datapath: Decouple BPF-masq from NodePort BPF #13732

Open
brb opened this issue Oct 23, 2020 · 4 comments
Labels
area/loadbalancing: Impacts load-balancing and Kubernetes service implementations
feature/snat: Relates to SNAT or Masquerading of traffic
kind/feature: This introduces new functionality.
kind/tech-debt: Technical debt
pinned: These issues are not marked stale by our issue bot.
sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.


@brb
Member

brb commented Oct 23, 2020

Currently, the BPF-masq implementation depends on NodePort BPF. This means that any interface which is used for masquerading exposes NodePort/LoadBalancer/etc. services to the outside. Such behavior might be unwanted due to e.g. security concerns.

Unfortunately, until #12508 has been resolved, we don't have any means to disable this behavior. In addition, running only the BPF-masq program on ifaces which are not intended to handle service requests would improve performance. Therefore, decouple the BPF-masq implementation from NodePort BPF.

@brb brb added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. kind/feature This introduces new functionality. labels Oct 23, 2020
@brb brb added this to the v1.10 milestone Oct 23, 2020
@stale stale bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Dec 25, 2020
@brb brb added pinned These issues are not marked stale by our issue bot. and removed stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. labels Jan 4, 2021
@joestringer joestringer changed the title datapath: Decoule BPF-masq from NodePort BPF datapath: Decouple BPF-masq from NodePort BPF Feb 19, 2021
@liuyuan10
Contributor

I see this has a milestone of v1.10. Is that going to happen?

@brb
Member Author

brb commented Mar 12, 2021

> I see this has a milestone of v1.10. Is that going to happen?

Best effort, but very unlikely.

@joestringer joestringer modified the milestones: 1.10.0, 1.11 Apr 26, 2021
@brb brb added the kind/tech-debt Technical debt label Sep 28, 2021
@brb brb modified the milestones: 1.11, 1.12 Sep 28, 2021
@brb brb removed this from the 1.12 milestone Jan 21, 2022
@julianwiedmann julianwiedmann added area/loadbalancing Impacts load-balancing and Kubernetes service implementations feature/snat Relates to SNAT or Masquerading of traffic labels Sep 7, 2023
@Piccirello

Can this be revisited now that #12508 has been resolved?
