Kube-proxy: ICMP reject via LBs when no endpoints #74394
What this PR does / why we need it:
ICMP reject services with no endpoints through LBs. We already reject all other cases.
Does this PR introduce a user-facing change?:
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: thockin
2 times, most recently
Feb 22, 2019
referenced this pull request
Feb 26, 2019
As this PR is virtually identical to #72879, I would appreciate it if you name me as co-author and close the other one.
Testing is indeed tricky but here is how I did it manually (with some proposal to automate). Our problem was not the "connection refused" but the stale conntrack entries that were caused by not rejecting the packets. Downside is that it works only for providers that have load balancers that do not terminate the TCP connections.
Log on to the host or a pod with host network (in this case calico-node)
Make sure there are not
-> no stale SYN_SENT entries, all clean
Start curl endless loop
Scale replicas to 0
Go to host and look for stale entries:
With the fix we don't see any stale
This can be simplified in the following way, however that works only if the load balancer is not a terminating one:
This should be straightforward but will not work when NodePort is created for the LB (but is straightforward to automate).
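The stale-entry check from the manual procedure above, as an added example that is not part of the PR or of any commenter's post: a filter that counts unreplied TCP `SYN_SENT` conntrack entries toward one load balancer address and port. The function names and the sample lines (documentation addresses) are constructed for illustration; on a host the input would come from `conntrack -L`.

```shell
#!/bin/sh
# Count unreplied TCP SYN_SENT conntrack entries toward one service address.
# Reads `conntrack -L` style text on stdin; $1 = destination IP, $2 = port.
# count_stale_syn_sent is a hypothetical helper name, not kube-proxy code.
count_stale_syn_sent() {
    awk -v ip="$1" -v port="$2" '
        $1 == "tcp" && $4 == "SYN_SENT" {
            # The first dst=/dport= pair on a line is the original direction.
            dst = ""; dport = ""
            for (i = 5; i <= NF; i++) {
                if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
                if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
            }
            if (dst == ip && dport == port && index($0, "[UNREPLIED]")) n++
        }
        END { print n + 0 }
    '
}

# Constructed sample input, not output captured from the PR discussion.
sample_conntrack() {
cat <<'EOF'
tcp      6 118 SYN_SENT src=10.0.0.5 dst=203.0.113.10 sport=40112 dport=80 [UNREPLIED] src=203.0.113.10 dst=10.0.0.5 sport=80 dport=40112 mark=0 use=1
tcp      6 97 SYN_SENT src=10.0.0.5 dst=203.0.113.10 sport=40118 dport=80 [UNREPLIED] src=203.0.113.10 dst=10.0.0.5 sport=80 dport=40118 mark=0 use=1
tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=203.0.113.10 sport=40001 dport=80 src=10.244.1.7 dst=10.0.0.5 sport=8080 dport=40001 [ASSURED] mark=0 use=1
tcp      6 110 SYN_SENT src=10.0.0.5 dst=203.0.113.20 sport=51000 dport=443 [UNREPLIED] src=203.0.113.20 dst=10.0.0.5 sport=443 dport=51000 mark=0 use=1
udp      17 25 src=10.0.0.5 dst=10.96.0.10 sport=53211 dport=53 src=10.244.0.3 dst=10.0.0.5 sport=53 dport=53211 mark=0 use=1
EOF
}
```

On a node this would be run as `conntrack -L 2>/dev/null | count_stale_syn_sent <LB-IP> <port>` before and after scaling the replicas to 0; a count that stays at 0 matches the "no stale entries" outcome described for the fix.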
Happy to name you as co-author (inasmuch as that's a thing).
We need to have automated testing for this. I have been jumping between tasks, and have not had much time on this one. I think I finally figured why the approach I had was not working. If this run fails the way I expect, then we can proceed.