Adds a new NOTRACK rule for node-local-dns #24230
Conversation
Manually tested in a GKE cluster with Cilium and NLD in non-host mode.
Hey @Weil0ng! 👋
I'm trying to jog my memory about an issue where we had to add an accept rule to allow traffic in some cases. It'll be great if we could have a table that we can document in the code around which rules are added in input/output rules for node-local dns pods. Wdyt?
Have you given any thoughts to test this as part of CI, and verify that the changes are not breaking anything? We now have kind based tests where we could deploy node-local dns DS along with LRP. Happy to collaborate on this.
Hi @aditighag :) I believe you were referring to #17585 with the
Friendly ping :)
I'm okay with deferring the CI tests to a follow-up PR, but it'll be great to have a plan of action. I'll file a new issue targeted for 1.14 and assign both of us as the assignees. Hope that sounds reasonable. As for this PR, thanks for adding more comments around the different rules. I'm a bit unclear about the effects of having asymmetric iptables rules across Cilium versions (e.g., upgrade). Could you share details of how you tested the change?
Sg, thanks!
I manually updated the Cilium image in a running cluster with node-local-dns pods; Cilium, upon restart, will remove all rules/chains added previously by Cilium itself and reapply the rules, and I can see on the node that the correct new set of NOTRACK rules is being placed.
test-me-please
When node-local-dns replies to non-host pod, it goes through the prerouting chain again (nld is non-host when deployed using LRP).
- Adds a NOTRACK rule to exempt this path from kernel conntrack
- Adds ACCEPT rule explicitly in forward chain to not rely on the default policy to be future-proof

Fixes: 24229
Signed-off-by: Weilong Cui <cuiwl@google.com>
LGTM
As discussed, I've filed - #24510 for CI test follow-up.
/test
When node-local-dns replies to non-host pod, it goes through the prerouting chain again (nld is non-host when deployed using LRP). Adds a NOTRACK rule to exempt this path from kernel conntrack too.
Fixes: #24229
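A node-side check of the kind the reviewer asked for above (confirming that the NOTRACK rule in the raw PREROUTING path and the ACCEPT rule in the forward path are actually present after Cilium restarts or is upgraded), written here as an added example and not code from this PR or from Cilium. The iptables-save excerpt is constructed; the chain names CILIUM_PRE_raw and CILIUM_FORWARD follow Cilium's naming, but the match fields (pod IP, port 53, the `CT --notrack` target) are assumptions, not the rules this PR adds.

```shell
#!/bin/sh
# Constructed iptables-save excerpt standing in for a real node dump.
# Chain names follow Cilium's convention; the match fields are assumed.
SAMPLE_DUMP='*raw
:PREROUTING ACCEPT [0:0]
:CILIUM_PRE_raw - [0:0]
-A PREROUTING -m comment --comment "cilium-feeder: CILIUM_PRE_raw" -j CILIUM_PRE_raw
-A CILIUM_PRE_raw -s 10.0.1.5/32 -p udp -m udp --sport 53 -m comment --comment "cilium: NOTRACK for node-local-dns reply" -j CT --notrack
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:CILIUM_FORWARD - [0:0]
-A FORWARD -m comment --comment "cilium-feeder: CILIUM_FORWARD" -j CILIUM_FORWARD
-A CILIUM_FORWARD -s 10.0.1.5/32 -p udp -m udp --sport 53 -m comment --comment "cilium: ACCEPT node-local-dns reply" -j ACCEPT
COMMIT
'

# rule_present TABLE CHAIN PATTERN
# Reads an iptables-save dump on stdin and exits 0 if some "-A CHAIN ..." rule
# inside TABLE contains PATTERN, so it can also be fed live `iptables-save` output.
rule_present() {
  awk -v table="*$1" -v chain="$2" -v pat="$3" '
    /^\*/     { in_table = ($0 == table); next }   # table header, e.g. *raw
    /^COMMIT/ { in_table = 0; next }               # end of that table
    in_table && $1 == "-A" && $2 == chain && index($0, pat) { found = 1 }
    END { exit(found ? 0 : 1) }'
}

# verify_nld_rules DUMP
# Prints "ok" when both rules this PR relies on are present; otherwise names
# the first one that is missing and returns non-zero.
verify_nld_rules() {
  dump="$1"
  printf '%s' "$dump" | rule_present raw CILIUM_PRE_raw '-j CT --notrack' \
    || { echo "missing: raw/CILIUM_PRE_raw NOTRACK"; return 1; }
  printf '%s' "$dump" | rule_present filter CILIUM_FORWARD '-j ACCEPT' \
    || { echo "missing: filter/CILIUM_FORWARD ACCEPT"; return 1; }
  echo ok
}

verify_nld_rules "$SAMPLE_DUMP"
```

On a real node, replace the constructed dump with `iptables-save` output (`verify_nld_rules "$(iptables-save)"`) and run it before and after the Cilium upgrade to compare the two rule sets.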