From 83b65b358d10cde53446a8bb33048c9c9e40c017 Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Wed, 26 Sep 2018 16:18:03 -0500
Subject: [PATCH] Fix: Workaround kube-proxy keeping stale IPs

This updates the liveness probe to fail when there are iptables rules from kube-proxy that don't appear in existing endpoints.

Change-Id: I376be24566809a653417acfb84cac8f1c4e1a36e
---
 charts/proxy/templates/bin/_liveness-probe.sh.tpl | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/charts/proxy/templates/bin/_liveness-probe.sh.tpl b/charts/proxy/templates/bin/_liveness-probe.sh.tpl
index c00266aa..81cfa568 100644
--- a/charts/proxy/templates/bin/_liveness-probe.sh.tpl
+++ b/charts/proxy/templates/bin/_liveness-probe.sh.tpl
@@ -21,6 +21,17 @@ if [[ $(iptables-save {{- if .Values.livenessProbe.whitelist }} | grep -Ev "${WH
 FAILURE=1
 fi
+
+IPTABLES_IPS=$(iptables-save | grep -E 'KUBE-SEP.*to-destination' | sed 's/.*to-destination \(.*\):.*/\1/' | sort -u)
+KUBECTL_IPS=$(kubectl get --all-namespaces -o json endpoints | jq -r '.items | arrays | .[] | objects | .subsets | arrays | .[] | objects | .addresses | arrays | .[] | objects | .ip' | sort -u)
+
+if [[ $(comm -23 <(echo "${IPTABLES_IPS}") <(echo "${KUBECTL_IPS}")) ]]; then
+ FAILURE=1
+ echo "Found non-current Pod IPs in iptables rules:"
+ comm -23 <(echo "${IPTABLES_IPS}") <(echo "${KUBECTL_IPS}")
+fi
+
+
 if [[ "${FAILURE}" == "1" ]]; then
 exit 1
 fi
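Review bot: When `kubectl get --all-namespaces -o json endpoints` fails (API server unreachable, RBAC denial, `jq` absent), the `$(...)` on the `KUBECTL_IPS=` line swallows the error and the variable is empty, so `comm -23` reports every KUBE-SEP destination as stale and the liveness probe fails — an API outage then becomes a kube-proxy restart, which is the opposite of what a liveness check should do. The kubectl status should be checked and the comparison skipped, with a message on stderr, when the endpoint list could not be fetched; the rewrite below also runs `comm` once and keeps its output in a variable instead of recomputing it for the report. The `sed` capture `\(.*\):.*` is greedy to the last colon, so a bracketed IPv6 destination would never equal a `.ip` value and would always be flagged — worth a comment such as `# assumes IPv4 to-destination entries` if the chart is IPv4-only. The script's preamble (shebang and any `set` options) lies outside this hunk, so whether `pipefail` is in effect for these pipelines cannot be confirmed here.
```shell
IPTABLES_IPS=$(iptables-save | grep -E 'KUBE-SEP.*to-destination' | sed 's/.*to-destination \(.*\):.*/\1/' | sort -u)

# Only compare against the API when the endpoint list was actually retrieved;
# an empty list from a failed kubectl would flag every rule as stale.
if ENDPOINTS_JSON=$(kubectl get --all-namespaces -o json endpoints); then
    KUBECTL_IPS=$(jq -r '.items | arrays | .[] | objects | .subsets | arrays | .[] | objects | .addresses | arrays | .[] | objects | .ip' <<< "${ENDPOINTS_JSON}" | sort -u)
    STALE_IPS=$(comm -23 <(printf '%s\n' "${IPTABLES_IPS}") <(printf '%s\n' "${KUBECTL_IPS}"))
    if [[ -n "${STALE_IPS}" ]]; then
        FAILURE=1
        echo "Found non-current Pod IPs in iptables rules:"
        printf '%s\n' "${STALE_IPS}"
    fi
else
    echo "Could not list endpoints from the API; skipping stale IP check" >&2
fi

# … unchanged: final FAILURE check and exit …
```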