Comments (5)
Have you ever tested kube-router in Flannel with Vxlan backend and can kube-router preserve the source pod IP?
from kube-router.
@m1093782566 I am answering the questions in #21 here as well.
IPVS has no conflict with the encapsulation used. From the IPVS perspective, all it needs is that reverse traffic goes through the IPVS director so that traffic reaches the source pod (after performing DNAT). This is no different from the requirements of kube-proxy.
I tested some time back, but will test again the combination of Flannel + Kube-router providing IPVS service proxy and network policy. I will update the thread after re-testing.
Just so you know, Canal has Flannel VXLAN + iptables kube-proxy + Calico network policy. I don't think it has any issues with the source IP not being preserved.
@m1093782566 I just tested with Flannel VXLAN + Kube-router's service proxy and network policies; I don't see any issue with VXLAN encapsulation + IPVS.
Quick notes on what changed with 1.7 GA of network policy compared to the beta of NP (network policies). Kube-router currently implements Beta NP.
- By default, pods are non-isolated; they accept traffic from any source. (This is the behaviour in Beta of NP till 1.6 as well.) The current implementation of Kube-router honours this now. So no change is required.
- The annotation to default-deny network policy has no significance in the NP GA. In Beta NP and the current implementation of Kube-router, adding an annotation to a namespace to default deny puts all the pods in the namespace in isolation. So kube-router behaviour needs to change depending on the Kubernetes server version. If Kubernetes is version 1.7 then kube-router needs to ignore the [namespace network policy annotation](http://blog.kubernetes.io/2016/04/Kubernetes-Network-Policy-APIs.html) even if it is configured.
- Pods become isolated by having a NetworkPolicy that selects them. Once there is any NetworkPolicy in a Namespace selecting a particular pod, that pod will reject any connections that are not allowed by any NetworkPolicy. The current implementation in kube-router should be able to handle this change, with no modification.
- Other pods in the Namespace that are not selected by any NetworkPolicy will continue to accept all traffic. This is a big change from Beta to GA. Pods not selected by any network policy continue to accept traffic.
Overall, the semantic changes from NP Beta to 1.7 GA should be easily adopted. The only part that is a little challenging is to support both the NP Beta and GA versions. Or maybe just implement the network policy GA semantics, and suggest to users that if they want to use Kube-router for network policy then they use Kubernetes 1.7.
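The Beta-versus-GA isolation semantics summarised in the comment above, as an added example (not kube-router's code). It models a cluster with a few constructed pods and one NetworkPolicy and answers "is this connection admitted?" under both API versions; the namespace annotation key `net.beta.kubernetes.io/network-policy` is the real Beta key, everything else (pod names, labels, the `demo()` scenario) is constructed. Only ingress rules with same-namespace `podSelector` peers are modelled; `namespaceSelector`, `ipBlock` and egress are out of scope.

```python
# Added example: model of NetworkPolicy isolation semantics, Beta (<= 1.6) vs GA (1.7).
# Not kube-router code; pods, labels and the policy below are constructed sample data.
from dataclasses import dataclass, field

# Real annotation key from the Beta API; its value was a JSON string such as
# '{"ingress": {"isolation": "DefaultDeny"}}'.
BETA_ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class NetworkPolicy:
    name: str
    namespace: str
    pod_selector: dict                            # spec.podSelector.matchLabels ({} selects all pods)
    ingress: list = field(default_factory=list)   # list of {"from": [{"podSelector": {...}}]}


def parse_version(v):
    """'v1.7.2' -> (1, 7); only major.minor matter for the semantics switch."""
    major, minor = v.lstrip("v").split(".")[:2]
    return int(major), int(minor)


def selector_matches(match_labels, labels):
    """matchLabels semantics: every listed key must be present with the same value."""
    return all(labels.get(k) == v for k, v in match_labels.items())


def policies_selecting(pod, policies):
    """Policies in the pod's namespace whose podSelector matches the pod."""
    return [p for p in policies
            if p.namespace == pod.namespace and selector_matches(p.pod_selector, pod.labels)]


def is_isolated(pod, policies, ns_annotations, version):
    """Beta: the namespace DefaultDeny annotation alone isolates every pod in it.
    GA (1.7+): the annotation is ignored; a pod is isolated iff some policy selects it."""
    if version < (1, 7):
        ann = ns_annotations.get(pod.namespace, {}).get(BETA_ISOLATION_ANNOTATION, "")
        return "DefaultDeny" in ann
    return bool(policies_selecting(pod, policies))


def ingress_allowed(src, dst, policies, ns_annotations, version):
    """True if a connection from src to dst is admitted under the given API version."""
    if not is_isolated(dst, policies, ns_annotations, version):
        return True                               # non-isolated pods accept traffic from anywhere
    for policy in policies_selecting(dst, policies):
        for rule in policy.ingress:
            peers = rule.get("from")
            if not peers:                         # a rule with no 'from' admits every source
                return True
            for peer in peers:
                sel = peer.get("podSelector")
                if (sel is not None and src.namespace == dst.namespace
                        and selector_matches(sel, src.labels)):
                    return True
    return False                                  # isolated, and no policy admits this source


def demo():
    """Constructed scenario: a db pod guarded by a policy that admits only 'web'."""
    web = Pod("web-0", "prod", {"app": "web"})
    db = Pod("db-0", "prod", {"app": "db"})
    batch = Pod("batch-0", "prod", {"app": "batch"})
    policies = [NetworkPolicy("db-allow-web", "prod", {"app": "db"},
                              [{"from": [{"podSelector": {"app": "web"}}]}])]
    default_deny = {"prod": {BETA_ISOLATION_ANNOTATION:
                             '{"ingress": {"isolation": "DefaultDeny"}}'}}
    results = {}
    for label, ver, ann in [("beta-no-annotation", "v1.6.0", {}),
                            ("beta-default-deny", "v1.6.0", default_deny),
                            ("ga", "v1.7.0", {}),
                            ("ga-annotation-ignored", "v1.7.0", default_deny)]:
        v = parse_version(ver)
        results[label] = {
            "web->db": ingress_allowed(web, db, policies, ann, v),
            "batch->db": ingress_allowed(batch, db, policies, ann, v),
            "web->batch": ingress_allowed(web, batch, policies, ann, v),
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(scenario, outcome)
```

The four scenarios make the change concrete: under Beta without the annotation the policy has no effect at all; with the Beta annotation the unselected `batch` pod is cut off from everything; under GA the annotation is ignored, `db` is isolated because a policy selects it, and `batch` keeps accepting all traffic.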
Spent some time analyzing the effort and changes needed. It seems it's wise to hold off on this for a while. Though the changes required are a lot fewer than I thought, I see potential re-work since client-go and the api repos are in flux. It's better to wait a bit and see which direction client-go goes. It looks like client-go will use the api repo post the 4.0 release, which will force kube-router to use api, which is good as it's going to be the canonical location of the Kubernetes API definition.
Anyway, 1.7 is still backward compatible, so beta network policies still can be used.