Canal on K8s v1.8 with chain append mode no longer respects networkpolicies #4037
Comments
@KashifSaadat just to confirm, this is only an issue when the |
Yes I believe so, because the flannel rules are then at the bottom of the |
See my comment here. Essentially, Calico is behaving as expected for the given config. There's probably room for a change in flannel to play nicer in this situation, but if possible I'd recommend using the default |
Automatic merge from submit-queue.

Downgrade Flannel in Canal deployment to v0.9.0

Flannel v0.9.1 introduces a single change to add 2 iptables rules to the `FORWARD` chain, permitting traffic in/out of the pod network (introduced to improve compatibility with newer versions of Docker). This change is unnecessary for Canal deployments for the following reasons:

- Calico's `DefaultEndpointToHostAction` is set to `ACCEPT` in the manifest deployed by kops, allowing traffic by default once all other Calico rules are processed.
- If Calico's `ChainInsertMode` is set to `APPEND`, the flannel rules will be processed before the Calico rules, accepting traffic by default, and so Kubernetes network policies will not take effect.

This change is temporary until a more permanent resolution is available with Flannel, such as providing a configurable option to disable the addition of these rules when deployed with Calico.

Related to #4037
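The ordering problem described in that PR message can be checked on a node by reading the `FORWARD` chain. The script below is an added example, not code from kops, Calico or flannel: it parses `iptables -S FORWARD` style output and reports whether a blanket source/destination-CIDR `ACCEPT` rule (the shape of the rules flannel v0.9.1 adds) is evaluated before the jump into Calico's `cali-FORWARD` chain, which is the condition under which network policies are bypassed. The two sample chains, the pod CIDR and the `cali:` comment id are constructed for the example; the `cali-FORWARD` chain name and the exact flannel rule form are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `iptables -S FORWARD` output on a Canal node with
# Calico's default ChainInsertMode (insert): the jump to cali-FORWARD is
# evaluated before flannel's two pod-network ACCEPT rules. The pod CIDR and
# the "cali:" comment id are made up for this example.
INSERT_MODE = [
    '-P FORWARD ACCEPT',
    '-A FORWARD -m comment --comment "cali:EXAMPLE0000000001" -j cali-FORWARD',
    '-A FORWARD -s 100.96.0.0/11 -j ACCEPT',
    '-A FORWARD -d 100.96.0.0/11 -j ACCEPT',
]

# The same node with ChainInsertMode=append: Calico appends its jump, so
# flannel's ACCEPT rules match pod traffic first and Calico's policy chains
# are never consulted for that traffic.
APPEND_MODE = [
    '-P FORWARD ACCEPT',
    '-A FORWARD -s 100.96.0.0/11 -j ACCEPT',
    '-A FORWARD -d 100.96.0.0/11 -j ACCEPT',
    '-A FORWARD -m comment --comment "cali:EXAMPLE0000000001" -j cali-FORWARD',
]

# A jump from FORWARD into Calico's top-level forward chain (assumed name).
CALICO_JUMP = re.compile(r'^-A FORWARD\b.*\s-j cali-FORWARD$')
# An unconditional ACCEPT keyed only on a source or destination CIDR, the
# assumed shape of the rules flannel v0.9.1 adds.
CIDR_ACCEPT = re.compile(r'^-A FORWARD -[sd] (\S+) -j ACCEPT$')


def _first_match(rules: List[str], pattern: "re.Pattern") -> Optional[int]:
    """Index of the first rule matching pattern, or None if none matches."""
    for i, rule in enumerate(rules):
        if pattern.match(rule):
            return i
    return None


def audit_forward_chain(rules: List[str]) -> Dict[str, object]:
    """Check whether Calico's FORWARD jump runs before any blanket CIDR ACCEPT.

    Only '-A FORWARD' entries are considered, in the order iptables evaluates
    them. policy_bypassed is True when a CIDR ACCEPT precedes the cali-FORWARD
    jump, or when there is no cali-FORWARD jump at all.
    """
    appends = [r.strip() for r in rules if r.strip().startswith('-A FORWARD')]
    cali_pos = _first_match(appends, CALICO_JUMP)
    accept_pos = _first_match(appends, CIDR_ACCEPT)
    if cali_pos is None:
        bypassed = True
    elif accept_pos is None:
        bypassed = False
    else:
        bypassed = accept_pos < cali_pos
    return {
        'calico_jump_index': cali_pos,
        'cidr_accept_index': accept_pos,
        'cidr_accept_rule': appends[accept_pos] if accept_pos is not None else None,
        'policy_bypassed': bypassed,
    }


def audit_iptables_save(text: str) -> Dict[str, object]:
    """Convenience wrapper for raw `iptables -S FORWARD` text."""
    return audit_forward_chain(text.splitlines())


if __name__ == '__main__':
    for name, chain in (('insert', INSERT_MODE), ('append', APPEND_MODE)):
        result = audit_forward_chain(chain)
        print(f"{name:6s} policy_bypassed={result['policy_bypassed']} "
              f"calico_jump_index={result['calico_jump_index']} "
              f"cidr_accept_index={result['cidr_accept_index']}")
```

On a real node the same function can be fed the output of `iptables -S FORWARD` via `audit_iptables_save`; a `policy_bypassed` result of True on a node that is supposed to enforce network policy is the signature of the append-mode ordering the issue describes, and re-checking after a Calico or flannel upgrade catches a regression before it reaches production.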
@KashifSaadat Could you raise an issue against flannel to make this configurable |
@tomdee sure, I've raised the following issue to track this: flannel-io/flannel#938 |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/remove-lifecycle stale I've raised this PR to address the issue within flannel: flannel-io/flannel#978 |
The information around this issue is documented here: projectcalico/canal#115
Depending on the outcome from the above issue, we will likely need updates to the following files:
Versions
Cluster Spec (networking block)
CC @chrislovecnm