agent/datapath: Do not explicitly expose NodePort via cilium_host #11692
test-me-please
@@ -21,7 +21,7 @@ For installing ``kubeadm`` and for more provisioning options please refer to | |||
|
|||
Cilium's kube-proxy replacement depends on the :ref:`host-services` feature, | |||
therefore a v4.19.57, v5.1.16, v5.2.0 or more recent Linux kernel is required. | |||
We recommend a v5.3 or even more recent Linux kernel such as v5.8 as Cilium | |||
We recommend a v5.3 or even more recent Linux kernel such as v5.7 as Cilium |
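Review bot: The example kernel in the recommendation sentence changes from v5.8 to v5.7 with no rationale in the commit message, and the edit is unrelated to the cilium_host/NodePort change this PR is about. Split it into its own commit or drop it here. If it stays, state what each kernel version enables rather than a bare "such as v5.7", so the sentence does not need revisiting with every kernel release.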
Why changing? 5.8 will have the getpeername hook which is why I stated it here.
Considering that it will take a while until v5.8 has been released, it might discourage users from trying the replacement. We could update the docs after the release.
The same logic applies to 5.7 - it hasn't been released yet. However, considering that it's in rc7, it should be released before we release Cilium v1.8.
This would probably be less ambiguous if we just stated the facts:
"Linux kernels 5.3 and 5.8 add additional features that Cilium can use to further optimize the kube-proxy replacement implementation."
Agreed, will add it in a separate PR.
8479382 to 0302aa3
As we are planning to get rid of cilium_host and accessing a NodePort svc via its IP addr doesn't make sense (because the IP addr is not static), do not expose "ipv{4,6}(cilium_host):NodePort" in the BPF LB maps.

Unfortunately, the service is still reachable via the cilium_host IP addr because of the wildcard lookup in bpf_sock. However, remove this svc access from the docs to avoid any surprises after cilium_host has been removed.

Signed-off-by: Martynas Pumputis <m@lambda.lt>