iptables: add support for NOTRACK rules for pod to pod traffic #15264
Conversation
Some nits.
I don't understand the requirements on not running in managed k8s.
* EKS: Native ENI (direct routing) + KPR in probe. So we should probably enable it if KPR gets enabled?
* GKE: Native routing + k8s IPAM + KPR
* AKS: Azure IPAM (direct routing) + KPR

So, assuming the kernel image is recent enough for KPR, we should be able to enable it on all of them?
When running in KPR mode, all pod-to-pod traffic goes through connection tracking twice: the first time traffic is tracked by netfilter, and the second time by the BPF datapath. This is suboptimal: doing conntrack at the netfilter layer is not strictly required for the operation of the CNI, but it has some important performance implications.

This commit introduces a new agent option, `--install-no-conntrack-iptables-rules` (disabled by default), which installs `-j NOTRACK` iptables rules matching all traffic from and to the native-routing-cidr CIDR, to prevent netfilter from tracking pod-to-pod traffic.

This feature can only be enabled when Cilium is:

* running in direct routing mode
* running in full KPR mode
* not running its CNI chained on top of other CNI plugins
* not running in a managed Kubernetes environment such as AKS, EKS or GKE

There are a few reasons for these specific requirements:

* when running in tunneling mode (and with full KPR), pod-to-pod traffic is encapsulated and decapsulated in the context of the BPF datapath program, and so it already skips the netfilter raw table where connection tracking happens;
* when running in kube-proxy mode, conntrack is required to perform NAT;
* we cannot make assumptions about how a generic CNI is going to use netfilter conntrack.

Signed-off-by: Gilberto Bertin <gilberto@isovalent.com>
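To make the matching behavior concrete, here is a small sketch (not Cilium code) of the condition the `-j NOTRACK` rules express: a flow bypasses netfilter conntrack only when both its source and destination addresses fall inside the native-routing CIDR. The CIDR value below is a placeholder, not one taken from this PR.

```python
import ipaddress

# Placeholder value standing in for the cluster's native-routing-cidr.
NATIVE_ROUTING_CIDR = ipaddress.ip_network("10.0.0.0/8")

def is_notrack(src: str, dst: str) -> bool:
    """Mimic the NOTRACK rule match: both endpoints inside the
    native-routing CIDR, i.e. pod-to-pod traffic."""
    return (ipaddress.ip_address(src) in NATIVE_ROUTING_CIDR
            and ipaddress.ip_address(dst) in NATIVE_ROUTING_CIDR)

print(is_notrack("10.1.2.3", "10.4.5.6"))  # pod-to-pod: True
print(is_notrack("10.1.2.3", "8.8.8.8"))   # pod-to-external: False
```

Traffic where either endpoint is outside the CIDR (north-south traffic, NAT'd flows) keeps going through netfilter conntrack as before.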
test-me-please
retest-runtime