datapath: Only NOTRACK proxy return traffic going to Cilium datapath#11899
datapath: Only NOTRACK proxy return traffic going to Cilium datapath#11899joestringer merged 1 commit intomasterfrom
Conversation
Proxy return traffic accessed via a k8s NodePort will not be routed back via Cilium bpf datapath, so such traffic needs to have possible reverse NAT applied. Setting NOTRACK prevented this. Fix this by setting NOTRACK only on packets heading back to the Cilium datapath (-o lxc+ and -o cilium_host). Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
|
test-me-please |
|
test-gke |
|
This fixed nodeport with L7 on GKE on manual testing. |
|
1.17 flake #10231 |
|
K8s test suite run locally against a private cluster passed on GKE with this PR: |
|
retest-4.19 |
|
retest-gke |
|
Change makes sense, probably just worth considering whether to further gate one of the new rules per my feedback above. I don't think it makes sense to backport to v1.6, we're not hearing reports of issues on that release with eg. EKS. This fixes a known issue with the GKE mode which is the same on v1.7 and v1.8 so those backports make sense to me. |
joestringer
left a comment
There was a problem hiding this comment.
We should agree on the previous comment before merging:
https://github.com/cilium/cilium/pull/11899/files#r436051065
|
Merging despite GKE failure since the GKE job seems entirely broken but Jarno had manually validated the fix in a GKE environment. |
#11899 made it possible to run NodePort BPF with L7 policies. Signed-off-by: Martynas Pumputis <m@lambda.lt>
#11899 made it possible to run NodePort BPF with L7 policies. Signed-off-by: Martynas Pumputis <m@lambda.lt>
Proxy return traffic accessed via a k8s NodePort will not be routed
back via Cilium bpf datapath, so such traffic needs to have possible
reverse NAT applied. Setting NOTRACK prevented this. Fix this by
setting NOTRACK only on packets heading back to the Cilium datapath
(
-o lxc+and-o cilium_host).Fixes: #8971
Fixes: #8945
Signed-off-by: Jarno Rajahalme jarno@covalent.io