No connectivity from client to server on the same host via kube-proxy ClusterIP when Cilium E/W LB is disabled #10567
Comments
@aanm Did it happen in the CI? The CI run for the commit which you linked to failed because of the different test case (the managed ETCD). If yes, can you attach the test dump? I was expecting that we have tests which check
Created an issue to extend the tests: #10568.
Backend is on same node where svc request is processed, Cilium is not handling any services at all since
kube-proxy-replacement: disabled
I've just managed to reproduce the issue on the kernel 5.6.0-rc2+ (ubuntu-next v45). The problem is that the rev-DNAT xlation is not performed for a reply. This happens because the service endpoint does skb_redirect to the client pod, which makes the reply bypass the netfilter's conntrack module which is responsible for the xlation when Interestingly, I cannot reproduce the issue on the kernel 5.5.6-arch1-1 when running cilium-agent as a standalone process (i.e. not in a container). (OT: please ignore what I said about this issue during the community meeting - I mixed the issues)
Did we apply any fix to resolve this issue? Are we seeing it in CI? These days we should be running effectively a Linux v5.7 RC kernel there so I would expect us to observe it regularly if it is some kind of kernel regression.
AFAIK, noup.
We don't have any test which would test
Context: Cilium 1.7 had hit this because of auto-disablement of k8s services implementation when kube-proxy replacement was disabled. We released a fix for this to not auto-disable the existing implementation. We have already deprecated --disable-k8s-services flag due to this issue. Unless something changes, we do not intend to fix this issue.
Removing blocker for v1.9. @brb if you disagree, please reach out :-)
kube-proxy-replacement: disabled
Closing this issue in favor of #16197.
client-pod:
10.0.0.13:XXX
service-ip:
172.20.62.249:9090
backend:
10.0.0.115:9090
tcpdump -i any
:monitor output:
cilium config map
iptables rules
commit a734d81
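A check for the symptom described in this thread, as an added example that is not part of the original issue or of Cilium's code: it scans `tcpdump -n` text for TCP handshakes where the client dialed one address (the service IP) but only ever received a SYN-ACK from a different one (the backend), which is what a skipped rev-DNAT looks like on the wire. The capture lines, the client port 41000 and the function name are constructed for illustration; the IP addresses are the ones listed in the issue.

```python
import re
from collections import defaultdict

# Matches the address/flags part of `tcpdump -n` TCP lines; tolerant of the
# interface/direction columns that `-i any` adds on newer tcpdump versions.
PKT = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def find_untranslated_replies(lines):
    """Return (client, dialed, replier) tuples for handshakes where the client
    never saw a SYN-ACK from the address it dialed, only from another one."""
    syn_dsts = defaultdict(set)     # client socket -> destinations it sent SYN to
    synack_srcs = defaultdict(set)  # client socket -> sources of SYN-ACKs to it
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags = (m[1], int(m[2])), (m[3], int(m[4])), m[5]
        if flags == "S":
            syn_dsts[src].add(dst)
        elif flags == "S.":
            synack_srcs[dst].add(src)
    findings = []
    for client, dsts in syn_dsts.items():
        for dialed in sorted(dsts):
            others = synack_srcs[client] - {dialed}
            # With `-i any` the post-DNAT SYN to the backend is also captured,
            # so only a dialed address that never answers is reported.
            if dialed not in synack_srcs[client] and others:
                findings.extend((client, dialed, r) for r in sorted(others))
    return findings

# Constructed capture (not from the issue): reply reaches the client untranslated.
BROKEN = """\
12:00:00.000001 IP 10.0.0.13.41000 > 172.20.62.249.9090: Flags [S], seq 1, length 0
12:00:00.000020 IP 10.0.0.13.41000 > 10.0.0.115.9090: Flags [S], seq 1, length 0
12:00:00.000050 IP 10.0.0.115.9090 > 10.0.0.13.41000: Flags [S.], seq 9, ack 2, length 0
12:00:00.000070 IP 10.0.0.13.41000 > 10.0.0.115.9090: Flags [R], seq 2, length 0
""".splitlines()

# Constructed capture (not from the issue): rev-DNAT restores the service IP.
HEALTHY = BROKEN[:3] + [
    "12:00:00.000060 IP 172.20.62.249.9090 > 10.0.0.13.41000: Flags [S.], seq 9, ack 2, length 0",
]

if __name__ == "__main__":
    for client, dialed, replier in find_untranslated_replies(BROKEN):
        print(f"{client} dialed {dialed} but was answered by {replier}")
```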