test: Fix kube-proxy service tests when running with socket-level LB #14699

Merged
merged 1 commit into from
Jan 25, 2021

Conversation

pchaigno
Member

I would normally send this as part of the PR that requires it, but I have two WIP PRs that will be blocked by this: #14543 and the fix for #14628.

When running Cilium with the following configuration, requests from k8s2 to
NodePort services with backends only in k8s2 will be dropped if the
request is sent to k8s1.

    kube-proxy-replacement: partial
    enable-node-port: false
    enable-host-reachable-services: true

This is a known behavior of kube-proxy 1.15+. The request won't be
translated by the socket-level LB since, when BPF NodePort is disabled,
the BPF service map is only populated with ClusterIP entries.

The above configuration can be obtained by running on newer kernels with
IPSec enabled [1], which disables BPF NodePort but not socket-level LB.
This same configuration is also tested in the work-in-progress hybrid CI
pipeline [2], where the kube-proxy replacement runs alongside kube-proxy.

1 - https://github.com/cilium/cilium/pull/14628
2 - https://github.com/cilium/cilium/pull/14543
Signed-off-by: Paul Chaignon <paul@cilium.io>

@pchaigno pchaigno added area/CI Continuous Integration testing issue or flake release-note/ci This PR makes changes to the CI. labels Jan 22, 2021
@maintainer-s-little-helper maintainer-s-little-helper bot added this to In progress in 1.10.0 Jan 22, 2021
@pchaigno pchaigno marked this pull request as ready for review January 22, 2021 17:28
@pchaigno pchaigno requested a review from a team as a code owner January 22, 2021 17:28
@pchaigno pchaigno requested review from a team, errordeveloper and aditighag January 22, 2021 17:28
@pchaigno pchaigno force-pushed the pr/pchaigno/fix-kube-proxy-svc-test-sock-lb branch from c9a98da to 5a2beee Compare January 22, 2021 22:49
@pchaigno
Member Author

test-me-please

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 23, 2021
@aanm aanm merged commit 0a3d605 into master Jan 25, 2021
@aanm aanm deleted the pr/pchaigno/fix-kube-proxy-svc-test-sock-lb branch January 25, 2021 09:23