Pod to ingress with backend hosted on the same node not working in certain configurations #31653
Comments
The Ingress controller has one requirement: KPR enabled (or at least NodePort enabled). The above configurations didn't seem to satisfy that requirement 🤔
Relates: #31653 Signed-off-by: Tam Mach <tam.mach@cilium.io>
Copied the comment here so that it will not get lost. In short, with the re-introduction of the from proxy route 2005, there is still an issue with the return traffic if bpf.masquerade is enabled; the workaround is to enable bpf.hostLegacyRouting as well.
Just FYI, I'm seeing similar reproducible behavior in a Kind cluster environment, but bpf.hostLegacyRouting doesn't appear to be a viable workaround for me... so far. I'll continue testing in #32525
[ upstream commit de9c87b ] After #22006, BPF host routing is enabled by default, this commit is to enable legacy host routing as a workaround, as the response packet might be dropped. Further investigation is tracked under #31653. Signed-off-by: Tam Mach <tam.mach@cilium.io> (cherry picked from commit aa44b70) Signed-off-by: Gilberto Bertin <jibi@cilium.io>
Is there an existing issue for this?
What happened?
Running an extended version of the connectivity tests to validate pod to ingress service with both the backend pod hosted on the same or a different node highlighted connectivity issues when the backend is hosted on the same node in certain configurations. In particular, this issue occurred on the Conformance Cluster Mesh E2E tests, although not clustermesh related (as the backend is hosted in the local cluster as well), and more specifically in the following configurations:
Differently, it didn't occur when KPR was disabled (the ingress controller is not enabled in that case), or Cilium was configured in tunnel mode. I'm not sure why it didn't happen in the Conformance E2E tests.
Link: https://github.com/cilium/cilium/actions/runs/8456333159
Cilium Version
Tip of main
Sysdump
cilium-sysdump-20240327-180128.zip
cilium-sysdump-20240327-180201.zip