nirmata / kube-static-egress-ip

Kubernetes CRD to manage static egress IP addresses for workloads
Apache License 2.0

`kube-static-egress-ip` results in rp_filter issues in case of multiple physical networks #14

Open murali-reddy opened 5 years ago

murali-reddy commented 5 years ago

kube-static-egress-ip directs the traffic from the director node to the gateway node by using policy-based routing. For example, if a staticegressip custom resource is created as below,

```yaml
apiVersion: staticegressips.nirmata.io/v1alpha1
kind: StaticEgressIP
metadata:
  name: eip
spec:
  rules:
  - egressip: 100.137.146.100
    service-name: frontend
    cidr: 4.2.2.2/32
```

traffic from the pods that need a static egress IP for traffic destined to 4.2.2.2 should be steered to the gateway node. While this works fine for nodes with a single network interface, it will fail if the node has multiple interfaces.

For example, if a node has two interfaces, eth0 and eth1, the default route to 4.4.4.4 is via eth0, and the director sends the traffic to the gateway node via eth1, then this results in RPF (reverse path filtering) dropping the packets.

We can disable RPF, but it's not desirable. kube-static-egress-ip should work through RPF issues using policy-based routing.
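The following is an added illustration, not part of the issue or of the project's code: a simplified model of the Linux `rp_filter` source check (0 = off, 1 = strict, 2 = loose) applied to the two-interface case described above. It assumes a single routing table, made-up node subnets, and that replies from 4.2.2.2 reach the director node on eth1.

```python
import ipaddress

OFF, STRICT, LOOSE = 0, 1, 2  # values of net.ipv4.conf.*.rp_filter

def effective_mode(conf_all, conf_iface):
    # The kernel validates with the higher of conf/all and conf/<iface>.
    return max(conf_all, conf_iface)

def best_route(routes, addr):
    """Longest-prefix match over (cidr, dev) pairs; returns dev or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(c), d) for c, d in routes]
    hits = [(n, d) for n, d in hits if ip in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def rpf_accepts(routes, src, in_dev, mode):
    """Would source validation accept a packet from src arriving on in_dev?"""
    if mode == OFF:
        return True
    dev = best_route(routes, src)
    if dev is None:          # no route back to the source at all
        return False
    return mode == LOOSE or dev == in_dev

# Constructed director-node routing table (subnets are made up).
DIRECTOR_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route, so 4.2.2.2 resolves to eth0
    ("10.0.1.0/24", "eth0"),
    ("10.0.2.0/24", "eth1"),      # network shared with the gateway node
]

def demo():
    mode = effective_mode(conf_all=STRICT, conf_iface=OFF)
    reply_src = "4.2.2.2"         # cidr from the StaticEgressIP rule above
    before = rpf_accepts(DIRECTOR_ROUTES, reply_src, "eth1", mode)
    # A more specific route makes eth1 the best reverse path for that source.
    fixed = DIRECTOR_ROUTES + [("4.2.2.2/32", "eth1")]
    after = rpf_accepts(fixed, reply_src, "eth1", mode)
    loose = rpf_accepts(DIRECTOR_ROUTES, reply_src, "eth1", LOOSE)
    return mode, before, after, loose

if __name__ == "__main__":
    print(demo())
```

In the real kernel the reverse lookup also goes through the policy routing rules, which this single-table model folds into one route list.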