-
Notifications
You must be signed in to change notification settings - Fork 374
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make proxyAll/LoadBalancerModeDSR work with kube-proxy present #6232
Comments
Do we need to bypass all Service traffic or only LoadBalancers? If bypassing all Service traffic (I assumed that users need to set
If bypassing LoadBalancer traffic only, we could add a chain to match LoadBalancer traffic and bypass kube-proxy in prerouting/input chain of nat table. We could leverage some existing code to build the iptables rules and sync them periodically. I'm looking forward to hearing your thoughts. |
Just want to confirm this requirement is only suitable for Linux, right? I am asking it because we can't make kube-proxy with kernel mode to work with Antrea on Windows, since it may cause issues in the HNS Network (VMSwitch) because the VMSwitch Extensions are not consistent. |
I'm thinking the external access points only, i.e. LBIP, externalIP, NodePort. It's basically the same as before but ensures the effective proxy is antrea, regardless of kube-proxy's presence.
Yes, I was thinking ipsets contsisting LBIPs and externalIPs, like NodePort ipset. We could perhaps even remove the per-ip route (but perhaps not good to make the change in the same PR).
Yes, it's for Linux only. The proposal is just making a common scenario work better, not introducing a scenario not required by users. |
It seems that we cannot remove the per-ip route. If we remove these routes we need to do DNAT to the traffic destined for the LBIPs and externalIPs(like NodePort). Another issue introduce in this case is that we cannot identify these traffic in ServiceLB table since they all have the same destination IP. |
I should have described more details: after matching the IPs in iptables, the action should mark them, then we only need a single route to forward them to OVS, thus we don't need per-ip route. |
Do you meant that we can use a policy-route to forward the marked traffic to the OVS pipeline? |
How about this? This is the chain I'm testing right now but not finished yet:
|
Describe what you are trying to solve
For users who want to use
LoadBalancerModeDSR
, currently we require kube-proxy to be removed as it will handle the Service traffic in host network before it gets forwarded to OVS, which is also the prerequisite of usingproxyAll
.However, removing kube-proxy may be not a easy task for users of managed Kubernetes clusters which don't provide the option. Hence, it would be hard for them to take advantage of this feature on these platforms.
Previously we don't have a good reason why users want to use
proxyAll
when kube-proxy is present, but with the DSR support, now I wonder whether we should makeproxyAll
really proxy all Service traffic regardless of the presence of kube-proxy. It's actually not hard to achieve as it's just about the priority of iptables rules, and it can really benefit users who want to use DSR mode.Describe the solution you have in mind
When
proxyAll
is enabled,Describe how your solution impacts user flows
Users who expect Antrea to process all Service traffic and/or want to use DSR mode can use the features by setting
proxyAll
to true, without having to remove kube-proxy.The text was updated successfully, but these errors were encountered: