use endpoint (IP, port) tuple to track active endpoints of a service in use. Currently only endpoint IP (#842)

used so any change in port of the endpoint leaves stale ipvs server config

Fixes #841

populate pod CID in network routing controler to simulate reading from node spec once at begining (#844)

* fix router controller unhealthy on api server down

* import glog

* use  NetworkRoutingController  podCidr

* fix undefind

* add a --excluded-cidrs
* ignore deletion of ipvs rules with address in excluded cidrs
Signed-off-by: Arthur Outhenin-Chalandre <arthur@cri.epita.fr>

* Use SNAT instead of MASQUERADE to source NAT outbound IPVS traffic

* Perform cleanup of depreciated masquerade iptables rules (if needed)

restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#836)

* restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services

Fixes #818

* addressing review comments

* fix broken CI

* fix .travis.yml

* skip gomoqs

* fix multi arch image building

Revert "restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#819)" (#835)

This reverts commit 27ec314e.

restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services (#819)

* restrict externalTrafficPolicy=Local interpretation only to NodePort and LoadBalancer services

Fixes #818

* refactoring service controller sync() logic to be more modular

Currently we can have error on service proxy if we cannot set sysctl (in my case), but those errors are return and not shown. Just show them, like other controllers

For very busy tcp connections there is a small possibility to receive
a TCP RST during the iptables sync.

A default `REJECT` rule is chronologically added before the allow-`RELATED,ESTABLISHED` rule for ingress and
egress connections.
In between of the creation of these two rules a connection reset can happen for already established connections.

This commits swaps the order of rule insertion.

Signed-off-by: Oleg Selin <oleg.selin@renhealth.com>

* Added flag and condition for open input on iptables #797

* Adding flag to docs.

* Updated to remove INPUT/CHAIN entirely. Name changed to IpvsDenyAll.

* Updated README.

* Updated docstring on ipvs-deny-all

* ipvsDenyAll -> ipvsPermitAll

* Updating user guide.

* Descriptions updates per review

Signed-off-by: Andrew Sy Kim <kiman@vmware.com>

* Refactor: seperate fetching service VIPs from advertise/withdrawal decision

* Refactor: simplify advertise/withdrawal logic

* Pass svcDeleted param to getVIPsForService

* Don't advertise VIPs from deleted services

* Test for withdrawing VIPs from deleted service

* Refactor: use explicit handleServiceDelete functions

GoBGP's default value for deferral time is 360 seconds.
That means that the routes are not sent to the BGP peer until
this timer is elapsed, so a server is unreachable for 360
seconds, when kube-router restarts.

The new parameter is --bgp-graceful-restart-deferral-time duration_with_unit

For example '--bgp-graceful-restart-deferral-time 10s'

LGTM. Thanks for the pr @zerkms 

In reference to issue #725, we modified kube-router to send
heartbeats before starting policy sync to prevent missing
heartbeats while running iptables commands.
Signed-off-by: Jérôme Poulin <jeromepoulin@gmail.com>

* Make gobgp compile in an image

This patch adds Makefile logic, similar to the kube-router target,
allowing gobgp to be built in a container.

* Use unix.Epoll* functions

To be able to compile and run on the Linux@arm64 architecture
one has to use the `golang.org/x/sys/unix` package instead
the `syscall` package. This is because of these Go upstream
bugs that won't be fixed in the standard library:

- syscall: arm64: epoll_wait syscall not implemented
  https://github.com/golang/go/issues/25813

* rename export policies to make it direction independent

* split creating neighborsets and prefixsets from applying export policy

* add bgp import policy to deny service VIPs

* add tests for addition of import policy

Current implementation never considers the "kube-router.io/pod-cidr"
annotation when creating an ipset for the node pod network CIDR.
The Node.Spec.PodCIDR is always used instead.

This patch prefers the annotation PodCIDR over the Node.Spec.PodCIDR

* update netlink

* update libnetwork to get ipvs stats

* update gopkg.lock for libnetwork update

* update libnetwork

* add cli options

* make endpoints delete gracefully

* move conntrack flusher

* get some order in the mainloop

* update to alpine 3.9 & go 1.11.1

* revert to 1.10.3 just update alpine

* and revert travis.yml

* lock version

* test 1.12

* test

* support named port of network policy

* gofmt

This commit fixes a grammar mistake in a doc and some log messages.

* default cni config to list format

* change cni version field to 0.3.0

s/annotaion/annotation/

Introduces the option --overlay-type={subnet,full}, to be able to always generate IPIP tunnels regardless of node subnets (#666)

* Introduces the option --full-overlay, to always generate IPIP tunnels regardless of node subnets

* Use --overlay-type={subnet,full} instead of --full-overlay={true,false}