BPF MASQ for veth, ip-masq-agent and multi-dev NodePort #10878
Changes from all commits
9599c4e
b428ac3
f6eb947
adcad29
0f1e039
b7d38f7
8663a12
ec4a1a7
cbc4c1b
ca66961
8f40a64
738b777
7067619
8c0f828
4cc6da7
1b7b012
3bfb3cf
143e91d
bede087
4a48e62
c76dd35
62a9dfe
9bd896f
851c6cc
703147e
023eb20
@@ -0,0 +1,29 @@ | ||
<!-- This file was autogenerated via cilium cmdref, do not edit manually--> | ||
|
||
## cilium bpf ipmasq | ||
|
||
ip-masq-agent CIDRs | ||
|
||
### Synopsis | ||
|
||
ip-masq-agent CIDRs | ||
|
||
### Options | ||
|
||
``` | ||
-h, --help help for ipmasq | ||
``` | ||
|
||
### Options inherited from parent commands | ||
|
||
``` | ||
--config string config file (default is $HOME/.cilium.yaml) | ||
-D, --debug Enable debug messages | ||
-H, --host string URI to server-side API | ||
``` | ||
|
||
### SEE ALSO | ||
|
||
* [cilium bpf](../cilium_bpf) - Direct access to local BPF maps | ||
* [cilium bpf ipmasq list](../cilium_bpf_ipmasq_list) - List ip-masq-agent CIDRs | ||
|
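Review bot: the Synopsis of `cilium bpf ipmasq` only repeats its short description `ip-masq-agent CIDRs`, so a reader learns nothing about what this command group exposes; one sentence in the style of the parent entry in SEE ALSO (`cilium bpf - Direct access to local BPF maps`), for example `Direct access to the ip-masq-agent non-masquerade CIDRs held in the BPF map`, would make the relation to `cilium bpf ipmasq list` clear. Since the file is autogenerated via `cilium cmdref` (see the first line), the change belongs in the command definition the generator reads, not in this Markdown.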
@@ -0,0 +1,33 @@ | ||
<!-- This file was autogenerated via cilium cmdref, do not edit manually--> | ||
|
||
## cilium bpf ipmasq list | ||
|
||
List ip-masq-agent CIDRs | ||
|
||
### Synopsis | ||
|
||
List ip-masq-agent CIDRs. Packets sent from pods to IPs from the CIDRs avoid masquerading | ||
|
||
``` | ||
cilium bpf ipmasq list [flags] | ||
``` | ||
|
||
### Options | ||
|
||
``` | ||
-h, --help help for list | ||
-o, --output string json| jsonpath='{}' | ||
``` | ||
|
||
### Options inherited from parent commands | ||
|
||
``` | ||
--config string config file (default is $HOME/.cilium.yaml) | ||
-D, --debug Enable debug messages | ||
-H, --host string URI to server-side API | ||
``` | ||
|
||
### SEE ALSO | ||
|
||
* [cilium bpf ipmasq](../cilium_bpf_ipmasq) - ip-masq-agent CIDRs | ||
|
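Review bot: the Synopsis sentence `Packets sent from pods to IPs from the CIDRs avoid masquerading` is the security-relevant statement on this page and should be completed (it is missing its full stop) with what that means operationally: traffic to those destinations leaves the node with the pod's own source IP, so an over-broad entry exposes pod addresses to every host in that range; and this command reads the BPF map the datapath actually consults, which is why it is the right check that the agent picked up the intended CIDR list rather than trusting the ConfigMap alone.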
|
@@ -73,13 +73,7 @@ connect to kube-apiserver. | |
|
||
Masquerading with iptables in L3-only mode is not possible since netfilter | ||
hooks are bypassed in the kernel in this mode, hence L3S (symmetric) had | ||
to be introduced in the kernel at the cost of performance. However, Cilium | ||
supports its own BPF-based masquerading which does not rely in any way on | ||
iptables masquerading. If the ``global.installIptablesRules`` parameter is set | ||
to ``"false"`` and ``global.masquerade`` set to ``"true"``, then Cilium will | ||
use the more efficient BPF-based masquerading where ipvlan can remain in | ||
L3 mode as well (instead of L3S). A Linux kernel v4.16 or higher would be | ||
required for BPF-based masquerading. | ||
to be introduced in the kernel at the cost of performance. | ||
|
||
Example ConfigMap extract for ipvlan in pure L3 mode: | ||
|
||
|
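Review bot: dropping the BPF masquerading paragraph leaves the ipvlan section without any masquerading option for pure L3 mode: the remaining text now ends at `to be introduced in the kernel at the cost of performance.` and no longer mentions the `global.installIptablesRules=false` plus `global.masquerade=true` combination or the v4.16 kernel requirement. If this is removed because it is unverified rather than unsupported, say so in one sentence (e.g. `BPF-based masquerading with ipvlan is not yet validated; use L3S mode with iptables masquerading`), otherwise readers following the previous release's docs will keep setting `installIptablesRules=false` and silently lose masquerading.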
@@ -107,20 +101,6 @@ masquerading all traffic leaving the node: | |
--set global.masquerade=true \\ | ||
--set global.autoDirectNodeRoutes=true | ||
|
||
Example ConfigMap extract for ipvlan in L3 mode with more efficient | ||
BPF-based masquerading instead of iptables-based: | ||
|
||
.. parsed-literal:: | ||
|
||
helm install cilium |CHART_RELEASE| \\ | ||
--namespace kube-system \\ | ||
--set global.datapathMode=ipvlan \\ | ||
--set global.ipvlan.masterDevice=bond0 \\ | ||
--set global.tunnel=disabled \\ | ||
--set global.masquerade=true \\ | ||
--set global.installIptablesRules=false \\ | ||
--set global.autoDirectNodeRoutes=true | ||
|
||
Do you plan to re-add the documentation here on how to use ipvlan in L3-only mode with the ip masq agent?

Yep, but only after we have tested that the ipvlan masq actually works (in a follow up).
||
Verify that it has come up correctly: | ||
|
||
.. parsed-literal:: | ||
|
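Review bot: with the BPF masquerading helm example removed, the only ipvlan example left (`--set global.masquerade=true` together with `--set global.tunnel=disabled` and `--set global.autoDirectNodeRoutes=true` above) now implies iptables masquerading, which the earlier paragraph says is not possible in L3-only mode; the intro line `masquerading all traffic leaving the node:` should state the ipvlan mode it assumes. The inline thread agrees the example comes back after ipvlan masquerading has been tested, so a TODO in the doc or a reference in the commit message would keep the follow-up from being lost.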
Maybe an aside from this PR as a whole, but where does this

(first device should be one used for direct routing if tunneling is disabled)

restriction come from? Why can't we just detect the default route to determine which device that is?

Not a default route, but a device with NodeIP. Please see #10878 (comment).
The restriction comes from the fact that we cannot forward a packet to a remote node via a device which it came to if it doesn't have a podCIDR route.
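The device-selection point made in the reply above, as an added worked example that is not part of this PR or of Cilium's code: a constructed single-node model in which the default route leaves via a management interface (`eth1`) while the NodeIP and the routes to the other nodes' podCIDRs sit on `eth0`. A longest-prefix lookup over that table shows why "detect the default route" picks the wrong device and "the device with NodeIP" picks the one that can reach remote podCIDRs. All device names, addresses and prefixes are assumptions made up for the illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Route is one entry of a simplified kernel routing table: destination
// prefix and egress device (the next hop is irrelevant for this check).
type Route struct {
	Dst *net.IPNet
	Dev string
}

// Iface is a local device and the addresses configured on it.
type Iface struct {
	Name  string
	Addrs []net.IP
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Constructed sample topology (assumption, not taken from the PR): eth1 has
// the default route, eth0 carries the NodeIP and the routes to the remote
// nodes' podCIDRs, as autoDirectNodeRoutes would install them.
var (
	SampleNodeIP = net.ParseIP("10.0.0.10")
	SampleIfaces = []Iface{
		{Name: "eth0", Addrs: []net.IP{net.ParseIP("10.0.0.10")}},
		{Name: "eth1", Addrs: []net.IP{net.ParseIP("192.0.2.10")}},
	}
	SampleRoutes = []Route{
		{Dst: mustCIDR("0.0.0.0/0"), Dev: "eth1"},    // default route, management side
		{Dst: mustCIDR("192.0.2.0/24"), Dev: "eth1"},
		{Dst: mustCIDR("10.0.0.0/24"), Dev: "eth0"},   // node network
		{Dst: mustCIDR("10.244.1.0/24"), Dev: "eth0"}, // remote node A podCIDR
		{Dst: mustCIDR("10.244.2.0/24"), Dev: "eth0"}, // remote node B podCIDR
	}
	SampleRemotePodCIDRs = []*net.IPNet{mustCIDR("10.244.1.0/24"), mustCIDR("10.244.2.0/24")}
)

// Lookup performs a longest-prefix match over the table and returns the
// egress device for dst, or "" when nothing matches.
func Lookup(table []Route, dst net.IP) string {
	best, dev := -1, ""
	for _, r := range table {
		if !r.Dst.Contains(dst) {
			continue
		}
		if ones, _ := r.Dst.Mask.Size(); ones > best {
			best, dev = ones, r.Dev
		}
	}
	return dev
}

// DefaultRouteDev returns the device of the 0.0.0.0/0 entry, i.e. what a
// "detect the default route" heuristic would choose.
func DefaultRouteDev(table []Route) string {
	for _, r := range table {
		if ones, _ := r.Dst.Mask.Size(); ones == 0 {
			return r.Dev
		}
	}
	return ""
}

// NodeIPDev returns the device that carries nodeIP, i.e. what the reply
// above says the first --devices entry must be when tunneling is disabled.
func NodeIPDev(ifaces []Iface, nodeIP net.IP) string {
	for _, i := range ifaces {
		for _, a := range i.Addrs {
			if a.Equal(nodeIP) {
				return i.Name
			}
		}
	}
	return ""
}

// CanReachPodCIDRs reports whether every remote podCIDR is routed out of dev,
// which is what forwarding a NodePort packet to a backend on another node
// via that device requires.
func CanReachPodCIDRs(table []Route, dev string, cidrs []*net.IPNet) bool {
	for _, c := range cidrs {
		if Lookup(table, c.IP) != dev {
			return false
		}
	}
	return true
}

func main() {
	dr := DefaultRouteDev(SampleRoutes)
	nd := NodeIPDev(SampleIfaces, SampleNodeIP)
	fmt.Printf("default-route device: %s, reaches remote podCIDRs: %v\n",
		dr, CanReachPodCIDRs(SampleRoutes, dr, SampleRemotePodCIDRs))
	fmt.Printf("NodeIP device:        %s, reaches remote podCIDRs: %v\n",
		nd, CanReachPodCIDRs(SampleRoutes, nd, SampleRemotePodCIDRs))
}
```

With the sample table, the default route points at `eth1`, which has no podCIDR routes, while `eth0` holds the NodeIP and reaches both remote podCIDRs; on a real node the same check can be done against `ip route` and `ip addr` output before choosing the `--devices` order.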