github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

iptables proxier: route local traffic to LB IPs to service chain

Browse Source 
Signed-off-by: Andrew Sy Kim <kiman@vmware.com>
This commit is contained in:
Andrew Sy Kim
2019-05-06 17:19:31 -04:00
parent 4b7c607ba4
commit b926fb9d2b
2 changed files with 14 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
pkg/proxy/iptables/proxier.go
View File

@@ -1202,6 +1202,16 @@ func (proxier *Proxier) syncProxyRules() {
continue
}
// For LBs with externalTrafficPolicy=Local, we need to re-route any local traffic to the service chain masqueraded.
// Masqueraded traffic in this scenario is okay since source IP preservation only applies to external traffic anyways.
args = append(args[:0], "-A", string(svcXlbChain))
writeLine(proxier.natRules, append(args,
"-m", "comment", "--comment", fmt.Sprintf(`"masquerade LOCAL traffic for %s LB IP"`, svcNameString),
"-m", "addrtype", "--src-type", "LOCAL", "-j", string(KubeMarkMasqChain))...)
writeLine(proxier.natRules, append(args,
"-m", "comment", "--comment", fmt.Sprintf(`"route LOCAL traffic for %s LB IP to service chain"`, svcNameString),
"-m", "addrtype", "--src-type", "LOCAL", "-j", string(svcChain))...)
// First rule in the chain redirects all pod -> external VIP traffic to the
// Service's ClusterIP instead. This happens whether or not we have local
// endpoints; only if clusterCIDR is specified