Expected Behavior
When enabling a doNotTrack policy for a host endpoint (with an allow-all profile + a global network policy for that host endpoint), requests from another physical host to container/workload endpoints on that host should work properly.
Current Behavior
Requests from a remote physical host to the host endpoint are dropped by the conntrack INVALID rule:
[7:420] -A cali-fw-cali0d15f58372a -m comment --comment "cali:W0TLQ_-e8RQ1FC18" -m conntrack --ctstate INVALID -j DROP
Disabling rp-filter doesn't help. It only works by setting FELIX_DISABLECONNTRACKINVALIDCHECK to true.
My DefaultEndpointToHostAction is ACCEPT.
Context
We have a redis container that receives quite high traffic from services on another physical node, and thus has some weird latency outliers quite often. We suspect that it may be a conntrack issue and want to disable it completely, so we need to configure a doNotTrack policy for our host endpoint.
"doNotTrack" was designed for host protection rather than workload protection; in this case, I think the problem is that the pod policy is also being applied, and pod policy always expects conntrack (since most k8s network usage relies on that).
Depending on your use case, it may be cleaner to run your pod host-networked so that it serves directly on the host's IP; then doNotTrack will work as expected.
Disabling the invalid check seems reasonable in your use case; it's a defensive measure.
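As an added example (not from this thread or the Calico project) of the host-networked layout the comment above suggests: the host endpoint, a doNotTrack GlobalNetworkPolicy for it, and the redis pod bound to the host's IP. Node name, interface, labels, IP ranges and the redis port are assumptions; note that an untracked policy has no connection state to match return traffic against, so the reply direction has to be allowed explicitly.

```yaml
# Added example; names, labels and addresses are assumptions, not values from the thread.
apiVersion: projectcalico.org/v3
kind: HostEndpoint
metadata:
  name: node1-eth0
  labels:
    role: redis-host
spec:
  node: node1
  interfaceName: eth0
  expectedIPs:
  - 192.0.2.10
---
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: redis-untracked
spec:
  selector: role == 'redis-host'
  order: 10
  # Bypass conntrack for traffic matched by this policy.
  doNotTrack: true
  applyOnForward: true
  ingress:
  # Clients on the other nodes reaching redis on the host IP.
  - action: Allow
    protocol: TCP
    source:
      nets:
      - 192.0.2.0/24
    destination:
      ports:
      - 6379
  egress:
  # Untracked traffic has no RELATED/ESTABLISHED state, so allow the
  # replies (source port 6379) explicitly instead of relying on conntrack.
  - action: Allow
    protocol: TCP
    source:
      ports:
      - 6379
    destination:
      nets:
      - 192.0.2.0/24
---
apiVersion: v1
kind: Pod
metadata:
  name: redis
spec:
  # Serve directly on the host's IP so no workload endpoint (and no
  # cali-fw-* chain with its INVALID drop) sits in the path.
  hostNetwork: true
  nodeName: node1
  containers:
  - name: redis
    image: redis
    ports:
    - containerPort: 6379
```

With the pod host-networked, the packet only traverses the host endpoint rules, so the `--ctstate INVALID` drop in the workload chain shown in the report no longer applies; anything not matched by the untracked policy still falls through to the normal, tracked host endpoint policy.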
You're right. This doNotTrack feature, if applied at the host endpoint level only, will break our k8s services.
I wanted to use this to get rid of conntrack entirely for some of my services which are headless (clusterIP = None), but I can't find a way to apply it to them only.
Could you please tell me:
Thanks in advance
My Environment