Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[kube-proxy] Fix session affinity with local endpoints traffic #55519

Merged
merged 1 commit into from
Nov 13, 2017
Merged

[kube-proxy] Fix session affinity with local endpoints traffic #55519

merged 1 commit into from
Nov 13, 2017

Conversation

MrHohn
Copy link
Member

@MrHohn MrHohn commented Nov 11, 2017
edited
Loading

What this PR does / why we need it:
Set up session affinity rules in svcXlbChain over local endpoints. It is basically a mirror of what we set in svcChain:

kubernetes/pkg/proxy/iptables/proxier.go

Lines 1423 to 1433 in 012b085

// First write session affinity rules, if applicable.
if svcInfo.sessionAffinityType == api.ServiceAffinityClientIP {
for _, endpointChain := range endpointChains {
writeLine(proxier.natRules,
"-A", string(svcChain),
"-m", "comment", "--comment", svcNameString,
"-m", "recent", "--name", string(endpointChain),
"--rcheck", "--seconds", strconv.Itoa(svcInfo.stickyMaxAgeSeconds), "--reap",
"-j", string(endpointChain))
}
}

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #55429

Special notes for your reviewer:
@nicksardo @bowei

Release note:

Fix session affinity issue with external load balancer traffic when ExternalTrafficPolicy=Local.

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 11, 2017
This was referenced Nov 11, 2017
Closed
Closed
@thockin
Copy link
Member

thockin commented Nov 13, 2017

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 13, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrHohn, thockin

Associated issue: 55429

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 13, 2017
@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 55561, 55519). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 72a2b0b into kubernetes:master Nov 13, 2017
@nicksardo
Copy link
Contributor

@MrHohn Is the issue only when using an external LB? Isn't traffic via clusterIP and nodeport also vulnerable?

Is this worth cherrypicking?

@MrHohn
Copy link
Member Author

MrHohn commented Nov 13, 2017

@nicksardo In fact, check again and I think this will affect external traffic for nodePort as well. In cluster traffic (captured by CIDR 10/X) to clusterIP, nodePort and loadBalancer will not be affected.

Will attempt to cherrypick this to 1.8 and 1.7.

@MrHohn
Copy link
Member Author

MrHohn commented Nov 13, 2017

cc @bowei Did a quick scan and haven't found other incompatible service feature with ESIPP.

This was referenced Nov 14, 2017
Merged
Merged
k8s-github-robot pushed a commit that referenced this pull request Nov 17, 2017
Merge pull request #55721 from MrHohn/automated-cherry-pick-of-#55519…
35e2730 
…-upstream-release-1.8

Automatic merge from submit-queue.

Automated cherry pick of #55519

Cherry pick of #55519 on release-1.8.

#55519: Fix session affinity with local endpoints

```release-note
Fix session affinity issue with external load balancer traffic when ExternalTrafficPolicy=Local.
```
k8s-github-robot pushed a commit that referenced this pull request Nov 18, 2017
Merge pull request #55723 from MrHohn/automated-cherry-pick-of-#55519…
fe959b1 
…-upstream-release-1.7

Automatic merge from submit-queue.

Automated cherry pick of #55519

Cherry pick of #55519 on release-1.7.

#55519: Fix session affinity with local endpoints

```release-note
Fix session affinity issue with external load balancer traffic when ExternalTrafficPolicy=Local.
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@freehan freehan

@thockin thockin

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

kube-proxy: session affinity stops working when ESIPP=Local
6 participants
@MrHohn @thockin @k8s-github-robot @nicksardo @freehan @k8s-ci-robot