projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Support internalTrafficPolicy=Local the same way as externalTrafficPolicy=Local #5155

Closed olljanat closed 2 years ago

olljanat commented 2 years ago

Currently Calico allows minimizing extra hops with externalTrafficPolicy=Local, but it is only supported by LoadBalancer and NodePort. That is why it would be nice to have support for the same behavior with internalTrafficPolicy=Local so it can be used with ClusterIP.

internalTrafficPolicy=Local needs the feature gate ServiceInternalTrafficPolicy to be enabled, but as it was promoted to beta in Kubernetes 1.22 it is enabled by default now.

I can prepare a pull request for this if the idea gets the green light and someone guides me to the correct part of the code.

caseydavenport commented 2 years ago

CC @tomastigera

tomastigera commented 2 years ago

eBPF dataplane will support internalTrafficPolicy=Local in 3.23. It is available in master since this commit as part of PR https://github.com/projectcalico/felix/pull/3076

olljanat commented 2 years ago

That's nice. However, afaiu eBPF is still quite far from being production ready, so maybe it would make sense to support internalTrafficPolicy=Local also with iptables/ipvs?

tomastigera commented 2 years ago

Afaict, for the iptables mode, you need to enable it in kube-proxy, not in calico. And as for eBPF, it is quite production ready, judging by it running in many production environments ;-)

olljanat commented 2 years ago

> Afaict, for the iptables mode, you need to enable it in kube-proxy, not in calico.

Ah, thanks for clarifying. I had missed that fact.

> And as for eBPF, it is quite production ready, judging by it running in many production environments ;-)

Ok. Nice to know. However, the limitations list is still quite long https://projectcalico.docs.tigera.io/maintenance/ebpf/enabling-bpf#limitations and especially hybrid cluster support is something which I most probably will need, which is why there is item #5149

Anyway, will close this one as it is kube-proxy side thing.

olljanat commented 2 years ago

> eBPF dataplane will support internalTrafficPolicy=Local in 3.23. It is available in master since this commit as part of PR projectcalico/felix#3076

@tomastigera did I read the code correctly that it is actually supported already in 3.22? To me it looks like it, but I didn't find any mention of it in the release notes (or maybe I missed it).

tomastigera commented 2 years ago

I think it is in 3.22

bewing commented 2 years ago

Couldn't you also do this without eBPF if calico advertises /32s for services with internalTrafficPolicy: Local while using iptables-mode kube-proxy?

tomastigera commented 2 years ago

Without eBPF we use regular kube-proxy which programs the service rules. We have no say in that.

bewing commented 2 years ago

I think internalTrafficPolicy: Local disables the SNAT in kube-proxy when present? I will have to experiment and check.