From 61085a75899a820b5eebfa71801e17423c1ca4da Mon Sep 17 00:00:00 2001
From: Lars Ekman
Date: Sat, 5 Dec 2020 08:32:15 +0100
Subject: [PATCH] Ipvs: non-local access to externalTrafficPolicy:Local

Allow access to externalTrafficPolicy:Local services from PODs not on a node where a server executes. Problem described in #93456
---
 pkg/proxy/ipvs/proxier.go | 10 +++++++++-
 pkg/proxy/ipvs/proxier_test.go | 5 +++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go
index a6aeac3c0b2..635f30f9d41 100644
--- a/pkg/proxy/ipvs/proxier.go
+++ b/pkg/proxy/ipvs/proxier.go
@@ -1972,7 +1972,15 @@ func (proxier *Proxier) syncEndpoint(svcPortName proxy.ServicePortName, onlyNode
 } else {
 clusterEndpoints, localEndpoints, _, _ := proxy.CategorizeEndpoints(endpoints, svcInfo, proxier.nodeLabels)
 if onlyNodeLocalEndpoints {
- endpoints = localEndpoints
+ if len(localEndpoints) > 0 {
+ endpoints = localEndpoints
+ } else {
+ // https://github.com/kubernetes/kubernetes/pull/97081
+ // Allow access from local PODs even if no local endpoints exist.
+ // Traffic from an external source will be routed but the reply
+ // will have the POD address and will be discarded.
+ endpoints = clusterEndpoints
+ }
 } else {
 endpoints = clusterEndpoints
 }
diff --git a/pkg/proxy/ipvs/proxier_test.go b/pkg/proxy/ipvs/proxier_test.go
index 33d8a7e7e40..18498b88bff 100644
--- a/pkg/proxy/ipvs/proxier_test.go
+++ b/pkg/proxy/ipvs/proxier_test.go
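Review bot: The new else branch turns an externalTrafficPolicy:Local virtual server with no local endpoints into one that forwards to remote endpoints, and because syncEndpoint is reached with onlyNodeLocalEndpoints for the external-facing servers as well (the second hunk now expects the externalIP server to carry the remote real server 10.0.1.5:80), an external client that still hits such a node has its packets forwarded and, as the added comment itself says, the reply discarded — a silent time-out where it previously got no real server at all. The comment should record the assumption that makes this acceptable and the contract it bends, e.g. `// Assumes load balancers stop sending to this node once it reports no local endpoints; external traffic that still arrives is forwarded to a remote pod and its reply bypasses this node.` If the goal is only pod-originated traffic, consider limiting the fallback to the internal virtual servers, or at least logging at V(4) when it triggers so a load balancer that keeps sending to such nodes is diagnosable instead of surfacing as half-open connections. Whether masquerade applies on this path is not visible in the hunk, so that detail should be confirmed before it goes into the comment. syncEndpoint starts and ends outside the hunk.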
@@ -5319,10 +5319,11 @@ func Test_EndpointSliceOnlyReadyAndTerminatingLocalWithFeatureGateDisabled(t *te
 assert.Len(t, realServers1, 1, "Expected 1 real servers")
 assert.Equal(t, realServers1[0].String(), "10.0.1.5:80")
 
- // externalIP should have 0 endpoints since the feature gate is disabled.
+ // externalIP should have 1 (remote) endpoint since the feature gate is disabled.
 realServers2, rsErr2 := ipvs.GetRealServers(externalIPServer)
 assert.Nil(t, rsErr2, "Expected no error getting real servers")
- assert.Len(t, realServers2, 0, "Expected 0 real servers")
+ assert.Len(t, realServers2, 1, "Expected 0 real servers")
+ assert.Equal(t, realServers2[0].String(), "10.0.1.5:80")
 
 fp.OnEndpointSliceDelete(endpointSlice)
 fp.syncProxyRules()
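Review bot: The failure message on the changed `assert.Len` line still reads "Expected 0 real servers" although the asserted count is now 1, so a regression would print a contradictory message; change it to `assert.Len(t, realServers2, 1, "Expected 1 real server")`. The updated comment attributes the single remote endpoint to the disabled feature gate, but the count actually comes from the new no-local-endpoints fallback in the proxier, which the test name does not mention; a wording such as `// externalIP has no local endpoint, so the proxier falls back to the remote one even with the feature gate disabled.` would state the intent. The enclosing test function starts before the hunk.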