Allow install-no-conntrack-iptables-rules
when masquerading is disabled
#18482
Conversation
force-pushed from 500672e to 3d454f1
Looks good, thanks!
Could you also update the tuning guide please? At the moment it still mentions eBPF masquerading is required to enable install-no-conntrack-iptables-rules:

cilium/Documentation/operations/performance/tuning.rst, lines 49 to 54 in 8bf4e22:

**Requirements:**

* Kernel >= 4.19.57, >= 5.1.16, >= 5.2
* Direct-routing configuration
* eBPF-based kube-proxy replacement
* eBPF masquerading
MasqueradingEnabled returns true whenever IPv4 or IPv6 masquerading is enabled. Signed-off-by: Paul Chaignon <paul@cilium.io>
Until now the agent would fatal if install-no-conntrack-iptables-rules was passed when BPF masquerading is disabled, regardless of whether any masquerading is even enabled. What we want to avoid is for iptables-based masquerading to be used at the same time as install-no-conntrack-iptables-rules. Using install-no-conntrack-iptables-rules when no masquerading is enabled should be fine. Signed-off-by: Paul Chaignon <paul@cilium.io>
force-pushed from 3d454f1 to 81ee108
Several tests failed with known flakes:
Reviews are in, except for the CLI team, but I'm not sure why that team was requested in the first place (I didn't modify any of our CLIs). Marking ready to merge.
The first commit introduces a helper function used by the second commit. The second commit allows install-no-conntrack-iptables-rules to be used if (1) BPF masquerading is used or if (2) all masquerading is disabled. Until now, it was only allowed for the first condition.
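To make the two conditions concrete, here is an added Go example modelling the agent's startup check before and after this change; it is not cilium's code. Only the MasqueradingEnabled helper and the flag name come from the PR; the Config field names and the ValidateBefore/ValidateAfter functions are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Config is the subset of agent options the check needs. The field names
// are this example's assumptions, not cilium's own option names.
type Config struct {
	EnableIPv4Masquerade       bool
	EnableIPv6Masquerade       bool
	EnableBPFMasquerade        bool
	InstallNoConntrackIptRules bool // --install-no-conntrack-iptables-rules
}

// MasqueradingEnabled returns true whenever IPv4 or IPv6 masquerading is
// enabled (the helper the first commit describes).
func (c Config) MasqueradingEnabled() bool {
	return c.EnableIPv4Masquerade || c.EnableIPv6Masquerade
}

// ErrIptablesMasqWithNoConntrack marks the one combination that breaks:
// iptables-based masquerading depends on conntrack, so it cannot coexist
// with the no-conntrack rules.
var ErrIptablesMasqWithNoConntrack = errors.New(
	"install-no-conntrack-iptables-rules needs BPF masquerading or no masquerading")

// ValidateBefore models the check prior to this PR: any use of the flag
// without BPF masquerading is fatal, even when no masquerading is configured.
func ValidateBefore(c Config) error {
	if c.InstallNoConntrackIptRules && !c.EnableBPFMasquerade {
		return ErrIptablesMasqWithNoConntrack
	}
	return nil
}

// ValidateAfter models the check after this PR: the flag is rejected only
// when masquerading is enabled and not handled in BPF.
func ValidateAfter(c Config) error {
	if c.InstallNoConntrackIptRules && !c.EnableBPFMasquerade && c.MasqueradingEnabled() {
		return ErrIptablesMasqWithNoConntrack
	}
	return nil
}

func main() {
	noMasq := Config{InstallNoConntrackIptRules: true} // constructed sample
	fmt.Println("before:", ValidateBefore(noMasq), "after:", ValidateAfter(noMasq))
}
```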