Open Anil-YadavK8s opened 2 years ago
There's not currently any config option built in to Calico to do this as far as I'm aware, although it might be just a small enhancement to configure it. Is there a sysctl option for this?
calico CNI interface
What do you mean by the Calico CNI interface?
@caseydavenport Thanks for the reply.
To achieve this we have to run a container (an init container) with root privilege and modify the pod interface via a script which performs "ethtool -K interface-name tx-sctp-segmentation off"
Running a pod with root privilege is a security concern which we want to avoid.
Why is this needed?
We are using Calico as CNI and IPAM on top of OVS-Bridge. We want to disable tx-sctp-segmentation on all Pod interfaces. We disabled tx-sctp-segmentation via ethtool on the calico CNI interface, but the same setting was not propagated to a Pod interface.
Expected Behavior
Current Behavior
worker1~> sudo ethtool -k ccd_int | grep -i tx-sctp-segmentation
tx-sctp-segmentation: on
worker1:~> sudo ethtool -K ccd_int tx-sctp-segmentation off
worker1~> sudo ethtool -k ccd_int | grep -i tx-sctp-segmentation
tx-sctp-segmentation: off
Restart calico pod / test pod - tx-sctp-segmentation was still on on the calico-XX interface of the Pod
worker1:~> sudo ethtool -k calic048fd9a750 | grep tx-sctp-segmentation
tx-sctp-segmentation: on
worker1~> sudo ethtool -k ccd_int | grep -i tx-sctp-segmentation
tx-sctp-segmentation: off
Possible Solution
Context
Is there any parameter exposed by calico IPAM to disable tx-sctp-segmentation on all Pods?
Your Environment