Comments (4)
The apiserver SNI feature with its istio gateway moves the problem from the apiserver service (which is now internal) to the istio-ingressgateway
server, with the additional "bonus" that we can not change this service from this extension provider.
We still need the original client address for the audit log eventually.
Gardener's documentation says it is possible to use a self-deployed istio instead of using the Gardener managed istio, but do we want to do this?
from gardener-extension-provider-metal.
Did we ask some people from the Gardener community in the past on how they deal with this?
As the problem originates from the kubeproxy, I assume that running Calico or another CNI like Cilium in "kubeproxy-free" mode resolves the issue as a whole. It's probably hard to setup and change will be disruptive, but it generally fits to our environment and also from the network / performance perspective it seems to be superior:
- https://projectcalico.docs.tigera.io/maintenance/enabling-bpf
- https://docs.cilium.io/en/stable/gettingstarted/kubeproxy-free/#direct-server-return-dsr
from gardener-extension-provider-metal.
This has nothing to do with calico or CNI.
From https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/
.spec.externalTrafficPolicy - denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. There are two available options: Cluster (default) and Local. Cluster obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. Local preserves the client source IP and avoids a second hop for LoadBalancer and NodePort type Services, but risks potentially imbalanced traffic spreading.
from gardener-extension-provider-metal.
According to the Cilium documentation it sounds to me like externalTrafficPolicy=Cluster
does not obscure source IPs when running in DSR mode. But maybe I did not understand it correctly then. 🤔
externalTrafficPolicy=Cluster: For the Cluster policy which is the default upon service creation, multiple options exist for achieving client source IP preservation for external traffic, that is, operating the kube-proxy replacement in DSR or Hybrid mode if only TCP-based services are exposed to the outside world for the latter.
(source already mentioned above)
As far as I know, the local
policy comes with minor nits that are probably tolerable in our case, but still not 100% cool. This is unequal traffic distribution + short traffic blackholing on service update / roll (see this KEP?).
I am gonna need to read a bit more or experiment with it first...
from gardener-extension-provider-metal.
Related Issues (20)
- firewall update fails
- Firewall ignition still uses deprecated enable instead of enabled
- MCM Secret Finalizer Patch in Migrate can probably be removed in g/g v1.36.0
- ☂️-Issue reduce container capabilities
- ☂ Adapt to new secrets manager [GEP-18] HOT 1
- Shoot migration not working anymore HOT 2
- Auditing for reversed VPN does not work anymore HOT 1
- Adapt audit log path
- firewall-controller-manager mutating and validation webhooks are not cleaned up on cluster deletion
- tailer pods violating pod security standards HOT 2
- Remove PSP Deployment if k8s >= 1.25 HOT 1
- Add Fluentd operator resources
- Override DNS and NTP on the worker from NetworkIsolation if given HOT 4
- Make DNS and NTP CWNP match exactly the DNS and NTP Servers from Cloudprofile if given HOT 1
- Remove vendor
- No health endpoint
- Allow setting storage class for prometheus and etcd-events HOT 1
- ☂️ update metallb to v0.14.x HOT 1
- Using deprecated containerd configuration
- Cilium needs new configuration options
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from gardener-extension-provider-metal.