bpf: fix in-cluster connectivity for externalTrafficPolicy=Local #12311
Overall looks good so far! One issue with regards to HealthCheckNodePort
test-me-please
test-focus K8sService*
(don't merge yet, still debugging on sth)
test-me-please
test-focus K8sService*
(ready to merge once CI is green)
Runtime-4.9 looks unrelated:
test-focus had vbox error:
4.19 bailed on HealthCheckNodePort ... looking into it:
test-me-please
Finally, wire-up Kubernetes side to add surrogate entries for cluster-internal communication in case of externalTrafficPolicy=Local. We only filter local backends for ScopeExternal. ScopeInternal will have everything.

Example from nginx deployment with externalTrafficPolicy=Local, listing from node apoc:

    # ./cilium/cilium service list
    ID   Frontend                 Service Type   Backend
    4    10.100.125.187:80        ClusterIP      1 => 10.217.0.252:80
                                                 2 => 10.217.1.86:80
    5    192.168.178.29:30465     NodePort       1 => 10.217.0.252:80
    6    0.0.0.0:30465            NodePort       1 => 10.217.0.252:80
    7    192.168.178.29:30465/i   NodePort       1 => 10.217.0.252:80
                                                 2 => 10.217.1.86:80
    8    0.0.0.0:30465/i          NodePort       1 => 10.217.0.252:80
                                                 2 => 10.217.1.86:80

    # ./cilium/cilium bpf lb list
    SERVICE ADDRESS          BACKEND ADDRESS
    10.100.125.187:80        0.0.0.0:0 (4) [ClusterIP]
                             10.217.0.252:80 (4)
                             10.217.1.86:80 (4)
    192.168.178.29:30465     0.0.0.0:0 (5) [NodePort, Local]
                             10.217.0.252:80 (5)
    192.168.178.29:30465/i   0.0.0.0:0 (7) [NodePort, Local]
                             10.217.0.252:80 (7)
                             10.217.1.86:80 (7)
    0.0.0.0:30465            0.0.0.0:0 (6) [NodePort, Local]
                             10.217.0.252:80 (6)
    0.0.0.0:30465/i          10.217.1.86:80 (8)
                             10.217.0.252:80 (8)
                             0.0.0.0:0 (8) [NodePort, Local]

    # kubectl get pods --all-namespaces -o wide
    NAMESPACE   NAME                      READY   STATUS    RESTARTS   AGE    IP             NODE   NOMINATED NODE   READINESS GATES
    default     nginx6-7d4b5d6bdf-7tpk4   1/1     Running   0          127m   10.217.1.86    tank   <none>           <none>
    default     nginx6-7d4b5d6bdf-wd9hf   1/1     Running   0          127m   10.217.0.252   apoc   <none>           <none>
    [...]

As can be seen the ClusterIP has all backends, the external facing NodePort only has local backends whereas the internal facing NodePort has all backends. The 0.0.0.0:30465 could still be optimized away since genCartesianProduct() has no awareness from the logic in ParseService() which adds the surrogate entries.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
... given kube-proxy-free setup supports them now, let's run these. Also add tests from third node to make sure they fail to a node that has no local backend.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Add an 'umbrella' section on client source IP preservation with links to the related sections.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
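The following is an added illustration of the scoping rule the first commit message above describes (external scope keeps only backends local to the node, the surrogate internal scope keeps all of them) and of the "third node" case the second commit tests. It is example code written for this page, not Cilium's own implementation: the types Scope, Backend, Service and Entry and the functions buildEntries, lookup and sampleService are hypothetical, and the node name "third" is a constructed stand-in for a node with no local pod. The frontend and backend addresses are taken from the listing in the commit message.

```go
package main

import (
	"fmt"
	"sort"
)

// Scope distinguishes the external-facing service entry from the surrogate
// internal-facing ("/i") entry. Hypothetical type, not Cilium's own.
type Scope int

const (
	ScopeExternal Scope = iota
	ScopeInternal
)

// Suffix renders the scope the way the `cilium service list` output does.
func (s Scope) Suffix() string {
	if s == ScopeInternal {
		return "/i"
	}
	return ""
}

// Backend is a pod endpoint together with the node it runs on.
type Backend struct {
	Addr string // "ip:port"
	Node string
}

// Service is a NodePort service as seen by one node.
type Service struct {
	Frontend string // "ip:port"
	Local    bool   // externalTrafficPolicy=Local
	Backends []Backend
}

// Entry is one datapath service entry: a scoped frontend and the backends
// that frontend may select on this node.
type Entry struct {
	Frontend string
	Scope    Scope
	Backends []string
}

// buildEntries derives the per-node entries. For a Local service the
// external-scope entry keeps only backends running on thisNode, while the
// surrogate internal-scope entry keeps every backend. A Cluster-policy
// service needs no surrogate: one external entry with all backends.
func buildEntries(svc Service, thisNode string) []Entry {
	all := make([]string, 0, len(svc.Backends))
	local := make([]string, 0, len(svc.Backends))
	for _, b := range svc.Backends {
		all = append(all, b.Addr)
		if b.Node == thisNode {
			local = append(local, b.Addr)
		}
	}
	sort.Strings(all)
	sort.Strings(local)
	if !svc.Local {
		return []Entry{{Frontend: svc.Frontend, Scope: ScopeExternal, Backends: all}}
	}
	return []Entry{
		{Frontend: svc.Frontend, Scope: ScopeExternal, Backends: local},
		{Frontend: svc.Frontend, Scope: ScopeInternal, Backends: all},
	}
}

// lookup returns the backends a connection may be sent to: in-cluster
// sources use the internal scope, external sources the external scope.
// An empty result means the node has no eligible backend and the
// connection fails, which is the intended outcome for external traffic
// arriving at a node without a local pod.
func lookup(entries []Entry, fromCluster bool) []string {
	want := ScopeExternal
	if fromCluster {
		want = ScopeInternal
	}
	for _, e := range entries {
		if e.Scope == want {
			return e.Backends
		}
	}
	// A Cluster-policy service has no internal entry; fall back to external.
	for _, e := range entries {
		if e.Scope == ScopeExternal {
			return e.Backends
		}
	}
	return nil
}

// sampleService mirrors the nginx example from the commit message:
// one pod on apoc, one on tank, externalTrafficPolicy=Local (constructed).
func sampleService() Service {
	return Service{
		Frontend: "192.168.178.29:30465",
		Local:    true,
		Backends: []Backend{
			{Addr: "10.217.0.252:80", Node: "apoc"},
			{Addr: "10.217.1.86:80", Node: "tank"},
		},
	}
}

func main() {
	for _, node := range []string{"apoc", "third"} {
		for _, e := range buildEntries(sampleService(), node) {
			fmt.Printf("%s: %s%s -> %v\n", node, e.Frontend, e.Scope.Suffix(), e.Backends)
		}
	}
}
```

Running it from node apoc yields an external entry with only 10.217.0.252:80 and an internal entry with both backends, matching rows 5 and 7 of the listing; from the constructed node "third" the external entry is empty, so an external connection fails there while an in-cluster one still reaches both pods.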
test-me-please EDIT: net-next failed provisioning:
test-focus K8sService*
retest-net-next
docs/cli/bpf LGTM. I didn't look so closely at services side.
See commit messages.
Fixes: #11746
Fixes: #11724