Open panpan0000 opened 4 years ago
I found that we enable net.ipv4.vs.conntrack=1 in the code, but when running a native keepalived service (yum install, then service keepalived start), this kernel parameter is not required. This also confuses me.

conntrack=1 is required if we use MASQUERADE to achieve SNAT. But I am not catching what the recommended way is that kube-keepalived-vip officially suggests to achieve SNAT.
This is a [Help Needed] first, and maybe a [Doc Enhancement] later.
As we know, neither native LVS nor keepalived will do SNAT (it should be taken care of by ourselves), but only DNAT. With the steps in the doc, the vip:port is not accessible, because there is no SNAT. Usually, we have to set the default route to the VIP from the real server (the pods in the kube-keepalived-vip scenario). We use another tricky way, to DNAT everything on the node:

iptables -t nat -I POSTROUTING -d 0.0.0.0/0 -j MASQUERADE

[We are using IPVS NAT mode.] But handling SNAT does not seem to be mentioned anywhere in the kube-keepalived-vip documents. Did I miss anything? If not, someone who is not familiar with LVS may suffer from questions like "why is my vip:port not reachable outside the LVS node" ...
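The director-side setup that the post describes (IPVS NAT mode, net.ipv4.vs.conntrack=1, and the SNAT leg for replies), as an added example that is not code from the issue or from kube-keepalived-vip. The VIP, port and real-server addresses are assumed placeholders; the MASQUERADE rule is narrowed with the iptables `ipvs` match (xt_ipvs), which is assumed to be available on the host, instead of the post's catch-all `-d 0.0.0.0/0`. By default the script only prints the plan; set APPLY=1 to execute it as root on a Linux director.

```shell
#!/bin/sh
# Added example (not from the issue or kube-keepalived-vip): LVS/IPVS NAT-mode
# director with the SNAT leg the original post says the docs omit.
# APPLY=1 executes the commands (needs root, ipvsadm, iptables); otherwise the
# commands are printed so the plan can be reviewed on any machine.

VIP="${VIP:-10.0.0.100}"       # assumed virtual IP
VPORT="${VPORT:-80}"           # assumed virtual port
# assumed real servers (pods) as ip:port, space separated
REAL_SERVERS="${REAL_SERVERS:-10.244.1.10:8080 10.244.1.11:8080}"
APPLY="${APPLY:-0}"

# Execute a command when APPLY=1, otherwise print it.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Kernel side: enable forwarding and let netfilter conntrack see packets that
# IPVS handles. By default IPVS bypasses conntrack, so without
# net.ipv4.vs.conntrack=1 the MASQUERADE rule below never matches.
setup_sysctl() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.vs.conntrack=1
}

# IPVS side: the virtual service and its real servers in masquerading (-m,
# i.e. NAT) mode, so client->VIP is DNATed to a real server.
setup_ipvs() {
    run ipvsadm -A -t "$VIP:$VPORT" -s rr
    for rs in $REAL_SERVERS; do
        run ipvsadm -a -t "$VIP:$VPORT" -r "$rs" -m
    done
}

# SNAT side: after IPVS has rewritten the destination, masquerade the source
# so the real server replies to the director even when its default route does
# not point back at the director. Scoped to this one virtual service.
setup_snat() {
    run iptables -t nat -A POSTROUTING -m ipvs --vaddr "$VIP/32" --vport "$VPORT" -j MASQUERADE
}

# Print the complete plan without touching the host (runs in a subshell so
# APPLY=0 does not leak into the caller).
plan() {
    ( APPLY=0; setup_sysctl; setup_ipvs; setup_snat )
}

# Apply all three layers in order: sysctl first, then IPVS, then SNAT.
apply() {
    setup_sysctl
    setup_ipvs
    setup_snat
}

if [ "$APPLY" = "1" ]; then apply; else plan; fi
```

The ordering matters on a real host: the sysctl must be set before traffic flows, and the POSTROUTING rule only has an effect once IPVS has DNATed the packet, so the rule is evaluated on the already-rewritten destination.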