iptables: add support for NOTRACK rules for pod to pod traffic #15264
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
jibi
force-pushed
the
pr/jibi/disable-ct
branch
7 times, most recently
from
7bb5d6a
to
071f8e8
Compare
jibi
added
the
release-note/minor
maintainer-s-little-helper
bot
removed
the
dont-merge/needs-release-note-label
jibi
added
area/daemon
jibi
force-pushed
the
pr/jibi/disable-ct
branch
6 times, most recently
from
4d59825
to
3e3b03e
Compare
jibi
force-pushed
the
pr/jibi/disable-ct
branch
from
752ccfc
to
fac2aa5
Compare
tgraf
requested changes
Mar 23, 2021
There was a problem hiding this comment.
I don't understand the requirements on not running in managed k8s.
EKS: Native ENI (direct routing) + KPR in probe. So we should probably enable if KPR gets enabled?
GKE: Native routing + k8s IPAM + KPR
AKS: Azure IPAM (direct routing) + KPR
So assuming that the kernel image is recent enough for KPR, we should be able to enable it on all of them?
tgraf
requested changes
Mar 23, 2021
nathanjsweet
approved these changes
Mar 23, 2021
jibi
force-pushed
the
pr/jibi/disable-ct
branch
2 times, most recently
from
8a798c6
to
b64afe4
Compare
tgraf
approved these changes
Mar 23, 2021
pchaigno
requested changes
Mar 23, 2021
jibi
force-pushed
the
pr/jibi/disable-ct
branch
from
b64afe4
to
01202c9
Compare
pchaigno
approved these changes
Mar 23, 2021
borkmann
reviewed
Mar 23, 2021
borkmann
reviewed
Mar 23, 2021
borkmann
reviewed
Mar 23, 2021
jibi
force-pushed
the
pr/jibi/disable-ct
branch
from
01202c9
to
6a00c6d
Compare
When running in KPR mode, all pod-to-pod traffic goes through connection tracking twice: the first time traffic is tracked by netfilter and the second one by the BPF datapath. This is suboptimal as doing conntrack at the netfilter layer is not strictly required for the operation of the CNI, but it has some important performance implications. This commit introduces a new agent option, --install-no-conntrack-iptables-rules (disabled by default) which installs `-j NOTRACK` Iptables rules that match all traffic from and to the native-routing-cidr CIDR, to prevent netfilter from tracking all pod-to-pod traffic. This feature can be only enabled when Cilium is: * running in direct routing * running in full KPR mode * not running its CNI chained on top of other CNI plugins * not running in a managed Kubernetes environment such as AKS, EKS or GKE There are a few reasons for these specific requirements: * when running in tunneling mode (and with full KPR), the pod-to-pod traffic is encapsulated and decapsulated in the context of the BPF datapath program and so it is already skipping the netfilter raw table where connection tracking happens. * when running in kube-proxy mode conntrack is required to perform NAT * we cannot make assumptions on how a generic CNI is going to use netfilter conntrack Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
jibi
force-pushed
the
pr/jibi/disable-ct
branch
from
6a00c6d
to
60b6a14
Compare
|
test-me-please |
|
retest-runtime |
borkmann
approved these changes
Mar 24, 2021
maintainer-s-little-helper
bot
added
the
ready-to-merge
This was referenced Apr 28, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When running in KPR mode, all pod-to-pod traffic goes through connection
tracking twice: the first time traffic is tracked by netfilter and the
second one by the BPF datapath.
This is suboptimal as doing conntrack at the netfilter layer is not
strictly required for the operation of the CNI, but it has some
important performance implications.
This commit introduces a new agent option,
--install-no-conntrack-iptables-rules (enabled by default) which
installs
-j NOTRACKIptables rules that match all traffic from and tothe native-routing-cidr CIDR, to prevent netfilter from tracking all
pod-to-pod traffic.
This feature can be only enabled when Cilium is:
There are a few reasons for these specific requirements:
traffic is encapsulated and decapsulated in the context of the BPF
datapath program and so it is already skipping the netfilter raw table
where connection tracking happens.
netfilter conntrack
Signed-off-by: Gilberto Bertin gilberto@isovalent.com