donotrack policy requires disabling conntrack invalid check #2609
Comments
|
"doNotTrack" was designed for host protection rather than workload protection; in this case, I think the problem is that the pod policy is also being applied and pod policy is always expecting conntrack (since most k8s network usage relies on that). Depending on your use case, it may be cleaner to run your pod host-networked so that it serves directly on the host's IP; then doNotTrack will work as expected. Disabling the invalid check seems reasonable in your use case, it's a defensive measure. |
|
You're right. This doNotTrack feature if applying to hostendpoint level only will break our k8s services. Thanks for your answer anyway. |
Expected Behavior
When enable donotrack policy for an host endpoint ( with Allow-all profile + global network policy for that host endpoint ), request from another physical host to container / workload endpoints on that host will work properly
Current Behavior
Request from remote physical host to host endpoint was drop by conntrack INVALID
[7:420] -A cali-fw-cali0d15f58372a -m comment --comment "cali:W0TLQ_-e8RQ1FC18" -m conntrack --ctstate INVALID -j DROPdisable rp-filter doesn't help. Only work by setting FELIX_DISABLECONNTRACKINVALIDCHECK to true.
My DefaultEndpointToHostAction is ACCEPT.
Context
We have a redis container that receive quite high traffic from services on another physical note, thus have some weird latency outliers quite often. We suspect that may be conntrack issue and want to disable it completely, thus need to configure donotrack policy for our hostendpoint
Could you please tell me:
Thanks in advance
My Environment
The text was updated successfully, but these errors were encountered: