Adds pod annotation to manage iptables NOTRACK rules. #13805
Some questions / comments before doing a more thorough review.
I think all previous comments are addressed :) PTAL @joestringer @aditighag @brb
Couple of other minor deviations compared to similar surrounding code.
I must've missed my coffee before my earlier review today 😅. A few more pretty minor tidy-up suggestions below, but after those this should be good to merge.
test-me-please
hmm, I don't think the GKE failure is PR related? Seems like a test setup issue.
kernel-netnext seems to be failing for the same reason as kernel-4.19 (unrelated to this PR).
#14159 is now resolved, can re-run CI.
test-me-please
We watch for a new annotation "io.cilium.no-track-port" when updating endpoints. Combined with adding such annotation to nodelocaldns's yaml, this should bring back the NOTRACK rules for nodelocaldns.

Signed-off-by: Weilong Cui <cuiwl@google.com>
rebased, rerun CI
test-me-please
retest-4.9
4.9 failure seems unrelated
retest-4.9
@Weil0ng would you mind updating the PR description to briefly describe the path that this PR ended up taking? It could be useful to reference in future.
Done :) |
Nitpicking, but as there is no release note, (AFAIK) the title will be used in the 1.10 release notes. I read the title as if the NOTRACK rule can be added only for nodelocaldns pods, which is not true.
Sorry, just saw this; edited the title to be more generic.
This adds a handler for a new pod annotation `no-track-port: <port-number>`. When this annotation is in place, 5 NOTRACK rules are automatically inserted into the root-ns iptables for the pod at the port specified. The 5 rules are:

The effect of these rules is essentially that all traffic going to/from that specified port will skip kernel conntrack. One particular use case is to achieve feature parity with nodelocaldns (https://github.com/kubernetes/enhancements/blob/master/keps/sig-network/0030-nodelocal-dns-cache.md#iptables-notrack).

The rules are managed via a new event type `EndpointNoTrackEvent` at endpoint creation/deletion time and in the pod watcher (when the annotation changes).

Fixes: #13686