL_SUBNET=10.42.0.1/24
FLANNEL_IPV6_NETWORK=2001:cafe:42::/56
FLANNEL_IPV6_SUBNET=2001:cafe:42::1/64
FLANNEL_MTU=1450
FLANNEL_IPMASQ=true
```
## IPv6 only
To use an IPv6-only environment, apply the same configuration as in the Dual-stack section to enable IPv6 and add `"EnableIPv4": false` in the net-conf.json of the kube-flannel-cfg ConfigMap. In an IPv6-only setup, use the docker.io IPv6-only registry endpoint as described in the following link: https://www.docker.com/blog/beta-ipv6-support-on-docker-hub-registry/
## nftables mode
To enable `nftables` mode in flannel, set `EnableNFTables` to true in flannel configuration.
Note: to test with kube-proxy, use kubeadm with the following configuration:
```yaml
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
kubernetesVersion: v1.29.0
controllerManager:
extraArgs:
feature-gates: NFTablesProxyMode=true
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
mode: "nftables"
featureGates:
NFTablesProxyMode: true
```
================================================
FILE: Documentation/extension.md
================================================
# Extension
The `extension` backend provides an easy way for prototyping new backend types for flannel.
It is _not_ recommended for production use, for example it doesn't have a built in retry mechanism.
This backend has the following configuration
* `Type` (string): `extension`
* `PreStartupCommand` (string): Command to run before allocating a network to this host
* The stdout of the process is captured and passed to the stdin of the SubnetAdd/Remove commands.
* `PostStartupCommand` (string): Command to run after allocating a network to this host
* The following environment variable is set
* SUBNET - The subnet of the remote host that was added.
* `SubnetAddCommand` (string): Command to run when a subnet is added
* stdin - The output from `PreStartupCommand` is passed in.
* The following environment variables are set
* SUBNET - The ipv4 subnet of the remote host that was added.
* IPV6SUBNET - The ipv6 subnet of the remote host that was added.
* PUBLIC_IP - The public IP of the remote host.
* PUBLIC_IPV6 - The public IPv6 of the remote host.
* `SubnetRemoveCommand`(string): Command to run when a subnet is removed
* stdin - The output from `PreStartupCommand` is passed in.
* The following environment variables are set
* SUBNET - The ipv4 subnet of the remote host that was removed.
* IPV6SUBNET - The ipv6 subnet of the remote host that was removed.
* PUBLIC_IP - The public IP of the remote host.
* PUBLIC_IPV6 - The public IPv6 of the remote host.
All commands are run through the `sh` shell and are run with the same permissions as the flannel daemon.
## Simple example (host-gw)
To replicate the functionality of the host-gw plugin, there's no need for a startup command.
The backend just needs to manage the route to subnets when they are added or removed.
An example
```json
{
"Network": "10.0.0.0/16",
"Backend": {
"Type": "extension",
"SubnetAddCommand": "ip route add $SUBNET via $PUBLIC_IP",
"SubnetRemoveCommand": "ip route del $SUBNET via $PUBLIC_IP"
}
}
```
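The host-gw example above expands `$SUBNET` and `$PUBLIC_IP`, values that describe a remote host, directly into an `ip route` command that `sh` runs with the daemon's privileges. As an added example (not part of flannel), the script below wraps the same two commands in a function that accepts only a well-formed IPv4 CIDR and IPv4 gateway before invoking `ip`, and uses `ip route replace` so that repeated add events for the same subnet are idempotent. The script path `/opt/flannel-ext/route.sh`, the `DRY_RUN` switch and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of flannel: a host-gw style route manager for the
# extension backend that validates SUBNET and PUBLIC_IP before they reach ip(8).
# Assumed wiring in net-conf.json (path is hypothetical):
#   "SubnetAddCommand":    "/opt/flannel-ext/route.sh add",
#   "SubnetRemoveCommand": "/opt/flannel-ext/route.sh del"

# Accept only a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$'
}

# Accept only <ipv4>/<0-32>.
is_cidr4() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    addr=${1%/*}
    plen=${1#*/}
    is_ipv4 "$addr" || return 1
    printf '%s\n' "$plen" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'
}

# route_cmd <add|del> <subnet> <gateway>: print the ip(8) command to run,
# or fail with status 2 when either value is not a plain address.
route_cmd() {
    action=$1; subnet=$2; gw=$3
    is_cidr4 "$subnet" || { echo "rejecting SUBNET=$subnet" >&2; return 2; }
    is_ipv4 "$gw"      || { echo "rejecting PUBLIC_IP=$gw" >&2; return 2; }
    case "$action" in
        add) echo "ip route replace $subnet via $gw" ;;   # replace is idempotent on resync
        del) echo "ip route del $subnet via $gw" ;;
        *)   echo "unknown action $action" >&2; return 2 ;;
    esac
}

# main <add|del>: build the command from the environment flannel exports and
# run it; with DRY_RUN=1 (this example's own switch) only print it.
main() {
    cmd=$(route_cmd "$1" "${SUBNET:-}" "${PUBLIC_IP:-}") || exit $?
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# Dispatch only when invoked with an action, so sourcing the file has no side effects.
case "${1:-}" in add|del) main "$1" ;; esac
```

Because `route_cmd` refuses anything that is not a bare address, a value such as `10.244.3.0/24;reboot` is logged and dropped instead of being handed to `sh` for expansion; the daemon's subnet event simply has no effect on the routing table.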
## Complex example (vxlan)
VXLAN is more complex. It needs to store the MAC address of the vxlan device when it's created and to make it available to the flannel daemon running on other hosts.
The address of the vxlan device also needs to be set _after_ the subnet has been allocated.
An example
```json
{
"Network": "10.50.0.0/16",
"Backend": {
"Type": "extension",
"PreStartupCommand": "export VNI=1; export IF_NAME=flannel-vxlan; ip link del $IF_NAME 2>/dev/null; ip link add $IF_NAME type vxlan id $VNI dstport 8472 && cat /sys/class/net/$IF_NAME/address",
"PostStartupCommand": "export IF_NAME=flannel-vxlan; export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; ip addr add $SUBNET_IP/32 dev $IF_NAME && ip link set $IF_NAME up",
"SubnetAddCommand": "export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; export IF_NAME=flannel-vxlan; read VTEP; ip route add $SUBNET nexthop via $SUBNET_IP dev $IF_NAME onlink && ip neigh replace $SUBNET_IP dev $IF_NAME lladdr $VTEP && bridge fdb add $VTEP dev $IF_NAME self dst $PUBLIC_IP"
}
}
```
================================================
FILE: Documentation/integrations.md
================================================
# Integrations
This document tracks projects that integrate with flannel. [Join the community](https://github.com/flannel-io/flannel/) and help us keep the list current.
## Projects
[kube-network-policies](https://github.com/kubernetes-sigs/kube-network-policies): Network policies controller that can be deployed alongside Flannel.
[Canal](https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel): Kubernetes CNI plugin that uses Calico for network policies and intra-node communications and Flannel for inter-node communications.
[K3s](https://k3s.io/): Kubernetes distribution with flannel embedded as CNI.
[RKE2](https://docs.rke2.io/): Kubernetes distribution packed with Canal as default CNI and can be configured with Flannel with support for windows.
================================================
FILE: Documentation/kube-flannel.yml
================================================
---
kind: Namespace
apiVersion: v1
metadata:
name: kube-flannel
labels:
k8s-app: flannel
pod-security.kubernetes.io/enforce: privileged
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: flannel
name: flannel
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes/status
verbs:
- patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
k8s-app: flannel
name: flannel
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: flannel
subjects:
- kind: ServiceAccount
name: flannel
namespace: kube-flannel
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
k8s-app: flannel
name: flannel
namespace: kube-flannel
---
kind: ConfigMap
apiVersion: v1
metadata:
name: kube-flannel-cfg
namespace: kube-flannel
labels:
tier: node
k8s-app: flannel
app: flannel
data:
cni-conf.json: |
{
"name": "cbr0",
"cniVersion": "0.3.1",
"plugins": [
{
"type": "flannel",
"delegate": {
"hairpinMode": true,
"isDefaultGateway": true
}
},
{
"type": "portmap",
"capabilities": {
"portMappings": true
}
}
]
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"EnableNFTables": false,
"Backend": {
"Type": "vxlan"
}
}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kube-flannel-ds
namespace: kube-flannel
labels:
tier: node
app: flannel
k8s-app: flannel
spec:
selector:
matchLabels:
app: flannel
template:
metadata:
labels:
tier: node
app: flannel
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: In
values:
- linux
hostNetwork: true
priorityClassName: system-node-critical
tolerations:
- operator: Exists
effect: NoSchedule
serviceAccountName: flannel
initContainers:
- name: install-cni-plugin
image: ghcr.io/flannel-io/flannel-cni-plugin:v1.9.0-flannel1
command:
- cp
args:
- -f
- /flannel
- /opt/cni/bin/flannel
volumeMounts:
- name: cni-plugin
mountPath: /opt/cni/bin
- name: install-cni
image: ghcr.io/flannel-io/flannel:v0.28.1
command:
- cp
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
volumeMounts:
- name: cni
mountPath: /etc/cni/net.d
- name: flannel-cfg
mountPath: /etc/kube-flannel/
containers:
- name: kube-flannel
image: ghcr.io/flannel-io/flannel:v0.28.1
command:
- /opt/bin/flanneld
args:
- --ip-masq
- --kube-subnet-mgr
resources:
requests:
cpu: "100m"
memory: "50Mi"
securityContext:
privileged: false
capabilities:
add: ["NET_ADMIN", "NET_RAW"]
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: EVENT_QUEUE_DEPTH
value: "5000"
- name: CONT_WHEN_CACHE_NOT_READY
value: "false"
volumeMounts:
- name: run
mountPath: /run/flannel
- name: flannel-cfg
mountPath: /etc/kube-flannel/
- name: xtables-lock
mountPath: /run/xtables.lock
volumes:
- name: run
hostPath:
path: /run/flannel
- name: cni-plugin
hostPath:
path: /opt/cni/bin
- name: cni
hostPath:
path: /etc/cni/net.d
- name: flannel-cfg
configMap:
name: kube-flannel-cfg
- name: xtables-lock
hostPath:
path: /run/xtables.lock
type: FileOrCreate
================================================
FILE: Documentation/kubernetes.md
================================================
# kubeadm
For information on deploying flannel manually, using the Kubernetes installer toolkit kubeadm, see [Installing Kubernetes on Linux with kubeadm][kubeadm].
NOTE: If `kubeadm` is used, then pass `--pod-network-cidr=10.244.0.0/16` to `kubeadm init` to ensure that the `podCIDR` is set.
# kube-flannel.yaml
The `flannel` manifest defines five things:
1. A `kube-flannel` with PodSecurity level set to *privileged*.
2. A ClusterRole and ClusterRoleBinding for Role Based Access Control (RBAC).
3. A service account for `flannel` to use.
4. A ConfigMap containing both a CNI configuration and a `flannel` configuration. The `network` in the `flannel` configuration should match the pod network CIDR. The choice of `backend` is also made here and defaults to VXLAN.
5. A DaemonSet for every architecture to deploy the `flannel` pod on each Node. The pod has two containers: 1) the `flannel` daemon itself, and 2) an initContainer that copies the CNI configuration to a location the `kubelet` can read.
When you run pods, they will be allocated IP addresses from the pod network CIDR. No matter which node those pods end up on, they will be able to communicate with each other.
# Notes on securing flannel deployment
As of Kubernetes v1.21, the [PodSecurityPolicy API was deprecated](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/) and it will be removed in v1.25. Thus, the `flannel` manifest does not use PodSecurityPolicy anymore.
If you wish to use the [Pod Security Admission Controller](https://kubernetes.io/docs/concepts/security/pod-security-admission/) which was introduced to [replace PodSecurityPolicy](https://kubernetes.io/docs/tasks/configure-pod-container/migrate-from-psp/), you will need to deploy `flannel` in a namespace which allows the deployment of pods with `privileged` level. The `baseline` level is insufficient to deploy `flannel` and you will see the following error message:
```
Error creating: non-default capabilities (container "kube-flannel" must not include "NET_ADMIN", "NET_RAW" in securityContext.capabilities.add), host namespaces (hostNetwork=true), hostPath volumes (volumes "run", "cni-plugin", "cni", "xtables-lock")
```
The `kube-flannel.yaml` manifest deploys `flannel` in the `kube-flannel` namespace and enables the `privileged` level for this namespace.
Thus, you will need to restrict access to this namespace if you wish to secure your cluster.
If you want to deploy `flannel` securely in a shared namespace or want more fine-grained control over the pods deployed in your cluster, you can use a 3rd-party admission controller like [Kubewarden](https://kubewarden.io). Kubewarden provides policies that can replace features of PodSecurityPolicy like [capabilities-psp-policy](https://github.com/kubewarden/capabilities-psp-policy) and [hostpaths-psp-policy](https://github.com/kubewarden/hostpaths-psp-policy).
Other options include [Kyverno](https://kyverno.io/policies/pod-security/) and [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper).
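To make the admission error above concrete, here is an added Python check (not part of the flannel project) that applies the three baseline rules the message names (non-default capabilities, host namespaces, hostPath volumes, plus the privileged flag) to a pod spec and emulates the namespace `pod-security.kubernetes.io/enforce` label. `FLANNEL_POD_SPEC` is a constructed dict that mirrors only the fields of the `kube-flannel` DaemonSet template that matter here, and `BASELINE_ALLOWED_CAPS` is the capability set of the Pod Security Standards baseline profile; other baseline rules (host ports, sysctls, seccomp and so on) are not modelled.

```python
# Constructed pod template: the fields from the kube-flannel DaemonSet in
# kube-flannel.yml that the baseline profile objects to (not the whole spec).
FLANNEL_POD_SPEC = {
    "hostNetwork": True,
    "containers": [{
        "name": "kube-flannel",
        "securityContext": {
            "privileged": False,
            "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]},
        },
    }],
    "volumes": [
        {"name": "run", "hostPath": {"path": "/run/flannel"}},
        {"name": "cni-plugin", "hostPath": {"path": "/opt/cni/bin"}},
        {"name": "cni", "hostPath": {"path": "/etc/cni/net.d"}},
        {"name": "flannel-cfg", "configMap": {"name": "kube-flannel-cfg"}},
        {"name": "xtables-lock", "hostPath": {"path": "/run/xtables.lock"}},
    ],
}

# Capabilities the Pod Security Standards baseline profile allows in
# securityContext.capabilities.add; NET_ADMIN and NET_RAW are not among them.
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}


def baseline_violations(pod_spec):
    """Apply the baseline rules named in the admission error: non-default
    capabilities, host namespaces and hostPath volumes (plus privileged
    containers). Other baseline rules are deliberately not modelled."""
    violations = []
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            violations.append('privileged (container "%s" must not set securityContext.privileged=true)'
                              % c["name"])
        extra = [cap for cap in (sc.get("capabilities") or {}).get("add", [])
                 if cap not in BASELINE_ALLOWED_CAPS]
        if extra:
            violations.append('non-default capabilities (container "%s" must not include %s '
                              'in securityContext.capabilities.add)'
                              % (c["name"], ", ".join('"%s"' % cap for cap in extra)))
    host_ns = [k for k in ("hostNetwork", "hostPID", "hostIPC") if pod_spec.get(k)]
    if host_ns:
        violations.append("host namespaces (%s)" % ", ".join("%s=true" % k for k in host_ns))
    host_paths = [v["name"] for v in pod_spec.get("volumes", []) if "hostPath" in v]
    if host_paths:
        violations.append("hostPath volumes (volumes %s)" % ", ".join('"%s"' % n for n in host_paths))
    return violations


def admission_decision(namespace_labels, pod_spec):
    """Emulate the enforce label: a missing label or 'privileged' admits
    anything; 'baseline' (and the stricter 'restricted') rejects on any
    violation found by baseline_violations()."""
    level = namespace_labels.get("pod-security.kubernetes.io/enforce", "privileged")
    if level == "privileged":
        return True, []
    found = baseline_violations(pod_spec)
    return (not found), found


if __name__ == "__main__":
    labels = {"pod-security.kubernetes.io/enforce": "baseline"}
    ok, why = admission_decision(labels, FLANNEL_POD_SPEC)
    print("admitted" if ok else "rejected: " + ", ".join(why))
```

Running it with the `baseline` label reproduces the three clauses of the error message quoted above; with `privileged` (the label the manifest puts on the `kube-flannel` namespace) the same spec is admitted, which is why access to that namespace is what needs restricting.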
# Annotations
Additional annotations can be configured on a specific node; they are used as parameters when Flannel starts on that node:
* `flannel.alpha.coreos.com/node-public-ip`, `flannel.alpha.coreos.com/node-public-ipv6`: Define the IP used by the node. If the node has multiple interfaces, the interface with the configured IP is selected for the backend tunnel. When set, the value is used as the `public-ip` and `public-ipv6` flag when Flannel starts.
* `flannel.alpha.coreos.com/public-ip-overwrite`, `flannel.alpha.coreos.com/public-ipv6-overwrite`: Allow overwriting the public IP of a node with an IP that need not be configured on the node. Useful if the public IP cannot be determined from the node, e.g. because it is behind a NAT and the other nodes need to use it to create the tunnel. It can be set automatically to a node's `ExternalIP` using the [flannel-node-annotator](https://github.com/alvaroaleman/flannel-node-annotator).
See also the "NAT" section in [troubleshooting](./troubleshooting.md) if UDP checksums seem corrupted.
## Older versions of Kubernetes
`kube-flannel.yaml` has some features that aren't compatible with older versions of Kubernetes, though flanneld itself should work with any version of Kubernetes.
### For Kubernetes v1.6~v1.15
If you see errors saying `found invalid field...` when you try to apply `kube-flannel.yaml`, then you can try the "legacy" manifest file:
* `kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-old-manifests/kube-flannel-legacy.yml`
This file does not bundle RBAC permissions. If you need those, run
* `kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-old-manifests/kube-flannel-rbac.yml`
If you didn't apply the `kube-flannel-rbac.yml` manifest and you need to, you'll see errors in your flanneld logs about failing to connect.
* `Failed to create SubnetManager: error retrieving pod spec...`
### For Kubernetes v1.16
`kube-flannel.yaml` uses `ClusterRole` & `ClusterRoleBinding` of `rbac.authorization.k8s.io/v1`. When you use Kubernetes v1.16, you should replace `rbac.authorization.k8s.io/v1` with `rbac.authorization.k8s.io/v1beta1`, because `rbac.authorization.k8s.io/v1` became GA from Kubernetes v1.17.
### For Kubernetes <= v1.24
As of Kubernetes v1.21, the [PodSecurityPolicy API was deprecated](https://kubernetes.io/blog/2021/04/06/podsecuritypolicy-deprecation-past-present-and-future/) and it will be removed in v1.25. Thus, the `flannel` manifest does not use PodSecurityPolicy anymore.
If you still wish to use it, you can use `kube-flannel-psp.yaml` instead of `kube-flannel.yaml`. Please note that if you use a Kubernetes version >= 1.21, you will see a deprecation warning for the PodSecurityPolicy API.
# Troubleshooting
See [troubleshooting](troubleshooting.md)
[kubeadm]: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/
================================================
FILE: Documentation/kustomization/kube-flannel/kube-flannel.yml
================================================
---
kind: Namespace
apiVersion: v1
metadata:
  name: kube-flannel
  labels:
    pod-security.kubernetes.io/enforce: privileged
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: kube-flannel
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: kube-flannel
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: kube-flannel
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "EnableNFTables": false,
      "Backend": {
        "Type": "vxlan"
      }
    }
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: kube-flannel
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      tolerations:
      - operator: Exists
        effect: NoSchedule
      serviceAccountName: flannel
      initContainers:
      - name: install-cni-plugin
        image: ghcr.io/flannel-io/flannel-cni-plugin:v1.9.0-flannel1
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin
      - name: install-cni
        image: ghcr.io/flannel-io/flannel:v0.28.1
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      containers:
      - name: kube-flannel
        image: ghcr.io/flannel-io/flannel:v0.28.1
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: EVENT_QUEUE_DEPTH
          value: "5000"
        - name: CONT_WHEN_CACHE_NOT_READY
          value: "false"
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
        - name: xtables-lock
          mountPath: /run/xtables.lock
      volumes:
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni-plugin
        hostPath:
          path: /opt/cni/bin
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
================================================
FILE: Documentation/kustomization/kube-flannel/kustomization.yaml
================================================
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
  k8s-app: flannel
resources:
- kube-flannel.yml
images:
- name: ghcr.io/flannel-io/flannel
  newTag: v0.28.1
================================================
FILE: Documentation/minikube.yml
================================================
# This manifest is intended for dev work, so there are some differences from the "normal" manifest
# - no namespace (make kubectl simpler)
# - special image name (flannel-minikube)
# - never pull the image
# - host-gw backend (since vxlan doesn't work in minikube)
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "type": "flannel",
      "delegate": {
        "hairpinMode": true,
        "isDefaultGateway": true
      }
    }
  net-conf.json: |
    {
      "Network": "10.33.0.0/16",
      "Backend": {
        "Type": "host-gw"
      }
    }
---
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  labels:
    tier: node
    app: flannel
spec:
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      hostNetwork: true
      serviceAccountName: flannel
      containers:
      - name: kube-flannel
        image: flannel/minikube
        imagePullPolicy: Never
        command:
        - /opt/bin/flanneld
        args:
        - --ip-masq
        - --kube-subnet-mgr
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: true
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        volumeMounts:
        - name: run
          mountPath: /run
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      - name: install-cni
        image: flannel/minikube
        imagePullPolicy: Never
        command: [ "/bin/sh", "-c", "set -e -x; cat /etc/kube-flannel/cni-conf.json; cp -f /etc/kube-flannel/cni-conf.json /etc/cni/net.d/10-flannel.conf; while true; do sleep 3600; done" ]
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      volumes:
      - name: run
        hostPath:
          path: /run
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
================================================
FILE: Documentation/netpol.md
================================================
# Network policy controller
From v0.25.5 it is possible to deploy Flannel with https://github.com/kubernetes-sigs/kube-network-policies controller to provide a network policy controller within the Flannel CNI.
When deployed with the Helm chart it is enough to enable the `netpol.enabled` value.
```bash
helm install flannel --set netpol.enabled=true --namespace kube-flannel flannel/flannel
```
The Flannel pod should then start with an additional container, and it becomes possible to configure network policies.
Use the kube-network-policies documentation to find additional info.
================================================
FILE: Documentation/reporting_bugs.md
================================================
# Reporting bugs
If any part of the flannel project has bugs or documentation mistakes, please let us know by [opening an issue][flannel-issue]. Before creating a bug report, please check that an issue reporting the same problem does not already exist.
To make the bug report accurate and easy to understand, please try to create bug reports that are:
- Specific. Include as many details as possible: which version, what environment, what configuration, etc.
- Reproducible. Include the steps to reproduce the problem. We understand some issues might be hard to reproduce; please include the steps that might lead to the problem.
- Isolated. Please try to isolate and reproduce the bug with minimum dependencies. It would significantly slow down the speed to fix a bug if too many dependencies are involved in a bug report. Debugging external systems that rely on flannel is out of scope, but we are happy to provide guidance in the right direction or help with using flannel itself.
- Unique. Do not duplicate an existing bug report.
- Scoped. One bug per report. Do not follow up with another bug inside one report.
It may be worthwhile to read [Elika Etemad’s article on filing good bug reports][filing-good-bugs] before creating a bug report.
We might ask for further information to locate a bug. A duplicated bug report will be closed.
## Frequently asked questions
### How to get a stack trace
``` bash
$ kill -QUIT $PID
```
### How to get flannel version
``` bash
$ flannel --version
```
[flannel-issue]: https://github.com/flannel-io/flannel/issues/new
[filing-good-bugs]: http://fantasai.inkedblade.net/style/talks/filing-good-bugs/
================================================
FILE: Documentation/reservations.md
================================================
# Leases and Reservations
## Leases
When flannel starts up, it ensures that the host has a subnet lease. If there is
an existing lease then it's used, otherwise one is assigned.
Leases can be viewed by checking the contents of etcd. e.g.
```
$ export ETCDCTL_API=3
$ etcdctl get /coreos.com/network/subnets --prefix --keys-only
/coreos.com/network/subnets/10.5.52.0-24
$ etcdctl get /coreos.com/network/subnets/10.5.52.0-24
/coreos.com/network/subnets/10.5.52.0-24
{"PublicIP":"192.168.64.3","PublicIPv6":null,"BackendType":"vxlan","BackendData":{"VNI":1,"VtepMAC":"c6:d2:32:6f:8f:44"}}
$ etcdctl lease list
found 1 leases
694d854330fc5110
$ etcdctl lease timetolive --keys 694d854330fc5110
lease 694d854330fc5110 granted with TTL(86400s), remaining(74737s), attached keys([/coreos.com/network/subnets/10.5.52.0-24])
```
This shows that there is a single lease (`10.5.52.0/24`) which will expire in 74737 seconds. flannel will attempt to renew the lease before it expires, but if flannel is not running for an extended period then the lease will be lost.
The `"PublicIP"` value is how flannel knows to reuse this lease when restarted.
This means that if the public IP changes, then the flannel subnet will change too.
In case a host is unable to renew its lease before the lease expires (e.g. a host takes a long time to restart and the timing lines up with when the lease would normally be renewed), flannel will then attempt to renew the last lease that it has saved in its subnet config file (which, unless specified, is located at `/var/run/flannel/subnet.env`).
```bash
cat /var/run/flannel/subnet.env
FLANNEL_NETWORK=10.5.0.0/16
FLANNEL_SUBNET=10.5.52.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
```
In this case, if flannel fails to retrieve an existing lease from etcd, it will attempt to renew the lease specified in `FLANNEL_SUBNET` (`10.5.52.1/24`). It will only renew this lease if the subnet specified is valid for the current etcd network configuration; otherwise it will allocate a new lease.
## Reservations
flannel also supports reservations for the subnet assigned to a host. Reservations
allow a fixed subnet to be used for a given host.
The only difference between a lease and reservation is the etcd TTL value. Simply
removing the TTL from a lease will convert it to a reservation. e.g.
```
# update the value without any lease option (--lease).
$ export ETCDCTL_API=3
$ etcdctl put /coreos.com/network/subnets/10.5.1.0-24 $(etcdctl get /coreos.com/network/subnets/10.5.1.0-24)
```
================================================
FILE: Documentation/running.md
================================================
# Running flannel
Once you have pushed configuration JSON to `etcd`, you can start `flanneld`. If you published your config at the default location, you can start `flanneld` with no arguments.
Flannel will acquire a subnet lease, configure its routes based on other leases in the overlay network and start routing packets.
It will also monitor `etcd` for new members of the network and adjust the routes accordingly.
After flannel has acquired the subnet and configured the backend, it will write out an environment variable file (`/run/flannel/subnet.env` by default) with the subnet address and the MTU that it supports.
For more information on checking the IP range for a specific host, see [Leases and Reservations](https://github.com/flannel-io/flannel/blob/master/Documentation/reservations.md).
## Multiple networks
Flanneld does not support running multiple networks from a single daemon (it did previously as an experimental feature).
However, it does support running multiple daemons on the same host with different configurations. The `-subnet-file` and `-etcd-prefix` options should be used to "namespace" the different daemons.
For example
```
flanneld -subnet-file /vxlan.env -etcd-prefix=/vxlan/network
```
## Running manually
1. Download a `flannel` binary.
```bash
wget https://github.com/flannel-io/flannel/releases/latest/download/flanneld-amd64 && chmod +x flanneld-amd64
```
2. Run the binary.
```bash
sudo ./flanneld-amd64 # it will hang waiting to talk to etcd
```
3. Run `etcd`. Follow the instructions on the [etcd page](https://etcd.io/docs/v3.5/quickstart/), or, if you have docker just do
```bash
docker run --rm --net=host quay.io/coreos/etcd
```
4. Observe that `flannel` can now talk to `etcd`, but can't find any config. So write some config. Either get `etcdctl` from the [etcd page](https://etcd.io/docs/v3.5/quickstart/), or use `docker` again.
```bash
docker run --rm -e ETCDCTL_API=3 --net=host quay.io/coreos/etcd etcdctl put /coreos.com/network/config '{ "Network": "10.5.0.0/16", "Backend": {"Type": "vxlan"}}'
```
Now that `flannel` is running, it has created a VXLAN tunnel device on the host and written a subnet config file:
```bash
cat /run/flannel/subnet.env
FLANNEL_NETWORK=10.5.0.0/16
FLANNEL_SUBNET=10.5.72.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
```
Each time flannel is restarted, it will attempt to access the `FLANNEL_SUBNET` value written in this subnet config file. This prevents each host from needing to update its network information in case a host is unable to renew its lease before it expires (e.g. a host was restarting during the time flannel would normally renew its lease).
The `FLANNEL_SUBNET` value is also only used if it is valid for the etcd network config. For instance, a `FLANNEL_SUBNET` value of `10.5.72.1/24` will not be used if the etcd network value is set to `10.6.0.0/16` since it is not within that network range.
Subnet config value is `10.5.72.1/24`
```bash
cat /run/flannel/subnet.env
FLANNEL_NETWORK=10.5.0.0/16
FLANNEL_SUBNET=10.5.72.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
```
etcd network value is `10.6.0.0/16`. Since `10.5.72.1/24` is outside of this network, a new lease will be allocated.
```bash
export ETCDCTL_API=3
etcdctl get /coreos.com/network/config
{ "Network": "10.6.0.0/16", "Backend": {"Type": "vxlan"}}
```
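The lease re-use rule just described (and the same rule in the Leases section of `reservations.md`) can be written down as a small decision procedure. The following Python is an added example, not flannel's own code: it parses the `subnet.env` file without shell-sourcing it, compares the saved `FLANNEL_SUBNET` with the `Network` in the etcd config, and renders the lease key in the `/coreos.com/network/subnets/<addr>-<prefixlen>` form shown in `reservations.md`. The `subnet.env` and etcd config texts are constructed from the values on this page; only the containment check the page describes is modelled, not flannel's other lease validation.

```python
import ipaddress
import json
import re

# Constructed inputs mirroring the examples on this page.
SUBNET_ENV = """FLANNEL_NETWORK=10.5.0.0/16
FLANNEL_SUBNET=10.5.72.1/24
FLANNEL_MTU=1450
FLANNEL_IPMASQ=false
"""
ETCD_CONFIG_SAME = '{ "Network": "10.5.0.0/16", "Backend": {"Type": "vxlan"}}'
ETCD_CONFIG_MOVED = '{ "Network": "10.6.0.0/16", "Backend": {"Type": "vxlan"}}'

SUBNETS_PREFIX = "/coreos.com/network/subnets"


def parse_subnet_env(text):
    """Parse the KEY=VALUE lines flannel writes to subnet.env. Parsing instead
    of `source`-ing means nothing in the file is ever executed."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key] = value
    return env


def saved_subnet(env):
    """FLANNEL_SUBNET holds the gateway address with its prefix (10.5.72.1/24);
    the lease itself is the network (10.5.72.0/24), hence strict=False."""
    return ipaddress.ip_network(env["FLANNEL_SUBNET"], strict=False)


def subnet_is_valid_for(subnet, etcd_config_json):
    """The page's rule: the saved subnet is only re-used if it lies inside the
    Network currently configured in etcd."""
    cfg = json.loads(etcd_config_json)
    network = ipaddress.ip_network(cfg["Network"])
    return subnet.version == network.version and subnet.subnet_of(network)


def etcd_lease_key(subnet, prefix=SUBNETS_PREFIX):
    """Lease key as listed by etcdctl: /coreos.com/network/subnets/10.5.72.0-24"""
    return "%s/%s-%d" % (prefix, subnet.network_address, subnet.prefixlen)


def parse_lease_key(key):
    """Inverse of etcd_lease_key(): recover the network from a subnet key."""
    m = re.search(r"/([0-9a-fA-F:.]+)-(\d+)$", key)
    if not m:
        raise ValueError("not a flannel subnet key: %r" % key)
    return ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)))


def decide_on_restart(subnet_env_text, etcd_config_json):
    """Return ("renew", <lease key>) when the saved lease can be renewed, or
    ("allocate", None) when flannel would have to take a new lease."""
    subnet = saved_subnet(parse_subnet_env(subnet_env_text))
    if subnet_is_valid_for(subnet, etcd_config_json):
        return "renew", etcd_lease_key(subnet)
    return "allocate", None


if __name__ == "__main__":
    print(decide_on_restart(SUBNET_ENV, ETCD_CONFIG_SAME))   # renew 10.5.72.0-24
    print(decide_on_restart(SUBNET_ENV, ETCD_CONFIG_MOVED))  # allocate a new lease
```

With the etcd `Network` left at `10.5.0.0/16` the saved `10.5.72.1/24` is renewed under the key `/coreos.com/network/subnets/10.5.72.0-24`; after the network is changed to `10.6.0.0/16` the same file leads to a fresh allocation, exactly the case walked through above.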
## Interface selection
Flannel uses the interface selected to register itself in the datastore.
The important options are:
* `-iface string`: Interface to use (IP or name) for inter-host communication.
* `-public-ip string`: IP accessible by other nodes for inter-host communication.
The combination of the defaults, the autodetection and these two flags ultimately result in the following being determined:
* An interface (used for MTU detection and selecting the VTEP MAC in VXLAN).
* An IP address for that interface.
* A public IP that can be used for reaching this node. In `host-gw` it should match the interface address.
## Making changes at runtime
Please be aware of the following flannel runtime limitations.
* The datastore type cannot be changed.
* The backend type cannot be changed. (It can be changed if you stop all workloads and restart all flannel daemons.)
* You can change the subnetlen/subnetmin/subnetmax with a daemon restart. (Subnets can be changed with caution. If pods are already using IP addresses outside the new range they will stop working.)
* The clusterwide network range cannot be changed (without downtime).
## Docker integration
The Docker daemon accepts the `--bip` argument to configure the subnet of the docker0 bridge.
It also accepts `--mtu` to set the MTU for docker0 and veth devices that it will be creating.
Because flannel writes out the acquired subnet and MTU values into a file, the script starting Docker can source in the values and pass them to Docker daemon:
```bash
source /run/flannel/subnet.env
docker daemon --bip=${FLANNEL_SUBNET} --mtu=${FLANNEL_MTU} &
```
Systemd users can use `EnvironmentFile` directive in the `.service` file to pull in `/run/flannel/subnet.env`
If you want to leave default docker0 network as it is and instead create a new network that will be using flannel you do so like this:
```bash
source /run/flannel/subnet.env
docker network create --attachable=true --subnet=${FLANNEL_SUBNET} -o "com.docker.network.driver.mtu"=${FLANNEL_MTU} flannel
```
## Running on Vagrant
Vagrant has a tendency to give the default interface (one with the default route) a non-unique IP (often 10.0.2.15).
This causes flannel to register multiple nodes with the same IP.
To work around this issue, use `--iface` option to specify the interface that has a unique IP.
## Zero-downtime restarts
When running with a backend other than `udp`, the kernel is providing the data path with `flanneld` acting as the control plane.
As such, `flanneld` can be restarted (even to do an upgrade) without disturbing existing flows.
However, in the case of the `vxlan` backend, this needs to be done within a few seconds, as ARP entries can start to time out, requiring the flannel daemon to refresh them.
Also, to avoid interruptions during restart, the configuration must not be changed (e.g. VNI, --iface values).
================================================
FILE: Documentation/tencentcloud-vpc-backend.md
================================================
# TencentCloud VPC Backend for Flannel
There are only two differences between the usage method and Alibaba Cloud:
1. Tencent Cloud needs to create a routing table, while Alibaba Cloud creates a switch
2. In network/config, backend-type is "tencent-vpc"
================================================
FILE: Documentation/troubleshooting.md
================================================
# Troubleshooting
# General
## Connectivity
In Docker v1.13 and later, the default iptables forwarding policy was changed to `DROP`. For more detail on the Docker change, see the Docker [documentation](https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#container-communication-between-hosts).
This problem manifests itself as connectivity problems between containers running on different hosts. To resolve it, upgrade to the latest version of flannel.
## Logging
Flannel uses the `klog` library but only supports logging to stderr. The severity level can't be changed, but the verbosity can be changed with the `-v` option. Flannel does not make extensive use of the verbosity level, but increasing the value from `0` (the default) will result in some additional logs. To get the most detailed logs, use `-v=10`.
```
-v value
log level for V logs
-vmodule value
comma-separated list of pattern=N settings for file-filtered logging
-log_backtrace_at value
when logging hits line file:N, emit a stack trace
```
When running under systemd (e.g. on CoreOS Container Linux) the logs can be viewed with `journalctl -u flanneld`
When flannel is running as a pod on Kubernetes, the logs can be viewed with `kubectl logs --namespace kube-flannel <POD_ID> -c kube-flannel`. You can find the pod IDs with `kubectl get pod --namespace kube-flannel -l app=flannel`
## Interface selection and the public IP
Most backends require that each node has a unique "public IP" address. This address is chosen when flannel starts. Because leases are tied to the public address, if the address changes, flannel must be restarted.
The interface chosen and the public IP in use are logged during startup, e.g.
```
I0629 14:28:35.866793 5522 main.go:386] Determining IP address of default interface
I0629 14:28:35.866987 5522 main.go:399] Using interface with name enp62s0u1u2 and address 172.24.17.174
I0629 14:28:35.867000 5522 main.go:412] Using 10.10.10.10 as external address
```
### Vagrant
Vagrant typically assigns two interfaces to all VMs. The first, for which all hosts are assigned the IP address `10.0.2.15`, is for external traffic that gets NATed.
This may lead to problems with flannel. By default, flannel selects the first interface on a host. This leads to all hosts thinking they have the same public IP address. To prevent this issue, pass the `--iface=eth1` flag to flannel so that the second interface is chosen.
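The duplicate-public-IP condition described above can be spotted from the startup lines quoted in the previous section before it causes lease collisions. The following Python is an added example (not flannel's own tooling): it extracts the interface, interface address and external address from each node's startup log and reports any public IP that more than one node claims. The log texts are constructed to match the format shown above, with two of the three nodes exhibiting the Vagrant symptom (the NAT interface with `10.0.2.15`).

```python
import re
from collections import defaultdict

# Constructed startup logs for three nodes (same line format as the excerpt above).
# node-b and node-c both picked the Vagrant NAT interface, the problem case.
NODE_LOGS = {
    "node-a": """I0629 14:28:35.866793    5522 main.go:386] Determining IP address of default interface
I0629 14:28:35.866987    5522 main.go:399] Using interface with name enp62s0u1u2 and address 172.24.17.174
I0629 14:28:35.867000    5522 main.go:412] Using 10.10.10.10 as external address""",
    "node-b": """I0629 14:29:01.100001    2210 main.go:386] Determining IP address of default interface
I0629 14:29:01.100120    2210 main.go:399] Using interface with name eth0 and address 10.0.2.15
I0629 14:29:01.100130    2210 main.go:412] Using 10.0.2.15 as external address""",
    "node-c": """I0629 14:29:03.400001    2187 main.go:386] Determining IP address of default interface
I0629 14:29:03.400120    2187 main.go:399] Using interface with name eth0 and address 10.0.2.15
I0629 14:29:03.400130    2187 main.go:412] Using 10.0.2.15 as external address""",
}

IFACE_RE = re.compile(r"Using interface with name (\S+) and address (\S+)")
EXTERNAL_RE = re.compile(r"Using (\S+) as external address")


def parse_startup(log_text):
    """Pull the interface name, its address and the external (public) address
    out of one node's flanneld startup log. Later matches overwrite earlier
    ones, so a restart in the same log yields the most recent choice."""
    info = {}
    for line in log_text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            info["iface"], info["iface_addr"] = m.group(1), m.group(2)
        m = EXTERNAL_RE.search(line)
        if m:
            info["public_ip"] = m.group(1)
    return info


def find_shared_public_ips(node_logs):
    """Map each public IP claimed by more than one node to the sorted list of
    those nodes; an empty dict means every node has a unique public IP."""
    by_ip = defaultdict(list)
    for node, text in node_logs.items():
        ip = parse_startup(text).get("public_ip")
        if ip:
            by_ip[ip].append(node)
    return {ip: sorted(nodes) for ip, nodes in by_ip.items() if len(nodes) > 1}


if __name__ == "__main__":
    for ip, nodes in find_shared_public_ips(NODE_LOGS).items():
        print("public IP %s is claimed by %s; pass --iface to pick a unique interface"
              % (ip, ", ".join(nodes)))
```

In a Kubernetes deployment the per-node text would come from `kubectl logs --namespace kube-flannel <POD_ID> -c kube-flannel` for each flannel pod; under systemd, from `journalctl -u flanneld` on each host.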
## NAT
When the public IP is behind NAT, the UDP checksum fields of the VXLAN packets can be corrupted.
In that case, try running the following commands to avoid corrupted checksums:
```bash
/usr/sbin/ethtool -K flannel.1 tx-checksum-ip-generic off
```
To automate the command above via udev, create `/etc/udev/rules.d/90-flannel.rules` as follows:
```
SUBSYSTEM=="net", ACTION=="add|change|move", ENV{INTERFACE}=="flannel.1", RUN+="/usr/sbin/ethtool -K flannel.1 tx-checksum-ip-generic off"
```
<!--
ref:
- https://github.com/flannel-io/flannel/issues/1279
- https://github.com/kubernetes/kops/pull/9074
- https://github.com/karmab/kcli/commit/b1a8eff658d17cf4e28162f0fa2c8b2b10e5ad00
-->
## Permissions
Depending on the backend being used, flannel may need to run with super user permissions. Examples include creating VXLAN devices or programming routes. If you see errors similar to the following, confirm that the user running flannel has the right permissions (or try running with `sudo`).
* `Error adding route...`
* `Add L2 failed`
* `Failed to set up IP Masquerade`
* `Error registering network: operation not permitted`
## Performance
### Control plane
Flannel is known to scale to a very large number of hosts. A delay in contacting pods in a newly created host may indicate control plane problems. Flannel doesn't need much CPU or RAM but the first thing to check would be that it has adequate resources available. Flannel is also reliant on the performance of the datastore, either etcd or the Kubernetes API server. Check that they are performing well.
### Data plane
Flannel relies on the underlying network so that's the first thing to check if you're seeing poor data plane performance.
There are two flannel-specific choices that can have a big impact on performance:
1) The type of backend. For example, if encapsulation is used, `vxlan` will always perform better than `udp`. For maximum data plane performance, avoid encapsulation.
2) The size of the MTU can have a large impact. To achieve maximum raw bandwidth, a network supporting a large MTU should be used. Flannel writes an MTU setting to the `subnet.env` file. This file is read by either the Docker daemon or the CNI flannel plugin which does the networking for individual containers. To troubleshoot, first ensure that the network interface that flannel is using has the right MTU. Then check that the correct MTU is written to the `subnet.env`. Finally, check that the containers have the correct MTU on their virtual ethernet device.
## Firewalls
When using `udp` backend, flannel uses UDP port 8285 for sending encapsulated packets.
When using `vxlan` backend, kernel uses UDP port 8472 for sending encapsulated packets.
Make sure that your firewall rules allow this traffic for all hosts participating in the overlay network.
Make sure that your firewall rules allow traffic from the pod network CIDR to reach your Kubernetes master node.
# Kubernetes Specific
The flannel kube subnet manager relies on the fact that each node already has a `podCIDR` defined.
You can check the `podCIDR` for your nodes with one of the following two commands:
* `kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}'`
* `kubectl get nodes -o template --template={{.spec.podCIDR}}`
If your nodes do not have a podCIDR, then either use the `--pod-cidr` kubelet command-line option or the `--allocate-node-cidrs=true --cluster-cidr=<cidr>` controller-manager command-line options.
If `kubeadm` is being used then pass `--pod-network-cidr=10.244.0.0/16` to `kubeadm init` which will ensure that all nodes are automatically assigned a `podCIDR`.
It's possible (but not generally recommended) to manually set the `podCIDR` to a fixed value for each node. The node subnet ranges must not overlap.
* `kubectl patch node <NODE_NAME> -p '{"spec":{"podCIDR":"<SUBNET>"}}'`
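Because the kube subnet manager trusts whatever `podCIDR` each node carries, it is worth auditing the assignments rather than only checking that they exist: every node needs one, each must lie inside the cluster CIDR, and none may overlap. The following Python is an added example (not part of flannel) that runs those three checks over the node list; `NODES_JSON` is a constructed stand-in for `kubectl get nodes -o json`, reduced to the fields used, and deliberately contains one node of each failure kind.

```python
import ipaddress
import json

# Constructed `kubectl get nodes -o json` output, reduced to the fields used.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "cp-1"},     "spec": {"podCIDR": "10.244.0.0/24"}},
    {"metadata": {"name": "worker-1"}, "spec": {"podCIDR": "10.244.1.0/24"}},
    {"metadata": {"name": "worker-2"}, "spec": {"podCIDR": "10.244.1.0/25"}},   # overlaps worker-1
    {"metadata": {"name": "worker-3"}, "spec": {}},                             # no podCIDR assigned
    {"metadata": {"name": "worker-4"}, "spec": {"podCIDR": "192.168.5.0/24"}},  # outside the cluster CIDR
]})


def audit_pod_cidrs(nodes_json, cluster_cidr):
    """Return {"missing": [...], "outside": [...], "overlap": [(a, b), ...]}
    for the node list: nodes without a podCIDR, nodes whose podCIDR is not
    inside cluster_cidr, and pairs of nodes whose podCIDRs overlap."""
    cluster = ipaddress.ip_network(cluster_cidr)
    problems = {"missing": [], "outside": [], "overlap": []}
    assigned = []
    for item in json.loads(nodes_json)["items"]:
        name = item["metadata"]["name"]
        cidr = item.get("spec", {}).get("podCIDR")
        if not cidr:
            problems["missing"].append(name)
            continue
        net = ipaddress.ip_network(cidr)
        if net.version != cluster.version or not net.subnet_of(cluster):
            problems["outside"].append(name)
        assigned.append((name, net))
    # Pairwise overlap check; node counts are small enough that O(n^2) is fine.
    for i in range(len(assigned)):
        for j in range(i + 1, len(assigned)):
            (n1, a), (n2, b) = assigned[i], assigned[j]
            if a.version == b.version and a.overlaps(b):
                problems["overlap"].append((n1, n2))
    return problems


def audit_is_clean(problems):
    """True when none of the three checks found anything."""
    return not any(problems.values())


if __name__ == "__main__":
    result = audit_pod_cidrs(NODES_JSON, "10.244.0.0/16")
    for kind, entries in result.items():
        if entries:
            print("%s: %s" % (kind, entries))
```

The cluster CIDR passed in should be the same value given to `--cluster-cidr` (or `--pod-network-cidr` with kubeadm) and to `Network` in `net-conf.json`; a node reported under `outside` will get a lease flannel cannot route, and an `overlap` pair will hand the same pod IPs to two hosts.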
## Log messages
* `failed to read net conf` - flannel expects to be able to read the net conf from "/etc/kube-flannel/net-conf.json". In the provided manifest, this is set up in the `kube-flannel-cfg` ConfigMap.
* `error parsing subnet config` - The net conf is malformed. Double check that it has the right content and is valid JSON.
* `node <NODE_NAME> pod cidr not assigned` - The node doesn't have a `podCIDR` defined. See above for more info.
* `Failed to create SubnetManager: error retrieving pod spec for 'kube-system/kube-flannel-ds-abc123': the server does not allow access to the requested resource` - The Kubernetes cluster has RBAC enabled. Apply the RBAC manifest: `kubectl apply -f https://raw.githubusercontent.com/coreos/flannel/master/Documentation/k8s-old-manifests/kube-flannel-rbac.yml`
================================================
FILE: Documentation/upgrade.md
================================================
# Upgrade
Flannel upgrade/downgrade procedure
There are different ways of changing flannel version in the running cluster:
## Remove old resources definitions and install a new one.
* Pros: Cleanest way of managing the resources of the flannel deployment, and no manual validation is required as long as no additional resources were created by administrators/operators
* Cons: Massive networking outage within a cluster during the version change
*1. Delete all the flannel resources using kubectl*
```bash
kubectl -n kube-flannel delete daemonset kube-flannel-ds
kubectl -n kube-flannel delete configmap kube-flannel-cfg
kubectl -n kube-flannel delete serviceaccount flannel
kubectl delete clusterrolebinding.rbac.authorization.k8s.io flannel
kubectl delete clusterrole.rbac.authorization.k8s.io flannel
kubectl delete namespace kube-flannel
```
*2. Install the newer version of flannel and reboot the nodes*
## On the fly version
* Pros: Less disruptive way of changing flannel version, easier to do
* Cons: Some version may have changes which can't be just replaced and may need resources cleanup and/or rename, manual resources comparison required
If updating from a version newer than 0.20.2, it can be done using kubectl:
```bash
kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
```
If the labeling step fails, follow the previous method instead.
## Using the helm repository
From version 0.21.4, flannel is published in a Helm repository at `https://flannel-io.github.io/flannel/`, so the update can be managed directly with Helm:
```bash
helm upgrade flannel --set podCidr="10.244.0.0/16" --namespace kube-flannel flannel/flannel
```
================================================
FILE: LICENSE
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: Makefile
================================================
.PHONY: test unit-test e2e-test deps cover gofmt gofmt-fix license-check clean tar.gz release buildx-create-builder build-multi-arch release-manifest release-helm
# Registry used for publishing images
REGISTRY?=quay.io/coreos/flannel
QEMU_VERSION=v3.0.0
BASH_UNIT_VERSION=v2.3.0
# Default tag and architecture. Can be overridden
TAG?=$(shell git describe --tags --always)
ARCH?=amd64
# Only enable CGO (and build the UDP backend) on AMD64
ifeq ($(ARCH),amd64)
CGO_ENABLED=1
else
CGO_ENABLED=0
endif
# Go version to use for builds
GO_VERSION=1.24.7
# K8s version used for Makefile helpers
K8S_VERSION=1.32.5
GOARM=7
# These variables can be overridden by setting an environment variable.
TEST_PACKAGES?=pkg/ip pkg/subnet pkg/subnet/etcd pkg/subnet/kube pkg/trafficmngr pkg/backend
TEST_PACKAGES_EXPANDED=$(TEST_PACKAGES:%=github.com/flannel-io/flannel/%)
PACKAGES?=$(TEST_PACKAGES)
PACKAGES_EXPANDED=$(PACKAGES:%=github.com/flannel-io/flannel/%)
### BUILDING
clean:
	rm -f dist/flanneld*
	rm -f dist/*.aci
	rm -f dist/*.docker
	rm -f dist/*.tar.gz
	rm -f dist/qemu-*
dist/flanneld: $(shell find . -type f -name '*.go')
	CGO_ENABLED=$(CGO_ENABLED) go build -o dist/flanneld \
	  -ldflags '-s -w -X github.com/flannel-io/flannel/pkg/version.Version=$(TAG) -extldflags "-static"'
dist/flanneld.exe: $(shell find . -type f -name '*.go')
	CXX=x86_64-w64-mingw32-g++ CC=x86_64-w64-mingw32-gcc CGO_ENABLED=1 GOOS=windows go build -o dist/flanneld.exe \
	  -ldflags '-s -w -X github.com/flannel-io/flannel/pkg/version.Version=$(TAG) -extldflags "-static"'
# This will build flannel natively using golang image
dist/flanneld-$(ARCH): deps dist/qemu-$(ARCH)-static
	# valid values for ARCH are [amd64 arm arm64 ppc64le s390x riscv64]
	docker run --rm -e CGO_ENABLED=$(CGO_ENABLED) -e GOARCH=$(ARCH) -e GOCACHE=/go \
	  -u $(shell id -u):$(shell id -g) \
	  -v $(CURDIR)/dist/qemu-$(ARCH)-static:/usr/bin/qemu-$(ARCH)-static \
	  -v $(CURDIR):/go/src/github.com/flannel-io/flannel:ro \
	  -v $(CURDIR)/dist:/go/src/github.com/flannel-io/flannel/dist \
	  golang:$(GO_VERSION) /bin/bash -c '\
	  cd /go/src/github.com/flannel-io/flannel && \
	  make -e dist/flanneld && \
	  mv dist/flanneld dist/flanneld-$(ARCH)'
## Create a docker image on disk for a specific arch and tag
image: deps dist/flanneld-$(TAG)-$(ARCH).docker
dist/flanneld-$(TAG)-$(ARCH).docker:
	docker buildx build -f images/Dockerfile --platform=$(ARCH) --build-arg TAG=$(TAG) -t $(REGISTRY):$(TAG)-$(ARCH) --load .
	docker save -o dist/flanneld-$(TAG)-$(ARCH).docker $(REGISTRY):$(TAG)-$(ARCH)
# amd64 gets an image without the suffix too (i.e. it's the default)
ifeq ($(ARCH),amd64)
	docker build -f images/Dockerfile --platform=$(ARCH) --build-arg TAG=$(TAG) -t $(REGISTRY):$(TAG) .
endif
### TESTING
test: license-check gofmt deps verify-modules
	make unit-test
	# Test the docker-opts script
	cd dist; ./mk-docker-opts_tests.sh
	# Run the functional tests
	make e2e-test
unit-test:
	# Run the unit tests
	# NET_ADMIN capability is required to do some network operations
	# SYS_ADMIN capability is required to create network namespaces
	docker run --cap-add=NET_ADMIN \
	  --cap-add=SYS_ADMIN --rm \
	  -v $(shell pwd):/go/src/github.com/flannel-io/flannel \
	  golang:$(GO_VERSION) \
	  /bin/bash -c 'cd /go/src/github.com/flannel-io/flannel && go test -v -cover -timeout 5m $(TEST_PACKAGES_EXPANDED)'
e2e-test: bash_unit dist/flanneld-e2e-$(TAG)-$(ARCH).docker
	$(MAKE) -C images/iperf3 ARCH=$(ARCH)
	FLANNEL_DOCKER_IMAGE=$(REGISTRY):$(TAG)-$(ARCH) ./bash_unit dist/functional-test.sh
	FLANNEL_DOCKER_IMAGE=$(REGISTRY):$(TAG)-$(ARCH) ./bash_unit dist/functional-test-k8s.sh
k3s-e2e-test: bash_unit dist/flanneld-e2e-$(TAG)-$(ARCH).docker
	$(MAKE) -C images/iperf3 ARCH=$(ARCH)
	./bash_unit ./e2e/run-e2e-tests.sh
cover:
	# A single package must be given - e.g. 'PACKAGES=pkg/ip make cover'
	go test -coverprofile cover.out $(PACKAGES_EXPANDED)
	go tool cover -html=cover.out
license-check:
	# run license-check script
	dist/license-check.sh
# Throw an error if gofmt finds problems.
# "read" will return a failure return code if there is no output. This is inverted with the "!"
gofmt:
	# Running gofmt...
	docker run --rm -e CGO_ENABLED=$(CGO_ENABLED) -e GOARCH=$(ARCH) \
	  -u $(shell id -u):$(shell id -g) \
	  -v $(CURDIR):/go/src/github.com/flannel-io/flannel \
	  -v $(CURDIR)/dist:/go/src/github.com/flannel-io/flannel/dist \
	  golang:$(GO_VERSION) /bin/bash -c '\
	  cd /go/src/github.com/flannel-io/flannel && \
	  ! gofmt -d $(PACKAGES) 2>&1 | read'
# Same "! cmd | read" trick as gofmt: fail if "go mod tidy" or "go vet" prints anything.
# "!" must be a separate word; "!go" makes bash look for a command named "!go", whose
# "command not found" message is then swallowed by "read" and the check always passes.
verify-modules:
	# Running verify-modules...
	docker run --rm -e CGO_ENABLED=$(CGO_ENABLED) -e GOARCH=$(ARCH) \
	  -u $(shell id -u):$(shell id -g) \
	  -v $(CURDIR):/go/src/github.com/flannel-io/flannel \
	  -v $(CURDIR)/dist:/go/src/github.com/flannel-io/flannel/dist \
	  golang:$(GO_VERSION) /bin/bash -c '\
	  cd /go/src/github.com/flannel-io/flannel && \
	  ! go mod tidy 2>&1 | read && \
	  ! go vet 2>&1 | read'
bash_unit:
	wget https://raw.githubusercontent.com/pgrange/bash_unit/$(BASH_UNIT_VERSION)/bash_unit
	chmod +x bash_unit
# This will build flannel natively using golang image
dist/flanneld-e2e-$(TAG)-$(ARCH).docker:
ifneq ($(ARCH),amd64)
	$(MAKE) dist/qemu-$(ARCH)-static
endif
	# valid values for ARCH are [amd64 arm arm64 ppc64le s390x riscv64]
	docker run --rm -e GOARM=$(GOARM) -e CGO_ENABLED=$(CGO_ENABLED) -e GOCACHE=/go \
	  -u $(shell id -u):$(shell id -g) \
	  -v $(CURDIR):/go/src/github.com/flannel-io/flannel:ro \
	  -v $(CURDIR)/dist:/go/src/github.com/flannel-io/flannel/dist \
	  golang:$(GO_VERSION) /bin/bash -c '\
	  cd /go/src/github.com/flannel-io/flannel && \
	  make -e dist/flanneld && \
	  mv dist/flanneld dist/flanneld-$(ARCH)'
	docker build -f images/Dockerfile --platform=$(ARCH) --build-arg TAG=$(TAG) -t $(REGISTRY):$(TAG)-$(ARCH) .
# Make a release after creating a tag
# To build cross platform Docker images, the qemu-static binaries are needed. On ubuntu "apt-get install qemu-user-static"
release: tar.gz dist/qemu-s390x-static dist/qemu-ppc64le-static dist/qemu-arm64-static dist/qemu-arm-static dist/qemu-riscv64-static
	ARCH=amd64 make dist/flanneld-$(TAG)-amd64.docker
	ARCH=arm make dist/flanneld-$(TAG)-arm.docker
	ARCH=arm64 make dist/flanneld-$(TAG)-arm64.docker
	ARCH=ppc64le make dist/flanneld-$(TAG)-ppc64le.docker
	ARCH=s390x make dist/flanneld-$(TAG)-s390x.docker
	ARCH=riscv64 make dist/flanneld-$(TAG)-riscv64.docker
	@echo "Everything should be built for $(TAG)"
	@echo "Add all flanneld-* and *.tar.gz files from dist/ to the Github release"
	@echo "Use make docker-push-all to push the images to a registry"
release-manifest:
	sed -i 's/^ newTag: .*/ newTag: $(TAG)/' Documentation/kustomization/kube-flannel/kustomization.yaml
	kubectl kustomize ./Documentation/kustomization/kube-flannel/ > dist/kube-flannel.yml
release-helm:
	sed -i '0,/^ tag: .*/s// tag: $(TAG)/' ./chart/kube-flannel/values.yaml
	helm package ./chart/kube-flannel/ --destination chart/ --version $(TAG) --app-version $(TAG)
	cp chart/flannel-$(TAG).tgz dist/flannel.tgz
	mv chart/flannel-$(TAG).tgz chart/flannel.tgz
	wget https://flannel-io.github.io/flannel/index.yaml -O chart/index.yaml
	helm repo index --merge chart/index.yaml --url https://github.com/flannel-io/flannel/releases/download/$(TAG)/ chart/
dist/qemu-%-static:
	if [ "$(@F)" = "qemu-amd64-static" ]; then \
	  wget -O dist/qemu-amd64-static https://github.com/multiarch/qemu-user-static/releases/download/$(QEMU_VERSION)/qemu-x86_64-static; \
	elif [ "$(@F)" = "qemu-arm64-static" ]; then \
	  wget -O dist/qemu-arm64-static https://github.com/multiarch/qemu-user-static/releases/download/$(QEMU_VERSION)/qemu-aarch64-static; \
	else \
	  wget -O dist/$(@F) https://github.com/multiarch/qemu-user-static/releases/download/$(QEMU_VERSION)/$(@F); \
	fi
## Build a .tar.gz for the amd64 ppc64le arm arm64 riscv64 flanneld binary
tar.gz:
	ARCH=amd64 make dist/flanneld-amd64
	tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-$(TAG)-linux-amd64.tar.gz -C dist flanneld-amd64 mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-amd64.tar.gz
	ARCH=amd64 make dist/flanneld.exe
	tar --transform='flags=r;s|-amd64||' -zcvf dist/flannel-$(TAG)-windows-amd64.tar.gz -C dist flanneld.exe mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-windows-amd64.tar.gz
	ARCH=ppc64le make dist/flanneld-ppc64le
	tar --transform='flags=r;s|-ppc64le||' -zcvf dist/flannel-$(TAG)-linux-ppc64le.tar.gz -C dist flanneld-ppc64le mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-ppc64le.tar.gz
	ARCH=arm make dist/flanneld-arm
	tar --transform='flags=r;s|-arm||' -zcvf dist/flannel-$(TAG)-linux-arm.tar.gz -C dist flanneld-arm mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-arm.tar.gz
	ARCH=arm64 make dist/flanneld-arm64
	tar --transform='flags=r;s|-arm64||' -zcvf dist/flannel-$(TAG)-linux-arm64.tar.gz -C dist flanneld-arm64 mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-arm64.tar.gz
	ARCH=s390x make dist/flanneld-s390x
	tar --transform='flags=r;s|-s390x||' -zcvf dist/flannel-$(TAG)-linux-s390x.tar.gz -C dist flanneld-s390x mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-s390x.tar.gz
	ARCH=riscv64 make dist/flanneld-riscv64
	tar --transform='flags=r;s|-riscv64||' -zcvf dist/flannel-$(TAG)-linux-riscv64.tar.gz -C dist flanneld-riscv64 mk-docker-opts.sh ../README.md
	tar -tvf dist/flannel-$(TAG)-linux-riscv64.tar.gz
install:
	# This is intended as just a developer convenience to help speed up non-containerized builds
	# It is NOT how you install flannel
	CGO_ENABLED=$(CGO_ENABLED) go install -v github.com/flannel-io/flannel
deps:
	go mod tidy
	go mod vendor
buildx-create-builder:
	docker buildx create --name mybuilder --use --bootstrap
build-multi-arch:
	docker buildx build --platform linux/amd64,linux/arm64,linux/arm,linux/s390x,linux/ppc64le,linux/riscv64 -t $(REGISTRY):$(TAG) -f images/Dockerfile --build-arg TAG=$(TAG) -o type=oci,dest=dist/flannel_oci.tar --progress plain .
================================================
FILE: OWNERS
================================================
reviewers:
- manuelbuil (Manuel Buil)
- mgfritch (Michael Fritch)
- rbrtbnfgl (Roberto Bonafiglia)
- thomasferrandiz (Thomas Ferrandiz)
approvers:
- manuelbuil
- mgfritch
- rbrtbnfgl
- thomasferrandiz
================================================
FILE: README.md
================================================
# flannel
Flannel is a simple and easy way to configure a layer 3 network fabric designed for Kubernetes.
## How it works
Flannel runs a small, single binary agent called `flanneld` on each host, and is responsible for allocating a subnet lease to each host out of a larger, preconfigured address space.
Flannel uses either the Kubernetes API or [etcd][etcd] directly to store the network configuration, the allocated subnets, and any auxiliary data (such as the host's public IP).
Packets are forwarded using one of several [backend mechanisms][backends] including VXLAN and various cloud integrations.
### Networking details
Platforms like Kubernetes assume that each container (pod) has a unique, routable IP inside the cluster.
The advantage of this model is that it removes the port mapping complexities that come from sharing a single host IP.
Flannel is responsible for providing a layer 3 IPv4 network between multiple nodes in a cluster. Flannel does not control how containers are networked to the host, only how the traffic is transported between hosts. However, flannel does provide a CNI plugin for Kubernetes and guidance on integrating with Docker.
Flannel is focused on networking. For network policy, other projects such as [Calico][calico] can be used.
## Getting started on Kubernetes
The easiest way to deploy flannel with Kubernetes is to use one of several deployment tools and distributions that network clusters with flannel by default. For example, [K3s][k3s] sets up flannel in the Kubernetes clusters it creates using the open source [K3s Installer][k3s-installer] to drive the setup process.
Though not required, it's recommended that flannel uses the Kubernetes API as its backing store which avoids the need to deploy a discrete `etcd` cluster for `flannel`. This `flannel` mode is known as the *kube subnet manager*.
### Deploying flannel manually
Flannel can be added to any existing Kubernetes cluster though it's simplest to add `flannel` before any pods using the pod network have been started.
For Kubernetes v1.17+
#### Deploying Flannel with kubectl
```bash
kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml
```
If you use a custom `podCIDR` (not `10.244.0.0/16`), you first need to download the above manifest and modify the network to match yours.
#### Deploying Flannel with Helm
```bash
# Needs manual creation of namespace to avoid Helm error
kubectl create ns kube-flannel
kubectl label --overwrite ns kube-flannel pod-security.kubernetes.io/enforce=privileged
helm repo add flannel https://flannel-io.github.io/flannel/
helm install flannel --set podCidr="10.244.0.0/16" --namespace kube-flannel flannel/flannel
```
See [Kubernetes](Documentation/kubernetes.md) for more details.
In case a firewall is configured ensure to enable the right port used by the configured [backend][backends].
Flannel uses `portmap` as its CNI network plugin by default; when deploying Flannel, ensure that the [CNI Network plugins][Network-plugins] are installed in `/opt/cni/bin`. The latest binaries can be downloaded with the following commands:
```bash
ARCH=$(uname -m)
case $ARCH in
armv7*) ARCH="arm";;
aarch64) ARCH="arm64";;
x86_64) ARCH="amd64";;
esac
mkdir -p /opt/cni/bin
curl -O -L https://github.com/containernetworking/plugins/releases/download/v1.7.1/cni-plugins-linux-$ARCH-v1.7.1.tgz
tar -C /opt/cni/bin -xzf cni-plugins-linux-$ARCH-v1.7.1.tgz
```
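The commands above extract whatever `curl` returned straight into `/opt/cni/bin`, a directory the flannel DaemonSet later mounts into its CNI init container. The following is an added example, not part of the flannel README or the CNI plugins project: it reproduces the README's `uname -m` mapping in Go, builds the same asset name and URL, and checks the downloaded bytes against a checksum line in the `<hex>  <filename>` format that `sha256sum` produces before anything is extracted. The assumption being made is that a SHA-256 checksum for the tarball is available out of band (the CNI plugin releases publish such sidecar files, but their exact naming is not stated on this page); the "tarball" and its checksum line in `main` are constructed in the example itself rather than fetched.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// cniPluginsVersion is the release the README's commands install.
const cniPluginsVersion = "v1.7.1"

// cniArch maps the output of `uname -m` onto the architecture names used in
// the CNI plugin release assets, mirroring the README's case statement.
// Unknown machine names are rejected instead of being spliced into a URL.
func cniArch(unameM string) (string, error) {
	switch {
	case strings.HasPrefix(unameM, "armv7"):
		return "arm", nil
	case unameM == "aarch64":
		return "arm64", nil
	case unameM == "x86_64":
		return "amd64", nil
	}
	return "", fmt.Errorf("no CNI plugin build for machine type %q", unameM)
}

// cniAssetName is the tarball name the README downloads for an architecture.
func cniAssetName(version, arch string) string {
	return fmt.Sprintf("cni-plugins-linux-%s-%s.tgz", arch, version)
}

// cniAssetURL is the release download URL for that tarball.
func cniAssetURL(version, arch string) string {
	return "https://github.com/containernetworking/plugins/releases/download/" +
		version + "/" + cniAssetName(version, arch)
}

// verifySHA256 checks tarball bytes against a checksum file in the
// "<hex>  <filename>" format written by sha256sum (a leading "*" on the
// filename marks binary mode). It rejects a malformed file, a filename that
// does not match the asset, and a digest mismatch, so a tampered or
// truncated download is never extracted into /opt/cni/bin.
func verifySHA256(tarball []byte, checksumFile, wantName string) error {
	fields := strings.Fields(checksumFile)
	if len(fields) != 2 {
		return fmt.Errorf("checksum file: expected \"<hex>  <name>\", got %q", strings.TrimSpace(checksumFile))
	}
	want, err := hex.DecodeString(fields[0])
	if err != nil || len(want) != sha256.Size {
		return fmt.Errorf("checksum file: %q is not a SHA-256 hex digest", fields[0])
	}
	if name := strings.TrimPrefix(fields[1], "*"); name != wantName {
		return fmt.Errorf("checksum file is for %q, expected %q", name, wantName)
	}
	got := sha256.Sum256(tarball)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("sha256 mismatch for %s: got %x, want %x", wantName, got[:], want)
	}
	return nil
}

func main() {
	arch, err := cniArch("x86_64")
	if err != nil {
		fmt.Println(err)
		return
	}
	name := cniAssetName(cniPluginsVersion, arch)
	fmt.Println("would download:", cniAssetURL(cniPluginsVersion, arch))

	// Constructed sample: a stand-in for the downloaded tarball and the
	// matching checksum line, built here rather than fetched from GitHub.
	sample := []byte("constructed tarball bytes, not a real CNI release")
	sum := sha256.Sum256(sample)
	line := fmt.Sprintf("%x  %s\n", sum[:], name)

	fmt.Println("intact download:", verifySHA256(sample, line, name))
	fmt.Println("tampered download:", verifySHA256(append(sample, '!'), line, name))
}
```

The filename check matters as much as the digest: a checksum file that validates a different asset (another architecture, another version) must not be accepted for the tarball at hand. Only after `verifySHA256` returns nil should the tarball be handed to `tar -C /opt/cni/bin`.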
Flannel requires the `br_netfilter` kernel module to start. From version 1.30, kubeadm no longer checks whether the module is loaded, so Flannel will not start correctly if the module is missing.
## Getting started on Docker
flannel is also widely used outside of Kubernetes. When deployed outside of Kubernetes, etcd is always used as the datastore. For more details on integrating flannel with Docker, see [Running](Documentation/running.md).
## Documentation
- [Building (and releasing)](Documentation/building.md)
- [Configuration](Documentation/configuration.md)
- [Backends](Documentation/backends.md)
- [Running](Documentation/running.md)
- [Troubleshooting](Documentation/troubleshooting.md)
- [Projects integrating with flannel](Documentation/integrations.md)
## Contact
- Slack:
  - #k3s on [Rancher Users Slack](https://slack.rancher.io)
  - #flannel-users on [Calico Users Slack](https://slack.projectcalico.org)
- Planning/Roadmap: [milestones][milestones], [roadmap][roadmap]
- Bugs: [issues][flannel-issues]
## Community Meeting
The Flannel Maintainer Community runs a meeting on the third Thursday of each month at 8:30 AM PST (16:30 UTC). This meeting is used to discuss issues, open pull requests, and other topics related to Flannel should the need arise.
The meeting agenda and Teams link can be found here: [Flannel Community Meeting Agenda](https://docs.google.com/document/d/1kPMMFDhljWL8_CUZajrfL8Q9sdntd9vvUpe-UGhX5z8)
## Contributing
See [CONTRIBUTING][contributing] for details on submitting patches and the contribution workflow.
## Reporting bugs & security vulnerabilities
See [reporting bugs][reporting] for details about reporting any issues.
For security issues, please first check our [security policy](SECURITY.md).
## Licensing
Flannel is under the Apache 2.0 license. See the [LICENSE][license] file for details.
[calico]: http://www.projectcalico.org
[etcd]: https://go.etcd.io/etcd/v3
[contributing]: CONTRIBUTING.md
[license]: https://github.com/flannel-io/flannel/blob/master/LICENSE
[milestones]: https://github.com/flannel-io/flannel/milestones
[flannel-issues]: https://github.com/flannel-io/flannel/issues
[backends]: Documentation/backends.md
[roadmap]: https://github.com/kubernetes/kubernetes/milestones
[reporting]: Documentation/reporting_bugs.md
[k3s-installer]: https://github.com/k3s-io/k3s/#quick-start---install-script
[k3s]: https://k3s.io/
[Network-plugins]: https://github.com/containernetworking/plugins
================================================
FILE: SECURITY.md
================================================
# Security Policy
## Supported Versions
The flannel project maintains security fixes for the **latest release** only.
Older releases are not actively patched. Users are encouraged to stay on the
latest stable release.
| Version | Supported |
|----------------|-----------|
| Latest stable | ✅ Yes |
| Older versions | ❌ No |
## Reporting a Vulnerability
The flannel maintainers take security vulnerabilities seriously and appreciate
responsible disclosure.
**Please do not report security vulnerabilities through public GitHub issues.**
To report a vulnerability, use **GitHub private vulnerability reporting**:
https://github.com/flannel-io/flannel/security/advisories/new
Please include as much detail as possible in your report:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any suggested mitigations or patches
## Disclosure Policy
We follow a **coordinated disclosure** process:
1. You report the vulnerability privately via GitHub's private vulnerability reporting.
2. The maintainers will acknowledge receipt of your report within **7 days**.
3. The maintainers will investigate and aim to produce a fix within **90 days**
of the initial report, depending on severity and complexity.
4. A security advisory and patched release will be published simultaneously.
5. You are credited in the advisory (unless you prefer to remain anonymous).
If a vulnerability is not resolved within 90 days, we encourage reporters to
disclose publicly while coordinating with the maintainers to minimize user risk.
## Embargoed Vulnerability Announcements
To receive advance notifications of embargoed security vulnerabilities before
public disclosure, subscribe to the flannel distributors mailing list:
**[flannel-distributors-announce@googlegroups.com](https://groups.google.com/g/flannel-distributors-announce)**
This list is intended for distributors and downstream consumers of flannel who
need early access to security information to prepare patches or advisories.
## Security Advisories
Published security advisories for flannel can be found at:
https://github.com/flannel-io/flannel/security/advisories
## Scope
The following are considered in scope for vulnerability reports:
- The `flanneld` daemon and its backends (VXLAN, host-gw, WireGuard, etc.)
- The CNI plugin
- The flannel container image (e.g. secrets exposure, privilege escalation)
- The release workflow and supply chain (e.g. tampered artifacts)
The following are generally **out of scope**:
- Vulnerabilities in upstream dependencies (please report those upstream)
- Issues requiring physical access to the host
- Social engineering attacks
## Security-Related Configuration
Flannel runs as a privileged daemonset with access to the host network. Users
are advised to:
- Follow the [principle of least privilege](https://kubernetes.io/docs/concepts/security/rbac-good-practices/) when deploying flannel
- Keep flannel updated to the latest release
- Review the [flannel documentation](https://github.com/flannel-io/flannel/blob/master/Documentation/) for secure deployment guidance
================================================
FILE: chart/README.md
================================================
Flannel Helm Repository
================================================
FILE: chart/kube-flannel/.helmignore
================================================
tests/
.helmignore
================================================
FILE: chart/kube-flannel/Chart.yaml
================================================
apiVersion: v1
appVersion: v0.28.1
description: Install Flannel Network Plugin.
keywords:
- Flannel
name: flannel
sources:
- https://github.com/flannel-io/flannel
version: v0.28.1
================================================
FILE: chart/kube-flannel/templates/config.yaml
================================================
kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-flannel-cfg
  namespace: {{ .Release.Namespace }}
  labels:
    tier: node
    app: flannel
data:
  cni-conf.json: {{ .Values.flannel.cniConf | toJson }}
  net-conf.json: |
    {
      {{- if .Values.podCidr }}
      "Network": {{ .Values.podCidr | quote }},
      {{- else }}
      "EnableIPv4": false,
      {{- end }}
      {{- if .Values.podCidrv6 }}
      "IPv6Network": {{ .Values.podCidrv6 | quote }},
      "EnableIPv6": true,
      {{- end }}
      {{- if .Values.flannel.enableNFTables }}
      "EnableNFTables": true,
      {{- end }}
      "Backend": {
        {{- if eq .Values.flannel.backend "vxlan" }}
        {{- if .Values.flannel.backendPort }}
        "Port": {{ .Values.flannel.backendPort }},
        {{- end }}
        {{- if .Values.flannel.vni }}
        "VNI": {{ .Values.flannel.vni }},
        {{- end }}
        {{- if .Values.flannel.GBP }}
        "GBP": {{ .Values.flannel.GBP }},
        {{- end }}
        {{- if .Values.flannel.directRouting }}
        "DirectRouting": {{ .Values.flannel.directRouting }},
        {{- end }}
        {{- if .Values.flannel.mtu }}
        "MTU": {{ .Values.flannel.mtu }},
        {{- end }}
        {{- if .Values.flannel.macPrefix }}
        "MacPrefix": {{ .Values.flannel.macPrefix | quote }},
        {{- end }}
        "Type": {{ .Values.flannel.backend | quote }}
        {{- else if eq .Values.flannel.backend "wireguard" }}
        {{- if .Values.flannel.backendPort }}
        "ListenPort": {{ .Values.flannel.backendPort }},
        {{- end }}
        {{- if .Values.flannel.backendPortv6 }}
        "ListenPortV6": {{ .Values.flannel.backendPortv6 }},
        {{- end }}
        {{- if .Values.flannel.psk }}
        "PSK": {{ .Values.flannel.psk | quote }},
        {{- end }}
        {{- if .Values.flannel.mtu }}
        "MTU": {{ .Values.flannel.mtu }},
        {{- end }}
        {{- if .Values.flannel.tunnelMode }}
        "Mode": {{ .Values.flannel.tunnelMode }},
        {{- end }}
        {{- if .Values.flannel.keepaliveInterval }}
        "PersistentKeepaliveInterval": {{ .Values.flannel.keepaliveInterval }},
        {{- end }}
        "Type": {{ .Values.flannel.backend | quote }}
        {{- else if eq .Values.flannel.backend "udp" }}
        {{- if .Values.flannel.backendPort }}
        "Port": {{ .Values.flannel.backendPort }},
        {{- end }}
        "Type": {{ .Values.flannel.backend | quote }}
        {{- else }}
        "Type": {{ .Values.flannel.backend | quote }}
        {{- end }}
      }
    }
================================================
FILE: chart/kube-flannel/templates/daemonset.yaml
================================================
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kube-flannel-ds
  namespace: {{ .Release.Namespace }}
  labels:
    tier: node
    app: flannel
spec:
  selector:
    matchLabels:
      app: flannel
  template:
    metadata:
      labels:
        tier: node
        app: flannel
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
      hostNetwork: true
      priorityClassName: system-node-critical
      {{- with .Values.flannel.tolerations }}
      tolerations:
      {{- toYaml . | trim | nindent 8 }}
      {{- end }}
      {{- with .Values.flannel.nodeSelector }}
      nodeSelector:
      {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: flannel
      initContainers:
      - name: install-cni-plugin
        image: {{ .Values.flannel.image_cni.repository }}:{{ .Values.flannel.image_cni.tag }}
        command:
        - cp
        args:
        - -f
        - /flannel
        - /opt/cni/bin/flannel
        volumeMounts:
        - name: cni-plugin
          mountPath: /opt/cni/bin
      {{- if not .Values.flannel.skipCNIConfigInstallation }}
      - name: install-cni
        image: {{ .Values.flannel.image.repository }}:{{ .Values.flannel.image.tag }}
        command:
        - cp
        args:
        - -f
        - /etc/kube-flannel/cni-conf.json
        - /etc/cni/net.d/10-flannel.conflist
        volumeMounts:
        - name: cni
          mountPath: /etc/cni/net.d
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
      {{- end }}
      containers:
      - name: kube-flannel
        image: {{ .Values.flannel.image.repository }}:{{ .Values.flannel.image.tag }}
        command:
        - "/opt/bin/flanneld"
        {{- range .Values.flannel.args }}
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.flannel.resources }}
        resources:
        {{- toYaml . | trim | nindent 10 }}
        {{- end }}
        securityContext:
          privileged: false
          capabilities:
            add: ["NET_ADMIN", "NET_RAW"]
        env:
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: EVENT_QUEUE_DEPTH
          value: "5000"
        - name: CONT_WHEN_CACHE_NOT_READY
          value: "false"
        volumeMounts:
        - name: run
          mountPath: /run/flannel
        - name: flannel-cfg
          mountPath: /etc/kube-flannel/
        - name: xtables-lock
          mountPath: /run/xtables.lock
      {{- if .Values.netpol.enabled }}
      - name: kube-network-policies
        image: {{ .Values.netpol.image.repository }}:{{ .Values.netpol.image.tag }}
        command:
        - "/bin/netpol"
        {{- range .Values.netpol.args }}
        - {{ . | quote }}
        {{- end }}
        env:
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        volumeMounts:
        - name: lib-modules
          mountPath: /lib/modules
          readOnly: true
        resources:
          requests:
            cpu: "100m"
            memory: "50Mi"
        securityContext:
          privileged: true
          capabilities:
            add: ["NET_ADMIN"]
      {{- end }}
      volumes:
      {{- if .Values.netpol.enabled }}
      - name: lib-modules
        hostPath:
          path: /lib/modules
      {{- end }}
      - name: run
        hostPath:
          path: /run/flannel
      - name: cni-plugin
        hostPath:
          path: {{ .Values.flannel.cniBinDir }}
      - name: cni
        hostPath:
          path: {{ .Values.flannel.cniConfDir }}
      - name: flannel-cfg
        configMap:
          name: kube-flannel-cfg
      - name: xtables-lock
        hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 6 }}
      {{- end }}
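The DaemonSet above gives the flannel container `NET_ADMIN`/`NET_RAW` without `privileged`, mounts several host paths writable, and, with `netpol.enabled`, adds a second container that is fully privileged. The following is an added review helper, not part of the chart, that walks a rendered pod spec (the shape `kubectl get ds kube-flannel-ds -o json` returns under `spec.template.spec`) and lists exactly those properties so a reviewer can compare a deployed DaemonSet against what the chart is expected to produce. The sample pod spec is constructed here from the template with `netpol.enabled=true` and default values; the capability allowlist is an assumption chosen to match the flannel container.

```python
import json

# Constructed sample: the pod spec the chart's daemonset.yaml renders with
# netpol.enabled=true and default values, trimmed to the fields audited below.
RENDERED_POD_SPEC = {
    "hostNetwork": True,
    "initContainers": [
        {"name": "install-cni-plugin",
         "volumeMounts": [{"name": "cni-plugin", "mountPath": "/opt/cni/bin"}]},
        {"name": "install-cni",
         "volumeMounts": [{"name": "cni", "mountPath": "/etc/cni/net.d"},
                          {"name": "flannel-cfg", "mountPath": "/etc/kube-flannel/"}]},
    ],
    "containers": [
        {"name": "kube-flannel",
         "securityContext": {"privileged": False,
                             "capabilities": {"add": ["NET_ADMIN", "NET_RAW"]}},
         "volumeMounts": [{"name": "run", "mountPath": "/run/flannel"},
                          {"name": "flannel-cfg", "mountPath": "/etc/kube-flannel/"},
                          {"name": "xtables-lock", "mountPath": "/run/xtables.lock"}]},
        {"name": "kube-network-policies",
         "securityContext": {"privileged": True,
                             "capabilities": {"add": ["NET_ADMIN"]}},
         "volumeMounts": [{"name": "lib-modules", "mountPath": "/lib/modules",
                           "readOnly": True}]},
    ],
    "volumes": [
        {"name": "lib-modules", "hostPath": {"path": "/lib/modules"}},
        {"name": "run", "hostPath": {"path": "/run/flannel"}},
        {"name": "cni-plugin", "hostPath": {"path": "/opt/cni/bin"}},
        {"name": "cni", "hostPath": {"path": "/etc/cni/net.d"}},
        {"name": "flannel-cfg", "configMap": {"name": "kube-flannel-cfg"}},
        {"name": "xtables-lock", "hostPath": {"path": "/run/xtables.lock",
                                              "type": "FileOrCreate"}},
    ],
}


def pod_spec_from_kubectl_json(text):
    """Extract spec.template.spec from `kubectl get ds <name> -o json` output."""
    return json.loads(text)["spec"]["template"]["spec"]


def all_containers(spec):
    return spec.get("initContainers", []) + spec.get("containers", [])


def privileged_containers(spec):
    """Names of containers (init or regular) that run with privileged: true."""
    return [c["name"] for c in all_containers(spec)
            if (c.get("securityContext") or {}).get("privileged")]


def audit_pod_spec(spec, allowed_caps=frozenset({"NET_ADMIN", "NET_RAW"})):
    """Return a list of findings worth a reviewer's attention: host networking,
    privileged containers, added capabilities outside the allowlist, and
    hostPath volumes mounted writable. An empty list means nothing to flag.
    allowed_caps is an assumed allowlist, chosen to match the flannel container."""
    findings = []
    # volume name -> host path, for every hostPath volume declared on the pod
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    if spec.get("hostNetwork"):
        findings.append("pod: hostNetwork=true")
    for c in all_containers(spec):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append("%s: privileged" % c["name"])
        extra = set((sc.get("capabilities") or {}).get("add", [])) - allowed_caps
        if extra:
            findings.append("%s: capabilities outside allowlist: %s"
                            % (c["name"], ",".join(sorted(extra))))
        for m in c.get("volumeMounts", []):
            # a hostPath mounted without readOnly lets the container write to the node
            if m["name"] in host_paths and not m.get("readOnly"):
                findings.append("%s: writable hostPath %s mounted at %s"
                                % (c["name"], host_paths[m["name"]], m["mountPath"]))
    return findings


if __name__ == "__main__":
    for finding in audit_pod_spec(RENDERED_POD_SPEC):
        print(finding)
```

Run it against a live cluster by piping `kubectl get ds kube-flannel-ds -n <namespace> -o json` through `pod_spec_from_kubectl_json`; any finding that is not in the list produced for the chart's own rendering is a deviation to investigate.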
================================================
FILE: chart/kube-flannel/templates/rbac.yaml
================================================
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  - patch
{{- if .Values.netpol.enabled }}
- apiGroups:
  - "networking.k8s.io"
  resources:
  - networkpolicies
  verbs:
  - list
  - watch
- apiGroups:
  - "policy.networking.k8s.io"
  resources:
  - adminnetworkpolicies
  - baselineadminnetworkpolicies
  verbs:
  - list
  - watch
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: flannel
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flannel
subjects:
- kind: ServiceAccount
  name: flannel
  namespace: {{ .Release.Namespace }}
================================================
FILE: chart/kube-flannel/templates/serviceaccount.yaml
================================================
apiVersion: v1
kind: ServiceAccount
metadata:
  name: flannel
  namespace: {{ .Release.Namespace }}
================================================
FILE: chart/kube-flannel/tests/daemonset_test.yaml
================================================
suite: test daemonset
templates:
  - daemonset.yaml
tests:
  - it: should have the correct api version
    asserts:
      - isKind:
          of: DaemonSet
      - isAPIVersion:
          of: apps/v1
      - equal:
          path: metadata.name
          value: kube-flannel-ds
  - it: should have the correct image
    set:
      flannel.image.repository: cicker.io/flannel/flannel
      flannel.image.tag: v555.44.3
    asserts:
      - equal:
          path: spec.template.spec.containers[0].image
          value: cicker.io/flannel/flannel:v555.44.3
      - equal:
          path: spec.template.spec.initContainers[1].image
          value: cicker.io/flannel/flannel:v555.44.3
  - it: should have the correct cni image
    set:
      flannel.image_cni.repository: cicker.io/flannel/flannel-cni-plugin
      flannel.image_cni.tag: v777.66.5
    asserts:
      - equal:
          path: spec.template.spec.initContainers[0].image
          value: cicker.io/flannel/flannel-cni-plugin:v777.66.5
  - it: should have the correct args
    set:
      flannel.args:
        - "--ip-masq"
        - "--kube-subnet-mgr"
    asserts:
      - equal:
          path: spec.template.spec.containers[0].command
          value:
            - "/opt/bin/flanneld"
            - "--ip-masq"
            - "--kube-subnet-mgr"
  - it: should have the correct image pull secrets
    set:
      global.imagePullSecrets:
        - name: "a-test-secret"
    asserts:
      - equal:
          path: spec.template.spec.imagePullSecrets
          value:
            - name: "a-test-secret"
  - it: should add the install-cni init container when default values are used
    asserts:
      - contains:
          path: spec.template.spec.initContainers
          content:
            name: install-cni
          any: true
  - it: should not add the install-cni init container when skipCNIConfigInstallation is set
    set:
      flannel.skipCNIConfigInstallation: true
    asserts:
      - notContains:
          path: spec.template.spec.initContainers
          content:
            name: install-cni
          any: true
  - it: should render nodeSelector when set
    set:
      flannel.nodeSelector:
        eks.amazonaws.com/compute-type: hybrid
    asserts:
      - equal:
          path: spec.template.spec.nodeSelector["eks.amazonaws.com/compute-type"]
          value: hybrid
================================================
FILE: chart/kube-flannel/values.yaml
================================================
---
global:
  imagePullSecrets:
  # - name: "a-secret-name"

# The IPv4 cidr pool to create on startup if none exists. Pod IPs will be
# chosen from this range.
podCidr: "10.244.0.0/16"
podCidrv6: ""

flannel:
  # kube-flannel image
  image:
    repository: ghcr.io/flannel-io/flannel
    tag: v0.28.1
  image_cni:
    repository: ghcr.io/flannel-io/flannel-cni-plugin
    tag: v1.9.0-flannel1
  # cniBinDir is the directory to which the flannel CNI binary is installed.
  cniBinDir: "/opt/cni/bin"
  # cniConfDir is the directory where the CNI configuration is located.
  cniConfDir: "/etc/cni/net.d"
  # skipCNIConfigInstallation skips the installation of the flannel CNI config. This is useful when the CNI config is
  # provided externally.
  skipCNIConfigInstallation: false
  enableNFTables: false
  # flannel command arguments
  args:
  - "--ip-masq"
  - "--kube-subnet-mgr"
  # Backend for kube-flannel. Backend should not be changed
  # at runtime. (vxlan, host-gw, wireguard, udp)
  # Documentation at https://github.com/flannel-io/flannel/blob/master/Documentation/backends.md
  backend: "vxlan"
  # Port used by the backend; 0 means the default value (VXLAN: 8472, Wireguard: 51821, UDP: 8285)
  #backendPort: 0
  # MTU to use for outgoing packets (VXLAN and Wireguard). If not defined, the MTU of the external interface is used.
  # mtu: 1500
  #
  # VXLAN Configs:
  #
  # VXLAN Identifier to be used. On Linux the default is 1.
  #vni: 1
  # Enable VXLAN Group Based Policy (default false)
  # GBP: false
  # Enable direct routes (default is false)
  # directRouting: false
  # MAC prefix to be used on Windows. (Default is 0E-2A)
  # macPrefix: "0E-2A"
  #
  # Wireguard Configs:
  #
  # UDP listen port used with IPv6
  # backendPortv6: 51821
  # Pre-shared key to use
  # psk: 0
  # IP version to use on Wireguard
  # tunnelMode: "separate"
  # Persistent keepalive interval to use
  # keepaliveInterval: 0
  #
  cniConf: |
    {
      "name": "cbr0",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "flannel",
          "delegate": {
            "hairpinMode": true,
            "isDefaultGateway": true
          }
        },
        {
          "type": "portmap",
          "capabilities": {
            "portMappings": true
          }
        }
      ]
    }
  #
  # General daemonset configs
  #
  resources:
    requests:
      cpu: 100m
      memory: 50Mi
  tolerations:
  - effect: NoExecute
    operator: Exists
  - effect: NoSchedule
    operator: Exists
  nodeSelector: {}

netpol:
  enabled: false
  args:
  - "--hostname-override=$(MY_NODE_NAME)"
  - "--v=2"
  image:
    repository: registry.k8s.io/networking/kube-network-policies
    tag: v1.0.0
================================================
FILE: code-of-conduct.md
================================================
## CoreOS Community Code of Conduct
### Contributor Code of Conduct
As contributors and maintainers of this project, and in the interest of
fostering an open and welcoming community, we pledge to respect all people who
contribute through reporting issues, posting feature requests, updating
documentation, submitting pull requests or patches, and other activities.
We are committed to making participation in this project a harassment-free
experience for everyone, regardless of level of experience, gender, gender
identity and expression, sexual orientation, disability, personal appearance,
body size, race, ethnicity, age, religion, or nationality.
Examples of unacceptable behavior by participants include:
* The use of sexualized language or imagery
* Personal attacks
* Trolling or insulting/derogatory comments
* Public or private harassment
* Publishing others' private information, such as physical or electronic addresses, without explicit permission
* Other unethical or unprofessional conduct.
Project maintainers have the right and responsibility to remove, edit, or
reject comments, commits, code, wiki edits, issues, and other contributions
that are not aligned to this Code of Conduct. By adopting this Code of Conduct,
project maintainers commit themselves to fairly and consistently applying these
principles to every aspect of managing this project. Project maintainers who do
not follow or enforce the Code of Conduct may be permanently removed from the
project team.
This code of conduct applies both within project spaces and in public spaces
when an individual is representing the project or its community.
Instances of abusive, harassing, or otherwise unacceptable behavior may be
reported by contacting a project maintainer, Brandon Philips
<brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
This Code of Conduct is adapted from the Contributor Covenant
(http://contributor-covenant.org), version 1.2.0, available at
http://contributor-covenant.org/version/1/2/0/
### CoreOS Events Code of Conduct
CoreOS events are working conferences intended for professional networking and
collaboration in the CoreOS community. Attendees are expected to behave
according to professional standards and in accordance with their employer’s
policies on appropriate workplace behavior.
While at CoreOS events or related social networking opportunities, attendees
should not engage in discriminatory or offensive speech or actions including
but not limited to gender, sexuality, race, age, disability, or religion.
Speakers should be especially aware of these concerns.
CoreOS does not condone any statements by speakers contrary to these standards.
CoreOS reserves the right to deny entrance and/or eject from an event (without
refund) any individual found to be engaging in discriminatory or offensive
speech or actions.
Please bring any concerns to the immediate attention of designated on-site
staff, Brandon Philips <brandon.philips@coreos.com>, and/or Rithu John <rithu.john@coreos.com>.
================================================
FILE: dist/extension-hostgw
================================================
{
  "Network": "10.50.0.0/16",
  "Backend": {
    "Type": "extension",
    "SubnetAddCommand": "ip route add $SUBNET via $PUBLIC_IP",
    "SubnetRemoveCommand": "ip route del $SUBNET via $PUBLIC_IP"
  }
}
================================================
FILE: dist/extension-vxlan
================================================
{
  "Network": "10.50.0.0/16",
  "Backend": {
    "Type": "extension",
    "PreStartupCommand": "export VNI=1; export IF_NAME=flannel-vxlan; ip link del $IF_NAME 2>/dev/null; ip link add $IF_NAME type vxlan id $VNI dstport 8472 nolearning && ip link set mtu 1450 dev $IF_NAME && cat /sys/class/net/$IF_NAME/address",
    "PostStartupCommand": "export IF_NAME=flannel-vxlan; export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; ip addr add $SUBNET_IP/32 dev $IF_NAME && ip link set $IF_NAME up",
    "ShutdownCommand": "export IF_NAME=flannel-vxlan; ip link del $IF_NAME",
    "SubnetAddCommand": "export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; export IF_NAME=flannel-vxlan; read VTEP; ip route add $SUBNET nexthop via $SUBNET_IP dev $IF_NAME onlink && ip neigh replace $SUBNET_IP dev $IF_NAME lladdr $VTEP && bridge fdb add $VTEP dev $IF_NAME self dst $PUBLIC_IP"
  }
}
================================================
FILE: dist/extension-wireguard
================================================
// This is deprecated and should not be used. Please use the wireguard backend instead!
{
  "Network": "10.50.0.0/16",
  "Backend": {
    "Type": "extension",
    "PreStartupCommand": "wg genkey | tee privatekey | wg pubkey",
    "PostStartupCommand": "export SUBNET_IP=`echo $SUBNET | cut -d'/' -f 1`; ip link del flannel-wg 2>/dev/null; ip link add flannel-wg type wireguard && wg set flannel-wg listen-port 51820 private-key privatekey && ip addr add $SUBNET_IP/32 dev flannel-wg && ip link set flannel-wg up && ip route add $NETWORK dev flannel-wg",
    "ShutdownCommand": "ip link del flannel-wg",
    "SubnetAddCommand": "read PUBLICKEY; wg set flannel-wg peer $PUBLICKEY endpoint $PUBLIC_IP:51820 allowed-ips $SUBNET",
    "SubnetRemoveCommand": "read PUBLICKEY; wg set flannel-wg peer $PUBLICKEY remove"
  }
}
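The `dist/extension-*` files above and the chart's `net-conf.json` are the same document: the flannel network configuration that every node reads. With the `extension` backend the `*Command` fields are shell run on each node, and with `wireguard` the `PSK` field sits in the same document (in the chart, inside a ConfigMap). The following is an added validator, not part of the flannel project, that parses a `net-conf.json`, checks the network prefixes and backend type against the backends named on this page, and flags the fields a reviewer should read before the config is pushed to etcd or rendered into the ConfigMap. The vxlan sample is constructed; the host-gw sample is a copy of `dist/extension-hostgw`.

```python
import json
from ipaddress import ip_network

# Backend types named on this page (chart values, dist/ and the functional tests).
KNOWN_BACKENDS = {"vxlan", "host-gw", "wireguard", "udp", "ipip", "ipsec", "extension"}
# Hooks the extension backend runs as shell commands on every node.
EXTENSION_HOOKS = ("PreStartupCommand", "PostStartupCommand", "ShutdownCommand",
                   "SubnetAddCommand", "SubnetRemoveCommand")

# Constructed sample: what the chart renders for backend "vxlan" with a port set.
VXLAN_CONF = '{"Network": "10.244.0.0/16", "Backend": {"Type": "vxlan", "Port": 8472}}'
# Copy of dist/extension-hostgw.
HOSTGW_EXTENSION_CONF = """{
  "Network": "10.50.0.0/16",
  "Backend": {
    "Type": "extension",
    "SubnetAddCommand": "ip route add $SUBNET via $PUBLIC_IP",
    "SubnetRemoveCommand": "ip route del $SUBNET via $PUBLIC_IP"
  }
}"""


def validate_net_conf(text):
    """Return a list of findings for a net-conf.json document; an empty list
    means it parses and contains nothing that needs a second look."""
    findings = []
    try:
        conf = json.loads(text)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: %s" % exc]

    # Network must be an IPv4 prefix, IPv6Network an IPv6 prefix, and each must be
    # a true network address (strict: host bits set is rejected).
    for key, version in (("Network", 4), ("IPv6Network", 6)):
        if key not in conf:
            continue
        try:
            net = ip_network(str(conf[key]))
        except ValueError:
            findings.append("%s is not a valid network prefix: %r" % (key, conf[key]))
            continue
        if net.version != version:
            findings.append("%s must be an IPv%d prefix, got %s" % (key, version, net))
    if "Network" not in conf and "IPv6Network" not in conf:
        findings.append("neither Network nor IPv6Network is set")

    backend = conf.get("Backend")
    if not isinstance(backend, dict) or "Type" not in backend:
        findings.append("Backend.Type is missing")
        return findings
    btype = backend["Type"]
    if btype not in KNOWN_BACKENDS:
        findings.append("unknown backend type %r" % btype)
    if btype == "extension":
        # every hook is executed by flanneld as a shell command on each node
        for hook in EXTENSION_HOOKS:
            if hook in backend:
                findings.append("review: extension backend runs %s as a shell command on every node: %s"
                                % (hook, backend[hook]))
    if btype == "wireguard" and "PSK" in backend:
        findings.append("review: wireguard PSK is stored in net-conf.json "
                        "(the chart renders this into a ConfigMap, not a Secret)")
    return findings


if __name__ == "__main__":
    for name, doc in (("vxlan", VXLAN_CONF), ("extension-hostgw", HOSTGW_EXTENSION_CONF)):
        print(name, validate_net_conf(doc) or "ok")
```

The "review:" findings are not errors: they mark the fields whose content decides what runs on the nodes or what is stored in plain view, which is what a config review needs to look at rather than the syntax.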
================================================
FILE: dist/fake-node.yaml
================================================
apiVersion: v1
kind: Node
metadata:
  name: test
  annotations:
    flannel.alpha.coreos.com/backend-data: '{"VtepMAC":"96:59:b2:3f:04:ee"}'
    flannel.alpha.coreos.com/backend-type: vxlan
    flannel.alpha.coreos.com/kube-subnet-manager: "true"
    flannel.alpha.coreos.com/public-ip: 192.168.77.17
spec:
  podCIDR: 10.244.7.0/24
================================================
FILE: dist/functional-test-k8s.sh
================================================
#!/bin/bash
ARCH="${ARCH:-amd64}"
ETCD_IMG="${ETCD_IMG:-quay.io/coreos/etcd:v3.6.2}"
ETCD_LOCATION="${ETCD_LOCATION:-etcd}"
FLANNEL_NET="${FLANNEL_NET:-10.10.0.0/16}"
TAG=`git describe --tags --always`
FLANNEL_DOCKER_IMAGE="${FLANNEL_DOCKER_IMAGE:-quay.io/coreos/flannel:$TAG}"
K8S_VERSION="${K8S_VERSION:-1.32.6}"
HYPERKUBE_IMG="docker.io/rancher/hyperkube"
HYPERKUBE_CMD="${HYPERKUBE_CMD:-" "}"
HYPERKUBE_APISERVER_CMD="${HYPERKUBE_APISERVER_CMD:-kube-apiserver}"
docker_ip=$(ip -o -f inet addr show docker0 | grep -Po 'inet \K[\d.]+')
etcd_endpt="http://$docker_ip:2379"
k8s_endpt="https://$docker_ip:6443"
# Set the proper imagename according to architecture
if [[ ${ARCH} == "ppc64le" ]]; then
ETCD_IMG+="-ppc64le"
elif [[ ${ARCH} == "arm64" ]]; then
ETCD_IMG+="-arm64"
fi
setup_suite() {
# Run etcd, killing any existing one that was running
# Start etcd
docker rm -f flannel-e2e-test-etcd >/dev/null 2>/dev/null
docker run --name=flannel-e2e-test-etcd -d -p 2379:2379 -e ETCD_UNSUPPORTED_ARCH=${ARCH} $ETCD_IMG etcd --listen-client-urls http://0.0.0.0:2379 --advertise-client-urls $etcd_endpt >/dev/null
sleep 1
# Start a kubernetes API server
docker rm -f flannel-e2e-k8s-apiserver >/dev/null 2>/dev/null
dir=$(mktemp -d)
mkdir $dir/pki
openssl genrsa -out $dir/pki/ca.key 2048
openssl req -new -key $dir/pki/ca.key -subj "/CN=KUBERNETES-CA/O=Kubernetes" -out $dir/pki/ca.csr
openssl x509 -req -in $dir/pki/ca.csr -signkey $dir/pki/ca.key -CAcreateserial -out $dir/pki/ca.crt -days 1000
cat > $dir/openssl.cnf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = critical, CA:FALSE
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = kubernetes
DNS.2 = kubernetes.default
DNS.3 = kubernetes.default.svc
DNS.4 = kubernetes.default.svc.cluster
DNS.5 = kubernetes.default.svc.cluster.local
IP.1 = $docker_ip
IP.2 = 127.0.0.1
EOF
openssl genrsa -out $dir/pki/kube-apiserver.key 2048
openssl req -new -key $dir/pki/kube-apiserver.key \
-subj "/CN=kube-apiserver/O=Kubernetes" -out $dir/pki/kube-apiserver.csr -config $dir/openssl.cnf
openssl x509 -req -in $dir/pki/kube-apiserver.csr \
-CA $dir/pki/ca.crt -CAkey $dir/pki/ca.key -CAcreateserial -out $dir/pki/kube-apiserver.crt -extensions v3_req -extfile $dir/openssl.cnf -days 1000
openssl genrsa -out $dir/pki/service-account.key 2048
openssl req -new -key $dir/pki/service-account.key \
-subj "/CN=service-accounts/O=Kubernetes" -out $dir/pki/service-account.csr
openssl x509 -req -in $dir/pki/service-account.csr \
-CA $dir/pki/ca.crt -CAkey $dir/pki/ca.key -CAcreateserial -out $dir/pki/service-account.crt -days 100
openssl genrsa -out $dir/pki/admin.key 2048
openssl req -new -key $dir/pki/admin.key -subj "/CN=admin/O=system:masters" -out $dir/pki/admin.csr
openssl x509 -req -in $dir/pki/admin.csr -CA $dir/pki/ca.crt -CAkey $dir/pki/ca.key -CAcreateserial -out $dir/pki/admin.crt -days 1000
docker run -d --net=host -v $dir:/var/lib/kubernetes --name flannel-e2e-k8s-apiserver ${HYPERKUBE_IMG}:v$K8S_VERSION-rancher1 \
${HYPERKUBE_CMD} ${HYPERKUBE_APISERVER_CMD} --etcd-servers=$etcd_endpt --bind-address=$docker_ip \
--client-ca-file=/var/lib/kubernetes/pki/ca.crt \
--enable-admission-plugins=NodeRestriction,ServiceAccount \
--service-account-key-file=/var/lib/kubernetes/pki/service-account.crt \
--service-account-signing-key-file=/var/lib/kubernetes/pki/service-account.key \
--service-account-issuer=https://kubernetes.default.svc.local \
--tls-cert-file=/var/lib/kubernetes/pki/kube-apiserver.crt \
--tls-private-key-file=/var/lib/kubernetes/pki/kube-apiserver.key \
--service-cluster-ip-range=10.101.0.0/16 --allow-privileged >/dev/null
sleep 1
docker exec flannel-e2e-k8s-apiserver kubectl config set-cluster kubernetes-test-flannel \
--certificate-authority=/var/lib/kubernetes/pki/ca.crt \
--embed-certs=true \
--server="https://$docker_ip:6443" \
--kubeconfig=/var/lib/kubernetes/admin.kubeconfig
docker exec flannel-e2e-k8s-apiserver kubectl config set-credentials admin \
--client-certificate=/var/lib/kubernetes/pki/admin.crt \
--client-key=/var/lib/kubernetes/pki/admin.key \
--embed-certs=true \
--kubeconfig=/var/lib/kubernetes/admin.kubeconfig
docker exec flannel-e2e-k8s-apiserver kubectl config set-context default \
--cluster=kubernetes-test-flannel \
--user=admin \
--kubeconfig=/var/lib/kubernetes/admin.kubeconfig
docker exec flannel-e2e-k8s-apiserver kubectl config use-context default --kubeconfig=/var/lib/kubernetes/admin.kubeconfig
while ! cat <<EOF | docker exec -i flannel-e2e-k8s-apiserver ${HYPERKUBE_CMD} kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig create -f - >/dev/null 2>/dev/null
apiVersion: v1
kind: Node
metadata:
name: flannel1
annotations:
dummy: value
spec:
podCIDR: 10.10.1.0/24
EOF
do
sleep 1
done
cat <<EOF | docker exec -i flannel-e2e-k8s-apiserver ${HYPERKUBE_CMD} kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig create -f - >/dev/null 2>/dev/null
apiVersion: v1
kind: Node
metadata:
name: flannel2
annotations:
dummy: value
spec:
podCIDR: 10.10.2.0/24
EOF
}
teardown_suite() {
# Teardown the etcd server
docker rm -f flannel-e2e-test-etcd >/dev/null
docker rm -f flannel-e2e-k8s-apiserver >/dev/null
}
teardown() {
docker rm -f flannel-e2e-test-flannel1 >/dev/null 2>/dev/null
docker rm -f flannel-e2e-test-flannel2 >/dev/null 2>/dev/null
}
start_flannel() {
local backend=$1
flannel_conf="{ \"Network\": \"$FLANNEL_NET\", \"Backend\": { \"Type\": \"${backend}\" } }"
dir=$(mktemp -d)
docker exec -i flannel-e2e-k8s-apiserver cat /var/lib/kubernetes/admin.kubeconfig > $dir/admin.kubeconfig
for host_num in 1 2; do
docker rm -f flannel-e2e-test-flannel$host_num >/dev/null 2>/dev/null
docker run -id --privileged \
-v $dir:/var/lib/kubernetes/ \
-e NODE_NAME=flannel$host_num \
--name flannel-e2e-test-flannel$host_num \
--entrypoint "/bin/sh" \
$FLANNEL_DOCKER_IMAGE \
-c "mkdir -p /etc/kube-flannel && \
echo '$flannel_conf' > /etc/kube-flannel/net-conf.json && \
/opt/bin/flanneld --kube-subnet-mgr --ip-masq --kubeconfig-file /var/lib/kubernetes/admin.kubeconfig --kube-api-url $k8s_endpt" >/dev/null
while ! docker exec flannel-e2e-test-flannel$host_num ls /run/flannel/subnet.env >/dev/null 2>&1; do
status=$(docker inspect --format='{{.State.Status}}' flannel-e2e-test-flannel$host_num)
if [[ $status != "running" ]]; then
docker logs flannel-e2e-test-flannel$host_num
return
fi
sleep 0.1
done
done
}
create_ping_dest() {
# add a dummy interface with $FLANNEL_SUBNET so we have a known working IP to ping
for host_num in 1 2; do
# Use declare to allow the host_num variable to be part of the ping_dest variable name. -g is needed to make it global
declare -g ping_dest$host_num=$(docker "exec" --privileged flannel-e2e-test-flannel$host_num /bin/sh -c '\
source /run/flannel/subnet.env && \
ip link add name dummy0 type dummy && \
ip addr add $FLANNEL_SUBNET dev dummy0 && ip link set dummy0 up && \
echo $FLANNEL_SUBNET | cut -f 1 -d "/" ')
done
}
test_public-ip-overwrite(){
docker exec flannel-e2e-k8s-apiserver kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig annotate node flannel1 \
flannel.alpha.coreos.com/public-ip-overwrite=172.18.0.2 >/dev/null 2>&1
start_flannel vxlan
assert_equals "172.18.0.2" \
"$(docker exec flannel-e2e-k8s-apiserver kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig get node/flannel1 -o \
jsonpath='{.metadata.annotations.flannel\.alpha\.coreos\.com/public-ip}' 2>/dev/null)" \
"Overwriting public IP via annotation does not work"
# Remove annotation to not break all other tests
docker exec flannel-e2e-k8s-apiserver kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig annotate node flannel1 \
flannel.alpha.coreos.com/public-ip-overwrite- >/dev/null 2>&1
}
pings() {
# ping in both directions
assert "docker exec --privileged flannel-e2e-test-flannel1 /bin/ping -c 5 $ping_dest2" "Host 1 cannot ping host 2"
assert "docker exec --privileged flannel-e2e-test-flannel2 /bin/ping -c 5 $ping_dest1" "Host 2 cannot ping host 1"
}
check_iptables() {
read -r -d '' POSTROUTING_RULES_FLANNEL1 << EOM
-P POSTROUTING ACCEPT
-A POSTROUTING -m comment --comment "flanneld masq" -j FLANNEL-POSTRTG
-N FLANNEL-POSTRTG
-A FLANNEL-POSTRTG -m mark --mark 0x4000/0x4000 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.1.0/24 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 -d 10.10.1.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.1.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 ! -d 224.0.0.0/4 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
EOM
read -r -d '' POSTROUTING_RULES_FLANNEL2 << EOM
-P POSTROUTING ACCEPT
-A POSTROUTING -m comment --comment "flanneld masq" -j FLANNEL-POSTRTG
-N FLANNEL-POSTRTG
-A FLANNEL-POSTRTG -m mark --mark 0x4000/0x4000 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.2.0/24 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 -d 10.10.2.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.2.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 ! -d 224.0.0.0/4 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
EOM
read -r -d '' FORWARD_RULES << EOM
-P FORWARD ACCEPT
-A FORWARD -m comment --comment "flanneld forward" -j FLANNEL-FWD
-N FLANNEL-FWD
-A FLANNEL-FWD -s 10.10.0.0/16 -m comment --comment "flanneld forward" -j ACCEPT
-A FLANNEL-FWD -d 10.10.0.0/16 -m comment --comment "flanneld forward" -j ACCEPT
EOM
# check masquerade & forward rules
assert_equals "$POSTROUTING_RULES_FLANNEL1" \
"$(docker exec --privileged flannel-e2e-test-flannel1 /sbin/iptables -t nat -S POSTROUTING)
$(docker exec --privileged flannel-e2e-test-flannel1 /sbin/iptables -t nat -S FLANNEL-POSTRTG)" "Host 1 has not expected postrouting rules"
assert_equals "$POSTROUTING_RULES_FLANNEL2" \
"$(docker exec --privileged flannel-e2e-test-flannel2 /sbin/iptables -t nat -S POSTROUTING)
$(docker exec --privileged flannel-e2e-test-flannel2 /sbin/iptables -t nat -S FLANNEL-POSTRTG)" "Host 2 has not expected postrouting rules"
assert_equals "$FORWARD_RULES" \
"$(docker exec --privileged flannel-e2e-test-flannel1 /sbin/iptables -t filter -S FORWARD)
$(docker exec --privileged flannel-e2e-test-flannel1 /sbin/iptables -t filter -S FLANNEL-FWD)" "Host 1 has not expected forward rules"
assert_equals "$FORWARD_RULES" \
"$(docker exec --privileged flannel-e2e-test-flannel2 /sbin/iptables -t filter -S FORWARD)
$(docker exec --privileged flannel-e2e-test-flannel2 /sbin/iptables -t filter -S FLANNEL-FWD)" "Host 2 has not expected forward rules"
}
test_manifest() {
dir=$(mktemp -d)
docker exec -i flannel-e2e-k8s-apiserver cat /var/lib/kubernetes/admin.kubeconfig > $dir/admin.kubeconfig
# This just tests that the API server accepts the manifest, not that it actually acts on it correctly.
assert "cat ../Documentation/kube-flannel.yml | docker run -v $dir:/var/lib/kubernetes -i --rm --net=host ${HYPERKUBE_IMG}:v$K8S_VERSION-rancher1 ${HYPERKUBE_CMD} kubectl --kubeconfig=/var/lib/kubernetes/admin.kubeconfig create -f -"
}
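`check_iptables` above compares the whole `iptables -S` output of the `FLANNEL-POSTRTG` and `FLANNEL-FWD` chains against literal expected text, which is right for an end-to-end test but brittle on a node where other tooling also adds rules. The following is an added audit, not part of the flannel test suite, that parses `iptables -t nat -S FLANNEL-POSTRTG` output rule by rule and checks the properties the expected text encodes: pod-to-pod traffic is exempted from SNAT before any `MASQUERADE`, every `MASQUERADE` in the chain is flannel's own and uses `--random-fully`, and traffic leaving the overlay is actually masqueraded. The good sample is the rule set the test expects for `flannel1`; the bad sample is constructed with the defects the audit is meant to catch.

```python
import shlex
from ipaddress import ip_network

# Expected chain for the node holding 10.10.1.0/24 in the 10.10.0.0/16 network
# (the POSTROUTING_RULES_FLANNEL1 text from dist/functional-test-k8s.sh).
SAMPLE_RULES = """\
-N FLANNEL-POSTRTG
-A FLANNEL-POSTRTG -m mark --mark 0x4000/0x4000 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.1.0/24 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 -d 10.10.1.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.1.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 ! -d 224.0.0.0/4 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
-A FLANNEL-POSTRTG ! -s 10.10.0.0/16 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j MASQUERADE --random-fully
"""

# Constructed bad chain: an exemption ordered after a MASQUERADE, MASQUERADE rules
# without --random-fully, and a foreign rule without flannel's comment.
BAD_RULES = """\
-N FLANNEL-POSTRTG
-A FLANNEL-POSTRTG -s 10.10.0.0/16 -d 10.10.1.0/24 -m comment --comment "flanneld masq" -j RETURN
-A FLANNEL-POSTRTG -s 10.10.0.0/16 ! -d 224.0.0.0/4 -m comment --comment "flanneld masq" -j MASQUERADE
-A FLANNEL-POSTRTG -s 192.168.0.0/16 -j MASQUERADE
-A FLANNEL-POSTRTG -s 10.10.1.0/24 -d 10.10.0.0/16 -m comment --comment "flanneld masq" -j RETURN
"""


def parse_rule(line):
    """Parse one `iptables -S` append line (-A) into a dict; other lines
    (-P, -N) yield None. A '!' before -s/-d is recorded as src_neg/dst_neg."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "raw": line.strip(), "src": None, "dst": None,
            "src_neg": False, "dst_neg": False, "target": None,
            "comment": None, "random_fully": False}
    i, neg = 2, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            neg = True
            i += 1
            continue
        if t == "-s":
            rule["src"], rule["src_neg"] = ip_network(toks[i + 1]), neg
            i += 2
        elif t == "-d":
            rule["dst"], rule["dst_neg"] = ip_network(toks[i + 1]), neg
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "--comment":
            rule["comment"] = toks[i + 1]
            i += 2
        elif t == "--random-fully":
            rule["random_fully"] = True
            i += 1
        else:
            i += 1  # -m <match>, --mark <value> and other tokens are not needed here
        neg = False
    return rule


def audit_flannel_masq(output, network, subnet):
    """Return findings for the FLANNEL-POSTRTG chain of the node that owns
    `subnet` inside `network`; an empty list means the chain looks like what
    flanneld --ip-masq installs."""
    network, subnet = ip_network(network), ip_network(subnet)
    rules = [r for r in (parse_rule(l) for l in output.splitlines()) if r]
    findings = []

    def has_return(src, dst):
        return any(r["target"] == "RETURN" and r["src"] == src and r["dst"] == dst
                   and not r["src_neg"] and not r["dst_neg"] for r in rules)

    # 1. pod-to-pod traffic must be exempted from SNAT in both directions
    if not has_return(subnet, network):
        findings.append("missing RETURN for %s -> %s" % (subnet, network))
    if not has_return(network, subnet):
        findings.append("missing RETURN for %s -> %s" % (network, subnet))
    # 2. the exemptions only work if they come before the first MASQUERADE
    targets = [r["target"] for r in rules]
    if "MASQUERADE" in targets and "RETURN" in targets[targets.index("MASQUERADE"):]:
        findings.append("RETURN exemption placed after a MASQUERADE rule (never reached)")
    # 3. every SNAT rule in the chain is flannel's own and randomises source ports
    for r in rules:
        if r["target"] == "MASQUERADE":
            if r["comment"] != "flanneld masq":
                findings.append("foreign MASQUERADE rule in chain: %s" % r["raw"])
            if not r["random_fully"]:
                findings.append("MASQUERADE without --random-fully: %s" % r["raw"])
    # 4. traffic leaving the overlay must be masqueraded at all
    if not any(r["target"] == "MASQUERADE" and r["src"] == network and not r["src_neg"]
               for r in rules):
        findings.append("no MASQUERADE rule for traffic leaving %s" % network)
    return findings


if __name__ == "__main__":
    print(audit_flannel_masq(SAMPLE_RULES, "10.10.0.0/16", "10.10.1.0/24"))
    print(audit_flannel_masq(BAD_RULES, "10.10.0.0/16", "10.10.1.0/24"))
```

Feed it the live chain with `iptables -t nat -S FLANNEL-POSTRTG` and the node's subnet from `/run/flannel/subnet.env`; unlike a literal text comparison, the audit still passes when unrelated rules are present elsewhere in `nat`, and names the specific property that is off when it fails.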
================================================
FILE: dist/functional-test.sh
================================================
#!/bin/bash
# Add "set -xe" to get more information on where the unit tests fail
set -xe
ARCH="${ARCH:-amd64}"
ETCD_IMG="${ETCD_IMG:-quay.io/coreos/etcd:v3.6.2}"
# etcd might take a bit to come up - use a known etcd version so we know we have etcdctl available
ETCDCTL_IMG="quay.io/coreos/etcd:v3.6.2"
ETCD_LOCATION="${ETCD_LOCATION:-etcd}"
FLANNEL_NET="${FLANNEL_NET:-10.10.0.0/16}"
TAG=`git describe --tags --always`
FLANNEL_DOCKER_IMAGE="${FLANNEL_DOCKER_IMAGE:-quay.io/coreos/flannel:$TAG}"
# Set the proper imagename according to architecture
if [[ ${ARCH} == "ppc64le" ]]; then
ETCD_IMG+="-ppc64le"
ETCDCTL_IMG+="-ppc64le"
elif [[ ${ARCH} == "arm64" ]]; then
ETCD_IMG+="-arm64"
ETCDCTL_IMG+="-arm64"
fi
setup_suite() {
# Run etcd, killing any existing one that was running
docker_ip=$(ip -o -f inet addr show docker0 | grep -Po 'inet \K[\d.]+')
etcd_endpt="http://$docker_ip:2379"
# Start etcd
docker rm -f flannel-e2e-test-etcd >/dev/null 2>/dev/null
docker run --name=flannel-e2e-test-etcd -d --dns 8.8.8.8 -v "${PWD}/test:/certs" \
-e ETCD_UNSUPPORTED_ARCH=${ARCH} -p 2379:2379 $ETCD_IMG $ETCD_LOCATION \
--listen-client-urls http://0.0.0.0:2379 \
--cert-file=/certs/server.pem \
--key-file=/certs/server-key.pem \
--client-cert-auth \
--trusted-ca-file=/certs/ca.pem \
--advertise-client-urls $etcd_endpt >/dev/null
}
teardown_suite() {
# Teardown the etcd server
docker rm -f flannel-e2e-test-etcd >/dev/null
}
setup() {
# rm any old flannel container that may be running, ignore error as it might not exist
docker rm -f flannel-e2e-test-flannel1 >/dev/null 2>/dev/null
assert "docker run -v ${PWD}/test:/certs --name=flannel-e2e-test-flannel1 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt -v 10"
# rm any old flannel container that may be running, ignore error as it might not exist
docker rm -f flannel-e2e-test-flannel2 >/dev/null 2>/dev/null
assert "docker run -v ${PWD}/test:/certs --name=flannel-e2e-test-flannel2 -d --privileged $FLANNEL_DOCKER_IMAGE --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt -v 10"
}
teardown() {
echo "dumping subnets in etcd"
docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem get --prefix /coreos.com/network/subnets 2>&1
echo "########## logs for flannel-e2e-test-flannel1 container ##########" 2>&1
docker logs flannel-e2e-test-flannel1
echo "########## logs for flannel-e2e-test-flannel2 container ##########" 2>&1
docker logs flannel-e2e-test-flannel2
docker rm -f flannel-e2e-test-flannel1 flannel-e2e-test-flannel2 flannel-e2e-test-flannel1-iperf flannel-host1 flannel-host2 > /dev/null 2>&1
docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem del /coreos.com/network/config > /dev/null 2>&1
}
write_config_etcd() {
local backend=$1
if [ -e "$backend" ]; then
echo "Reading custom conf from $backend"
flannel_conf=`cat "$backend"`
else
flannel_conf="{ \"Network\": \"$FLANNEL_NET\", \"Backend\": { \"Type\": \"${backend}\" } }"
fi
    while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCDCTL_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /coreos.com/network/config "$flannel_conf" >/dev/null
    do
        sleep 0.1
    done
}

create_ping_dest() {
    # add a dummy interface with $FLANNEL_SUBNET so we have a known working IP to ping
    for host_num in 1 2; do
        while ! docker exec flannel-e2e-test-flannel$host_num ls /run/flannel/subnet.env >/dev/null 2>&1; do
            sleep 0.1
        done

        # Use declare to allow the host_num variable to be part of the ping_dest variable name. -g is needed to make it global
        declare -g ping_dest$host_num=$(docker exec --privileged flannel-e2e-test-flannel$host_num /bin/sh -c '\
        source /run/flannel/subnet.env && \
        ip link add name dummy0 type dummy && \
        ip addr add $FLANNEL_SUBNET dev dummy0 && ip link set dummy0 up && \
        echo $FLANNEL_SUBNET | cut -f 1 -d "/" ')
    done
}

#test_wireguard_ping() {
#    write_config_etcd extension-wireguard
#    create_ping_dest # creates ping_dest1 and ping_dest2 variables
#    pings
#}

test_vxlan_ping() {
    write_config_etcd vxlan
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}

if [[ ${ARCH} == "amd64" ]]; then
test_udp_ping() {
    write_config_etcd udp
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}
fi

test_hostgw_ping() {
    write_config_etcd host-gw
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}

test_ipip_ping() {
    write_config_etcd ipip
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}

test_ipsec_ping() {
    write_config_etcd ipsec
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}

test_wireguard_ping() {
    write_config_etcd wireguard
    create_ping_dest # creates ping_dest1 and ping_dest2 variables
    pings
}

pings() {
    # ping in both directions
    assert "docker exec --privileged flannel-e2e-test-flannel1 /bin/ping -I $ping_dest1 -c 3 $ping_dest2" "Host 1 cannot ping host 2"
    assert "docker exec --privileged flannel-e2e-test-flannel2 /bin/ping -I $ping_dest2 -c 3 $ping_dest1" "Host 2 cannot ping host 1"
}

test_ipsec_perf() {
    write_config_etcd ipsec
    create_ping_dest
    perf
}

perf() {
    # Perf test - run iperf server on flannel1 and client on flannel2
    docker rm -f flannel-e2e-test-flannel1-iperf 2>/dev/null
    docker run -d --name flannel-e2e-test-flannel1-iperf --net=container:flannel-e2e-test-flannel1 iperf3:latest >/dev/null
    wait_for flannel-e2e-test-flannel1-iperf
    docker run --rm --net=container:flannel-e2e-test-flannel2 iperf3:latest -c $ping_dest1 -B $ping_dest2
}

wait_for() {
    while ! docker inspect --format='{{json .State.Status}}' $1 >/dev/null
    do
        sleep 1
    done
}

test_multi() {
    flannel_conf_vxlan='{"Network": "10.11.0.0/16", "Backend": {"Type": "vxlan"}}'
    flannel_conf_host_gw='{"Network": "10.12.0.0/16", "Backend": {"Type": "host-gw"}}'

    while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCD_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /vxlan/network/config "$flannel_conf_vxlan" >/dev/null
    do
        sleep 0.1
    done

    while ! docker run --rm -e ETCDCTL_API=3 -v "${PWD}/test:/certs" $ETCD_IMG etcdctl --endpoints=$etcd_endpt --cacert=/certs/ca.pem --cert=/certs/client.pem --key=/certs/client-key.pem put /hostgw/network/config "$flannel_conf_host_gw" >/dev/null
    do
        sleep 0.1
    done

    for host in 1 2; do
        # rm any old flannel container, ignore error as it might not exist
        docker rm -f flannel-host$host 2>/dev/null >/dev/null

        # Start the hosts
        docker run -v "${PWD}/test:/certs" --name=flannel-host$host -id --privileged --entrypoint /bin/sh $FLANNEL_DOCKER_IMAGE >/dev/null

        # Start two flanneld instances
        docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /vxlan.env -etcd-prefix=/vxlan/network --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt 2>vxlan.log"
        docker exec -d flannel-host$host sh -c "/opt/bin/flanneld -v 10 -subnet-file /hostgw.env -etcd-prefix=/hostgw/network --etcd-cafile=/certs/ca.pem --etcd-certfile=/certs/client.pem --etcd-keyfile=/certs/client-key.pem --etcd-endpoints=$etcd_endpt 2>hostgw.log"
    done

    for host in 1 2; do
        for backend_type in vxlan hostgw; do
            while ! docker exec flannel-host$host ls /$backend_type.env >/dev/null 2>&1; do
                sleep 0.1
            done
        done
    done

    # add dummy interface on host1 only so we have a known working IP to ping then ping it from host2
    vxlan_ping_dest=$(docker exec flannel-host1 /bin/sh -c '\
    source /vxlan.env && \
    ip link add name dummy_vxlan type dummy && \
    ip addr add $FLANNEL_SUBNET dev dummy_vxlan && \
    ip link set dummy_vxlan up && \
    echo $FLANNEL_SUBNET | cut -f 1 -d "/" ')

    hostgw_ping_dest=$(docker exec flannel-host1 /bin/sh -c '\
    source /hostgw.env && \
    ip link add name dummy_hostgw type dummy && \
    ip addr add $FLANNEL_SUBNET dev dummy_hostgw && \
    ip link set dummy_hostgw up && \
    echo $FLANNEL_SUBNET | cut -f 1 -d "/" ')

    # Send some pings from host2. Make sure we can send traffic over vxlan or directly.
    # If a particular (wrong) interface is forced then pings should fail
    assert "docker exec flannel-host2 ping -c 3 $hostgw_ping_dest"
    assert "docker exec flannel-host2 ping -c 3 $vxlan_ping_dest"
    assert_fails "docker exec flannel-host2 ping -W 1 -c 1 -I flannel.1 $hostgw_ping_dest"
    assert_fails "docker exec flannel-host2 ping -W 1 -c 1 -I eth0 $vxlan_ping_dest"
}
================================================
FILE: dist/ipsec
================================================
{
"Network": "10.50.0.0/16",
"Backend": {
"Type": "ipsec",
"PSK":"4bc1e570ff249cce3cc8cef5e2f8625bac76c7b02532f8bde9747196eb15a742480e265bbc0c60c265a8fe4eb6380cd1"
}
}
================================================
FILE: dist/license-check.sh
================================================
#!/usr/bin/env bash

licRes=$(for file in $(find . -type f -iname '*.go' ! -path './vendor/*'); do
    head -n4 "${file}" | grep -Eq "(Copyright|generated|GENERATED)" || echo -e " ${file}"
done;)

if [ -n "${licRes}" ]; then
    echo -e "license header checking failed:\n${licRes}"
    exit 255
fi
================================================
FILE: dist/mk-docker-opts.sh
================================================
#!/bin/sh

usage() {
    echo "$0 [-f FLANNEL-ENV-FILE] [-d DOCKER-ENV-FILE] [-i] [-c] [-m] [-k COMBINED-KEY]
Generate Docker daemon options based on flannel env file
OPTIONS:
-f Path to flannel env file. Defaults to /run/flannel/subnet.env
-d Path to Docker env file to write to. Defaults to /run/docker_opts.env
-i Output each Docker option as individual var. e.g. DOCKER_OPT_MTU=1500
-c Output combined Docker options into DOCKER_OPTS var
-k Set the combined options key to this value (default DOCKER_OPTS=)
-m Do not output --ip-masq (useful for older Docker version)
" >&2
    exit 1
}

flannel_env="/run/flannel/subnet.env"
docker_env="/run/docker_opts.env"
combined_opts_key="DOCKER_OPTS"
indiv_opts=false
combined_opts=false
ipmasq=true

while getopts "f:d:icmk:?h" opt; do
    case $opt in
        f)
            flannel_env=$OPTARG
            ;;
        d)
            docker_env=$OPTARG
            ;;
        i)
            indiv_opts=true
            ;;
        c)
            combined_opts=true
            ;;
        m)
            ipmasq=false
            ;;
        k)
            combined_opts_key=$OPTARG
            ;;
        [\?h])
            usage
            ;;
    esac
done

if [ $indiv_opts = false ] && [ $combined_opts = false ]; then
    indiv_opts=true
    combined_opts=true
fi

if [ -f "$flannel_env" ]; then
    . $flannel_env
fi

if [ -n "$FLANNEL_SUBNET" ]; then
    DOCKER_OPT_BIP="--bip=$FLANNEL_SUBNET"
fi

if [ -n "$FLANNEL_MTU" ]; then
    DOCKER_OPT_MTU="--mtu=$FLANNEL_MTU"
fi

# Note the inversion: when flannel masquerades, Docker must not, and vice versa.
if [ -n "$FLANNEL_IPMASQ" ] && [ $ipmasq = true ] ; then
    if [ "$FLANNEL_IPMASQ" = true ] ; then
        DOCKER_OPT_IPMASQ="--ip-masq=false"
    elif [ "$FLANNEL_IPMASQ" = false ] ; then
        DOCKER_OPT_IPMASQ="--ip-masq=true"
    else
        echo "Invalid value of FLANNEL_IPMASQ: $FLANNEL_IPMASQ" >&2
        exit 1
    fi
fi

eval docker_opts="\$${combined_opts_key}"
if [ "$docker_opts" ]; then
    docker_opts="$docker_opts ";
fi

echo -n "" >$docker_env

for opt in $(set | grep "DOCKER_OPT_"); do
    OPT_NAME=$(echo $opt | awk -F "=" '{print $1;}');
    OPT_VALUE=$(eval echo "\$$OPT_NAME");
    if [ "$indiv_opts" = true ]; then
        echo "$OPT_NAME=\"$OPT_VALUE\"" >>$docker_env;
    fi
    docker_opts="$docker_opts $OPT_VALUE";
done

if [ "$combined_opts" = true ]; then
    echo "${combined_opts_key}=\"${docker_opts}\"" >>$docker_env
fi

# Refuse to continue if a route via a gateway already exists for the network
# address of the subnet Docker is about to use as its bridge.
if [ -n "${FLANNEL_SUBNET}" ];then
    dot_four=`echo ${FLANNEL_SUBNET}|cut -d. -f4|cut -d/ -f1`
    dot_four=$((${dot_four}-1))
    subnets_pre=`echo ${FLANNEL_SUBNET}|cut -d. -f 1,2,3`
    subnets_lat=`echo ${FLANNEL_SUBNET}|cut -d/ -f2`
    subnets=${subnets_pre}.${dot_four}/${subnets_lat}
    route_invalid=`ip route show|grep ${subnets}|grep via`
    if [ -n "${route_invalid}" ];then
        echo "Your routing table already contains the subnet: ${route_invalid}" >&2
        exit 1
    fi
fi
================================================
FILE: dist/mk-docker-opts_tests.sh
================================================
#!/bin/bash
set -e
echo "### Dry run with input & output files set"
echo "$ ./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt"
! read -d '' EXPECTED <<EOF
DOCKER_OPT_BIP="--bip=10.1.74.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=true"
DOCKER_OPT_MTU="--mtu=1472"
DOCKER_OPTS=" --bip=10.1.74.1/24 --ip-masq=true --mtu=1472"
EOF
./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt
diff -B -b here.txt <(echo -e "${EXPECTED}")
echo
echo "### Individual vars only (Note DOCKER_OPTS= is missing)"
echo "$ ./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -i"
! read -d '' EXPECTED <<EOF
DOCKER_OPT_BIP="--bip=10.1.74.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=true"
DOCKER_OPT_MTU="--mtu=1472"
EOF
./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -i
diff -B -b here.txt <(echo -e "${EXPECTED}")
echo
echo "### Combined vars only (Note DOCKER_OPT_* vars are missing)"
echo "$ ./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -c"
! read -d '' EXPECTED <<EOF
DOCKER_OPTS=" --bip=10.1.74.1/24 --ip-masq=true --mtu=1472"
EOF
./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -c
diff -B -b here.txt <(echo -e "${EXPECTED}")
echo
echo "### Custom key test (Note DOCKER_OPTS= is substituted by CUSTOM_KEY=)"
echo "$ ./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -k CUSTOM_KEY"
! read -d '' EXPECTED <<EOF
DOCKER_OPT_BIP="--bip=10.1.74.1/24"
DOCKER_OPT_IPMASQ="--ip-masq=true"
DOCKER_OPT_MTU="--mtu=1472"
CUSTOM_KEY=" --bip=10.1.74.1/24 --ip-masq=true --mtu=1472"
EOF
./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -k CUSTOM_KEY
diff -B -b here.txt <(echo -e "${EXPECTED}")
echo
echo "### Ip-masq stripping test (Note DOCKER_OPT_IPMASQ and --ip-masq=true are missing)"
echo "$ ./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -m"
! read -d '' EXPECTED <<EOF
DOCKER_OPT_BIP="--bip=10.1.74.1/24"
DOCKER_OPT_MTU="--mtu=1472"
DOCKER_OPTS=" --bip=10.1.74.1/24 --mtu=1472"
EOF
./mk-docker-opts.sh -f ./sample_subnet.env -d here.txt -m
diff -B -b here.txt <(echo -e "${EXPECTED}")
================================================
FILE: dist/sample_subnet.env
================================================
FLANNEL_NETWORK=10.1.0.0/16
FLANNEL_SUBNET=10.1.74.1/24
FLANNEL_MTU=1472
FLANNEL_IPMASQ=false
================================================
FILE: dist/snap/README.md
================================================
<h1 align="center">
  <img src="https://user-images.githubusercontent.com/45159366/61273381-36394c80-a75e-11e9-9a4a-7f3659ea32c8.png">
  <br />
  Flannel
</h1>

<p align="center"><b>This is the snap for Flannel, a network fabric for containers, designed for Kubernetes. It works on Ubuntu, Fedora, Debian, and other major Linux distributions.</b></p>

<!-- Uncomment and modify this when you are provided a build status badge
<p align="center">
<a href="https://build.snapcraft.io/user/snapcrafters/fork-and-rename-me"><img src="https://build.snapcraft.io/badge/snapcrafters/fork-and-rename-me.svg" alt="Snap Status"></a>
</p>
-->

<p align="center">Published for <img src="https://raw.githubusercontent.com/anythingcodes/slack-emoji-for-techies/gh-pages/emoji/tux.png" align="top" width="24" /> with 💝 by Snapcrafters</p>

## Install

    sudo snap install flannel --classic

([Don't have snapd installed?](https://snapcraft.io/docs/core/install))
================================================
FILE: dist/snap/snapcraft.yaml
================================================
name: flannel
summary: A network fabric for containers.
description: |
  A simple and easy way to configure a layer 3 network fabric designed for Kubernetes.
adopt-info: flannel
grade: stable
confinement: classic

architectures:
  - build-on: i386
  - build-on: amd64
  - build-on: armhf
  - build-on: arm64

apps:
  flannel:
    command: bin/flannel
    plugs:
      - home
      - network
      - docker
      - removable-media

parts:
  flannel:
    plugin: nil
    source: https://github.com/flannel-io/flannel.git
    source-type: git
    override-pull: |
      git clone https://github.com/flannel-io/flannel.git src/github.com/flannel-io/flannel
      cd src/github.com/flannel-io/flannel
      last_committed_tag="$(git describe --tags --abbrev=0)"
      last_committed_tag_ver="$(echo ${last_committed_tag} | sed 's/v//')"
      last_released_tag="$(snap info $SNAPCRAFT_PROJECT_NAME | awk '$1 == "beta:" { print $2 }')"
      # If the latest tag from the upstream project has not been released to
      # beta, build that tag instead of master.
      if [ "${last_committed_tag_ver}" != "${last_released_tag}" ]; then
        git fetch
        git checkout "${last_committed_tag}"
      fi
      snapcraftctl set-version "$(git describe --tags | sed 's/v//')"
    override-build: |
      export GOPATH=$PWD
      cd src/github.com/flannel-io/flannel
      env CGO_ENABLED=0 GOOS=linux \
        go build --ldflags "-s -w \
          -X 'github.com/flannel-io/flannel/version.GitCommit=$(git rev-list -1 HEAD)' \
          -X 'github.com/flannel-io/flannel/version.Version=$(git describe --tags --abbrev=0)'" \
        -a -installsuffix cgo -o $SNAPCRAFT_PART_INSTALL/bin/flannel
    build-snaps:
      - go
    build-packages:
      - git
      - sed
================================================
FILE: dist/test/ca-config.json
================================================
{
"signing": {
"default": {
"expiry": "43800h"
},
"profiles": {
"server": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "43800h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
================================================
FILE: dist/test/ca-csr.json
================================================
{
"CN": "My own CA",
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "US",
"L": "CA",
"O": "My Company Name",
"ST": "San Francisco",
"OU": "Org Unit 1",
"OU": "Org Unit 2"
}
]
}
================================================
FILE: dist/test/ca-key.pem
================================================
================================================
FILE: dist/test/ca.csr
================================================
================================================
FILE: dist/test/ca.pem
================================================
================================================
FILE: dist/test/client-key.pem
================================================
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIKih7JlJdm3jguVqkAFFRbaPrMNx+szw/3WWc4IJNJcBoAoGCCqGSM49
AwEHoUQDQgAEriOtzABDnRTaa7Nbp1ahmt7tK9nWWBcYC+THl76ThgeAqy+96524
ey+7DJ/d35MJPQOTpH+zAVlLuFxiZmqrBg==
-----END EC PRIVATE KEY-----
================================================
FILE: dist/test/client.csr
================================================
================================================
FILE: dist/test/client.json
================================================
{
"CN": "client",
"hosts": [
""
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
================================================
FILE: dist/test/client.pem
================================================
================================================
FILE: dist/test/member1.json
================================================
{
"CN": "member1",
"hosts": [
"127.0.0.1",
"172.17.0.1"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
================================================
FILE: dist/test/server-key.pem
================================================
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIP8wt7txIaYwVQFNC5Wjr8MRmnCMUtrQirRwvLzTTPNyoAoGCCqGSM49
AwEHoUQDQgAE9t31xUASqx7TNXaczllMrzW0UyFGx6ypUiHXgm8pZt7D6Rxfjqfx
9Hfw044/2M3f0DPFiW0MTGM9CLYj4G9pbg==
-----END EC PRIVATE KEY-----
================================================
FILE: dist/test/server.csr
================================================
================================================
FILE: dist/test/server.json
================================================
{
"CN": "etcd",
"hosts": [
"127.0.0.1",
"172.17.0.1"
],
"key": {
"algo": "ecdsa",
"size": 256
},
"names": [
{
"C": "US",
"ST": "CA",
"L": "San Francisco"
}
]
}
================================================
FILE: dist/test/server.pem
================================================
================================================
FILE: dist/wireguard
================================================
{
"Network": "10.10.0.0/16",
"Backend": {
"Type": "wireguard",
"ListenPort": 51820,
"PSK": "H0Ad2yKBMgfGM6/Yt2dRxd8u+juyViCz3KdJfEdteJ8=",
"PersistentKeepaliveInterval": 300
}
}
================================================
FILE: e2e/Dockerfile
================================================
# Install the all-in-one binary so we can copy our run-time images into the image
# which helps avoid pulling them when running e2e tests.
ARG SLES="registry.suse.com/suse/sle15:15.7"
FROM ${SLES} AS k3s
ARG ARCH
ARG K3S_VERSION="v1.32.6+k3s1"
ARG CNI_VERSION="v1.8.0"
RUN set -x \
    && zypper -n in \
        ca-certificates \
        curl \
        tar gzip \
        iptables \
        nftables \
        iproute2 \
        iputils \
    && if [ "${ARCH?required}" != "amd64" ]; then \
        K3S_SUFFIX="-${ARCH}"; \
    fi \
    && curl -fsSL "https://github.com/rancher/k3s/releases/download/${K3S_VERSION}/k3s${K3S_SUFFIX}" > /bin/k3s \
    && chmod +x /bin/k3s \
    && ln -s /bin/k3s /bin/kubectl \
    && ln -s /bin/k3s /bin/ctr \
    && k3s --version

# install cni plugins manually since we will only install flannel later
RUN mkdir -p /opt/cni/bin \
    && curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-${ARCH}-${CNI_VERSION}.tgz" | tar -C /opt/cni/bin -xz
COPY scratch/*.tar /var/lib/rancher/k3s/agent/images/
RUN ls -l /var/lib/rancher/k3s/agent/images/
#ADD https://github.com/rancher/k3s/releases/download/${K3S_VERSION}/k3s-airgap-images-${ARCH}.tar /var/lib/rancher/k3s/agent/images/
VOLUME /var/lib/cni
VOLUME /var/lib/kubelet
VOLUME /var/lib/rancher/k3s
VOLUME /var/log
ENTRYPOINT ["k3s"]
CMD ["server"]
================================================
FILE: e2e/docker-compose.yml
================================================
version: "3.7"

volumes:
  kubeconfig:
    name: e2e-local-kubeconfig

services:
  leader:
    container_name: local-leader
    image: "e2e/cluster/local/k3s"
    build:
      context: .
      args:
        - ARCH=amd64
    command: server --disable=traefik,metrics-server --flannel-backend=none --disable-network-policy
    environment:
      - K3S_TOKEN=e2e
    hostname: local-leader
    privileged: true
    ports:
      - "6443:6443" # k3s
    volumes:
      - source: kubeconfig
        target: /etc/rancher/k3s
        type: volume

  worker:
    depends_on:
      - leader
    container_name: local-worker
    image: "e2e/cluster/local/k3s"
    build:
      context: .
      args:
        - ARCH=amd64
    command: agent --server https://local-leader:6443
    environment:
      - K3S_TOKEN=e2e
    hostname: local-worker
    privileged: true
================================================
FILE: e2e/download-kubectl.sh
================================================
#!/usr/bin/env bash
set -e -o pipefail
source $(dirname $0)/version.sh
RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
pushd /usr/local/bin
sudo curl -L --remote-name-all https://dl.k8s.io/release/${RELEASE}/bin/linux/${ARCH:-amd64}/kubectl
sudo chmod +x kubectl
popd
================================================
FILE: e2e/e2e-functions.sh
================================================
#!/usr/bin/env bash

# ---

e2e-wait-for-kubeconfig() {
    set -e -o pipefail
    # the `--insecure-skip-tls-verify` seems to be only needed here when run in dapper
    while ! kubectl --kubeconfig="${HOME}/.kube/config" --insecure-skip-tls-verify get pods -A >/dev/null 2>&1 ; do
        echo 'Waiting for kubeconfig to become available...' >&2
        sleep 5
        cluster-get-kubeconfig >/dev/null
    done
}
export -f e2e-wait-for-kubeconfig

e2e-count-ready-nodes() {
    kubectl --kubeconfig="${HOME}/.kube/config" get nodes -o json \
        | jq '.items[].status.conditions[] | select(.type == "Ready" and .status == "True") | .type' \
        | wc -l \
        | tr -d '[:space:]'
}
export -f e2e-count-ready-nodes

e2e-wait-for-nodes() {
    while [[ $(e2e-count-ready-nodes) -lt 2 ]]; do
        echo 'Waiting for nodes to be ready...' >&2
        echo "*** nodes:"
        kubectl --kubeconfig="${HOME}/.kube/config" get nodes
        # echo "*** events:"
        # kubectl --kubeconfig="${HOME}/.kube/config" get events --sort-by='.lastTimestamp' -A
        sleep 5
    done
    echo "*** nodes are ready:"
    kubectl --kubeconfig="${HOME}/.kube/config" get nodes
}
export -f e2e-wait-for-nodes

e2e-pod-ready() {
    kubectl --kubeconfig="${HOME}/.kube/config" get pods -A -o json \
        | jq ".items[].status.containerStatuses[] | select(.name == \"$1\") | .ready" 2>/dev/null
}
export -f e2e-pod-ready

e2e-wait-for-services() {
    for svc in ${WAIT_FOR_SERVICES:="coredns local-path-provisioner"}; do
        while [[ "$(e2e-pod-ready $svc)" != 'true' ]]; do
            echo "Waiting for service '$svc' to be ready..." >&2
            sleep 5
        done
        echo "Service '$svc' is ready"
    done
}
export -f e2e-wait-for-services

e2e-get-flannel-pod() {
    local node_name=$1
    kubectl --kubeconfig="${HOME}/.kube/config" get pods --field-selector "spec.nodeName=${node_name}" -n kube-flannel --no-headers
}
export -f e2e-get-flannel-pod

e2e-wait-for-test-pods() {
    for pod in ${WAIT_FOR_PODS:="multitool1 multitool2"}; do
        while [[ "$(e2e-pod-ready $pod)" != 'true' ]]; do
            echo "Waiting for pod '$pod' to be ready..." >&2
            sleep 5
        done
        echo "Pod '$pod' is ready"
    done
}
export -f e2e-wait-for-test-pods

e2e-wait-for-ping() {
    local pod=$1
    local ip=$2
    # Retry until the pod gets a reply; running the probe as the loop condition
    # keeps a failed ping from aborting the caller when `set -e` is active.
    until kubectl --kubeconfig="${HOME}/.kube/config" exec ${pod} -- ping -c 1 ${ip}; do
        echo "Waiting for ${ip} to reply to ping from ${pod}..." >&2
        sleep 2
    done
    echo "IP ${ip} is ready"
    return 0
}
export -f e2e-wait-for-ping

# ---
================================================
FILE: e2e/get-kubeconfig.sh
================================================
#!/usr/bin/env bash
set -e -o pipefail

export KUBECONFIG="${HOME}/.kube/config"
mkdir -vp "$(dirname $KUBECONFIG)"

while ! kubectl --insecure-skip-tls-verify get pods -A >/dev/null 2>&1 ; do
    echo 'Waiting for kubeconfig to become available...' >&2
    sleep 5
    docker exec local-leader kubectl config view --raw | sed -e "s/127.0.0.1/${KUBEHOST:=127.0.0.1}/g" > "${KUBECONFIG}"
done
================================================
FILE: e2e/run-e2e-tests.sh
================================================
#!/bin/bash
set -e -o pipefail

source $(dirname $0)/version.sh
source $(dirname $0)/e2e-functions.sh

FLANNEL_NET="${FLANNEL_NET:-10.42.0.0/16}"
FLANNEL_IP6NET="${FLANNEL_IP6NET:-2001:cafe:42:0::/56}"
# needs to be exported for yq
export FLANNEL_IMAGE="quay.io/coreos/flannel:${TAG}-${ARCH}"

setup_suite() {
    # copy flannel image built by `make image` to docker compose context folder
    rm -rf $(dirname $0)/scratch
    mkdir -p $(dirname $0)/scratch
    cp $(dirname $0)/../dist/${FLANNEL_IMAGE_FILE}.docker $(dirname $0)/scratch/${FLANNEL_IMAGE_FILE}.tar
    $(dirname $0)/download-kubectl.sh
}

create_test_pod() {
    local pod_name=$1
    local worker_node=$2
    # The manifest is pinned to a node with nodeName so that each test pod
    # lands on a known worker.
    cat <<EOF | kubectl --kubeconfig="${HOME}/.kube/config" apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: ${pod_name}
spec:
  containers:
  - name: ${pod_name}
    image: wbitt/network-multitool:alpine-extra
  nodeName: ${worker_node}
EOF
}

write-flannel-conf(){
    local backend=$1
    local enable_nftables=$2
    cp ../Documentation/kube-flannel.yml ./kube-flannel.yml
    yq -i 'select(.kind == "DaemonSet").spec.template.spec.containers[0].image |= strenv(FLANNEL_IMAGE)' ./kube-flannel.yml
    yq -i 'select(.kind == "DaemonSet").spec.template.spec.initContainers[1].image |= strenv(FLANNEL_IMAGE)' ./kube-flannel.yml
    export flannel_conf="{ \"Network\": \"$FLANNEL_NET\", \"Backend\": { \"Type\": \"${backend}\" },
SYMBOL INDEX (646 symbols across 79 files)
FILE: main.go
type flagSlice (line 61) | type flagSlice
method String (line 63) | func (t *flagSlice) String() string {
method Set (line 67) | func (t *flagSlice) Set(val string) error {
type CmdLineOpts (line 72) | type CmdLineOpts struct
function init (line 110) | func init() {
function copyFlag (line 166) | func copyFlag(name string) {
function usage (line 170) | func usage() {
function newSubnetManager (line 176) | func newSubnetManager(ctx context.Context) (subnet.Manager, error) {
function main (line 203) | func main() {
function shutdownHandler (line 499) | func shutdownHandler(ctx context.Context, sigs chan os.Signal, cancel co...
function getConfig (line 514) | func getConfig(ctx context.Context, sm subnet.Manager) (*subnet.Config, ...
function mustRunHealthz (line 535) | func mustRunHealthz(stopChan <-chan struct{}, wg *sync.WaitGroup) {
function ReadCIDRFromSubnetFile (line 574) | func ReadCIDRFromSubnetFile(path string, CIDRKey string) ip.IP4Net {
function ReadCIDRsFromSubnetFile (line 587) | func ReadCIDRsFromSubnetFile(path string, CIDRKey string) []ip.IP4Net {
function ReadIP6CIDRFromSubnetFile (line 609) | func ReadIP6CIDRFromSubnetFile(path string, CIDRKey string) ip.IP6Net {
function ReadIP6CIDRsFromSubnetFile (line 622) | func ReadIP6CIDRsFromSubnetFile(path string, CIDRKey string) []ip.IP6Net {
function newTrafficManager (line 644) | func newTrafficManager(useNftables bool) trafficmngr.TrafficManager {
FILE: pkg/backend/alloc/alloc.go
function init (line 28) | func init() {
type AllocBackend (line 32) | type AllocBackend struct
method RegisterNetwork (line 45) | func (be *AllocBackend) RegisterNetwork(ctx context.Context, wg *sync....
function New (line 37) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/common.go
type ExternalInterface (line 26) | type ExternalInterface struct
type Backend (line 39) | type Backend interface
type Network (line 44) | type Network interface
type BackendCtor (line 50) | type BackendCtor
FILE: pkg/backend/extension/extension.go
function init (line 34) | func init() {
type ExtensionBackend (line 38) | type ExtensionBackend struct
method Run (line 54) | func (*ExtensionBackend) Run(ctx context.Context) {
method RegisterNetwork (line 58) | func (be *ExtensionBackend) RegisterNetwork(ctx context.Context, wg *s...
function New (line 44) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
function runCmd (line 144) | func runCmd(env []string, stdin string, name string, arg ...string) (str...
FILE: pkg/backend/extension/extension_network.go
type network (line 29) | type network struct
method Lease (line 39) | func (n *network) Lease() *lease.Lease {
method MTU (line 43) | func (n *network) MTU() int {
method Run (line 47) | func (n *network) Run(ctx context.Context) {
method handleSubnetEvents (line 70) | func (n *network) handleSubnetEvents(batch []lease.Event) {
FILE: pkg/backend/hostgw/hostgw.go
function init (line 32) | func init() {
type HostgwBackend (line 36) | type HostgwBackend struct
method RegisterNetwork (line 53) | func (be *HostgwBackend) RegisterNetwork(ctx context.Context, wg *sync...
function New (line 41) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/hostgw/hostgw_windows.go
function init (line 36) | func init() {
type HostgwBackend (line 40) | type HostgwBackend struct
method RegisterNetwork (line 58) | func (be *HostgwBackend) RegisterNetwork(ctx context.Context, wg *sync...
function New (line 45) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/ipip/ipip.go
constant backendType (line 36) | backendType = "ipip"
constant tunnelName (line 37) | tunnelName = "flannel.ipip"
function init (line 40) | func init() {
type IPIPBackend (line 44) | type IPIPBackend struct
method RegisterNetwork (line 57) | func (be *IPIPBackend) RegisterNetwork(ctx context.Context, wg *sync.W...
method configureIPIPDevice (line 128) | func (be *IPIPBackend) configureIPIPDevice(lease *lease.Lease, flannel...
function New (line 49) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/ipsec/handle_charon.go
type Uri (line 35) | type Uri struct
type CharonIKEDaemon (line 39) | type CharonIKEDaemon struct
method getClient (line 81) | func (charon *CharonIKEDaemon) getClient(wait bool) (client *goStrongs...
method run (line 105) | func (charon *CharonIKEDaemon) run(execPath string) (cmd *exec.Cmd, er...
method LoadSharedKey (line 118) | func (charon *CharonIKEDaemon) LoadSharedKey(remotePublicIP, password ...
method LoadConnection (line 155) | func (charon *CharonIKEDaemon) LoadConnection(localLease, remoteLease ...
method UnloadCharonConnection (line 222) | func (charon *CharonIKEDaemon) UnloadCharonConnection(localLease,
function NewCharonIKEDaemon (line 45) | func NewCharonIKEDaemon(ctx context.Context, wg *sync.WaitGroup, espProp...
function formatConnectionName (line 250) | func formatConnectionName(localLease, remoteLease *lease.Lease) string {
function formatChildSAConfName (line 255) | func formatChildSAConfName(localLease, remoteLease *lease.Lease) string {
function findExecPath (line 259) | func findExecPath() (string, error) {
FILE: pkg/backend/ipsec/handle_xfrm.go
function AddXFRMPolicy (line 30) | func AddXFRMPolicy(myLease, remoteLease *lease.Lease, dir netlink.Dir, r...
function DeleteXFRMPolicy (line 72) | func DeleteXFRMPolicy(localSubnet, remoteSubnet *net.IPNet, localPublicI...
FILE: pkg/backend/ipsec/ipsec.go
constant defaultESPProposal (line 50) | defaultESPProposal = "aes128gcm16-sha256-prfsha256-ecp256"
constant minPasswordLength (line 51) | minPasswordLength = 96
function init (line 54) | func init() {
type IPSECBackend (line 58) | type IPSECBackend struct
method RegisterNetwork (line 73) | func (be *IPSECBackend) RegisterNetwork(
function New (line 63) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (
FILE: pkg/backend/ipsec/ipsec_network.go
constant ipsecOverhead (line 44) | ipsecOverhead = 77
constant udpEncapOverhead (line 45) | udpEncapOverhead = 8
constant defaultReqID (line 47) | defaultReqID = 11
type network (line 50) | type network struct
method Run (line 75) | func (n *network) Run(ctx context.Context) {
method handleSubnetEvents (line 108) | func (n *network) handleSubnetEvents(batch []lease.Event) {
method MTU (line 162) | func (n *network) MTU() int {
method AddIPSECPolicies (line 171) | func (n *network) AddIPSECPolicies(remoteLease *lease.Lease, reqID int...
method DeleteIPSECPolicies (line 190) | func (n *network) DeleteIPSECPolicies(localSubnet, remoteSubnet *net.I...
function newNetwork (line 58) | func newNetwork(sm subnet.Manager, extIface *backend.ExternalInterface,
FILE: pkg/backend/manager.go
type Manager (line 28) | type Manager interface
type manager (line 32) | type manager struct
method GetBackend (line 50) | func (bm *manager) GetBackend(backendType string) (Backend, error) {
function NewManager (line 41) | func NewManager(ctx context.Context, sm subnet.Manager, extIface *Extern...
function Register (line 91) | func Register(name string, ctor BackendCtor) {
FILE: pkg/backend/route_network.go
constant routeCheckRetries (line 34) | routeCheckRetries = 10
type RouteNetwork (line 37) | type RouteNetwork struct
method MTU (line 49) | func (n *RouteNetwork) MTU() int {
method Run (line 53) | func (n *RouteNetwork) Run(ctx context.Context) {
method handleSubnetEvents (line 83) | func (n *RouteNetwork) handleSubnetEvents(batch []lease.Event) {
method addToRouteList (line 177) | func (n *RouteNetwork) addToRouteList(route netlink.Route) {
method addToV6RouteList (line 181) | func (n *RouteNetwork) addToV6RouteList(route netlink.Route) {
method removeFromV4RouteList (line 194) | func (n *RouteNetwork) removeFromV4RouteList(route netlink.Route) {
method removeFromV6RouteList (line 198) | func (n *RouteNetwork) removeFromV6RouteList(route netlink.Route) {
method removeFromRouteList (line 202) | func (n *RouteNetwork) removeFromRouteList(route *netlink.Route, route...
method routeCheck (line 212) | func (n *RouteNetwork) routeCheck(ctx context.Context) {
method checkSubnetExistInV4Routes (line 224) | func (n *RouteNetwork) checkSubnetExistInV4Routes() {
method checkSubnetExistInV6Routes (line 228) | func (n *RouteNetwork) checkSubnetExistInV6Routes() {
method checkSubnetExistInRoutes (line 232) | func (n *RouteNetwork) checkSubnetExistInRoutes(routes []netlink.Route...
function routeAdd (line 142) | func routeAdd(route *netlink.Route, ipFamily int, addToRouteList, remove...
function addToRouteList (line 185) | func addToRouteList(route *netlink.Route, routes []netlink.Route) []netl...
function routeEqual (line 263) | func routeEqual(x, y netlink.Route) bool {
FILE: pkg/backend/route_network_test.go
function TestRouteCache (line 29) | func TestRouteCache(t *testing.T) {
function TestV6RouteCache (line 81) | func TestV6RouteCache(t *testing.T) {
FILE: pkg/backend/route_network_windows.go
constant routeCheckRetries (line 30) | routeCheckRetries = 10
type RouteNetwork (line 33) | type RouteNetwork struct
method MTU (line 44) | func (n *RouteNetwork) MTU() int {
method Run (line 48) | func (n *RouteNetwork) Run(ctx context.Context) {
method handleSubnetEvents (line 80) | func (n *RouteNetwork) handleSubnetEvents(batch []lease.Event) {
method addToRouteList (line 144) | func (n *RouteNetwork) addToRouteList(newRoute *routing.Route) {
method removeFromRouteList (line 154) | func (n *RouteNetwork) removeFromRouteList(oldRoute *routing.Route) {
method routeCheck (line 163) | func (n *RouteNetwork) routeCheck(ctx context.Context) {
method checkSubnetExistInRoutes (line 174) | func (n *RouteNetwork) checkSubnetExistInRoutes() {
FILE: pkg/backend/simple_network.go
type SimpleNetwork (line 23) | type SimpleNetwork struct
method Lease (line 28) | func (n *SimpleNetwork) Lease() *lease.Lease {
method MTU (line 32) | func (n *SimpleNetwork) MTU() int {
method Run (line 36) | func (*SimpleNetwork) Run(ctx context.Context) {
FILE: pkg/backend/tencentvpc/tencentvpc.go
function init (line 38) | func init() {
type TencentVpcBackend (line 42) | type TencentVpcBackend struct
method RegisterNetwork (line 96) | func (be *TencentVpcBackend) RegisterNetwork(ctx context.Context, wg *...
function New (line 47) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
function get_vm_metadata (line 55) | func get_vm_metadata(url string) (string, error) {
function get_vm_region (line 73) | func get_vm_region() (string, error) {
function get_vm_vpcid (line 78) | func get_vm_vpcid() (string, error) {
FILE: pkg/backend/udp/cproxy_amd64.go
function runCProxy (line 31) | func runCProxy(tun *os.File, conn *net.UDPConn, ctl *os.File, tunIP ip.I...
function writeCommand (line 59) | func writeCommand(f *os.File, cmd *C.command) {
function setRoute (line 69) | func setRoute(ctl *os.File, dst ip.IP4Net, nextHopIP ip.IP4, nextHopPort...
function removeRoute (line 81) | func removeRoute(ctl *os.File, dst ip.IP4Net) {
function stopProxy (line 91) | func stopProxy(ctl *os.File) {
FILE: pkg/backend/udp/proxy_amd64.c
type ip_net (line 35) | struct ip_net {
type route_entry (line 40) | struct route_entry {
type icmp_pkt (line 45) | typedef struct icmp_pkt {
function netmask (line 65) | static inline in_addr_t netmask(int prefix_len) {
function contains (line 69) | static inline int contains(struct ip_net net, in_addr_t ip) {
function log_error (line 73) | static void log_error(const char *fmt, ...) {
function cksum (line 84) | static uint16_t cksum(aliasing_uint32_t *buf, int len) {
function send_net_unreachable (line 105) | static void send_net_unreachable(int tun, char *offender) {
function set_route (line 164) | static int set_route(struct ip_net dst, struct sockaddr_in *next_hop) {
function del_route (line 191) | static int del_route(struct ip_net dst) {
function tun_recv_packet (line 234) | static ssize_t tun_recv_packet(int tun, char *buf, size_t buflen) {
function sock_recv_packet (line 250) | static ssize_t sock_recv_packet(int sock, char *buf, size_t buflen) {
function sock_send_packet (line 266) | static void sock_send_packet(int sock, char *pkt, size_t pktlen, struct ...
function tun_send_packet (line 280) | static void tun_send_packet(int tun, char *pkt, size_t pktlen) {
function decrement_ttl (line 297) | inline static int decrement_ttl(struct iphdr *iph) {
function tun_to_udp (line 316) | static int tun_to_udp(int tun, int sock, char *buf, size_t buflen) {
function udp_to_tun (line 344) | static int udp_to_tun(int sock, int tun, char *buf, size_t buflen) {
function process_cmd (line 365) | static void process_cmd(int ctl) {
type PFD (line 398) | enum PFD {
function run_proxy (line 405) | void run_proxy(int tun, int sock, int ctl, in_addr_t tun_ip, size_t tun_...
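The UDP backend's C proxy listed above (decrement_ttl, cksum, tun_to_udp) acts as a router in userspace: every packet pulled off the TUN device has its TTL decremented and its header checksum patched before being re-emitted over UDP, and a packet whose TTL would reach zero must be dropped rather than forwarded in a loop. The Go program below is an added illustration of that forwarding step; it is not the project's C code and does not reuse its function names. It validates the IPv4 header, refuses corrupted headers, decrements TTL, and updates the checksum incrementally (RFC 1624) instead of recomputing it. The sample header is constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ipv4HeaderChecksum returns the RFC 791 header checksum over hdr, skipping
// the checksum field at offset 10 so the same routine can compute and verify.
// IHL guarantees the header length is a multiple of 4, so no odd-byte case.
func ipv4HeaderChecksum(hdr []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(hdr); i += 2 {
		if i == 10 {
			continue
		}
		sum += uint32(binary.BigEndian.Uint16(hdr[i:]))
	}
	for sum>>16 != 0 {
		sum = (sum & 0xffff) + (sum >> 16)
	}
	return ^uint16(sum)
}

// storedChecksum returns the checksum field as carried in the packet.
func storedChecksum(pkt []byte) uint16 {
	return binary.BigEndian.Uint16(pkt[10:])
}

// decrementTTL is the check a userspace forwarder applies before re-emitting
// a packet. It returns (true, nil) when the packet may be forwarded,
// (false, nil) when it must be dropped because TTL would hit zero, and an
// error for malformed input. On success pkt is modified in place.
func decrementTTL(pkt []byte) (bool, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return false, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl {
		return false, errors.New("bad IHL")
	}
	// A header corrupted in transit must not be forwarded; patching its
	// checksum would launder the corruption for the next hop.
	if ipv4HeaderChecksum(pkt[:ihl]) != storedChecksum(pkt) {
		return false, errors.New("header checksum mismatch")
	}
	if pkt[8] <= 1 {
		// A router never emits TTL 0; a full forwarder would also send
		// ICMP Time Exceeded back to the source at this point.
		return false, nil
	}
	pkt[8]--
	// TTL is the high byte of the 16-bit word at offset 8, so that word
	// decreased by 0x0100. RFC 1624 eqn. 3 (HC' = ~(~HC + ~m + m')) then
	// reduces to HC' = HC + 0x0100 with end-around carry.
	sum := uint32(storedChecksum(pkt)) + 0x0100
	sum = (sum & 0xffff) + (sum >> 16)
	binary.BigEndian.PutUint16(pkt[10:], uint16(sum))
	return true, nil
}

// sampleHeader builds a constructed 20-byte IPv4 header (UDP, 10.0.0.1 ->
// 10.0.1.1) with the given TTL and a correct checksum. It is invented input
// for this example, not a captured packet.
func sampleHeader(ttl byte) []byte {
	h := []byte{
		0x45, 0x00, 0x00, 0x14, // version/IHL, TOS, total length 20
		0x00, 0x00, 0x00, 0x00, // identification, flags/fragment offset
		ttl, 0x11, 0x00, 0x00, // TTL, protocol UDP, checksum placeholder
		10, 0, 0, 1, // source 10.0.0.1
		10, 0, 1, 1, // destination 10.0.1.1
	}
	binary.BigEndian.PutUint16(h[10:], ipv4HeaderChecksum(h))
	return h
}

func main() {
	for _, ttl := range []byte{64, 1} {
		pkt := sampleHeader(ttl)
		fwd, err := decrementTTL(pkt)
		fmt.Printf("ttl=%d forward=%v err=%v newttl=%d csum=%#04x valid=%v\n",
			ttl, fwd, err, pkt[8], storedChecksum(pkt),
			ipv4HeaderChecksum(pkt) == storedChecksum(pkt))
	}
}
```

The incremental update is what a per-packet hot path wants (two additions instead of a ten-word sum), but it is only safe after the incoming checksum has been verified, which is why the corruption check comes first.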
FILE: pkg/backend/udp/proxy_amd64.h
type command (line 31) | typedef struct command {
FILE: pkg/backend/udp/udp.go
function init (line 26) | func init() {
function New (line 30) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/udp/udp_amd64.go
function init (line 31) | func init() {
constant defaultPort (line 36) | defaultPort = 8285
type UdpBackend (line 39) | type UdpBackend struct
method RegisterNetwork (line 52) | func (be *UdpBackend) RegisterNetwork(ctx context.Context, wg *sync.Wa...
function New (line 44) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
FILE: pkg/backend/udp/udp_network.go
function newNetwork (line 28) | func newNetwork(sm subnet.Manager, extIface *backend.ExternalInterface, ...
FILE: pkg/backend/udp/udp_network_amd64.go
constant encapOverhead (line 37) | encapOverhead = 28
type network (line 40) | type network struct
method Run (line 81) | func (n *network) Run(ctx context.Context) {
method MTU (line 132) | func (n *network) MTU() int {
method initTun (line 147) | func (n *network) initTun() error {
method processSubnetEvents (line 201) | func (n *network) processSubnetEvents(batch []lease.Event) {
function newNetwork (line 51) | func newNetwork(sm subnet.Manager, extIface *backend.ExternalInterface, ...
function newCtlSockets (line 136) | func newCtlSockets() (*os.File, *os.File, error) {
function configureIface (line 160) | func configureIface(ifname string, ipn ip.IP4Net, mtu int) error {
FILE: pkg/backend/vxlan/device.go
type vxlanDeviceAttrs (line 32) | type vxlanDeviceAttrs struct
type vxlanDevice (line 44) | type vxlanDevice struct
method Configure (line 129) | func (dev *vxlanDevice) Configure(ipa ip.IP4Net, flannelnet ip.IP4Net)...
method ConfigureIPv6 (line 152) | func (dev *vxlanDevice) ConfigureIPv6(ipn ip.IP6Net, flannelnet ip.IP6...
method MACAddr (line 175) | func (dev *vxlanDevice) MACAddr() net.HardwareAddr {
method AddFDB (line 185) | func (dev *vxlanDevice) AddFDB(n neighbor) error {
method AddV6FDB (line 197) | func (dev *vxlanDevice) AddV6FDB(n neighbor) error {
method DelFDB (line 209) | func (dev *vxlanDevice) DelFDB(n neighbor) error {
method DelV6FDB (line 220) | func (dev *vxlanDevice) DelV6FDB(n neighbor) error {
method AddARP (line 231) | func (dev *vxlanDevice) AddARP(n neighbor) error {
method AddV6ARP (line 242) | func (dev *vxlanDevice) AddV6ARP(n neighbor) error {
method DelARP (line 253) | func (dev *vxlanDevice) DelARP(n neighbor) error {
method DelV6ARP (line 264) | func (dev *vxlanDevice) DelV6ARP(n neighbor) error {
function newVXLANDevice (line 49) | func newVXLANDevice(devAttrs *vxlanDeviceAttrs) (*vxlanDevice, error) {
function ensureLink (line 85) | func ensureLink(vxlan *netlink.Vxlan) (*netlink.Vxlan, error) {
type neighbor (line 179) | type neighbor struct
function vxlanLinksIncompat (line 275) | func vxlanLinksIncompat(l1, l2 netlink.Link) string {
FILE: pkg/backend/vxlan/device_windows.go
type vxlanDeviceAttrs (line 32) | type vxlanDeviceAttrs struct
type vxlanDevice (line 40) | type vxlanDevice struct
type NetAdapterNameSettings (line 46) | type NetAdapterNameSettings struct
function newVXLANDevice (line 50) | func newVXLANDevice(ctx context.Context, devAttrs *vxlanDeviceAttrs) (*v...
function ensureNetwork (line 104) | func ensureNetwork(ctx context.Context, expectedNetwork *hcn.HostCompute...
function getManagementIP (line 183) | func getManagementIP(network *hcn.HostComputeNetwork) string {
function createSubnet (line 197) | func createSubnet(AddressPrefix string, NextHop string, DestPrefix strin...
function addNetAdapterName (line 210) | func addNetAdapterName(network *hcn.HostComputeNetwork, netAdapterName s...
function checkHostNetworkReady (line 231) | func checkHostNetworkReady(ctx context.Context, network *hcn.HostCompute...
FILE: pkg/backend/vxlan/vxlan.go
function init (line 70) | func init() {
constant defaultVNI (line 75) | defaultVNI = 1
type VXLANBackend (line 78) | type VXLANBackend struct
method RegisterNetwork (line 122) | func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg *sync....
function New (line 83) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
function newSubnetAttrs (line 92) | func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, vnid uint32, dev...
type VXLANConfig (line 159) | type VXLANConfig struct
function parseVXLANConfig (line 168) | func parseVXLANConfig(config json.RawMessage, defaultMTU int) (VXLANConf...
function createVXLANDevice (line 182) | func createVXLANDevice(ctx context.Context,
function configureDeviceIPv4IPv6 (line 252) | func configureDeviceIPv4IPv6(dev *vxlanDevice, v6Dev *vxlanDevice, lease...
type hardwareAddr (line 277) | type hardwareAddr
method MarshalJSON (line 279) | func (hw hardwareAddr) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 283) | func (hw *hardwareAddr) UnmarshalJSON(bytes []byte) error {
FILE: pkg/backend/vxlan/vxlan_network.go
type network (line 38) | type network struct
method Run (line 65) | func (nw *network) Run(ctx context.Context) {
method watchVXLANDevice (line 114) | func (nw *network) watchVXLANDevice(ctx context.Context, vxlanMissingC...
method reCreateVxlan (line 154) | func (nw *network) reCreateVxlan(ctx context.Context) error {
method MTU (line 251) | func (nw *network) MTU() int {
method handleSubnetEvents (line 260) | func (nw *network) handleSubnetEvents(batch []lease.Event) {
constant encapOverhead (line 47) | encapOverhead = 50
function newNetwork (line 50) | func newNetwork(subnetMgr subnet.Manager, extIface *backend.ExternalInte...
function retryAfterBackoff (line 238) | func retryAfterBackoff(backoff *time.Duration, maxBackoff time.Duration) {
function minDuration (line 244) | func minDuration(a, b time.Duration) time.Duration {
type vxlanLeaseAttrs (line 255) | type vxlanLeaseAttrs struct
FILE: pkg/backend/vxlan/vxlan_network_windows.go
type network (line 32) | type network struct
method Run (line 60) | func (nw *network) Run(ctx context.Context) {
method MTU (line 86) | func (nw *network) MTU() int {
method handleSubnetEvents (line 90) | func (nw *network) handleSubnetEvents(batch []lease.Event) {
type vxlanLeaseAttrs (line 38) | type vxlanLeaseAttrs struct
constant encapOverhead (line 44) | encapOverhead = 50
function newNetwork (line 47) | func newNetwork(subnetMgr subnet.Manager, extIface *backend.ExternalInte...
FILE: pkg/backend/vxlan/vxlan_windows.go
function init (line 43) | func init() {
constant defaultVNI (line 48) | defaultVNI = 4096
constant vxlanPort (line 49) | vxlanPort = 4789
type VXLANBackend (line 52) | type VXLANBackend struct
method RegisterNetwork (line 87) | func (be *VXLANBackend) RegisterNetwork(ctx context.Context, wg *sync....
function New (line 57) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
function newSubnetAttrs (line 66) | func newSubnetAttrs(publicIP net.IP, vnid uint16, mac net.HardwareAddr) ...
type hardwareAddr (line 209) | type hardwareAddr
method MarshalJSON (line 211) | func (hw hardwareAddr) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 215) | func (hw *hardwareAddr) UnmarshalJSON(bytes []byte) error {
FILE: pkg/backend/wireguard/device.go
type wgDeviceAttrs (line 37) | type wgDeviceAttrs struct
method setupKeys (line 82) | func (devAttrs *wgDeviceAttrs) setupKeys(psk string) error {
type wgDevice (line 47) | type wgDevice struct
method remove (line 216) | func (dev *wgDevice) remove() error {
method upAndAddRoute (line 224) | func (dev *wgDevice) upAndAddRoute(dst *net.IPNet) error {
method addRoute (line 237) | func (dev *wgDevice) addRoute(dst *net.IPNet) error {
method Configure (line 252) | func (dev *wgDevice) Configure(devIP ip.IP4, flannelnet ip.IP4Net) err...
method ConfigureV6 (line 266) | func (dev *wgDevice) ConfigureV6(devIP *ip.IP6, flannelnet ip.IP6Net) ...
method addPeer (line 280) | func (dev *wgDevice) addPeer(publicEndpoint string, peerPublicKeyRaw s...
method removePeer (line 325) | func (dev *wgDevice) removePeer(peerPublicKeyRaw string) error {
function writePrivateKey (line 52) | func writePrivateKey(path string, content string) error {
function newWGDevice (line 129) | func newWGDevice(devAttrs *wgDeviceAttrs, ctx context.Context, wg *sync....
function ensureLink (line 186) | func ensureLink(wglan *netlink.GenericLink) (*netlink.GenericLink, error) {
FILE: pkg/backend/wireguard/wireguard.go
type Mode (line 33) | type Mode
constant Separate (line 36) | Separate Mode = "separate"
constant Auto (line 37) | Auto Mode = "auto"
constant Ipv4 (line 38) | Ipv4 Mode = "ipv4"
constant Ipv6 (line 39) | Ipv6 Mode = "ipv6"
function init (line 42) | func init() {
type WireguardBackend (line 46) | type WireguardBackend struct
method RegisterNetwork (line 113) | func (be *WireguardBackend) RegisterNetwork(ctx context.Context, wg *s...
function New (line 51) | func New(sm subnet.Manager, extIface *backend.ExternalInterface) (backen...
function newSubnetAttrs (line 60) | func newSubnetAttrs(publicIP net.IP, publicIPv6 net.IP, enableIPv4, enab...
function createWGDev (line 99) | func createWGDev(ctx context.Context, wg *sync.WaitGroup, name string, p...
FILE: pkg/backend/wireguard/wireguard_network.go
constant overhead (line 43) | overhead = 80
type network (line 46) | type network struct
method Lease (line 70) | func (n *network) Lease() *lease.Lease {
method MTU (line 74) | func (n *network) MTU() int {
method Run (line 78) | func (n *network) Run(ctx context.Context) {
method selectMode (line 118) | func (n *network) selectMode(ip4 ip.IP4, ip6 *ip.IP6) Mode {
method handleSubnetEvents (line 131) | func (n *network) handleSubnetEvents(ctx context.Context, batch []leas...
function newNetwork (line 56) | func newNetwork(sm subnet.Manager, extIface *backend.ExternalInterface, ...
type wireguardLeaseAttrs (line 102) | type wireguardLeaseAttrs struct
FILE: pkg/ip/endianess.go
function init (line 28) | func init() {
function NativelyLittle (line 40) | func NativelyLittle() bool {
FILE: pkg/ip/iface.go
function getIfaceAddrs (line 32) | func getIfaceAddrs(iface *net.Interface) ([]netlink.Addr, error) {
function getIfaceV6Addrs (line 42) | func getIfaceV6Addrs(iface *net.Interface) ([]netlink.Addr, error) {
function GetInterfaceIP4Addrs (line 52) | func GetInterfaceIP4Addrs(iface *net.Interface) ([]net.IP, error) {
function GetInterfaceIP6Addrs (line 80) | func GetInterfaceIP6Addrs(iface *net.Interface) ([]net.IP, error) {
function GetInterfaceIP4AddrMatch (line 108) | func GetInterfaceIP4AddrMatch(iface *net.Interface, matchAddr net.IP) er...
function GetInterfaceIP6AddrMatch (line 127) | func GetInterfaceIP6AddrMatch(iface *net.Interface, matchAddr net.IP) er...
function GetDefaultGatewayInterface (line 146) | func GetDefaultGatewayInterface() (*net.Interface, error) {
function GetDefaultV6GatewayInterface (line 164) | func GetDefaultV6GatewayInterface() (*net.Interface, error) {
function GetInterfaceByIP (line 182) | func GetInterfaceByIP(ip net.IP) (*net.Interface, error) {
function GetInterfaceByIP6 (line 198) | func GetInterfaceByIP6(ip net.IP) (*net.Interface, error) {
function GetInterfaceBySpecificIPRouting (line 214) | func GetInterfaceBySpecificIPRouting(ip net.IP) (*net.Interface, net.IP,...
function DirectRouting (line 232) | func DirectRouting(ip net.IP) (bool, error) {
function EnsureV4AddressOnLink (line 245) | func EnsureV4AddressOnLink(ipa IP4Net, ipn IP4Net, link netlink.Link) er...
function EnsureV6AddressOnLink (line 279) | func EnsureV6AddressOnLink(ipa IP6Net, ipn IP6Net, link netlink.Link) er...
function AddBlackholeV4Route (line 315) | func AddBlackholeV4Route(ipV4Dest *net.IPNet) error {
function AddBlackholeV6Route (line 324) | func AddBlackholeV6Route(ipV6Dest *net.IPNet) error {
function compareAddrs (line 335) | func compareAddrs(a, b netlink.Addr) int {
FILE: pkg/ip/iface_test.go
function TestEnsureV4AddressOnLink (line 28) | func TestEnsureV4AddressOnLink(t *testing.T) {
function TestEnsureV6AddressOnLink (line 67) | func TestEnsureV6AddressOnLink(t *testing.T) {
FILE: pkg/ip/iface_windows.go
function GetInterfaceIP4Addrs (line 29) | func GetInterfaceIP4Addrs(iface *net.Interface) ([]net.IP, error) {
function GetDefaultGatewayInterface (line 59) | func GetDefaultGatewayInterface() (*net.Interface, error) {
function getDefaultGatewayInterfaceIndex (line 68) | func getDefaultGatewayInterfaceIndex() (int, error) {
function GetInterfaceByIP (line 86) | func GetInterfaceByIP(search net.IP) (*net.Interface, error) {
function EnableForwardingForInterface (line 118) | func EnableForwardingForInterface(iface *net.Interface) error {
function DisableForwardingForInterface (line 124) | func DisableForwardingForInterface(iface *net.Interface) error {
function setForwardingForInterface (line 128) | func setForwardingForInterface(iface *net.Interface, forwarding bool) er...
function IsForwardingEnabledForInterface (line 142) | func IsForwardingEnabledForInterface(iface *net.Interface) (bool, error) {
function GetInterfaceByIP6 (line 155) | func GetInterfaceByIP6(ip net.IP) (*net.Interface, error) ...
function GetInterfaceIP6Addrs (line 156) | func GetInterfaceIP6Addrs(iface *net.Interface) ([]net.IP, error) ...
function GetInterfaceBySpecificIPRouting (line 157) | func GetInterfaceBySpecificIPRouting(ip net.IP) (*net.Interface, net.IP,...
function GetDefaultV6GatewayInterface (line 158) | func GetDefaultV6GatewayInterface() (*net.Interface, error) ...
function AddBlackholeV4Route (line 159) | func AddBlackholeV4Route(ipV4Dest *net.IPNet) error ...
function AddBlackholeV6Route (line 160) | func AddBlackholeV6Route(ipV6Dest *net.IPNet) error ...
FILE: pkg/ip/iface_windows_test.go
function TestGetInterfaceIP4Addr (line 24) | func TestGetInterfaceIP4Addr(t *testing.T) {
function TestGetDefaultGatewayInterface (line 36) | func TestGetDefaultGatewayInterface(t *testing.T) {
function TestGetInterfaceByIP (line 43) | func TestGetInterfaceByIP(t *testing.T) {
function TestEnableForwardingForInterface (line 66) | func TestEnableForwardingForInterface(t *testing.T) {
FILE: pkg/ip/ip6net.go
type IP6 (line 25) | type IP6
method ToIP (line 81) | func (ip6 *IP6) ToIP() net.IP {
method String (line 90) | func (ip6 IP6) String() string {
method MarshalJSON (line 95) | func (ip6 IP6) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 100) | func (ip6 *IP6) UnmarshalJSON(j []byte) error {
method Cmp (line 110) | func (ip6 *IP6) Cmp(other *IP6) int {
method IsPrivate (line 116) | func (ip6 *IP6) IsPrivate() bool {
function FromIP16Bytes (line 27) | func FromIP16Bytes(ip []byte) *IP6 {
function FromIP6 (line 31) | func FromIP6(ip net.IP) *IP6 {
function ParseIP6 (line 41) | func ParseIP6(s string) (*IP6, error) {
function Mask (line 49) | func Mask(prefixLen int) *big.Int {
function IsEmpty (line 54) | func IsEmpty(subnet *IP6) bool {
function GetIPv6SubnetMin (line 61) | func GetIPv6SubnetMin(networkIP *IP6, subnetSize *big.Int) *IP6 {
function GetIPv6SubnetMax (line 65) | func GetIPv6SubnetMax(networkIP *IP6, subnetSize *big.Int) *IP6 {
function CheckIPv6Subnet (line 69) | func CheckIPv6Subnet(subnetIP *IP6, mask *big.Int) bool {
function MustParseIP6 (line 73) | func MustParseIP6(s string) *IP6 {
type IP6Net (line 121) | type IP6Net struct
method String (line 126) | func (n IP6Net) String() string {
method StringSep (line 133) | func (n IP6Net) StringSep(hexSep, prefixSep string) string {
method Network (line 145) | func (n IP6Net) Network() IP6Net {
method Next (line 153) | func (n IP6Net) Next() IP6Net {
method IncrementIP (line 161) | func (n *IP6Net) IncrementIP() {
method ToIPNet (line 173) | func (n IP6Net) ToIPNet() *net.IPNet {
method Overlaps (line 180) | func (n IP6Net) Overlaps(other IP6Net) bool {
method Equal (line 191) | func (n IP6Net) Equal(other IP6Net) bool {
method Mask (line 196) | func (n IP6Net) Mask() *big.Int {
method Contains (line 201) | func (n IP6Net) Contains(ip *IP6) bool {
method ContainsCIDR (line 207) | func (n *IP6Net) ContainsCIDR(other *IP6Net) bool {
method Empty (line 213) | func (n IP6Net) Empty() bool {
method MarshalJSON (line 218) | func (n IP6Net) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 223) | func (n *IP6Net) UnmarshalJSON(j []byte) error {
function MapIP6ToString (line 137) | func MapIP6ToString(nws []IP6Net) []string {
function FromIP6Net (line 165) | func FromIP6Net(n *net.IPNet) IP6Net {
FILE: pkg/ip/ip6net_test.go
function mkIP6Net (line 23) | func mkIP6Net(s string, plen uint) IP6Net {
function mkIP6 (line 31) | func mkIP6(s string) *IP6 {
function TestIP6 (line 39) | func TestIP6(t *testing.T) {
function TestIP6Net (line 101) | func TestIP6Net(t *testing.T) {
FILE: pkg/ip/ipnet.go
type IP4 (line 24) | type IP4
method Octets (line 59) | func (ip IP4) Octets() (a, b, c, d byte) {
method ToIP (line 64) | func (ip IP4) ToIP() net.IP {
method NetworkOrder (line 68) | func (ip IP4) NetworkOrder() uint32 {
method String (line 77) | func (ip IP4) String() string {
method StringSep (line 81) | func (ip IP4) StringSep(sep string) string {
method MarshalJSON (line 87) | func (ip IP4) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 92) | func (ip *IP4) UnmarshalJSON(j []byte) error {
method IsPrivate (line 104) | func (ip IP4) IsPrivate() bool {
function FromBytes (line 26) | func FromBytes(ip []byte) IP4 {
function FromIP (line 33) | func FromIP(ip net.IP) IP4 {
function ParseIP4 (line 43) | func ParseIP4(s string) (IP4, error) {
function MustParseIP4 (line 51) | func MustParseIP4(s string) IP4 {
type IP4Net (line 111) | type IP4Net struct
method String (line 116) | func (n IP4Net) String() string {
method StringSep (line 120) | func (n IP4Net) StringSep(octetSep, prefixSep string) string {
method Network (line 132) | func (n IP4Net) Network() IP4Net {
method Next (line 139) | func (n IP4Net) Next() IP4Net {
method IncrementIP (line 147) | func (n *IP4Net) IncrementIP() {
method ToIPNet (line 159) | func (n IP4Net) ToIPNet() *net.IPNet {
method Overlaps (line 166) | func (n IP4Net) Overlaps(other IP4Net) bool {
method Equal (line 176) | func (n IP4Net) Equal(other IP4Net) bool {
method Mask (line 180) | func (n IP4Net) Mask() uint32 {
method Contains (line 185) | func (n IP4Net) Contains(ip IP4) bool {
method ContainsCIDR (line 189) | func (n *IP4Net) ContainsCIDR(other *IP4Net) bool {
method Empty (line 195) | func (n IP4Net) Empty() bool {
method MarshalJSON (line 200) | func (n IP4Net) MarshalJSON() ([]byte, error) {
method UnmarshalJSON (line 205) | func (n *IP4Net) UnmarshalJSON(j []byte) error {
function MapIP4ToString (line 124) | func MapIP4ToString(nws []IP4Net) []string {
function FromIPNet (line 151) | func FromIPNet(n *net.IPNet) IP4Net {
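The IP4Net API listed above (Network, Next, Overlaps, Contains, ContainsCIDR, Mask) is the arithmetic a subnet manager relies on when handing a node its lease: a candidate subnet must lie inside the configured network and must not overlap any lease already held, because two nodes advertising routes for the same pod range would steer each other's traffic. The program below is an added example written for this page, not the project's implementation: it re-derives those operations on a host-order uint32 so the mask arithmetic is visible, and the allocateSubnet function and its lease list are assumptions constructed to show the overlap check in use.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// IP4Net is an illustrative (address, prefix length) pair. The address is a
// host-order uint32 so that every mask operation below is explicit.
type IP4Net struct {
	IP        uint32
	PrefixLen uint
}

// ParseIP4Net accepts CIDR notation and keeps the host bits as given; call
// Network() to canonicalise.
func ParseIP4Net(s string) (IP4Net, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return IP4Net{}, err
	}
	if !p.Addr().Is4() {
		return IP4Net{}, errors.New("not an IPv4 prefix: " + s)
	}
	a := p.Addr().As4()
	ip := uint32(a[0])<<24 | uint32(a[1])<<16 | uint32(a[2])<<8 | uint32(a[3])
	return IP4Net{IP: ip, PrefixLen: uint(p.Bits())}, nil
}

func mustParseIP4Net(s string) IP4Net {
	n, err := ParseIP4Net(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Mask returns the network mask; a Go shift by 32 yields 0, so /0 is all-zero.
func (n IP4Net) Mask() uint32 { return ^uint32(0) << (32 - n.PrefixLen) }

// Network clears the host bits.
func (n IP4Net) Network() IP4Net { return IP4Net{n.IP & n.Mask(), n.PrefixLen} }

// Next is the adjacent block of the same size.
func (n IP4Net) Next() IP4Net {
	return IP4Net{(n.IP & n.Mask()) + uint32(1)<<(32-n.PrefixLen), n.PrefixLen}
}

func (n IP4Net) Contains(ip uint32) bool { return ip&n.Mask() == n.IP&n.Mask() }

// ContainsCIDR: o fits inside n when it is no larger and its base address is in n.
func (n IP4Net) ContainsCIDR(o IP4Net) bool { return n.PrefixLen <= o.PrefixLen && n.Contains(o.IP) }

// Overlaps: two CIDRs share an address exactly when one contains the other.
func (n IP4Net) Overlaps(o IP4Net) bool { return n.ContainsCIDR(o) || o.ContainsCIDR(n) }

func (n IP4Net) String() string {
	return fmt.Sprintf("%d.%d.%d.%d/%d", byte(n.IP>>24), byte(n.IP>>16), byte(n.IP>>8), byte(n.IP), n.PrefixLen)
}

// allocateSubnet (assumed helper) walks network in /subnetLen steps and returns
// the first block that is inside the network and overlaps no existing lease.
// The wrap guard stops the walk if Next() rolls over past 255.255.255.255.
func allocateSubnet(network IP4Net, subnetLen uint, existing []IP4Net) (IP4Net, error) {
	if subnetLen < network.PrefixLen || subnetLen > 32 {
		return IP4Net{}, fmt.Errorf("subnet length /%d is not valid inside %s", subnetLen, network)
	}
	c := (IP4Net{network.IP, subnetLen}).Network()
	for network.ContainsCIDR(c) {
		free := true
		for _, l := range existing {
			if c.Overlaps(l) {
				free = false
				break
			}
		}
		if free {
			return c, nil
		}
		next := c.Next()
		if next.IP <= c.IP {
			break
		}
		c = next
	}
	return IP4Net{}, errors.New("no free subnet left in " + network.String())
}

func main() {
	network := mustParseIP4Net("10.244.0.0/16")
	// Constructed leases standing in for what other nodes already hold.
	leases := []IP4Net{mustParseIP4Net("10.244.0.0/24"), mustParseIP4Net("10.244.1.0/24"), mustParseIP4Net("10.244.3.0/24")}
	sn, err := allocateSubnet(network, 24, leases)
	fmt.Println(sn, err)
}
```

Note that Overlaps is symmetric but ContainsCIDR is not: a /22 lease held by another node blocks every /24 inside it, while a smaller lease inside a candidate blocks that candidate too, so the allocator must test containment in both directions.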
FILE: pkg/ip/ipnet_test.go
function mkIP4Net (line 23) | func mkIP4Net(s string, plen uint) IP4Net {
function mkIP4 (line 31) | func mkIP4(s string) IP4 {
function TestIP4 (line 39) | func TestIP4(t *testing.T) {
function TestIP4Net (line 100) | func TestIP4Net(t *testing.T) {
FILE: pkg/ip/tun.go
constant tunDevice (line 28) | tunDevice = "/dev/net/tun"
constant ifnameSize (line 29) | ifnameSize = 16
type ifreqFlags (line 32) | type ifreqFlags struct
function ioctl (line 37) | func ioctl(fd int, request, argp uintptr) error {
function fromZeroTerm (line 45) | func fromZeroTerm(s []byte) string {
function OpenTun (line 49) | func OpenTun(name string) (*os.File, string, error) {
FILE: pkg/ipmatch/match.go
constant ipv4Stack (line 31) | ipv4Stack int = iota
constant ipv6Stack (line 32) | ipv6Stack
constant dualStack (line 33) | dualStack
constant noneStack (line 34) | noneStack
type PublicIPOpts (line 37) | type PublicIPOpts struct
function GetIPFamily (line 42) | func GetIPFamily(autoDetectIPv4, autoDetectIPv6 bool) (int, error) {
function LookupExtIface (line 53) | func LookupExtIface(ifname string, ifregexS string, ifcanreach string, i...
function matchIP (line 318) | func matchIP(ifregex *regexp.Regexp, ifaceIPs []net.IP) net.IP {
FILE: pkg/ipmatch/match_test.go
function TestLookupExtIface (line 25) | func TestLookupExtIface(t *testing.T) {
FILE: pkg/lease/lease.go
constant EventAdded (line 28) | EventAdded EventType = iota
constant EventRemoved (line 29) | EventRemoved
type EventType (line 33) | type EventType
type Event (line 35) | type Event struct
type LeaseAttrs (line 42) | type LeaseAttrs struct
method String (line 76) | func (la *LeaseAttrs) String() string {
type Lease (line 51) | type Lease struct
type LeaseWatchResult (line 62) | type LeaseWatchResult struct
type LeaseWatcher (line 71) | type LeaseWatcher struct
method Reset (line 106) | func (lw *LeaseWatcher) Reset(leases []Lease) []Event {
method Update (line 141) | func (lw *LeaseWatcher) Update(events []Event) []Event {
method add (line 162) | func (lw *LeaseWatcher) add(lease *Lease) Event {
method remove (line 176) | func (lw *LeaseWatcher) remove(lease *Lease) Event {
function sameSubnet (line 189) | func sameSubnet(ipv4Enabled, ipv6Enabled bool, firstLease, secondLease L...
FILE: pkg/mac/mac.go
function NewHardwareAddr (line 25) | func NewHardwareAddr() (net.HardwareAddr, error) {
FILE: pkg/mac/mac_test.go
function TestNewHardwareAddr (line 21) | func TestNewHardwareAddr(t *testing.T) {
FILE: pkg/ns/ns.go
function SetUpNetlinkTest (line 27) | func SetUpNetlinkTest(t *testing.T) func() {
FILE: pkg/powershell/powershell.go
constant commandWrapper (line 29) | commandWrapper = `$ErrorActionPreference="Stop";try { %s } catch { Write...
function RunCommand (line 34) | func RunCommand(command string) ([]byte, error) {
function RunCommandf (line 53) | func RunCommandf(command string, a ...interface{}) ([]byte, error) {
function RunCommandWithJsonResult (line 63) | func RunCommandWithJsonResult(command string, v interface{}) error {
FILE: pkg/retry/retry.go
function Do (line 25) | func Do(f func() error) error {
FILE: pkg/routing/router.go
type Router (line 23) | type Router interface
type Route (line 38) | type Route struct
method Equal (line 44) | func (r *Route) Equal(other Route) bool {
FILE: pkg/routing/router_windows.go
type RouterWindows (line 29) | type RouterWindows struct
method GetAllRoutes (line 31) | func (r RouterWindows) GetAllRoutes() ([]Route, error) {
method GetRoutesFromInterfaceToSubnet (line 35) | func (r RouterWindows) GetRoutesFromInterfaceToSubnet(interfaceIndex i...
method CreateRoute (line 39) | func (r RouterWindows) CreateRoute(interfaceIndex int, destinationSubn...
method DeleteRoute (line 44) | func (r RouterWindows) DeleteRoute(interfaceIndex int, destinationSubn...
type winNetRoute (line 49) | type winNetRoute struct
function parseNetRoutes (line 55) | func parseNetRoutes(cmd string) ([]Route, error) {
FILE: pkg/routing/router_windows_test.go
function TestGetAllRoutes (line 27) | func TestGetAllRoutes(t *testing.T) {
function TestCreateAndRemoveRoute (line 39) | func TestCreateAndRemoveRoute(t *testing.T) {
FILE: pkg/subnet/config.go
type Config (line 26) | type Config struct
function parseBackendType (line 42) | func parseBackendType(be json.RawMessage) (string, error) {
function ParseConfig (line 56) | func ParseConfig(s string) (*Config, error) {
function CheckNetworkConfig (line 76) | func CheckNetworkConfig(config *Config) error {
FILE: pkg/subnet/config_test.go
function TestConfigDefaults (line 21) | func TestConfigDefaults(t *testing.T) {
function TestIPv6ConfigDefaults (line 51) | func TestIPv6ConfigDefaults(t *testing.T) {
function TestConfigOverrides (line 81) | func TestConfigOverrides(t *testing.T) {
function TestIPv6ConfigOverrides (line 107) | func TestIPv6ConfigOverrides(t *testing.T) {
FILE: pkg/subnet/etcd/local_manager.go
constant raceRetries (line 33) | raceRetries = 10
constant subnetTTL (line 34) | subnetTTL = 24 * time.Hour
type LocalManager (line 43) | type LocalManager struct
method GetStoredMacAddresses (line 82) | func (m *LocalManager) GetStoredMacAddresses(ctx context.Context) (str...
method GetStoredPublicIP (line 86) | func (m *LocalManager) GetStoredPublicIP(ctx context.Context) (string,...
method GetNetworkConfig (line 90) | func (m *LocalManager) GetNetworkConfig(ctx context.Context) (*subnet....
method AcquireLease (line 107) | func (m *LocalManager) AcquireLease(ctx context.Context, attrs *lease....
method tryAcquireLease (line 148) | func (m *LocalManager) tryAcquireLease(ctx context.Context, config *su...
method allocateSubnet (line 225) | func (m *LocalManager) allocateSubnet(config *subnet.Config, leases []...
method RenewLease (line 276) | func (m *LocalManager) RenewLease(ctx context.Context, lease *lease.Le...
method leaseWatchReset (line 304) | func (m *LocalManager) leaseWatchReset(ctx context.Context, sn ip.IP4N...
method WatchLease (line 316) | func (m *LocalManager) WatchLease(ctx context.Context, sn ip.IP4Net, s...
method WatchLeases (line 339) | func (m *LocalManager) WatchLeases(ctx context.Context, receiver chan ...
method CompleteLease (line 363) | func (m *LocalManager) CompleteLease(ctx context.Context, myLease *lea...
method Name (line 432) | func (m *LocalManager) Name() string {
method HandleSubnetFile (line 441) | func (m *LocalManager) HandleSubnetFile(path string, config *subnet.Co...
type watchCursor (line 50) | type watchCursor struct
method String (line 61) | func (c watchCursor) String() string {
function isErrEtcdNodeExist (line 54) | func isErrEtcdNodeExist(e error) bool {
function NewLocalManager (line 65) | func NewLocalManager(ctx context.Context, config *EtcdConfig, prevSubnet...
function newLocalManager (line 73) | func newLocalManager(r Registry, prevSubnet ip.IP4Net, prevIPv6Subnet ip...
function findLeaseByIP (line 128) | func findLeaseByIP(leases []lease.Lease, pubIP ip.IP4) *lease.Lease {
function findLeaseBySubnet (line 138) | func findLeaseBySubnet(leases []lease.Lease, subnet ip.IP4Net) *lease.Le...
function getNextIndex (line 286) | func getNextIndex(cursor interface{}) (int64, error) {
function isIndexTooSmall (line 409) | func isIndexTooSmall(err error) bool {
function isSubnetConfigCompat (line 413) | func isSubnetConfigCompat(config *subnet.Config, sn ip.IP4Net) bool {
function isIPv6SubnetConfigCompat (line 421) | func isIPv6SubnetConfigCompat(config *subnet.Config, sn6 ip.IP6Net) bool {
FILE: pkg/subnet/etcd/mock_registry.go
type netwk (line 32) | type netwk struct
method sendSubnetEvent (line 41) | func (n *netwk) sendSubnetEvent(sn ip.IP4Net, e event) {
method findSubnet (line 243) | func (n *netwk) findSubnet(sn ip.IP4Net) (lease.Lease, int, error) {
type event (line 55) | type event struct
type MockSubnetRegistry (line 60) | type MockSubnetRegistry struct
method getNetworkConfig (line 79) | func (msr *MockSubnetRegistry) getNetworkConfig(ctx context.Context) (...
method setConfig (line 83) | func (msr *MockSubnetRegistry) setConfig(config string) error {
method getSubnets (line 88) | func (msr *MockSubnetRegistry) getSubnets(ctx context.Context) ([]leas...
method getSubnet (line 98) | func (msr *MockSubnetRegistry) getSubnet(ctx context.Context, sn ip.IP...
method createSubnet (line 111) | func (msr *MockSubnetRegistry) createSubnet(ctx context.Context, sn ip...
method updateSubnet (line 146) | func (msr *MockSubnetRegistry) updateSubnet(ctx context.Context, sn ip...
method deleteSubnet (line 176) | func (msr *MockSubnetRegistry) deleteSubnet(ctx context.Context, sn ip...
method watchSubnets (line 200) | func (msr *MockSubnetRegistry) watchSubnets(ctx context.Context, lease...
method watchSubnet (line 227) | func (msr *MockSubnetRegistry) watchSubnet(ctx context.Context, since ...
method leasesWatchReset (line 231) | func (msr *MockSubnetRegistry) leasesWatchReset(ctx context.Context) (...
function NewMockRegistry (line 66) | func NewMockRegistry(config string, initialSubnets []lease.Lease) *MockS...
FILE: pkg/subnet/etcd/mock_subnet.go
function NewMockManager (line 22) | func NewMockManager(registry *MockSubnetRegistry) subnet.Manager {
function NewMockManagerWithSubnet (line 26) | func NewMockManagerWithSubnet(registry *MockSubnetRegistry, sn ip.IP4Net...
FILE: pkg/subnet/etcd/rand.go
function init (line 24) | func init() {
function randInt (line 29) | func randInt(lo, hi int) int {
FILE: pkg/subnet/etcd/registry.go
type Registry (line 45) | type Registry interface
type EtcdConfig (line 57) | type EtcdConfig struct
type etcdNewFunc (line 67) | type etcdNewFunc
type etcdSubnetRegistry (line 69) | type etcdSubnetRegistry struct
method getNetworkConfig (line 154) | func (esr *etcdSubnetRegistry) getNetworkConfig(ctx context.Context) (...
method getSubnets (line 171) | func (esr *etcdSubnetRegistry) getSubnets(ctx context.Context) ([]leas...
method getSubnet (line 201) | func (esr *etcdSubnetRegistry) getSubnet(ctx context.Context, sn ip.IP...
method createSubnet (line 220) | func (esr *etcdSubnetRegistry) createSubnet(ctx context.Context, sn ip...
method updateSubnet (line 255) | func (esr *etcdSubnetRegistry) updateSubnet(ctx context.Context, sn ip...
method deleteSubnet (line 281) | func (esr *etcdSubnetRegistry) deleteSubnet(ctx context.Context, sn ip...
method watchSubnets (line 287) | func (esr *etcdSubnetRegistry) watchSubnets(ctx context.Context, lease...
method watchSubnet (line 372) | func (esr *etcdSubnetRegistry) watchSubnet(ctx context.Context, since ...
method kv (line 444) | func (esr *etcdSubnetRegistry) kv() etcd.KV {
method leasesWatchReset (line 532) | func (esr *etcdSubnetRegistry) leasesWatchReset(ctx context.Context) (...
function newTlsConfig (line 78) | func newTlsConfig(c *EtcdConfig) (*tls.Config, error) {
function newEtcdClient (line 106) | func newEtcdClient(ctx context.Context, c *EtcdConfig) (*etcd.Client, et...
function newEtcdSubnetRegistry (line 134) | func newEtcdSubnetRegistry(ctx context.Context, config *EtcdConfig, cliN...
function parseSubnetWatchResponse (line 450) | func parseSubnetWatchResponse(ctx context.Context, cli *etcd.Client, ev ...
function kvToIPLease (line 500) | func kvToIPLease(kv *mvccpb.KeyValue, ttl int64) (*lease.Lease, error) {
FILE: pkg/subnet/etcd/registry_test.go
function newTestEtcdRegistry (line 31) | func newTestEtcdRegistry(t *testing.T, ctx context.Context, client *etcd...
function watchSubnets (line 49) | func watchSubnets(t *testing.T, r Registry, ctx context.Context, sn ip.I...
function TestEtcdRegistry (line 100) | func TestEtcdRegistry(t *testing.T) {
FILE: pkg/subnet/etcd/subnet_test.go
function initTestRegistry (line 33) | func initTestRegistry(ctx context.Context, t *testing.T, r Registry, kvA...
function newDummyRegistry (line 66) | func newDummyRegistry() *MockSubnetRegistry {
function TestAcquireLease (line 88) | func TestAcquireLease(t *testing.T) {
function TestConfigChanged (line 141) | func TestConfigChanged(t *testing.T) {
function acquireLease (line 176) | func acquireLease(ctx context.Context, t *testing.T, sm subnet.Manager) ...
function TestWatchLeaseAdded (line 190) | func TestWatchLeaseAdded(t *testing.T) {
function TestWatchLeaseRemoved (line 257) | func TestWatchLeaseRemoved(t *testing.T) {
function TestCompleteLease (line 335) | func TestCompleteLease(t *testing.T) {
type leaseData (line 394) | type leaseData struct
function TestRenewLease (line 398) | func TestRenewLease(t *testing.T) {
function inAllocatableRange (line 480) | func inAllocatableRange(ctx context.Context, sm subnet.Manager, ipn ip.I...
function generateKey (line 489) | func generateKey(ipv4Subnet ip.IP4Net, ipv6Subnet ip.IP6Net) string {
FILE: pkg/subnet/kube/annotations.go
type annotations (line 23) | type annotations struct
function newAnnotations (line 36) | func newAnnotations(prefix string) (annotations, error) {
FILE: pkg/subnet/kube/annotations_test.go
function Test_newAnnotations (line 19) | func Test_newAnnotations(t *testing.T) {
FILE: pkg/subnet/kube/kube.go
constant resyncPeriod (line 51) | resyncPeriod = 5 * time.Minute
constant nodeControllerSyncTimeout (line 52) | nodeControllerSyncTimeout = 10 * time.Minute
type subnetFileInfo (line 55) | type subnetFileInfo struct
type kubeSubnetManager (line 63) | type kubeSubnetManager struct
method enqueueLeaseEvent (line 250) | func (ksm *kubeSubnetManager) enqueueLeaseEvent(ctx context.Context, e...
method handleAddLeaseEvent (line 296) | func (ksm *kubeSubnetManager) handleAddLeaseEvent(ctx context.Context,...
method handleUpdateLeaseEvent (line 312) | func (ksm *kubeSubnetManager) handleUpdateLeaseEvent(ctx context.Conte...
method GetNetworkConfig (line 343) | func (ksm *kubeSubnetManager) GetNetworkConfig(ctx context.Context) (*...
method AcquireLease (line 350) | func (ksm *kubeSubnetManager) AcquireLease(ctx context.Context, attrs ...
method WatchLeases (line 521) | func (ksm *kubeSubnetManager) WatchLeases(ctx context.Context, receive...
method Run (line 536) | func (ksm *kubeSubnetManager) Run(ctx context.Context) {
method nodeToLease (line 542) | func (ksm *kubeSubnetManager) nodeToLease(n v1.Node) (l lease.Lease, e...
method RenewLease (line 619) | func (ksm *kubeSubnetManager) RenewLease(ctx context.Context, lease *l...
method WatchLease (line 623) | func (ksm *kubeSubnetManager) WatchLease(ctx context.Context, sn ip.IP...
method Name (line 627) | func (ksm *kubeSubnetManager) Name() string {
method CompleteLease (line 633) | func (ksm *kubeSubnetManager) CompleteLease(ctx context.Context, lease...
method HandleSubnetFile (line 680) | func (m *kubeSubnetManager) HandleSubnetFile(path string, config *subn...
method GetStoredMacAddresses (line 692) | func (ksm *kubeSubnetManager) GetStoredMacAddresses(ctx context.Contex...
method GetStoredPublicIP (line 728) | func (ksm *kubeSubnetManager) GetStoredPublicIP(ctx context.Context) (...
function NewSubnetManager (line 81) | func NewSubnetManager(ctx context.Context, apiUrl, kubeconfig, prefix, n...
function newKubeSubnetManager (line 171) | func newKubeSubnetManager(ctx context.Context, c clientset.Interface, sc...
function containsCIDR (line 671) | func containsCIDR(ipnet1, ipnet2 *net.IPNet) bool {
FILE: pkg/subnet/kube/kube_test.go
function TestContainsCIDR (line 23) | func TestContainsCIDR(t *testing.T) {
FILE: pkg/subnet/subnet.go
function ParseSubnetKey (line 37) | func ParseSubnetKey(s string) (*ip.IP4Net, *ip.IP6Net) {
function MakeSubnetKey (line 63) | func MakeSubnetKey(sn ip.IP4Net, sn6 ip.IP6Net) string {
function WriteSubnetFile (line 71) | func WriteSubnetFile(path string, config *Config, ipMasq bool, sn ip.IP4...
type Manager (line 106) | type Manager interface
function WatchLeases (line 124) | func WatchLeases(ctx context.Context, sm Manager, ownLease *lease.Lease,...
function WatchLease (line 165) | func WatchLease(ctx context.Context, sm Manager, sn ip.IP4Net, sn6 ip.IP...
FILE: pkg/subnet/subnet_test.go
function TestSubnetNodev4 (line 22) | func TestSubnetNodev4(t *testing.T) {
function TestSubnetNodev6 (line 49) | func TestSubnetNodev6(t *testing.T) {
function TestSubnetNodeInvalid (line 81) | func TestSubnetNodeInvalid(t *testing.T) {
FILE: pkg/trafficmngr/iptables/iptables.go
type IPTables (line 31) | type IPTables interface
type IPTablesError (line 39) | type IPTablesError interface
type IPTablesManager (line 44) | type IPTablesManager struct
method Init (line 49) | func (iptm *IPTablesManager) Init(ctx context.Context) error {
method CleanUp (line 58) | func (iptm *IPTablesManager) CleanUp(ctx context.Context) error {
method SetupAndEnsureMasqRules (line 92) | func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Conte...
method masqRules (line 135) | func (iptm *IPTablesManager) masqRules(ccidr ip.IP4Net, lease *lease.L...
method masqIP6Rules (line 171) | func (iptm *IPTablesManager) masqIP6Rules(ccidr ip.IP6Net, lease *leas...
method SetupAndEnsureForwardRules (line 210) | func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Co...
method forwardRules (line 223) | func (iptm *IPTablesManager) forwardRules(flannelNetwork string) []tra...
method CreateIP4Chain (line 233) | func (iptm *IPTablesManager) CreateIP4Chain(table, chain string) {
method CreateIP6Chain (line 248) | func (iptm *IPTablesManager) CreateIP6Chain(table, chain string) {
method setupAndEnsureIP4Tables (line 363) | func (iptm *IPTablesManager) setupAndEnsureIP4Tables(ctx context.Conte...
method setupAndEnsureIP6Tables (line 399) | func (iptm *IPTablesManager) setupAndEnsureIP6Tables(ctx context.Conte...
method deleteIP4Tables (line 435) | func (iptm *IPTablesManager) deleteIP4Tables(rules []trafficmngr.IPTab...
method deleteIP6Tables (line 457) | func (iptm *IPTablesManager) deleteIP6Tables(rules []trafficmngr.IPTab...
function ipTablesRulesExist (line 263) | func ipTablesRulesExist(ipt IPTables, rules []trafficmngr.IPTablesRule) ...
function ipTablesCleanAndBuild (line 296) | func ipTablesCleanAndBuild(ipt IPTables, rules []trafficmngr.IPTablesRul...
function ipTablesBootstrap (line 344) | func ipTablesBootstrap(ipt IPTables, iptRestore IPTablesRestore, rules [...
function ensureIPTables (line 479) | func ensureIPTables(ipt IPTables, iptRestore IPTablesRestore, rules []tr...
function teardownIPTables (line 499) | func teardownIPTables(ipt IPTables, iptr IPTablesRestore, rules []traffi...
FILE: pkg/trafficmngr/iptables/iptables_restore.go
constant ipTablesRestoreCmd (line 33) | ipTablesRestoreCmd string = "iptables-restore"
constant ip6TablesRestoreCmd (line 34) | ip6TablesRestoreCmd string = "ip6tables-restore"
constant ipTablesCmd (line 35) | ipTablesCmd string = "iptables"
constant ip6TablesCmd (line 36) | ip6TablesCmd string = "ip6tables"
type IPTablesRestore (line 40) | type IPTablesRestore interface
type ipTablesRestore (line 46) | type ipTablesRestore struct
method ApplyWithoutFlush (line 89) | func (iptr *ipTablesRestore) ApplyWithoutFlush(rules IPTablesRestoreRu...
method runWithOutput (line 104) | func (iptr *ipTablesRestore) runWithOutput(args []string, stdin io.Rea...
type IPTablesRestoreRules (line 57) | type IPTablesRestoreRules
type IPTablesRestoreRuleSpec (line 60) | type IPTablesRestoreRuleSpec
function NewIPTablesRestoreWithProtocol (line 63) | func NewIPTablesRestoreWithProtocol(protocol iptables.Protocol) (IPTable...
function buildIPTablesRestorePayload (line 124) | func buildIPTablesRestorePayload(tableRules IPTablesRestoreRules) string {
function getIptablesRestoreSupport (line 153) | func getIptablesRestoreSupport(path string) (hasWait bool, err error) {
function ipTablesHasWaitSupport (line 166) | func ipTablesHasWaitSupport(v1, v2, v3 int) bool {
function extractIptablesRestoreVersion (line 181) | func extractIptablesRestoreVersion(str string) (int, int, int, error) {
function getIptablesRestoreVersionString (line 206) | func getIptablesRestoreVersionString(path string) (string, error) {
function getIptablesRestoreCommand (line 218) | func getIptablesRestoreCommand(proto iptables.Protocol) string {
function getIptablesCommand (line 226) | func getIptablesCommand(proto iptables.Protocol) string {
FILE: pkg/trafficmngr/iptables/iptables_restore_test.go
function TestRules (line 21) | func TestRules(t *testing.T) {
FILE: pkg/trafficmngr/iptables/iptables_test.go
function testingLease (line 31) | func testingLease() *lease.Lease {
type MockIPTables (line 40) | type MockIPTables struct
method ruleIndex (line 73) | func (mock *MockIPTables) ruleIndex(table string, chain string, rulesp...
method ChainExists (line 82) | func (mock *MockIPTables) ChainExists(table, chain string) (bool, erro...
method ClearChain (line 86) | func (mock *MockIPTables) ClearChain(table, chain string) error {
method Delete (line 90) | func (mock *MockIPTables) Delete(table string, chain string, rulespec ...
method Exists (line 104) | func (mock *MockIPTables) Exists(table string, chain string, rulespec ...
method AppendUnique (line 112) | func (mock *MockIPTables) AppendUnique(table string, chain string, rul...
type MockIPTablesRestore (line 46) | type MockIPTablesRestore struct
method ApplyFully (line 63) | func (mock *MockIPTablesRestore) ApplyFully(rules IPTablesRestoreRules...
method ApplyWithoutFlush (line 68) | func (mock *MockIPTablesRestore) ApplyWithoutFlush(rules IPTablesResto...
type MockIPTablesError (line 51) | type MockIPTablesError struct
method IsNotExist (line 55) | func (mock *MockIPTablesError) IsNotExist() bool {
method Error (line 59) | func (mock *MockIPTablesError) Error() string {
function TestDeleteRules (line 120) | func TestDeleteRules(t *testing.T) {
function TestDeleteMoreRules (line 154) | func TestDeleteMoreRules(t *testing.T) {
function TestBootstrapRules (line 198) | func TestBootstrapRules(t *testing.T) {
function TestDeleteIP6Rules (line 260) | func TestDeleteIP6Rules(t *testing.T) {
function TestEnsureRules (line 290) | func TestEnsureRules(t *testing.T) {
function TestEnsureIP6Rules (line 340) | func TestEnsureIP6Rules(t *testing.T) {
function setupIPTables (line 383) | func setupIPTables(ipt IPTables, rules []trafficmngr.IPTablesRule) error {
function expectedTearDownIPTablesRestoreRules (line 394) | func expectedTearDownIPTablesRestoreRules(rules []trafficmngr.IPTablesRu...
function IP6Rules (line 406) | func IP6Rules(ipn ip.IP6Net, lease *lease.Lease) []trafficmngr.IPTablesR...
function IP6RestoreRules (line 418) | func IP6RestoreRules(ipn ip.IP6Net, lease *lease.Lease) IPTablesRestoreR...
function IP6RestoreDeleteRules (line 431) | func IP6RestoreDeleteRules(ipn ip.IP6Net, lease *lease.Lease) IPTablesRe...
FILE: pkg/trafficmngr/iptables/iptables_windows.go
type IPTablesManager (line 27) | type IPTablesManager struct
method Init (line 37) | func (iptm IPTablesManager) Init(ctx context.Context) error {
method CleanUp (line 42) | func (iptm *IPTablesManager) CleanUp(ctx context.Context) error {
method SetupAndEnsureForwardRules (line 46) | func (iptm *IPTablesManager) SetupAndEnsureForwardRules(ctx context.Co...
method SetupAndEnsureMasqRules (line 49) | func (iptm *IPTablesManager) SetupAndEnsureMasqRules(ctx context.Conte...
type IPTables (line 29) | type IPTables interface
FILE: pkg/trafficmngr/nftables/nftables.go
constant ipv4Table (line 31) | ipv4Table = "flannel-ipv4"
constant ipv6Table (line 32) | ipv6Table = "flannel-ipv6"
constant forwardChain (line 33) | forwardChain = "forward"
constant postrtgChain (line 34) | postrtgChain = "postrtg"
type NFTablesManager (line 37) | type NFTablesManager struct
method Init (line 42) | func (nftm *NFTablesManager) Init(ctx context.Context) error {
method SetupAndEnsureForwardRules (line 77) | func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Co...
method SetupAndEnsureMasqRules (line 149) | func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Conte...
method addMasqRules (line 208) | func (nftm *NFTablesManager) addMasqRules(ctx context.Context,
method CleanUp (line 279) | func (nftm *NFTablesManager) CleanUp(ctx context.Context) error {
function initTable (line 58) | func initTable(ctx context.Context, ipFamily knftables.Family, name stri...
FILE: pkg/trafficmngr/nftables/nftables_windows.go
type NFTablesManager (line 27) | type NFTablesManager struct
method Init (line 30) | func (nftm *NFTablesManager) Init(ctx context.Context) error {
method CleanUp (line 35) | func (nftm *NFTablesManager) CleanUp(ctx context.Context) error {
method SetupAndEnsureForwardRules (line 39) | func (nftm *NFTablesManager) SetupAndEnsureForwardRules(ctx context.Co...
method SetupAndEnsureMasqRules (line 43) | func (nftm *NFTablesManager) SetupAndEnsureMasqRules(ctx context.Conte...
FILE: pkg/trafficmngr/nftables/utils.go
constant masqueradeTestTable (line 27) | masqueradeTestTable = "masqueradeTest"
method checkRandomfully (line 31) | func (nftm *NFTablesManager) checkRandomfully(ctx context.Context) bool {
FILE: pkg/trafficmngr/trafficmngr.go
type IPTablesRule (line 25) | type IPTablesRule struct
constant KubeProxyMark (line 36) | KubeProxyMark string = "0x4000/0x4000"
type TrafficManager (line 38) | type TrafficManager interface
Condensed preview: 175 files, each showing path, character count, and a content snippet.
[
{
"path": ".dockerignore",
"chars": 51,
"preview": "dist/*.aci\ndist/*.docker\ndist/*.tar.gz\n.git\nvendor\n"
},
{
"path": ".github/ISSUE_TEMPLATE.md",
"chars": 1243,
"preview": "<!--- Provide a general summary of the issue in the Title above -->\n\n## Expected Behavior\n<!--- If you're describing a b"
},
{
"path": ".github/PULL_REQUEST_TEMPLATE.md",
"chars": 786,
"preview": "## Description\n<!-- A few sentences describing the overall goals of the pull request's commits. \nPlease include \n- the t"
},
{
"path": ".github/dependabot.yml",
"chars": 1465,
"preview": "# To get started with Dependabot version updates, you'll need to specify which\n# package ecosystems to update and where "
},
{
"path": ".github/stale.yml",
"chars": 686,
"preview": "# Number of days of inactivity before an issue becomes stale\ndaysUntilStale: 180\n# Number of days of inactivity before a"
},
{
"path": ".github/workflows/build.yaml",
"chars": 1560,
"preview": "name: build flannel\n\non: pull_request\n\nenv:\n GO_VERSION: \"1.24\"\n LINUX_ARCHES: \"amd64 arm arm64 s390x ppc64le riscv64\""
},
{
"path": ".github/workflows/codeql-analysis.yml",
"chars": 2771,
"preview": "# For most projects, this workflow file will not need changing; you simply need\n# to commit it to your repository.\n#\n# Y"
},
{
"path": ".github/workflows/e2eTests.yaml",
"chars": 810,
"preview": "name: e2e tests for flannel\n\non: pull_request\n\npermissions:\n contents: read\n\njobs:\n e2e-test:\n name: test\n runs-"
},
{
"path": ".github/workflows/golangci-lint.yaml",
"chars": 725,
"preview": "name: run golangci-lint\n\non: pull_request\n\npermissions:\n contents: read\n\njobs:\n golangci:\n permissions:\n conte"
},
{
"path": ".github/workflows/k3s-e2eTests.yml",
"chars": 719,
"preview": "name: k3s e2e tests for flannel\n\non: pull_request\n\nenv:\n ARCH: amd64\n GO_VERSION: \"1.24\"\n KUBECONFIG: ${HOME}/.kube/c"
},
{
"path": ".github/workflows/release.yml",
"chars": 6530,
"preview": "name: release flannel and upload docker images\n \non:\n release:\n types: [published]\n\nenv:\n GO_VERSION: \"1.24\"\n LIN"
},
{
"path": ".github/workflows/scorecard.yml",
"chars": 3478,
"preview": "# This workflow uses actions that are not certified by GitHub. They are provided\n# by a third-party and are governed by "
},
{
"path": ".github/workflows/trivy.yml",
"chars": 1630,
"preview": "# This workflow uses actions that are not certified by GitHub.\n# They are provided by a third-party and are governed by\n"
},
{
"path": ".gitignore",
"chars": 211,
"preview": "dist/*.tar.gz\ndist/flanneld*\ndist/*.docker\ndist/here.txt\ndist/flannel_oci.tar\ncover.out\n.editorconfig\n.idea/\ndefault.etc"
},
{
"path": "ACTIVITY_SUMMARY_2025.md",
"chars": 2438,
"preview": "# Flannel Repository Activity Summary - 2025\n\n## Overview\nThis document provides a comprehensive summary of the flannel-"
},
{
"path": "CONTRIBUTING.md",
"chars": 2077,
"preview": "# How to Contribute\n\nCoreOS projects are [Apache 2.0 licensed](LICENSE) and accept contributions via\nGitHub pull request"
},
{
"path": "DCO",
"chars": 1422,
"preview": "Developer Certificate of Origin\nVersion 1.1\n\nCopyright (C) 2004, 2006 The Linux Foundation and its contributors.\n660 Yor"
},
{
"path": "Documentation/adrs/add-nftables-implementation.md",
"chars": 4396,
"preview": "# Add nftables implementation to flannel\n\nDate: 2024-02-01\n\n## Status\n\nWriting\n\n## Context\nAt the moment, flannel uses i"
},
{
"path": "Documentation/backends.md",
"chars": 7857,
"preview": "# Backends\n\nFlannel may be paired with several different backends. Once set, the backend should not be changed at runtim"
},
{
"path": "Documentation/building.md",
"chars": 2298,
"preview": "# Building flannel\n\nThe most reliable way to build flannel is by using Docker.\n\n## Building in a Docker container\n\nTo bu"
},
{
"path": "Documentation/configuration.md",
"chars": 8968,
"preview": "# Configuration\n\nIf the --kube-subnet-mgr argument is true, flannel reads its configuration from `/etc/kube-flannel/net-"
},
{
"path": "Documentation/extension.md",
"chars": 3186,
"preview": "# Extension\n\nThe `extension` backend provides an easy way for prototyping new backend types for flannel.\n\nIt is _not_ re"
},
{
"path": "Documentation/integrations.md",
"chars": 789,
"preview": "# Integrations\n\nThis document tracks projects that integrate with flannel. [Join the community](https://github.com/flann"
},
{
"path": "Documentation/kube-flannel.yml",
"chars": 4415,
"preview": "---\nkind: Namespace\napiVersion: v1\nmetadata:\n name: kube-flannel\n labels:\n k8s-app: flannel\n pod-security.kubern"
},
{
"path": "Documentation/kubernetes.md",
"chars": 6002,
"preview": "# kubeadm\n\nFor information on deploying flannel manually, using the Kubernetes installer toolkit kubeadm, see [Installin"
},
{
"path": "Documentation/kustomization/kube-flannel/kube-flannel.yml",
"chars": 4259,
"preview": "---\nkind: Namespace\napiVersion: v1\nmetadata:\n name: kube-flannel\n labels:\n pod-security.kubernetes.io/enforce: priv"
},
{
"path": "Documentation/kustomization/kube-flannel/kustomization.yaml",
"chars": 188,
"preview": "apiVersion: kustomize.config.k8s.io/v1beta1\nkind: Kustomization\ncommonLabels:\n k8s-app: flannel\nresources:\n- kube-flann"
},
{
"path": "Documentation/minikube.yml",
"chars": 2442,
"preview": "# This manifest is intended for dev work, so there are some differences from the \"normal\" manifest\n# - no namespace (m"
},
{
"path": "Documentation/netpol.md",
"chars": 572,
"preview": "# Network policy controller\n\nFrom v0.25.5 it is possible to deploy Flannel with https://github.com/kubernetes-sigs/kube-"
},
{
"path": "Documentation/reporting_bugs.md",
"chars": 1658,
"preview": "# Reporting bugs\n\nIf any part of the flannel project has bugs or documentation mistakes, please let us know by [opening "
},
{
"path": "Documentation/reservations.md",
"chars": 2520,
"preview": "# Leases and Reservations\n\n## Leases\n\nWhen flannel starts up, it ensures that the host has a subnet lease. If there is\na"
},
{
"path": "Documentation/running.md",
"chars": 6179,
"preview": "# Running flannel\n\nOnce you have pushed configuration JSON to `etcd`, you can start `flanneld`. If you published your co"
},
{
"path": "Documentation/tencentcloud-vpc-backend.md",
"chars": 256,
"preview": "# TencentCloud VPC Backend for Flannel\n\nThere are only two differences between the usage method and Alibaba Cloud:\n1. Te"
},
{
"path": "Documentation/troubleshooting.md",
"chars": 7107,
"preview": "# Troubleshooting\n\n# General\n\n## Connectivity\nIn Docker v1.13 and later, the default iptables forwarding policy was chan"
},
{
"path": "Documentation/upgrade.md",
"chars": 1699,
"preview": "# Upgrade\n\nFlannel upgrade/downgrade procedure\n \nThere are different ways of changing flannel version in the running clu"
},
{
"path": "LICENSE",
"chars": 11358,
"preview": "\n Apache License\n Version 2.0, January 2004\n "
},
{
"path": "Makefile",
"chars": 10090,
"preview": ".PHONY: test unit-test e2e-test deps cover gofmt gofmt-fix license-check clean tar.gz release buildx-create-builder buil"
},
{
"path": "OWNERS",
"chars": 219,
"preview": "reviewers:\n - manuelbuil (Manuel Buil)\n - mgfritch (Michael Fritch)\n - rbrtbnfgl (Roberto Bonafiglia)\n - thomasferra"
},
{
"path": "README.md",
"chars": 6265,
"preview": "# flannel\n\n\n\n; do\n\t\thead -n4 \"${file}\" "
},
{
"path": "dist/mk-docker-opts.sh",
"chars": 2633,
"preview": "#!/bin/sh\n\nusage() {\n\techo \"$0 [-f FLANNEL-ENV-FILE] [-d DOCKER-ENV-FILE] [-i] [-c] [-m] [-k COMBINED-KEY]\n\nGenerate Doc"
},
{
"path": "dist/mk-docker-opts_tests.sh",
"chars": 2011,
"preview": "#!/bin/bash\nset -e\n\necho \"### Dry run with input & output files set\"\necho \"$ ./mk-docker-opts.sh -f ./sample_subnet.env "
},
{
"path": "dist/sample_subnet.env",
"chars": 94,
"preview": "FLANNEL_NETWORK=10.1.0.0/16\nFLANNEL_SUBNET=10.1.74.1/24\nFLANNEL_MTU=1472\nFLANNEL_IPMASQ=false\n"
},
{
"path": "dist/snap/README.md",
"chars": 945,
"preview": "<h1 align=\"center\">\n <img src=\"https://user-images.githubusercontent.com/45159366/61273381-36394c80-a75e-11e9-9a4a-7f36"
},
{
"path": "dist/snap/snapcraft.yaml",
"chars": 1759,
"preview": "name: flannel\nsummary: A network fabric for containers.\ndescription:| A simple and easy way to configure a layer 3 net"
},
{
"path": "dist/test/ca-config.json",
"chars": 832,
"preview": "{\n \"signing\": {\n \"default\": {\n \"expiry\": \"43800h\"\n },\n \"profiles\": {\n \"ser"
},
{
"path": "dist/test/ca-csr.json",
"chars": 312,
"preview": "{\n \"CN\": \"My own CA\",\n \"key\": {\n \"algo\": \"rsa\",\n \"size\": 2048\n },\n \"names\": [\n {\n "
},
{
"path": "dist/test/ca-key.pem",
"chars": 1675,
"preview": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAu5kCsujw2F5xuFSJ6GXpwa7WFBbcYiJD7bw+9irHL0BIUs9N\npNi8B6dev0DM7ReIPJCgrnJ"
},
{
"path": "dist/test/ca.csr",
"chars": 1021,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIICujCCAaICAQAwdTELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDVNhbiBGcmFuY2lz\nY28xCzAJBgNVBAcTAkN"
},
{
"path": "dist/test/ca.pem",
"chars": 1354,
"preview": "-----BEGIN CERTIFICATE-----\nMIIDujCCAqKgAwIBAgIURksNLgjamSSvFUWdYjuUq9ML3EAwDQYJKoZIhvcNAQEL\nBQAwdTELMAkGA1UEBhMCVVMxFjA"
},
{
"path": "dist/test/client-key.pem",
"chars": 227,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIKih7JlJdm3jguVqkAFFRbaPrMNx+szw/3WWc4IJNJcBoAoGCCqGSM49\nAwEHoUQDQgAEriOtzABDnRTa"
},
{
"path": "dist/test/client.csr",
"chars": 465,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHTCBwwIBADBDMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28"
},
{
"path": "dist/test/client.json",
"chars": 243,
"preview": "{\n \"CN\": \"client\",\n \"hosts\": [\n \"\"\n ],\n \"key\": {\n \"algo\": \"ecdsa\",\n \"size\": 256\n },\n"
},
{
"path": "dist/test/client.pem",
"chars": 1099,
"preview": "-----BEGIN CERTIFICATE-----\nMIIC/zCCAeegAwIBAgIUPL5Fd8zSYWlVplN9l26fa834S+cwDQYJKoZIhvcNAQEL\nBQAwdTELMAkGA1UEBhMCVVMxFjA"
},
{
"path": "dist/test/member1.json",
"chars": 275,
"preview": "{\n \"CN\": \"member1\",\n \"hosts\": [\n \"127.0.0.1\",\n \"172.17.0.1\"\n ],\n \"key\": {\n \"algo\": \"ecd"
},
{
"path": "dist/test/server-key.pem",
"chars": 227,
"preview": "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIP8wt7txIaYwVQFNC5Wjr8MRmnCMUtrQirRwvLzTTPNyoAoGCCqGSM49\nAwEHoUQDQgAE9t31xUASqx7T"
},
{
"path": "dist/test/server.csr",
"chars": 473,
"preview": "-----BEGIN CERTIFICATE REQUEST-----\nMIIBJTCBywIBADBBMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcT\nDVNhbiBGcmFuY2lzY28"
},
{
"path": "dist/test/server.json",
"chars": 274,
"preview": "{\n \"CN\": \"etcd\",\n \"hosts\": [\n \"127.0.0.1\",\n \"172.17.0.1\" \n ],\n \"key\": {\n \"algo\": \"ecdsa"
},
{
"path": "dist/test/server.pem",
"chars": 1111,
"preview": "-----BEGIN CERTIFICATE-----\nMIIDBzCCAe+gAwIBAgIUIJ5xOJhQ5bqKWcVLHWixDOMWrDkwDQYJKoZIhvcNAQEL\nBQAwdTELMAkGA1UEBhMCVVMxFjA"
},
{
"path": "dist/wireguard",
"chars": 200,
"preview": "{\n \"Network\": \"10.10.0.0/16\",\n \"Backend\": {\n \"Type\": \"wireguard\",\n \"ListenPort\": 51820,\n \"PSK\": \"H0Ad2yKBMgfG"
},
{
"path": "e2e/Dockerfile",
"chars": 1339,
"preview": "# Install the all-in-one binary so we can copy our run-time images into the image\n# which helps avoid pulling them when "
},
{
"path": "e2e/docker-compose.yml",
"chars": 852,
"preview": "version: \"3.7\"\n\nvolumes:\n kubeconfig:\n name: e2e-local-kubeconfig\n\nservices:\n\n leader:\n container_name: local-le"
},
{
"path": "e2e/download-kubectl.sh",
"chars": 283,
"preview": "#!/usr/bin/env bash\n\nset -e -o pipefail\n\nsource $(dirname $0)/version.sh\n\nRELEASE=\"$(curl -sSL https://dl.k8s.io/release"
},
{
"path": "e2e/e2e-functions.sh",
"chars": 2742,
"preview": "#!/usr/bin/env bash\n\n# ---\n\ne2e-wait-for-kubeconfig() {\n set -e -o pipefail\n # the `--insecure-skip-tls-verify` se"
},
{
"path": "e2e/get-kubeconfig.sh",
"chars": 393,
"preview": "#!/usr/bin/env bash\n\nset -e -o pipefail\n\nexport KUBECONFIG=\"${HOME}/.kube/config\"\n\nmkdir -vp \"$(dirname $KUBECONFIG)\"\nwh"
},
{
"path": "e2e/run-e2e-tests.sh",
"chars": 15544,
"preview": "#!/bin/bash\n\nset -e -o pipefail\n\nsource $(dirname $0)/version.sh\nsource $(dirname $0)/e2e-functions.sh\n\nFLANNEL_NET=\"${F"
},
{
"path": "e2e/version.sh",
"chars": 144,
"preview": "#!/bin/bash\n\nset -e -o pipefail\n\nexport TAG=$(git describe --tags --always)\nexport ARCH=amd64\nexport FLANNEL_IMAGE_FILE="
},
{
"path": "go.mod",
"chars": 6717,
"preview": "module github.com/flannel-io/flannel\n\ngo 1.24.7\n\n// replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 "
},
{
"path": "go.sum",
"chars": 41829,
"preview": "cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=\ngithub.com/BurntSushi/toml v0.3.1/go."
},
{
"path": "images/Dockerfile",
"chars": 1855,
"preview": "ARG XX_IMAGE=tonistiigi/xx:1.8.0\nARG GO_IMAGE=golang:alpine3.22\nARG RUN_IMAGE=alpine:3.22.2\n\nFROM --platform=$BUILDPLATF"
},
{
"path": "images/iperf3/Dockerfile",
"chars": 156,
"preview": "FROM BASEIMAGE\n\nRUN apk add --update \\\n iperf3 \\\n && rm -rf /var/cache/apk/*\n\nEXPOSE 5201\n\nENTRYPOINT [\"/usr/bin/ipe"
},
{
"path": "images/iperf3/Makefile",
"chars": 445,
"preview": "IPERF_IMG ?= iperf3:latest\n\nARCH ?= amd64\n\nTEMP_DIR := $(shell mktemp -d)\n\nifeq ($(ARCH),amd64)\n BASEIMAGE=amd64/"
},
{
"path": "main.go",
"chars": 22880,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/alloc/alloc.go",
"chars": 1645,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/common.go",
"chars": 1504,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/extension/extension.go",
"chars": 4376,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/extension/extension_network.go",
"chars": 3721,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/hostgw/hostgw.go",
"chars": 2683,
"preview": "//go:build !windows && !windows\n// +build !windows,!windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the "
},
{
"path": "pkg/backend/hostgw/hostgw_windows.go",
"chars": 9457,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipip/ipip.go",
"chars": 6879,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/ipip/ipip_windows.go",
"chars": 643,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipsec/handle_charon.go",
"chars": 6984,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipsec/handle_xfrm.go",
"chars": 2653,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipsec/ipsec.go",
"chars": 3473,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipsec/ipsec_network.go",
"chars": 5651,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/ipsec/ipsec_windows.go",
"chars": 607,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/manager.go",
"chars": 2126,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/route_network.go",
"chars": 7483,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/route_network_test.go",
"chars": 4814,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/route_network_windows.go",
"chars": 5341,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/simple_network.go",
"chars": 971,
"preview": "// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/tencentvpc/tencentvpc.go",
"chars": 5647,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/tencentvpc/tencentvpc_windows.go",
"chars": 612,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/udp/cproxy_amd64.go",
"chars": 2243,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/udp/proxy_amd64.c",
"chars": 10999,
"preview": "// Copyright 2015 CoreOS, Inc.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use "
},
{
"path": "pkg/backend/udp/proxy_amd64.h",
"chars": 1113,
"preview": "// Copyright 2015 CoreOS, Inc.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use "
},
{
"path": "pkg/backend/udp/udp.go",
"chars": 989,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/udp/udp_amd64.go",
"chars": 2203,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/udp/udp_network.go",
"chars": 1079,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/udp/udp_network_amd64.go",
"chars": 5334,
"preview": "//go:build !windows && !windows\n// +build !windows,!windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the "
},
{
"path": "pkg/backend/udp/udp_windows.go",
"chars": 605,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/vxlan/device.go",
"chars": 8787,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/vxlan/device_windows.go",
"chars": 7447,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/vxlan/vxlan.go",
"chars": 10121,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/vxlan/vxlan_network.go",
"chars": 15505,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/vxlan/vxlan_network_windows.go",
"chars": 4718,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/vxlan/vxlan_windows.go",
"chars": 6762,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/backend/wireguard/device.go",
"chars": 8507,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/wireguard/wireguard.go",
"chars": 5363,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/wireguard/wireguard_network.go",
"chars": 9064,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/backend/wireguard/wireguard_windows.go",
"chars": 644,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/ip/endianess.go",
"chars": 1157,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ip/iface.go",
"chars": 10277,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/ip/iface_test.go",
"chars": 3074,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/ip/iface_windows.go",
"chars": 4615,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/ip/iface_windows_test.go",
"chars": 2008,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/ip/ip6net.go",
"chars": 5364,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ip/ip6net_test.go",
"chars": 3376,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ip/ipnet.go",
"chars": 4586,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ip/ipnet_test.go",
"chars": 3171,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ip/tun.go",
"chars": 1613,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ipmatch/match.go",
"chars": 9663,
"preview": "// Copyright 2022 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ipmatch/match_test.go",
"chars": 6582,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2022 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/lease/lease.go",
"chars": 5608,
"preview": "// Copyright 2022 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/mac/mac.go",
"chars": 1101,
"preview": "// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/mac/mac_test.go",
"chars": 841,
"preview": "// Copyright 2021 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/ns/ns.go",
"chars": 1133,
"preview": "//go:build !windows\n// +build !windows\n\n// Copyright 2017 flannel authors\n//\n// Licensed under the Apache License, Versi"
},
{
"path": "pkg/powershell/powershell.go",
"chars": 2723,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/retry/retry.go",
"chars": 962,
"preview": "// Copyright 2023 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/routing/router.go",
"chars": 1603,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/routing/router_windows.go",
"chars": 2815,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/routing/router_windows_test.go",
"chars": 2292,
"preview": "//go:build windows\n// +build windows\n\n// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version"
},
{
"path": "pkg/subnet/config.go",
"chars": 7510,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/config_test.go",
"chars": 3890,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/local_manager.go",
"chars": 12028,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/mock_registry.go",
"chars": 5918,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/mock_subnet.go",
"chars": 992,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/rand.go",
"chars": 822,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/registry.go",
"chars": 15821,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/registry_test.go",
"chars": 5585,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/etcd/subnet_test.go",
"chars": 15476,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/kube/annotations.go",
"chars": 2507,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/kube/annotations_test.go",
"chars": 2401,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/kube/kube.go",
"chars": 25796,
"preview": "// Copyright 2016 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/kube/kube_test.go",
"chars": 1578,
"preview": "// Copyright 2018 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/subnet.go",
"chars": 6107,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/subnet/subnet_test.go",
"chars": 2273,
"preview": "// Copyright 2022 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/iptables/iptables.go",
"chars": 23169,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/iptables/iptables_restore.go",
"chars": 6533,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/iptables/iptables_restore_test.go",
"chars": 1956,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/iptables/iptables_test.go",
"chars": 15964,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/iptables/iptables_windows.go",
"chars": 1833,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/nftables/nftables.go",
"chars": 8848,
"preview": "// Copyright 2024 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/nftables/nftables_windows.go",
"chars": 1521,
"preview": "// Copyright 2024 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/nftables/utils.go",
"chars": 1688,
"preview": "// Copyright 2024 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/trafficmngr/trafficmngr.go",
"chars": 2235,
"preview": "// Copyright 2024 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
},
{
"path": "pkg/version/version.go",
"chars": 630,
"preview": "// Copyright 2015 flannel authors\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not u"
}
]
About this extraction
This page contains the full source code of the flannel-io/flannel GitHub repository, extracted and formatted as plain text. The extraction includes 175 files (687.0 KB), approximately 218.9k tokens, and a symbol index with 646 extracted functions, classes, methods, constants, and types.
Extracted by GitExtract.