OnlyLocal nodeports #33587
I guess I should write an e2e as well
Jenkins GCI GKE smoke e2e failed for commit 554e649d10cc19be6159a7b398eae22cd7e1d6c0. Full PR test history. The magic incantation to run this job again is
@@ -1173,6 +1177,16 @@ func (proxier *Proxier) syncProxyRules() { | |||
localEndpointChains = append(localEndpointChains, endpointChains[i]) | |||
} | |||
} | |||
// First rule in the chain redirects all pod -> external vip traffic to the |
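Review bot: the comment that opens the added block, right after the localEndpointChains loop in syncProxyRules, says what the first rule does (redirect pod -> external vip traffic) but a reader of the rules also needs to know why the redirect exists. If the rest of the comment does not already cover it, add the reason the redirect is needed and name the chain the traffic is sent to, so the jump reads as intentional rather than as a bypass of the local-endpoint selection built just above.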
I do not understand this rule. If you jump to the KUBE-SVC chain from the KUBE-XLB chain, then it may reach any backend pods, right?
Oh I see the bug now. You want to allow pods on the node to access the LB.
LGTM cherry pick it for 1.4? Or since it is alpha, do not care.
@bprashanth you mentioned that this might partially fix #33081. Which part does this fix?
@kdima the blackholing part. You just get dnatted to your endpoints, not out to the public lb and back down to your endpoints.
@bprashanth 554e649 to 06cbb36
@kdima thanks!
I didn't actually change anything, just rebased, so I'm re-applying lgtm
Jenkins GKE smoke e2e failed for commit 06cbb36. Full PR test history. The magic incantation to run this job again is
I would say the failure is from this pr at this point but I've seen identical failures across the board.
Jenkins unit/integration failed for commit 06cbb36. Full PR test history. The magic incantation to run this job again is
This change is prime suspect for drastic increase in flakiness of the
Automatic merge from submit-queue

Remove onlyLocal NodePort e2e till pr #33957

We were basically testing this bug: #30809
We fixed the bug: #33587, but forgot to remove the "test".
This pr adds a test for the new feature: #33957 (ensure that nodePort with onlyLocal works only on nodes with endpoints and fails otherwise)

fixes #34124
90% unittests.
Code changes:
NodePorts still don't get firewalls: #33586