Casey Callendrello
You need to masquerade, but only when the source address is 127.0.0.1. Check out https://github.com/containernetworking/plugins/tree/master/plugins/meta/portmap#snat-masquerade
The CNI plugins already handle this; what version and what CNI configuration are you using?
This is really cool stuff. I have a few minor-ish comments. My only big question (and apologies if this is mentioned in the docs somewhere): when *wouldn't* you want this...
> The traces pertain to socket-lb events, so the feature flag is enabled by default when socket-lb is enabled

Gotcha, makes sense. Does this code do anything if socket-lb is...
What if this is a dual-stack cluster? Will we do the right thing there? (It may be that cilium was wrong before, and this code isn't at fault. But we...
> What would dual-stack have to do with this code?

Right, but dual-stack nodes have multiple entries for the same address type. Like I said, it is possible that the...
I did some quick research. The current systemd documentation states:

> It is strongly recommended that local programs use the glibc NSS or bus APIs instead...

Given this, I'm not...
It looks like systemd-resolved introduces some problems around wildcard socket binding and Go, so if we do this, it needs to be opt-in.
Oh, interesting. I bet I know what's wrong. Are you running with the default network, or have you provided your own CNI configuration?
Indeed, this is "a bit of a bug," though it is also somewhat expected given that hairpin NAT is flaky. I was able to fix this manually by adding an...