Always create kubeClusterIPSet in ipvs proxier #65388
/ok-to-test
/lgtm /approve Thanks for catching this 👍
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: lbernail, m1093782566 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
/retest Review the full test history for this PR. Silence the bot with an
@m1093782566 Thanks. Everything seems to look good now
/milestone v1.11
/kind bug /sig network /priority critical-urgent
[MILESTONENOTIFIER] Milestone Pull Request Needs Approval @lbernail @m1093782566 @kubernetes/sig-network-misc Action required: This pull request must have the Pull Request Labels
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue (batch tested with PRs 65388, 64995). If you want to cherry-pick this change to another branch, please follow the instructions here.
😮 That's impressive!
…8-origin-release-1.11
Automatic merge from submit-queue.
Automated cherry pick of #65388
This PR has already been merged in master (this is my first use of the cherry-pick script, let me know if something is missing)
```release-note
Allow access to ClusterIP from the host network namespace when kube-proxy is started in IPVS mode without either masqueradeAll or clusterCIDR flags
```
What this PR does / why we need it:
This PR creates the kubeClusterIPSet ipset even if kube-proxy is started without masqueradeAll and clusterCIDR.
This is necessary to masquerade traffic sent to a clusterIP from the host network namespace. The code to do so is actually already present here: https://github.com/kubernetes/kubernetes/blob/master/pkg/proxy/ipvs/proxier.go#L1220-L1244
However the second else (neither masqueradeAll nor clusterCIDR are set) cannot be used because, before this PR, the initial test
```
if !proxier.ipsetList[kubeClusterIPSet].isEmpty()
```
can never return true when masqueradeAll and clusterCIDR are not set because kubeClusterIPSet is empty.
Which issue(s) this PR fixes
Fixes #65158
Additional comment
Issue #65158 is closed because ClusterIP access from the host has already been fixed in master, except for the case described here (no masquerade flag). More detail in the issue.
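The unreachable branch described in the PR text, as a simplified model added here for illustration (not code from the PR or from kube-proxy). `Config`, `populateSet`, `masqRule`, `Rule`, the `alwaysCreate` switch, the rule labels and the sample addresses are all hypothetical names and constructed values.

```go
package main

import "fmt"

// Config holds the two kube-proxy flags the PR description names.
type Config struct {
	MasqueradeAll bool
	ClusterCIDR   string
}

// populateSet models filling kubeClusterIPSet during a sync (hypothetical helper).
// alwaysCreate=false is the pre-PR behaviour described above: the set is only
// filled when a masquerade flag is given. alwaysCreate=true is the behaviour after the PR.
func populateSet(cfg Config, clusterIPs []string, alwaysCreate bool) []string {
	if alwaysCreate || cfg.MasqueradeAll || cfg.ClusterCIDR != "" {
		return append([]string(nil), clusterIPs...)
	}
	return nil
}

// masqRule models the three-way branch behind the isEmpty() guard and returns
// a label for the rule that would be written, or "" when no rule is written.
func masqRule(cfg Config, set []string) string {
	if len(set) == 0 { // guard: !isEmpty() is false, so no branch runs
		return ""
	}
	switch {
	case cfg.MasqueradeAll:
		return "masqueradeAll rule"
	case cfg.ClusterCIDR != "":
		return "clusterCIDR rule"
	default: // the "second else": neither flag set
		return "host-namespace rule"
	}
}

// Rule is the end-to-end result for one configuration.
func Rule(cfg Config, ips []string, alwaysCreate bool) string {
	return masqRule(cfg, populateSet(cfg, ips, alwaysCreate))
}

func main() {
	ips := []string{"10.96.0.1", "10.96.0.10"} // constructed sample ClusterIPs
	for _, cfg := range []Config{{}, {MasqueradeAll: true}, {ClusterCIDR: "10.244.0.0/16"}} {
		fmt.Printf("%+v\n  before: %q\n  after:  %q\n", cfg, Rule(cfg, ips, false), Rule(cfg, ips, true))
	}
}
```

With neither flag set, the pre-PR model writes no rule at all, so the host-namespace branch only becomes reachable once the set is always populated.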