cilium / cilium

eBPF-based Networking, Security, and Observability
https://cilium.io
Apache License 2.0

Host firewall doesn't work with portmap CNI chaining #12541

Open pchaigno opened 4 years ago

pchaigno commented 4 years ago

The host firewall currently doesn't work with portmap chaining when using kube-proxy. This limitation is related to the fact that we redirect traffic from pods to remote nodes through a tunnel when the host firewall is enabled.

Setting both global.hostFirewall=true and global.cni.chainingMode=portmap results in connection breakage, probably due to some masquerading issue. Packets are not dropped by the host firewall itself (i.e., it fails even with an allow-all policy).

To reproduce the bug, one can comment out the following line in the e2e tests: https://github.com/cilium/cilium/blob/f55ec9066e3a23461a0d14e20b3be8ab49a04c97/test/k8sT/Conformance.go#L79

Related: #12345.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.