Open hown3d opened 2 months ago
@hown3d Label kind/todo does not exist.
Hi @hown3d. Thanks for your PR.
I'm waiting for a gardener member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
@hown3d Thank you for your contribution.
Thank you @hown3d for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.
/ok-to-test
/test pull-extension-networking-cilium-e2e-kind
@hown3d: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
Test name | Commit | Details | Required | Rerun command |
---|---|---|---|---|
pull-extension-networking-cilium-e2e-kind | 50a1e9beeeb5a5787d9e249dba20170f36a89512 | link | true | /test pull-extension-networking-cilium-e2e-kind |
Full PR test history. Your PR dashboard. Command help for this repository. Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.
In tests I see an issue with this change together with the apiserver-proxy.
apiserver-proxy adds an additional IP address (the service address of the kube-apiserver) to the loopback interface on each node. The endpoint for the kubernetes service has this address, so the traffic to kubernetes.cluster.local is sent to the loopback device, where an envoy proxy is listening and sending the traffic via proxy-protocol to the seed.
With this change this isn't working anymore. In a tcpdump I can see that source NAT is happening and the packets are sent to the default device for outgoing traffic.
I agree that it would be nice to have bpf masquerading. However, right now, I have no easy fix for the broken apiserver-proxy connection.
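A small node-side check for the symptom described in the comment above, added here as an illustration (not code from the PR or the extension): it parses `ip route get` output for the kube-apiserver service IP and reports whether the kernel hands the packet to lo, where apiserver-proxy's envoy listens, or to another device, and whether the cilium config has BPF masquerading switched on. The service IP, route lines and config excerpt are constructed samples.

```shell
#!/usr/bin/env bash
# Added illustration; the service IP, route lines and config lines are constructed samples.
APISERVER_SVC_IP="100.64.0.1"   # hypothetical ClusterIP of the kubernetes service

# `ip route get` output when apiserver-proxy has bound the service IP to lo (healthy).
HEALTHY_ROUTE="local ${APISERVER_SVC_IP} dev lo src ${APISERVER_SVC_IP} uid 0"
# Output for the broken state described in the thread: the packet leaves via the
# default egress device instead of the loopback interface, and gets masqueraded.
BROKEN_ROUTE="${APISERVER_SVC_IP} via 10.250.0.1 dev eth0 src 10.250.0.10 uid 0"
# Constructed excerpt of cilium-config data, one "key: value" pair per line.
CILIUM_CONFIG="routing-mode: native
enable-ipv4-masquerade: true
enable-bpf-masquerade: true"

# Print the interface that a given `ip route get` line selects.
route_dev() {
  printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Return 0 when the config enables BPF masquerading (the setting this PR turns on).
bpf_masquerade_enabled() {
  printf '%s\n' "$1" | awk -F': *' '$1 == "enable-bpf-masquerade" { found = ($2 == "true") } END { exit !found }'
}

# Return 0 when traffic to the service IP stays on lo (apiserver-proxy reachable),
# 1 when it would leave through another interface; with BPF masquerading on, that
# is the SNAT-to-default-device symptom seen in the tcpdump described above.
check_apiserver_route() {
  local route="$1" config="$2" dev
  dev="$(route_dev "$route")"
  if [ "$dev" = "lo" ]; then
    echo "ok: ${APISERVER_SVC_IP} is delivered to lo (apiserver-proxy path)"
    return 0
  fi
  if bpf_masquerade_enabled "$config"; then
    echo "warning: ${APISERVER_SVC_IP} routed via '${dev:-unknown}' with BPF masquerading on; apiserver-proxy bypassed"
  else
    echo "warning: ${APISERVER_SVC_IP} routed via '${dev:-unknown}', not lo"
  fi
  return 1
}

# On a real node you would pass "$(ip route get "$APISERVER_SVC_IP")" as the first argument.
check_apiserver_route "$HEALTHY_ROUTE" "$CILIUM_CONFIG"
check_apiserver_route "$BROKEN_ROUTE" "$CILIUM_CONFIG" || true
```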
How to categorize this PR?
/area networking
/kind TODO
What this PR does / why we need it:
Enable bpf-masquerading on direct routing if SNAT masquerades are not enabled. For more information see the issue.
Which issue(s) this PR fixes: Fixes #349
Special notes for your reviewer:
Release note: