
docs: improve guide to setup Cilium overlay on EKS #19207

Merged (1 commit into cilium:master, Apr 13, 2022)

Conversation

@oliwave (Contributor) commented Mar 21, 2022

I've added several documentation steps to properly install Cilium overlay mode on EKS, since removing the aws-node daemonSet will not clear the following iptables rules and the leftover rules will affect routing and filtering decisions.

```
-A PREROUTING -i eni+ -m comment --comment "AWS, outbound connections" -m state --state NEW -j AWS-CONNMARK-CHAIN-0
-A PREROUTING -m comment --comment "AWS, CONNMARK" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80
-A POSTROUTING -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-0
-A AWS-CONNMARK-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS CONNMARK CHAIN, VPC CIDR" -j AWS-CONNMARK-CHAIN-1
-A AWS-CONNMARK-CHAIN-1 -m comment --comment "AWS, CONNMARK" -j CONNMARK --set-xmark 0x80/0x80
-A AWS-SNAT-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-1
-A AWS-SNAT-CHAIN-1 ! -o vlan+ -m comment --comment "AWS, SNAT" -m addrtype ! --dst-type LOCAL -j SNAT --to-source 10.2.2.245 --random-fully
```

Signed-off-by: Oliver Wang a0924100192@gmail.com

@oliwave oliwave requested a review from a team as a code owner March 21, 2022 06:14
@oliwave oliwave requested a review from qmonnet March 21, 2022 06:14
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 21, 2022
@qmonnet (Member) left a comment

Thanks a lot for your contribution! Please find some comments below.

Also, please drop the Markdown syntax for your commit description. The # symbols are usually marking comments in git descriptions, and the email address for the Signed-off-by: tag is improperly formatted (see the complaints from checkpatch in the BPF checks).

Two review comments on Documentation/gettingstarted/k8s-install-helm.rst (outdated, resolved)
@qmonnet qmonnet added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. release-note/misc This PR makes changes that have no direct user impact. and removed area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. labels Mar 21, 2022
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Mar 21, 2022
@qmonnet qmonnet requested review from a team and christarazi and removed request for a team March 21, 2022 23:52
@oliwave oliwave force-pushed the docs-patch branch 2 times, most recently from 1cf49b8 to 13f5cef Compare March 23, 2022 02:24
@oliwave oliwave requested a review from qmonnet March 23, 2022 02:27
@qmonnet (Member) left a comment

Thanks!

@oliwave (Contributor, Author) commented Mar 26, 2022

@christarazi Please help me review the PR, thanks!

@oliwave oliwave force-pushed the docs-patch branch 4 times, most recently from f0c8019 to 9ea5e81 Compare April 2, 2022 15:43
@oliwave oliwave requested a review from christarazi April 2, 2022 15:46
@oliwave (Contributor, Author) commented Apr 2, 2022

@christarazi I've picked out the chains that will affect routing decisions. And since iptables is not flushed, users don't have to restart kube-proxy.

@oliwave oliwave requested a review from qmonnet April 10, 2022 08:42
I've added several documentation steps to properly install Cilium overlay mode on EKS, since removing the `aws-node` daemonSet will not clear the iptables rules and the leftover rules will affect routing and filtering decisions.

The issue I'm having is that when the source pod is set to `hostNetwork` mode, the destination pod is unable to reply to packets through `cilium_vxlan` because of the following AWS CNI residual iptables rules. Also, the nodes cannot access pods on different nodes.

```
-A PREROUTING -i eni+ -m comment --comment "AWS, outbound connections" -m state --state NEW -j AWS-CONNMARK-CHAIN-0
-A PREROUTING -m comment --comment "AWS, CONNMARK" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80
-A POSTROUTING -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-0
-A AWS-CONNMARK-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS CONNMARK CHAIN, VPC CIDR" -j AWS-CONNMARK-CHAIN-1
-A AWS-CONNMARK-CHAIN-1 -m comment --comment "AWS, CONNMARK" -j CONNMARK --set-xmark 0x80/0x80
-A AWS-SNAT-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-1
-A AWS-SNAT-CHAIN-1 ! -o vlan+ -m comment --comment "AWS, SNAT" -m addrtype ! --dst-type LOCAL -j SNAT --to-source 10.2.2.245 --random-fully
```

Signed-off-by: Oliver Wang <a0924100192@gmail.com>
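The cleanup that the documentation steps in this PR describe, as an added example that is not part of the PR, of Cilium's docs, or of the AWS CNI: a POSIX shell script that detects the AWS VPC CNI rules left behind after the `aws-node` DaemonSet is removed (keyed on the `AWS` comment every rule quoted above carries) and prints, without executing, the `iptables` commands that would remove them. The sample `iptables-save` output is constructed from the rules quoted above plus one unrelated kube-proxy rule; that all of these rules live in the nat table is an assumption, consistent with the SNAT and CONNMARK targets shown but not stated by the PR.

```shell
#!/bin/sh
# Added example, not part of the Cilium PR or its documentation. Finds the
# AWS VPC CNI rules that survive deleting the aws-node DaemonSet and prints
# the iptables commands that remove them. It only prints; nothing changes
# until the output is reviewed and piped to sh on the node.
# Assumption: the rules live in the nat table (as the SNAT/CONNMARK targets
# quoted in the PR suggest). Chain and comment names are the PR's.

# Constructed sample of `iptables-save -t nat` on an EKS node after aws-node
# was removed but before cleanup: the seven rules from the PR plus one
# kube-proxy rule that must be left alone.
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:AWS-CONNMARK-CHAIN-0 - [0:0]
:AWS-CONNMARK-CHAIN-1 - [0:0]
:AWS-SNAT-CHAIN-0 - [0:0]
:AWS-SNAT-CHAIN-1 - [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -i eni+ -m comment --comment "AWS, outbound connections" -m state --state NEW -j AWS-CONNMARK-CHAIN-0
-A PREROUTING -m comment --comment "AWS, CONNMARK" -j CONNMARK --restore-mark --nfmask 0x80 --ctmask 0x80
-A POSTROUTING -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-0
-A AWS-CONNMARK-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS CONNMARK CHAIN, VPC CIDR" -j AWS-CONNMARK-CHAIN-1
-A AWS-CONNMARK-CHAIN-1 -m comment --comment "AWS, CONNMARK" -j CONNMARK --set-xmark 0x80/0x80
-A AWS-SNAT-CHAIN-0 ! -d 10.2.0.0/16 -m comment --comment "AWS SNAT CHAIN" -j AWS-SNAT-CHAIN-1
-A AWS-SNAT-CHAIN-1 ! -o vlan+ -m comment --comment "AWS, SNAT" -m addrtype ! --dst-type LOCAL -j SNAT --to-source 10.2.2.245 --random-fully
COMMIT'

# Every rule the AWS CNI installs carries a comment beginning with "AWS";
# that comment is the detection key. Prints matching rules, one per line.
aws_leftover_rules() {
  printf '%s\n' "$1" | grep '^-A .*--comment "AWS' || true
}

# Number of leftover AWS rules in the dump; 0 means the node is clean.
aws_leftover_count() {
  aws_leftover_rules "$1" | grep -c '' || true
}

# Removal commands in a safe order: first detach the AWS rules from the
# built-in PREROUTING/POSTROUTING chains so nothing jumps into the custom
# chains any more, then flush every AWS-* chain, then delete the chains
# (iptables refuses -X on a chain that is non-empty or still referenced).
aws_cleanup_commands() {
  table=$1
  printf '%s\n' "$table" \
    | grep -E '^-A (PREROUTING|POSTROUTING) .*--comment "AWS' \
    | sed 's/^-A /iptables -t nat -D /'
  chains=$(printf '%s\n' "$table" | sed -n 's/^:\(AWS-[A-Z0-9-]*\) .*/\1/p')
  for c in $chains; do echo "iptables -t nat -F $c"; done
  for c in $chains; do echo "iptables -t nat -X $c"; done
}

# On a live node the equivalent would be:
#   aws_cleanup_commands "$(iptables-save -t nat)"        # review the plan
#   aws_cleanup_commands "$(iptables-save -t nat)" | sh   # apply it
echo "leftover AWS rules: $(aws_leftover_count "$SAMPLE_NAT_TABLE")"
aws_leftover_rules "$SAMPLE_NAT_TABLE"
echo "cleanup plan:"
aws_cleanup_commands "$SAMPLE_NAT_TABLE"
```

Printing rather than applying keeps the step reviewable on a production node, and `aws_leftover_count` doubles as the post-cleanup check: it should report 0 before Cilium's overlay traffic is trusted to take the expected path.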
@oliwave oliwave requested a review from qmonnet April 12, 2022 10:13
@christarazi (Member) left a comment

Thanks for the PR!

@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from master in 1.11.4 Apr 12, 2022
@christarazi christarazi added the integration/cloud Related to integration with cloud environments such as AKS, EKS, GKE, etc. label Apr 12, 2022
@qmonnet (Member) left a comment

Still looks good to me (no need to ask for my review three times ;) )

@qmonnet qmonnet added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 12, 2022
@oliwave (Contributor, Author) commented Apr 13, 2022

> Still looks good to me (no need to ask for my review three times ;) )

I see. Sorry for bothering you.

@nbusseneau (Member) commented

@oliwave Thanks for your contribution!

@nbusseneau nbusseneau merged commit a0dabcd into cilium:master Apr 13, 2022
@joestringer joestringer added this to Needs backport from master in 1.11.5 Apr 15, 2022
@joestringer joestringer removed this from Needs backport from master in 1.11.4 Apr 15, 2022
@tklauser tklauser added backport-pending/1.11 backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. and removed needs-backport/1.11 labels Apr 19, 2022
@tklauser tklauser moved this from Needs backport from master to Backport done to v1.11 in 1.11.5 Apr 20, 2022