datapath: Add a new option to skip socket lb when in pod ns #17154
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
test-net-next |
8233676 to
f7d126b
Compare
|
test-me-please |
|
test-runtime |
f7d126b to
490607a
Compare
490607a to
6d54696
Compare
|
test-me-please Job 'Cilium-PR-K8s-1.16-net-next' has 3 failures but they might be new flakes since it also hit 1 known flakes: #17060 (88.47) |
|
net-next hit #12511. Marking as ready to merge. |
1 task
2 tasks
jrajahalme
added a commit
that referenced
this pull request
Mar 8, 2022
Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: #17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
added a commit
to jrajahalme/cilium
that referenced
this pull request
Mar 14, 2022
Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: cilium#17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
joestringer
pushed a commit
that referenced
this pull request
Mar 15, 2022
Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: #17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
qmonnet
pushed a commit
that referenced
this pull request
Mar 30, 2022
[ upstream commit 6e2ce4a ] Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: #17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
qmonnet
pushed a commit
that referenced
this pull request
Apr 4, 2022
[ upstream commit 6e2ce4a ] Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: #17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
pchaigno
pushed a commit
that referenced
this pull request
Apr 4, 2022
[ upstream commit 6e2ce4a ] Use the same condition in defining the label 'skip_policy_enforcement' as for jumping to it. Otherwise we could jump to a nonexisting label given a suitable datapath configuration. This does not seem possible now, as ENABLE_HOST_SERVICES_FULL should not be defined if ENABLE_SOCKET_LB_HOST_ONLY is defined. However, as the conditions for defining ENABLE_PER_PACKET_LB evolve, this would become a compilation bug. Fixes: #17154 Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> Signed-off-by: Quentin Monnet <quentin@isovalent.com>
wigust
added a commit
to kitnil/dotfiles
that referenced
this pull request
Sep 21, 2024
This commit applies a Cilium configuration based on 3 issues: [Services are inaccessible from KubeVirt VMs when using kube-proxy free configuration · Issue #14563 · cilium/cilium] (cilium/cilium#14563) > # Services are inaccessible from KubeVirt VMs when using kube-proxy free > configuration #14563 Kubevirt has a layered networking stack that is > described > [here](https://github.com/kubevirt/kubevirt/blob/master/docs/devel/networking.md). As > Daniel Borkman kindly described > [here](https://cilium.slack.com/archives/C1MATJ5U5/p1610058107366400?thread_ts=1609804735.250100&cid=C1MATJ5U5), > "the east-west based load-balancing is basically realised through BPF > attaching to socket hooks e.g. connect(2) and then doing the service xlation > once at connect time from there. This means there is no packet-based NAT > involved. To get this to work, we'd need to compile in the old-style service > translation in bpf\_lxc to catch untranslated service requests on a > per-packet basis (cc [@martynas](https://github.com/martynas)). This would > get ClusterIP translation working for kubevirt case containers at least (and > therefore resolve your DNS issues)." [datapath: Add a new option to skip socket lb when in pod ns by brb · Pull Request #17154 · cilium/cilium] (cilium/cilium#17154) > Diff from previous PR (cannot push to the fork's branch, so opening a new PR instead): > > - Explicitly enable bpf\_lxc LB if the bypass is enabled (previously, the > ifdef was not checking whether the bypass macro was defined). > - Rename the bypass macro to `ENABLE_SOCKET_LB_HOST_ONLY`. > - Rename the helm var from `loadBalancer.hostNamespaceOnly` to > `hostServices.hostNamespaceOnly`. > - Minor doc improvements. [daemon: Rename host-reachable services to socket LB by brb · Pull Request #20369 · cilium/cilium] (cilium/cilium#20369) > Rename "host-reachable services" to "socket LB". The "host-reachable > services" terminology will be completely removed in v1.13.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Diff from previous PR (cannot push to the fork's branch, so opening a new PR instead):
ENABLE_SOCKET_LB_HOST_ONLY.loadBalancer.hostNamespaceOnlytohostServices.hostNamespaceOnly.Supersedes #13882.