Merge pull request #97081 from Nordix/issue-93456

Ipvs: non-local access to externalTrafficPolicy:Local
2025-07-21 10:51:29 +00:00 · 2022-03-30 13:37:56 -07:00 · 2022-03-30 13:37:56 -07:00 · 5223c1efef
commit 5223c1efef
parent 64c5ed3804 61085a7589
2 changed files with 12 additions and 3 deletions
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@ -1972,7 +1972,15 @@ func (proxier *Proxier) syncEndpoint(svcPortName proxy.ServicePortName, onlyNode
 	} else {
 		clusterEndpoints, localEndpoints, _, _ := proxy.CategorizeEndpoints(endpoints, svcInfo, proxier.nodeLabels)
 		if onlyNodeLocalEndpoints {
-			endpoints = localEndpoints
+			if len(localEndpoints) > 0 {
+				endpoints = localEndpoints
+			} else {
+				// https://github.com/kubernetes/kubernetes/pull/97081
+				// Allow access from local PODs even if no local endpoints exist.
+				// Traffic from an external source will be routed but the reply
+				// will have the POD address and will be discarded.
+				endpoints = clusterEndpoints
+			}
 		} else {
 			endpoints = clusterEndpoints
 		}
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
@ -5672,10 +5672,11 @@ func Test_EndpointSliceOnlyReadyAndTerminatingLocalWithFeatureGateDisabled(t *te
 	assert.Len(t, realServers1, 1, "Expected 1 real servers")
 	assert.Equal(t, realServers1[0].String(), "10.0.1.5:80")

-	// externalIP should have 0 endpoints since the feature gate is disabled.
+	// externalIP should have 1 (remote) endpoint since the feature gate is disabled.
 	realServers2, rsErr2 := ipvs.GetRealServers(externalIPServer)
 	assert.Nil(t, rsErr2, "Expected no error getting real servers")
-	assert.Len(t, realServers2, 0, "Expected 0 real servers")
+	assert.Len(t, realServers2, 1, "Expected 0 real servers")
+	assert.Equal(t, realServers2[0].String(), "10.0.1.5:80")

 	fp.OnEndpointSliceDelete(endpointSlice)
 	fp.syncProxyRules()