datapath: Decouple BPF-masq from NodePort BPF #13732
Labels
area/loadbalancing
Impacts load-balancing and Kubernetes service implementations
feature/snat
Relates to SNAT or Masquerading of traffic
kind/feature
This introduces new functionality.
kind/tech-debt
Technical debt
pinned
These issues are not marked stale by our issue bot.
sig/datapath
Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Currently, the BPF-masq implementation depends on NodePort BPF. This means that any interface which is used for masquerading exposes NodePort/LoadBalancer/etc. services to the outside. Such behavior might be unwanted due to, e.g., security concerns.
Unfortunately, until #12508 has been resolved, we don't have any means to disable this behavior. In addition, running only the BPF-masq program on ifaces which are not intended to handle service requests would improve performance. Therefore, decouple the BPF-masq implementation from NodePort BPF.