infrastructure: base: cilium: values: Enable socketLB.hostNamespaceOnly.
This commit applies a Cilium configuration based on 3 issues:

[Services are inaccessible from KubeVirt VMs when using kube-proxy free configuration · Issue #14563 · cilium/cilium]
(cilium/cilium#14563)

> # Services are inaccessible from KubeVirt VMs when using kube-proxy free configuration #14563
>
> Kubevirt has a layered networking stack that is described
> [here](https://github.com/kubevirt/kubevirt/blob/master/docs/devel/networking.md). As
> Daniel Borkman kindly described
> [here](https://cilium.slack.com/archives/C1MATJ5U5/p1610058107366400?thread_ts=1609804735.250100&cid=C1MATJ5U5),
> "the east-west based load-balancing is basically realised through BPF
> attaching to socket hooks e.g. connect(2) and then doing the service xlation
> once at connect time from there. This means there is no packet-based NAT
> involved. To get this to work, we'd need to compile in the old-style service
> translation in bpf\_lxc to catch untranslated service requests on a
> per-packet basis (cc [@martynas](https://github.com/martynas)). This would
> get ClusterIP translation working for kubevirt case containers at least (and
> therefore resolve your DNS issues)."

[datapath: Add a new option to skip socket lb when in pod ns by brb · Pull Request #17154 · cilium/cilium]
(cilium/cilium#17154)

> Diff from previous PR (cannot push to the fork's branch, so opening a new PR instead):
>
> -   Explicitly enable bpf\_lxc LB if the bypass is enabled (previously, the
> ifdef was not checking whether the bypass macro was defined).
> -   Rename the bypass macro to `ENABLE_SOCKET_LB_HOST_ONLY`.
> -   Rename the helm var from `loadBalancer.hostNamespaceOnly` to
> `hostServices.hostNamespaceOnly`.
> -   Minor doc improvements.

[daemon: Rename host-reachable services to socket LB by brb · Pull Request #20369 · cilium/cilium]
(cilium/cilium#20369)

> Rename "host-reachable services" to "socket LB". The "host-reachable
> services" terminology will be completely removed in v1.13.
wigust committed Sep 21, 2024
1 parent f089cfe commit 47a2715
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion infrastructure/base/cilium/values.yaml
Expand Up @@ -58,7 +58,7 @@ socketLB:
enabled: true

# -- Disable socket lb for non-root ns. This is used to enable Istio routing rules.
hostNamespaceOnly: false
hostNamespaceOnly: true

loadBalancer:
mode: hybrid
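
Review bot: The comment above `hostNamespaceOnly` still gives only the upstream rationale ("This is used to enable Istio routing rules"), while the commit message says the value is flipped to `true` because of service access from KubeVirt VMs (cilium/cilium#14563). Consider extending that comment with the KubeVirt reason and the issue reference, so a later edit to values.yaml does not revert the setting as Istio-only. Since the quoted text from PR #17154 says the bypass explicitly enables the bpf_lxc LB, pod and VM traffic now depends on that per-packet path; it is worth confirming ClusterIP and DNS reachability from a VM after rollout and recording the result in the commit or PR.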