Open AhmadMS1988 opened 2 months ago
VPC-CNI with Security Group for Pods work with kube-proxy in IPVS
Yes, there is no limitation that we know of that would prevent this from working. Kube-Proxy is the service proxy layer; its mode, ipvs or iptables, shouldn't interfere with the SGPP functionality of pods.
I will set up an IPVS cluster, verify, and share my output.
Hi @AhmadMS1988,
I set up the cluster and switched kube-proxy to IPVS mode. I also created an Nginx service with a security group and tested in-cluster pod-to-pod connectivity to Nginx, which worked fine. Could you please provide more details on the specific networking test that is failing? TIA!
Hi all; @orsenthil, please inform me of your findings. @yash97, are you sure that you replaced the worker nodes after switching kube-proxy to ipvs mode? I opened a ticket with the AWS EKS team and they confirmed that they can replicate the situation. Thanks all
@AhmadMS1988 - I was able to verify SGP working with kube-proxy in IPVS mode.
Followed these public docs.
apiVersion: v1
kind: Pod
metadata:
  name: curl-pod
  namespace: my-namespace
spec:
  containers:
  - name: curl-container
    image: curlimages/curl
    command: ['sh', '-c', 'while true; do sleep 30; done;']
kubectl exec -it curl-pod -n my-namespace -- sh
~ $ curl my-app
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
For online documentation and support please refer to
nginx.org.
Commercial support is available at
nginx.com.
Thank you for using nginx.
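The check above, as an added example that is not code from the thread or the project: it repeats the curl-pod probe against the my-app service and adds the two guards the discussion implies, confirming that kube-proxy actually runs in IPVS mode and listing worker nodes created before the mode switch (the ones that still need replacing). Assumed: kubectl points at the cluster, the kube-proxy config is in the kube-proxy-config ConfigMap under data.config as on EKS, and the pod name sgp-probe and the PROBE_LABELS selector are ours.

```shell
#!/usr/bin/env sh
# Added example, not from the issue thread. Assumptions: kubectl targets the
# cluster; kube-proxy config sits in ConfigMap kube-proxy-config, key data.config
# (EKS layout); "sgp-probe" and PROBE_LABELS are names chosen for this script.
set -eu

# Proxy mode declared in a KubeProxyConfiguration document. Pure text, so it needs
# no cluster. An empty or missing "mode" means kube-proxy's default, iptables.
kube_proxy_mode() {
  m=$(printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*mode:[[:space:]]*"\{0,1\}\([a-z]*\)"\{0,1\}.*/\1/p' | head -n1)
  [ -n "$m" ] && printf '%s\n' "$m" || printf 'iptables\n'
}

# Nodes whose creationTimestamp predates the switch time. RFC 3339 UTC stamps
# sort correctly as plain strings, so no date parsing is needed.
stale_nodes() {
  # $1: switch time, e.g. 2024-07-01T10:00:00Z; stdin: "<node> <creationTimestamp>" lines
  awk -v cutoff="$1" '$2 < cutoff { print $1 }'
}

# Start a throwaway curl pod (labelled to match the SecurityGroupPolicy selector),
# request the service through its ClusterIP and report the HTTP status.
probe_service() {
  ns=${1:-my-namespace}; svc=${2:-my-app}
  kubectl -n "$ns" run sgp-probe --image=curlimages/curl --restart=Never \
    --labels="${PROBE_LABELS:-role=sgp-probe}" --command -- sh -c 'sleep 3600' >/dev/null
  kubectl -n "$ns" wait --for=condition=Ready pod/sgp-probe --timeout=120s >/dev/null
  code=$(kubectl -n "$ns" exec sgp-probe -- \
    curl -s -o /dev/null -m 10 -w '%{http_code}' "http://$svc" || echo 000)
  kubectl -n "$ns" delete pod sgp-probe --wait=false >/dev/null
  if [ "$code" = 200 ]; then
    echo "OK: $svc answered 200 through kube-proxy"
  else
    echo "FAIL: $svc returned $code; branch-ENI pods may have lost their datapath"
    return 1
  fi
}

# Usage: sh sgp_ipvs_check.sh run 2024-07-01T10:00:00Z   (time the mode was switched)
if [ "${1:-}" = "run" ]; then
  cfg=$(kubectl -n kube-system get configmap kube-proxy-config -o jsonpath='{.data.config}')
  echo "kube-proxy mode: $(kube_proxy_mode "$cfg")"
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.creationTimestamp}{"\n"}{end}' \
    | stale_nodes "${2:?switch time required}" | sed 's/^/created before the switch, replace: /'
  probe_service
fi
```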
What happened: We need to use kube-proxy in IPVS mode with VPC CNI because of our increased number of pods, as well as to achieve load balancing between requests using k8s services.
We noticed that for pods that have security groups and branch network interfaces, both ingress and egress traffic of these pods stops and never comes back until we go back to iptables mode and refresh all nodes.
We need to know if VPC CNI supports both security groups for pods and kube-proxy in IPVS mode.
Environment:
- Kubernetes version (use kubectl version): Client Version v1.30.2, Kustomize Version v5.0.4-0.20230601165947-6ce0bf390ce3, Server Version v1.30.1-eks-1de2ab1
- CNI Version: v1.18.2-eksbuild.1
- kube-proxy Version: v1.30.0-eksbuild.3
- OS (e.g. cat /etc/os-release): Amazon Linux 2023.5.20240624 (v1.30.0-eks-036c24b); Bottlerocket OS 1.20.3 (aws-k8s-1.30) (v1.30.0-eks-fff26e3)
- Kernel (e.g. uname -a): Amazon Linux 6.1.94-99.176.amzn2023.x86_64; Bottlerocket OS 6.1.92
- Tested on both arm64 and amd64