From fa05d15093616b20d26499d764e1601b5cc4d80d Mon Sep 17 00:00:00 2001 From: Artem Panchenko Date: Tue, 28 Feb 2017 15:10:35 +0200 Subject: [PATCH] Allow connections from pods to local endpoints By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. It could lead to a situation when service has one alive endpoint, but pods which run on the same node can not access it. Changed the action to RETURN. --- docs/calico.md | 10 ++++++++++ .../calico/templates/calico-node.service.j2 | 1 + 2 files changed, 11 insertions(+) diff --git a/docs/calico.md b/docs/calico.md index 954cce0c6..eefbcb6e2 100644 --- a/docs/calico.md +++ b/docs/calico.md @@ -147,6 +147,16 @@ The inventory above will deploy the following topology assuming that calico's ![Image](figures/kargo-calico-rr.png?raw=true) +##### Optional : Define default endpoint to host action + +By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. When using it in kubernetes the action has to be changed to RETURN (default in kargo) or ACCEPT (see https://github.com/projectcalico/felix/issues/660 and https://github.com/projectcalico/calicoctl/issues/1389). Otherwise all network packets from pods (with hostNetwork=False) to services endpoints (with hostNetwork=True) withing the same node are dropped. + + +To re-define default action please set the following variable in your inventory: +``` +calico_endpoint_to_host_action: "ACCEPT" +``` + Cloud providers configuration ============================= diff --git a/roles/network_plugin/calico/templates/calico-node.service.j2 b/roles/network_plugin/calico/templates/calico-node.service.j2 index dfe8c4a3d..e84ceaba0 100644 --- a/roles/network_plugin/calico/templates/calico-node.service.j2 +++ b/roles/network_plugin/calico/templates/calico-node.service.j2 @@ -12,6 +12,7 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \ -e IP=${CALICO_IP} \ -e IP6=${CALICO_IP6} \ -e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \ + -e FELIX_DEFAULTENDPOINTTOHOSTACTION={{ calico_endpoint_to_host_action|default('RETURN') }} \ -e AS=${CALICO_AS} \ -e NO_DEFAULT_POOLS=${CALICO_NO_DEFAULT_POOLS} \ -e CALICO_LIBNETWORK_ENABLED=${CALICO_LIBNETWORK_ENABLED} \