Minor improvement: automatically cleanup stale AWS-CNI iptables rules in nodeinit #25804

@squeed

Description

@squeed

In the install documentation for EKS, it has you manually remove some stale AWS iptables rules. Not removing these rules results in subtle and random connectivity issues, most notably around host-network processes accessing the pod network. This typically results in a failure to reach the health check.

So, when we're sure these aren't in use, we should remove these in the nodeinit script.

The challenge is knowing these rules are not in use. From reading the install documentation, I don't see a reliable way to detect it, so we'll have to add another helm value. Probably something like nodeinit.removeAWSCNI.

Metadata

Assignees

No one assigned

    Labels

    area/agent: Cilium agent related.
    area/helm: Impacts helm charts and user deployment experience.
    good-first-issue: Good starting point for new developers, which requires minimal understanding of Cilium.
    help-wanted: Please volunteer for this by adding yourself as an assignee!
    kind/feature: This introduces new functionality.

    Type

    No type

    Projects

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests