IPv4 Randomize SNAT support for IPv6 pods #1903
Conversation
| ipt, err := iptables.NewWithProtocol(iptables.ProtocolIPv4) | ||
| if err != nil { | ||
| return fmt.Errorf("failed to locate iptables: %v", err) | ||
| } | ||
|
|
||
| rules := iptRules4(target, src, chain, comment, ipt.HasRandomFully()) | ||
| useRandomFully := true | ||
| if randomizeSNAT == "none" { |
There was a problem hiding this comment.
- shall we support for "--random" as well? i.e. randomizeSNAT == "hashrandom"
- we should check ipt.HasRandomFully() as well, and if it's not supported, fallback to either "--random" or none. (depends on question 1)
Behavior currently documented under |
Sounds good. |
What type of PR is this?
Enhancement + Addresses few inconsistencies/bugs with IPv6 mode.
Which issue does this PR fix:
NA
What does this PR do / Why do we need it:
random-fullyby default if the underlying iptables version supports it. PR extends support forAWS_VPC_K8S_CNI_RANDOMIZESNATto theegress-v4-cni-pluginwhich will allow user to configure this.Testing done on this change:
random-fullyoption is only set ifAWS_VPC_K8S_CNI_RANDOMIZESNATis set toprngfor egress IPv4 flows.Will this PR introduce any new dependencies?:
No
Will this break upgrades or downgrades. Has updating a running cluster been tested?:
No
Does this change require updates to the CNI daemonset config files to work?:
No
Does this PR introduce any user-facing change?:
AWS_VPC_K8S_CNI_RANDOMIZESNATsupport toegress-v4-cni-plugin.By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.