
node: Don't skip masquerading for External node IPs #18483

Merged
merged 2 commits into from Jan 19, 2022

Conversation

pchaigno
Member

@pchaigno pchaigno commented Jan 14, 2022

See commits for details. The first has the fix, the second documents the difference between our two implementations.

Fixes: #16603.
Related: #17177.

@pchaigno pchaigno added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. needs-backport/1.11 labels Jan 14, 2022
@pchaigno pchaigno requested review from a team and borkmann January 14, 2022 10:27
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.1 Jan 14, 2022
@brb
Member

brb commented Jan 17, 2022

> Hence, this commit changes the logic to only skip masquerading in iptables for Internal node IPs. This commit doesn't affect the BPF-based masquerading logic, as unfortunately we can't easily distinguish between Internal and External node IPs in our datapath today (both are identified as host or remote-node).

I think we should document this subtle difference in the masquerading.rst.

Commit 49cb220 ("iptables: Don't masquerade traffic to cluster
nodes") introduced ipsets in our iptables rules, to skip masquerading
traffic to cluster nodes when iptables-based masquerading is used.
BPF-based masquerading already implemented this logic.

In practice, traffic to both Internal and External node IPs would skip
masquerading. However, Kubernetes doesn't state that External Node IPs
are routable within the cluster. Masquerading may thus be required for
External Node IPs, as reported by several users.

Hence, this commit changes the logic to only skip masquerading in
iptables for Internal node IPs. This commit doesn't affect the BPF-based
masquerading logic, as unfortunately we can't easily distinguish between
Internal and External node IPs in our datapath today (both are
identified as host or remote-node).

Fixes: 49cb220 ("iptables: Don't masquerade traffic to cluster nodes")
Signed-off-by: Paul Chaignon <paul@cilium.io>

This commit documents the difference in handling traffic to External IPs
of cluster nodes between the BPF-based and iptables-based
implementations of masquerading in Cilium.

Suggested-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Paul Chaignon <paul@cilium.io>
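As an added illustration of the first commit's rule change (example code, not Cilium's own implementation): a small Go model of which Kubernetes node addresses end up in the skip-masquerade ipset before and after the fix, and whether egress traffic to a given destination is then SNATed. The type names, the node-address representation, the use of a map per address family and the sample IPs are assumptions made for the example; in iptables the equivalent is a nat POSTROUTING rule of the form `-m set --match-set <set> dst -j RETURN` placed before the MASQUERADE rule.

```go
package main

import (
	"fmt"
	"net"
)

// NodeAddress mirrors an entry of a Kubernetes Node's status.addresses.
type NodeAddress struct{ Type, Address string }

// NodeIPSets models the two "skip masquerading" ipsets (one per address family).
type NodeIPSets struct{ V4, V6 map[string]bool }

// BuildNodeIPSets collects node IPs whose traffic must not be SNATed; only
// InternalIP entries qualify (the fix) unless includeExternal is true (pre-fix).
func BuildNodeIPSets(nodes [][]NodeAddress, includeExternal bool) NodeIPSets {
	sets := NodeIPSets{V4: map[string]bool{}, V6: map[string]bool{}}
	for _, node := range nodes {
		for _, a := range node {
			if a.Type != "InternalIP" && !(includeExternal && a.Type == "ExternalIP") {
				continue
			}
			ip := net.ParseIP(a.Address)
			if ip == nil {
				continue // malformed address: never add it to the set
			}
			if ip.To4() != nil {
				sets.V4[ip.String()] = true
			} else {
				sets.V6[ip.String()] = true
			}
		}
	}
	return sets
}

// Masquerades reports whether egress to dst is SNATed, i.e. no skip-set rule matched it.
func Masquerades(sets NodeIPSets, dst string) bool {
	ip := net.ParseIP(dst)
	if ip == nil {
		return true // unparsable destination falls through to MASQUERADE
	}
	return !sets.V4[ip.String()] && !sets.V6[ip.String()]
}

func main() {
	nodes := [][]NodeAddress{{{"InternalIP", "10.0.0.5"}, {"ExternalIP", "203.0.113.7"}}} // constructed sample
	fixed, old := BuildNodeIPSets(nodes, false), BuildNodeIPSets(nodes, true)
	fmt.Println(Masquerades(fixed, "203.0.113.7"), Masquerades(old, "203.0.113.7")) // true false
}
```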
@pchaigno
Member Author

> I think we should document this subtle difference in the masquerading.rst.

@brb 👍 Done in the second commit. Please have a look.


@brb brb left a comment


Thanks!

@pchaigno pchaigno closed this Jan 17, 2022
@pchaigno pchaigno reopened this Jan 17, 2022

@pchaigno pchaigno added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jan 18, 2022
@joestringer joestringer added this to Needs backport from master in 1.11.2 Jan 18, 2022
@joestringer joestringer removed this from Needs backport from master in 1.11.1 Jan 18, 2022
@aditighag aditighag merged commit aaf0a75 into cilium:master Jan 19, 2022
@pchaigno pchaigno deleted the fix-ipt-masq-external-node-ips branch January 19, 2022 08:28
@glibsm glibsm added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed backport-pending/1.11 labels Jan 30, 2022
@joestringer joestringer moved this from Needs backport from master to Backport done to v1.11 in 1.11.2 Feb 23, 2022
zuzzas added a commit to deckhouse/deckhouse that referenced this pull request Mar 23, 2022
7 participants