When Cilium defers service translation to kube-proxy, it applies the host firewall logic before the service translation (DNAT) to backend endpoints, so the firewall applies to all such services rather than applying to the backend endpoints like the policy would with kubeProxyReplacement fully enabled. The general position of Cilium policy enforcement is to apply service translation prior to firewalling, so it is also inconsistent with that.
This is only an issue when the host firewall is enabled (with a host firewall policy imported) and kube-proxy-replacement is configured not to implement services for the native device (e.g., NodePort).
@pchaigno I didn't see an issue for this yet but if there is one, feel free to close this one.
Cilium v1.8
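A simplified model of the ordering problem described above, added as an illustration (this is not Cilium's datapath code): the same host firewall policy, written against the backend port, gives different verdicts depending on whether it is evaluated before or after service DNAT. The node IP, NodePort, backend addresses and the allowed port are constructed sample values.

```python
"""Model of host-firewall vs. DNAT ordering (added illustration, not Cilium code).
The point of the report: when services are deferred to kube-proxy, the host
firewall sees the NodePort destination instead of the translated backend."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int

# Constructed sample data: one NodePort service mapped to two backends.
NODE_IP = "192.0.2.10"
SERVICES: Dict[Tuple[str, int], List[Tuple[str, int]]] = {
    (NODE_IP, 30080): [("10.0.1.5", 8080), ("10.0.1.6", 8080)],
}

# Constructed host-firewall policy: only the backend port 8080 is allowed.
ALLOWED_DST_PORTS = {8080}

def dnat(pkt: Packet) -> Packet:
    """Translate a service address to its first backend (no load balancing needed)."""
    backends = SERVICES.get((pkt.dst_ip, pkt.dst_port))
    if not backends:
        return pkt
    ip, port = backends[0]
    return replace(pkt, dst_ip=ip, dst_port=port)

def host_firewall(pkt: Packet) -> bool:
    """Allow-list check on the destination port the firewall actually sees."""
    return pkt.dst_port in ALLOWED_DST_PORTS

def process(pkt: Packet, firewall_before_dnat: bool) -> Tuple[bool, Packet]:
    """Return (allowed, packet as delivered); the order models the datapath mode."""
    if firewall_before_dnat:
        # Services deferred to kube-proxy: the policy is matched against the NodePort.
        allowed = host_firewall(pkt)
        return allowed, (dnat(pkt) if allowed else pkt)
    # kubeProxyReplacement fully enabled: DNAT first, then the policy sees the backend.
    translated = dnat(pkt)
    return host_firewall(translated), translated

def compare() -> Dict[str, bool]:
    """Same packet and same policy under both orderings."""
    pkt = Packet(NODE_IP, 30080)
    return {
        "kpr_full": process(pkt, firewall_before_dnat=False)[0],
        "deferred_to_kube_proxy": process(pkt, firewall_before_dnat=True)[0],
    }
```

Running `compare()` shows the backend-scoped policy passing traffic under full kube-proxy replacement and dropping the same traffic when the firewall runs before DNAT, which is the inconsistency the report describes.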