datapath: Only NOTRACK proxy return traffic going to Cilium datapath #11899
Proxy return traffic accessed via a k8s NodePort will not be routed back via Cilium bpf datapath, so such traffic needs to have possible reverse NAT applied. Setting NOTRACK prevented this. Fix this by setting NOTRACK only on packets heading back to the Cilium datapath (-o lxc+ and -o cilium_host). Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
test-me-please
test-gke
This fixed nodeport with L7 on GKE on manual testing.
1.17 flake #10231
K8s test suite run locally against a private cluster passed on GKE with this PR:
retest-4.19
retest-gke
Change makes sense, probably just worth considering whether to further gate one of the new rules per my feedback above. I don't think it makes sense to backport to v1.6, we're not hearing reports of issues on that release with e.g. EKS. This fixes a known issue with the GKE mode which is the same on v1.7 and v1.8 so those backports make sense to me.
We should agree on the previous comment before merging:
https://github.com/cilium/cilium/pull/11899/files#r436051065
Merging despite GKE failure since the GKE job seems entirely broken but Jarno had manually validated the fix in a GKE environment.
#11899 made it possible to run NodePort BPF with L7 policies. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Proxy return traffic accessed via a k8s NodePort will not be routed
back via Cilium bpf datapath, so such traffic needs to have possible
reverse NAT applied. Setting NOTRACK prevented this. Fix this by
setting NOTRACK only on packets heading back to the Cilium datapath
(-o lxc+ and -o cilium_host).

Fixes: #8971
Fixes: #8945
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
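The gating described in the commit message, as an added illustration that is not part of the PR or of Cilium's code: a simplified model of raw-table rule evaluation (first match wins, `+` is iptables' interface-prefix wildcard) comparing the old unconditional NOTRACK with rules limited to `-o lxc+` and `-o cilium_host`. The rule lists, the `eth0` interface name and the helper names are constructed for this example; Cilium's actual chain names and rule order are not reproduced.

```python
"""Model of raw-table NOTRACK gating for proxy return traffic (example, not Cilium code)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class RawRule:
    # One iptables -t raw rule: an optional '-o <iface>' match and a target.
    out_iface: Optional[str]  # None means the rule matches any output interface
    target: str               # e.g. "NOTRACK"


def iface_matches(pattern: Optional[str], iface: str) -> bool:
    """iptables '-o' semantics: a trailing '+' matches any interface with that prefix."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return iface == pattern


def first_target(rules: Sequence[RawRule], out_iface: str) -> Optional[str]:
    """Return the target of the first rule that matches (iptables stops at the first match)."""
    for rule in rules:
        if iface_matches(rule.out_iface, out_iface):
            return rule.target
    return None


def is_conntracked(rules: Sequence[RawRule], out_iface: str) -> bool:
    """A packet hitting NOTRACK in the raw table gets no conntrack entry."""
    return first_target(rules, out_iface) != "NOTRACK"


def reverse_nat_possible(rules: Sequence[RawRule], out_iface: str) -> bool:
    """NodePort reverse NAT relies on the conntrack entry, so NOTRACK defeats it."""
    return is_conntracked(rules, out_iface)


# Before the fix (constructed): every proxy return packet was marked NOTRACK.
BEFORE = [RawRule(None, "NOTRACK")]
# After the fix (constructed): NOTRACK only when heading back into the Cilium datapath.
AFTER = [RawRule("lxc+", "NOTRACK"), RawRule("cilium_host", "NOTRACK")]

if __name__ == "__main__":
    # NodePort return traffic leaves via the node's uplink (eth0 assumed here).
    print("before, eth0:", reverse_nat_possible(BEFORE, "eth0"))   # False
    print("after,  eth0:", reverse_nat_possible(AFTER, "eth0"))    # True
    print("after,  lxc1234abcd conntracked:", is_conntracked(AFTER, "lxc1234abcd"))  # False
```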