Local Redirect Policy results in loopback when socket-LB is disabled

[pravk03]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

PR#13287 was added to prevent the local-redirect service from looping back packets from the service's node-local backend to itself. However, this solution works only when socket load balancing mode is fully enabled (ENABLE_SOCKET_LB_FULL) or when the node local backend uses host network (ENABLE_SOCKET_LB_HOST_ONLY). We would run into the same loopback issue when the local-redirect service uses pod network and we probably need to have a loop prevention logic added in the lxc ebpf code.

cc: @sugangli , @liuyuan10 , @aojea

Cilium Version

Client: 1.13.10
Daemon: 1.13.10

Kernel Version

Linux default-byac 6.1.58+ #1 SMP PREEMPT_DYNAMIC Sat Nov 4 14:14:29 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Kubernetes Version

Client Version: v1.28.5
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.3-gke.1203001

Sysdump

No response

Relevant log output

No response

Anything else?

No response

Code of Conduct

• I agree to follow this project's Code of Conduct

[pravk03]

cc @aditighag

[aditighag]

We would run into the same loopback issue when the local-redirect service uses pod network

Hi! Could you describe your use case: when would you want packets not to be looped back in case of LRP?

[sugangli]

Hi @aditighag , we want to use LRP to redirect traffic to Nodelocal DNS on pod network and be able to send DNS to other DNS service when there is cache miss. However, we cannot enable socket LB because we want to be compatible with Istio (see this doc we shared with the OSS for more context). Is there a better way to do it with bpf_lxc only?

[aditighag]

we want to use LRP to redirect traffic to Nodelocal DNS on pod network and be able to send DNS to other DNS service when there is cache miss.

Did you follow the guide to set up LRP for the node-local dns use case?
Per the official k8s documentation, when there is a cache miss, the node-local dns pods would send DNS requests to the upstream (cluster) DNS pods. When do you see packets getting looped?

However, we cannot enable socket LB because we want to be compatible with Istio (see this doc we shared with the OSS for more context). Is there a better way to do it with bpf_lxc only?

The datapath code that prevents loop in the socket-lb case has some drawbacks, and we are planning to replace that logic (see issue).

[pravk03]

cc @Weil0ng

[pravk03]

when there is a cache miss, the node-local dns pods would send DNS requests to the upstream (cluster) DNS pods. When do you see packets getting looped?

The bpf program on the lxc interface translates the request from node-local DNS pod to cluster DNS back to itself here. We probably need a loop back check here before translation.

[pravk03]

Here is a repro:

• Followed the dev setup gide to set up a kind cluster with cilium 1.14

  cilium version
  cilium-cli: v0.15.20 compiled with go1.21.6 on linux/amd64
  cilium image (default): v1.14.5
  cilium image (stable): v1.14.6
  cilium image (running): 1.14.6

• Set up node local DNS from here. The node local DNS uses 192.168.11.1 as the cluster external DNS server.

• Created a simple pod and updated the DNS server to resolve the queries cluster external DNS server 192.168.11.1 (and bypass kube-dns).

cat <<EOF | kubectl apply -f - 
apiVersion: v1
kind: Pod
metadata:
  name: pk-pod
spec:
  containers:
    - name: pk-pod
      image: busybox
      command: ["/bin/sh", "-c", "echo 'nameserver 192.168.11.1' > /etc/resolv.conf && sleep 10000"]
EOF

• Added a LRP to steer the reqests from cluster external DNS server to node-local-dns pods

  apiVersion: cilium.io/v2
  kind: CiliumLocalRedirectPolicy
  metadata:
    annotations:
    name: nodelocaldns
    namespace: kube-system
  spec:
    redirectFrontend:
      addressMatcher:
        ip: 192.168.11.1
        toPorts:
        - name: dns
          port: "53"
          protocol: UDP
        - name: dns-tcp
          port: "53"
          protocol: TCP
    redirectBackend:
      localEndpointSelector:
        matchLabels:
          k8s-app: node-local-dns
      toPorts:
      - name: dns
        port: "53"
        protocol: UDP
      - name: dns-tcp
        port: "53"
        protocol: TCP

• Trigger a ping command and it works as expected.

kubectl exec pk-pod -- ping -v -c 1 www.google.com
PING www.google.com (142.251.2.99): 56 data bytes
64 bytes from 142.251.2.99: seq=0 ttl=112 time=1.432 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.432/1.432/1.432 ms


From hubble logs:
hubble observe --pod pk-pod -f
Feb  3 01:54:09.224: default/pk-pod (ID:3296) <> kube-system/nodelocaldns-local-redirect:53 (world) pre-xlate-fwd TRACED (UDP)
Feb  3 01:54:09.224: default/pk-pod (ID:3296) <> kube-system/node-local-dns-24dnm:53 (ID:32364) post-xlate-fwd TRANSLATED (UDP)
Feb  3 01:54:09.224: default/pk-pod:45520 (ID:3296) -> kube-system/node-local-dns-24dnm:53 (ID:32364) to-endpoint FORWARDED (UDP)
Feb  3 01:54:09.224: default/pk-pod:45520 (ID:3296) <> kube-system/node-local-dns-24dnm (ID:32364) pre-xlate-rev TRACED (UDP)
Feb  3 01:54:09.224: default/pk-pod:45520 (ID:3296) <> kube-system/node-local-dns-24dnm (ID:32364) pre-xlate-rev TRACED (UDP)
Feb  3 01:54:09.226: default/pk-pod:45520 (ID:3296) <- kube-system/node-local-dns-24dnm:53 (ID:32364) to-endpoint FORWARDED (UDP)
Feb  3 01:54:09.226: kube-system/node-local-dns-24dnm:53 (ID:32364) <> default/pk-pod (ID:3296) pre-xlate-rev TRACED (UDP)
Feb  3 01:54:09.226: kube-system/nodelocaldns-local-redirect:53 (world) <> default/pk-pod (ID:3296) post-xlate-rev TRANSLATED (UDP)
Feb  3 01:54:09.226: kube-system/node-local-dns-24dnm:53 (ID:32364) <> default/pk-pod (ID:3296) pre-xlate-rev TRACED (UDP)
Feb  3 01:54:09.226: kube-system/nodelocaldns-local-redirect:53 (world) <> default/pk-pod (ID:3296) post-xlate-rev TRANSLATED (UDP)
Feb  3 01:54:09.226: default/pk-pod (ID:3296) -> 142.251.2.99 (world) to-stack FORWARDED (ICMPv4 EchoRequest)
Feb  3 01:54:09.228: default/pk-pod (ID:3296) <- 142.251.2.99 (world) to-endpoint FORWARDED (ICMPv4 EchoReply)

• Edit cilium-config configmap to enable socket LB in host only mode (bpf-lb-sock-hostns-only: "true") and restart the cilium-agent pods.

• Trigger a ping command, but now it fails as DNS resolution fails.

kubectl exec pk-pod -- ping -v -c 1 www.google.com
ping: bad address 'www.google.com'
command terminated with exit code 1

From hubble logs:
root@kind-worker:/home/cilium# hubble observe --pod pk-pod -f
Feb  3 01:56:31.292: default/pk-pod:53548 (ID:3296) -> kube-system/node-local-dns-24dnm:53 (ID:32364) to-endpoint FORWARDED (UDP)
Feb  3 01:56:36.777: default/pk-pod:53548 (ID:3296) <- kube-system/node-local-dns-24dnm:53 (ID:32364) to-endpoint FORWARDED (UDP)
Feb  3 01:56:38.855: default/pk-pod (ID:3296) -> 192.168.11.1 (world) to-stack FORWARDED (ICMPv4 DestinationUnreachable(Port))

• Adding some logs in the bpf_lxc.c i confirmed that the requests from node local dns were getting looped back during service lookup.

[aditighag]

The node local DNS would use cluster metadata server as the upstream DNS server (192.168.11.1 as a proxy for cluster metadata server).

I don't follow this. What's "cluster metadata server"? In a standard node-local-dns deployment there is a cluster DNS service and upstream DNS service.

Also, I just noticed that the LRP you've mentioned is incorrect for the node-local dns use case. Please follow this guide to deploy node-local dns and LRP - https://docs.cilium.io/en/latest/network/kubernetes/local-redirect-policy/#node-local-dns-cache.