daemon: Fix fallback to iptables-based masquerading #12081

Merged
merged 2 commits into from
Jun 16, 2020
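--- a/daemon/cmd/daemon.go
+++ b/daemon/cmd/daemon.go
@@ -437,21 +437,26 @@ func NewDaemon(ctx context.Context, dp datapath.Datapath) (*Daemon, *endpointRes
 }
 // BPF masquerade depends on BPF NodePort, so the following checks should
 // happen after invoking initKubeProxyReplacementOptions().
-if option.Config.Masquerade && option.Config.EnableBPFMasquerade {
+if option.Config.Masquerade && option.Config.EnableBPFMasquerade &&
+(!option.Config.EnableNodePort || option.Config.EgressMasqueradeInterfaces != "") {
+var msg string
 if !option.Config.EnableNodePort {
-// ipt.InstallRules() (called by Reinitialize()) happens later than
-// this statement, so it's OK to fallback to iptables-based MASQ.
-log.Warnf("BPF masquerade requires NodePort (--%s=\"true\"). "+
-"Falling back to iptables-based masquerading.", option.EnableNodePort)
-option.Config.EnableBPFMasquerade = false
+msg = fmt.Sprintf("BPF masquerade requires NodePort (--%s=\"true\").",
+option.EnableNodePort)
+} else if option.Config.EgressMasqueradeInterfaces != "" {
+msg = fmt.Sprintf("BPF masquerade does not allow to specify devices via --%s (use --%s instead).",
+option.EgressMasqueradeInterfaces, option.Devices)
 }
+// ipt.InstallRules() (called by Reinitialize()) happens later than
+// this statement, so it's OK to fallback to iptables-based MASQ.
+option.Config.EnableBPFMasquerade = false
+log.Warn(msg + " Falling back to iptables-based masquerading.")
+}
+if option.Config.Masquerade && option.Config.EnableBPFMasquerade {
 // TODO(brb) nodeport + ipvlan constraints will be lifted once the SNAT BPF code has been refactored
 if option.Config.DatapathMode == datapathOption.DatapathModeIpvlan {
 log.Fatalf("BPF masquerade works only in veth mode (--%s=\"%s\"", option.DatapathMode, datapathOption.DatapathModeVeth)
 }
-if option.Config.EgressMasqueradeInterfaces != "" {
-log.Fatalf("BPF masquerade does not allow to specify devices via --%s. Use --%s instead.", option.EgressMasqueradeInterfaces, option.Devices)
-}
 } else if option.Config.EnableIPMasqAgent {
 log.Fatalf("BPF ip-masq-agent requires --%s=\"true\" and --%s=\"true\"", option.Masquerade, option.EnableBPFMasquerade)
 }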
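Review bot: After the new fallback runs `option.Config.EnableBPFMasquerade = false`, the re-evaluated `if option.Config.Masquerade && option.Config.EnableBPFMasquerade` is false, so a configuration that also sets ip-masq-agent now falls into the `else if option.Config.EnableIPMasqAgent` branch and dies with the "BPF ip-masq-agent requires --%s=\"true\" and --%s=\"true\"" message, which is misleading because the operator did enable BPF masquerade; the real cause (NodePort disabled or egress interfaces set) only appears in the warning logged just before. Consider rejecting that combination explicitly before downgrading, e.g. ahead of the assignment: `if option.Config.EnableIPMasqAgent {` / `log.Fatalf("%s BPF ip-masq-agent requires BPF masquerade, so falling back to iptables is not possible.", msg)` / `}`. A minor point: when NodePort is disabled and --egress-masquerade-interfaces is also set, the else-if reports only the NodePort reason, so the second misconfiguration stays hidden. NewDaemon starts and ends outside the hunk.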
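--- a/test/helpers/kubectl.go
+++ b/test/helpers/kubectl.go
@@ -103,6 +103,7 @@ var (
 "global.ipv6.enabled": "true",
 "global.psp.enabled": "true",
 "global.ci.kubeCacheMutationDetector": "true",
+"global.bpfMasquerade": "true",
 // Disable by default, so that 4.9 CI build does not panic due to
 // missing LRU support. On 4.19 and net-next we enable it with
 // kubeProxyReplacement=strict.
@@ -2176,7 +2177,6 @@ func (kub *Kubectl) overwriteHelmOptions(options map[string]string) error {
 return err
 }
 devices = fmt.Sprintf(`'{%s,%s}'`, privateIface, defaultIface)
-opts["global.bpfMasquerade"] = "true"
 }
 
 opts["global.devices"] = devices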
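Review bot: `"global.bpfMasquerade": "true"` is now an unconditional CI default, while the comment directly below it still describes kubeProxyReplacement being disabled on the 4.9 build; on such runs BPF NodePort is presumably off, so the agent takes the iptables fallback and BPF masquerade is not actually exercised there, with only a warning in the agent log to show it. A short comment above the new entry, e.g. `// Enabled everywhere; the agent falls back to iptables masquerading where BPF NodePort is unavailable.`, would record that this is intended rather than an oversight. The removal in overwriteHelmOptions is consistent with the new default; that function starts and ends outside the hunk.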