limit the scope of 169.254.169.252/32 to host #107502
Conversation
/sig auth
/priority important-soon
That PR you mention only uses a global unicast address from the loopback if there are no other global unicast addresses on the host. 169.254.0.0/24 is link local and should not be picked. Do you have an occurrence? I find it weird.
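The selection order this comment describes, modeled as an added example (it is not kubelet's own code): interfaces and their addresses are a constructed stand-in struct rather than real `net.Interface` values, and the function names `globalUnicastIPs` and `pickNodeIP` are assumptions for illustration. The point it shows is that Go's `net.IP.IsGlobalUnicast` already rejects anything in 169.254.0.0/16, so an address like 169.254.169.252 is never a candidate, whether it sits on the loopback or on a real interface.

```go
package main

import (
	"fmt"
	"net"
)

// ifaceAddrs is a constructed stand-in for a net.Interface plus the
// addresses assigned to it, so the selection logic runs offline.
type ifaceAddrs struct {
	name     string
	loopback bool
	cidrs    []string // addresses in CIDR form, as `ip addr` lists them
}

// globalUnicastIPs returns the IPv4 global unicast addresses in cidrs.
// net.IP.IsGlobalUnicast is false for 169.254.0.0/16 (link-local), loopback,
// multicast, unspecified and the limited-broadcast address.
func globalUnicastIPs(cidrs []string) ([]net.IP, error) {
	var out []net.IP
	for _, c := range cidrs {
		ip, _, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad address %q: %w", c, err)
		}
		if ip4 := ip.To4(); ip4 != nil && ip4.IsGlobalUnicast() {
			out = append(out, ip4)
		}
	}
	return out, nil
}

// pickNodeIP models the order described in the thread (assumed, for
// illustration): the first global unicast address on a non-loopback
// interface wins; a global unicast address on the loopback interface is
// used only when no other interface has one; link-local addresses are
// never candidates, so the result is nil when nothing else exists.
func pickNodeIP(ifaces []ifaceAddrs) (net.IP, error) {
	var loopbackFallback net.IP
	for _, inf := range ifaces {
		ips, err := globalUnicastIPs(inf.cidrs)
		if err != nil {
			return nil, err
		}
		if len(ips) == 0 {
			continue
		}
		if inf.loopback {
			if loopbackFallback == nil {
				loopbackFallback = ips[0]
			}
			continue
		}
		return ips[0], nil
	}
	return loopbackFallback, nil
}

func main() {
	// Constructed sample: a link-local /32 on lo (as the issue describes),
	// plus a link-local and a routable address on eth0.
	ifaces := []ifaceAddrs{
		{name: "lo", loopback: true, cidrs: []string{"127.0.0.1/8", "169.254.169.252/32"}},
		{name: "eth0", cidrs: []string{"169.254.10.1/16", "10.128.0.5/32"}},
	}
	ip, err := pickNodeIP(ifaces)
	if err != nil {
		panic(err)
	}
	fmt.Println("picked:", ip)
	fmt.Println("169.254.169.252 link-local:", net.ParseIP("169.254.169.252").IsLinkLocalUnicast())
}
```

Because kubelet's candidate filter already excludes link-local addresses, a link-local source address on node-originated traffic points at something below kubelet, such as kernel source-address selection or an SNAT rule, rather than at the node IP that kubelet chose.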
/cc Kubelet should not take this IP, will take a look later, thanks for reporting.
Seems #95790 is not relevant here. This happens in a cluster with Calico enabled.
Is it UDP traffic? Can you provide more details about the problem?
It is the health check traffic (TCP) initiated by kubelet, i.e. node -> pod. If you tcpdump on the IP of any pod that has a health check configured, you would see something like this:
This only happens in a cluster with Calico enabled.
There was an issue with this exact problem, I'll try to find it; it was related to some iptables rules doing NAT, IIRC.
I can't find it, but I think that was the same problem. Check the iptables rules on the host; I don't know why, but sometimes it SNATed the traffic with the link-local address. On that issue it was created by the node-local-dns sidecar.
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mikedanese, zshihang
/retest
What type of PR is this?
/kind bug
What this PR does / why we need it:
When a cluster has Calico enabled, traffic from the node would sometimes use 169.254.169.252 as the source IP instead of the node IP. We need to change the scope from global to host.