Explore user network namespace for rootless network testing
#130926 opened on Mar 19, 2025
Description
Unprivileged network namespaces allow users to create network namespaces and behave as root inside those namespaces.
This allows creating nftables rules, nested user namespaces and network interfaces:
```
$ unshare -Urn
# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
root@aojea:~/src/dranet/site# ip link add dummy0 type dummy
root@aojea:~/src/dranet/site# ip a
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 1e:3d:e6:21:85:
# ls -lh /proc/self
lrwxrwxrwx 1 nobody nogroup 0 Feb 28 13:46 /proc/self -> 153429
```
Currently, for complex kube-proxy testing we rely on the great work done by @danwinship on the nftablesTracer, which allows simulating the packet traversal of the installed nftables rules.
However, simulators will never be as reliable as the real thing, and they can also drift if the simulated logic changes.
Using unprivileged network namespaces can COMPLEMENT current testing, not replace it, as these namespaces have some security issues and are relatively new, so they may not be able to run on every system.
We can just create a predefined topology to emulate the most complex features and run table tests with multiple combinations just with `go test ./pkg/proxy/nftables/...`. This can be very useful for things like endpoint termination or topology awareness, where all the possible combinations are hard to test with e2e.
```
ns-pod1 ---- ns-kproxy ---- ns-pod2
                |
                |
                L----- ns-pod3
```
References
- https://github.com/kubernetes-sigs/kube-network-policies/pull/156
- https://blog.0x1b.me/posts/unprivileged-linux-netns-pt1/
/sig network /cool new thing
cc @aroradaman @adrianmoisey
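The following is an added example and is not code from the issue, from kube-proxy or from the linked PRs. It shows the programmatic form of the `unshare -Urn` session above, as a `go test` helper: `RunInUserNetns` spawns `/bin/sh` with `CLONE_NEWUSER|CLONE_NEWNET` and the caller's uid/gid mapped to 0, `FixtureScript` renders the `ip` commands that build a single-namespace fixture (a dummy interface with an address, as in the issue), and `CheckFixture` parses `ip -j addr show` output to confirm the fixture really exists, is UP and carries the expected address before any table test runs. The function and type names (`Iface`, `RunInUserNetns`, `FixtureScript`, `ParseIPAddr`, `CheckFixture`) and the `SampleIPAddrJSON` blob are assumptions constructed for this example; the three-namespace veth topology from the diagram is the next step and is not built here. Linux only.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"os"
	"os/exec"
	"strings"
	"syscall"
)

// Iface is one interface the fixture should create inside the test namespace.
type Iface struct {
	Name string // e.g. "dummy0"
	CIDR string // e.g. "10.0.0.1/24"
}

// FixtureScript renders the shell commands that build the fixture, ending with
// `ip -j addr show` so the caller can verify what was actually created.
// A missing iproute2 makes the script exit non-zero instead of half-building.
func FixtureScript(ifaces []Iface) string {
	var b strings.Builder
	b.WriteString("command -v ip >/dev/null || { echo 'iproute2 not installed' >&2; exit 3; }\n")
	for _, i := range ifaces {
		fmt.Fprintf(&b, "ip link add %s type dummy\n", i.Name)
		fmt.Fprintf(&b, "ip addr add %s dev %s\n", i.CIDR, i.Name)
		fmt.Fprintf(&b, "ip link set %s up\n", i.Name)
	}
	b.WriteString("ip -j addr show\n")
	return b.String()
}

// RunInUserNetns runs script in a fresh user namespace plus network namespace
// with the current uid/gid mapped to 0: the programmatic form of `unshare -Urn`.
// The script is "root" only for its own network stack. Stdout and stderr are
// combined; on failure the combined output is folded into the error.
func RunInUserNetns(script string) (string, error) {
	cmd := exec.Command("/bin/sh", "-ec", script)
	cmd.SysProcAttr = &syscall.SysProcAttr{
		Cloneflags:  syscall.CLONE_NEWUSER | syscall.CLONE_NEWNET,
		UidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getuid(), Size: 1}},
		GidMappings: []syscall.SysProcIDMap{{ContainerID: 0, HostID: os.Getgid(), Size: 1}},
	}
	var out bytes.Buffer
	cmd.Stdout, cmd.Stderr = &out, &out
	if err := cmd.Run(); err != nil {
		return out.String(), fmt.Errorf("run in new user+net namespace: %w: %s", err, strings.TrimSpace(out.String()))
	}
	return out.String(), nil
}

// AddrInfo and Interface model the subset of `ip -j addr show` output we check.
type AddrInfo struct {
	Family    string `json:"family"`
	Local     string `json:"local"`
	PrefixLen int    `json:"prefixlen"`
}
type Interface struct {
	Name     string     `json:"ifname"`
	Flags    []string   `json:"flags"`
	AddrInfo []AddrInfo `json:"addr_info"`
}

// ParseIPAddr decodes `ip -j addr show` output into a map keyed by ifname.
func ParseIPAddr(jsonOut string) (map[string]Interface, error) {
	var list []Interface
	if err := json.Unmarshal([]byte(jsonOut), &list); err != nil {
		return nil, fmt.Errorf("decode ip -j addr output: %w", err)
	}
	m := make(map[string]Interface, len(list))
	for _, i := range list {
		m[i.Name] = i
	}
	return m, nil
}

// CheckFixture verifies that every wanted interface exists, is UP and carries
// the wanted address, so a partially built fixture fails before the table tests.
func CheckFixture(want []Iface, jsonOut string) error {
	got, err := ParseIPAddr(jsonOut)
	if err != nil {
		return err
	}
	for _, w := range want {
		g, ok := got[w.Name]
		if !ok {
			return fmt.Errorf("interface %s missing", w.Name)
		}
		if !hasFlag(g.Flags, "UP") {
			return fmt.Errorf("interface %s is not UP (flags %v)", w.Name, g.Flags)
		}
		found := false
		for _, a := range g.AddrInfo {
			found = found || fmt.Sprintf("%s/%d", a.Local, a.PrefixLen) == w.CIDR
		}
		if !found {
			return fmt.Errorf("interface %s lacks address %s", w.Name, w.CIDR)
		}
	}
	return nil
}

func hasFlag(flags []string, f string) bool {
	for _, x := range flags {
		if x == f {
			return true
		}
	}
	return false
}

// SampleIPAddrJSON is a constructed `ip -j addr show` result (not captured from
// the issue) for a namespace holding lo plus a configured, UP dummy0.
const SampleIPAddrJSON = `[{"ifindex":1,"ifname":"lo","flags":["LOOPBACK"],"mtu":65536,"addr_info":[]},
{"ifindex":2,"ifname":"dummy0","flags":["BROADCAST","NOARP","UP","LOWER_UP"],"mtu":1500,
 "addr_info":[{"family":"inet","local":"10.0.0.1","prefixlen":24,"scope":"global","label":"dummy0"}]}]`
```

In a test, call `RunInUserNetns(FixtureScript(want))` and `t.Skip` when it returns an error, since unshare may be blocked by seccomp, `max_user_namespaces=0` or a missing dummy module on a given host, which is exactly the "may not run on every system" caveat from the issue; then `CheckFixture(want, out)` gates the table tests. Go cannot call `unshare(CLONE_NEWUSER)` on its own multi-threaded process, which is why the namespace is created on `exec` via `SysProcAttr`.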