Canal didn't add blackhole route, why?

[linyinli]

Expected Behavior

Pod traffic does not go out of the host.

Current Behavior

Pod traffic was going out of the host.

Possible Solution

Fix it.

Steps to Reproduce (for bugs)

1. Use Canal(VXLAN) for K8s CNI plugin;
2. Create a nginx pod in host 1;
3. Create a alpine pod in host 2;
4. Use tcpdump to show host nic traffic in the host 1;
5. Use alpine pod to curl nginx pod IP, the traffic is normal;
6. Delete nginx pod and try again( alpine will curl a not exist pod IP), we can see the pod IP on the host 1 nic traffic, this is not normal.

Context

Unlike Calico, Canal did not add blackhole route, is the blackhole route not added because it will affect the working of Canal?

Pod traffic should never go out. We have an issue by use Cicso ACI SDN. It caused a cyber storm.

Your Environment

• Calico version: Canal 3.12
• Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes
• Operating System and version: RHEL 7.9

https://github.com/projectcalico/calico/issues/4362 https://github.com/projectcalico/calico/issues/3498

[linyinli]

This is my pods list: nginx pod IP 10.42.0.36 alpine pod IP 10.42.1.28

There is my curl record: I exec into alpine and curl the nginx pod IP, the result of curl is normal when nginx pod exists, and it return "Operation timed out" after I deleted the nginx pod.

When the nginx pod exists and I curl the nginx pod IP, tcpdump cannot capture 10.42.1.28 traffic on the host eth0 nic.

When the nginx pod not exists and I curl the nginx pod IP again, tcpdump can capture 10.42.1.28 traffic on the host eth0 nic.

[caseydavenport]

If you want those blackhole routes, you probably need to either raise an issue with flannel itself (who is responsible for programming of the routes) or just use Calico VXLAN which recently added support for programming those blackhole routes.

This repository isn't maintained any more, and the Calico / flannel integration is instead maintained at github.com/projectcalico/calico