From f66d4e183fcfd62e0e3123a007a2a62ab9c980c5 Mon Sep 17 00:00:00 2001 From: Rene Treffer Date: Sun, 29 Apr 2018 13:54:19 +0200 Subject: [PATCH] Always masquerade node-originating traffic with a service VIP source ip --- pkg/proxy/ipvs/proxier.go | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/pkg/proxy/ipvs/proxier.go b/pkg/proxy/ipvs/proxier.go index b5a4dd95d1e..9142cbdd38c 100644 --- a/pkg/proxy/ipvs/proxier.go +++ b/pkg/proxy/ipvs/proxier.go @@ -1218,17 +1218,25 @@ func (proxier *Proxier) writeIptablesRules() { "-A", string(kubeServicesChain), "-m", "comment", "--comment", proxier.ipsetList[kubeClusterIPSet].getComment(), "-m", "set", "--match-set", kubeClusterIPSet, - "dst,dst", ) if proxier.masqueradeAll { - writeLine(proxier.natRules, append(args, "-j", string(KubeMarkMasqChain))...) + writeLine(proxier.natRules, append(args, "dst,dst", "-j", string(KubeMarkMasqChain))...) } else if len(proxier.clusterCIDR) > 0 { // This masquerades off-cluster traffic to a service VIP. The idea // is that you can establish a static route for your Service range, // routing to any node, and that node will bridge into the Service // for you. Since that might bounce off-node, we masquerade here. // If/when we support "Local" policy for VIPs, we should update this. - writeLine(proxier.natRules, append(args, "! -s", proxier.clusterCIDR, "-j", string(KubeMarkMasqChain))...) + writeLine(proxier.natRules, append(args, "dst,dst", "! -s", proxier.clusterCIDR, "-j", string(KubeMarkMasqChain))...) + } else { + // Masquerade all OUTPUT traffic coming from a service ip. + // The kube dummy interface has all service VIPs assigned which + // results in the service VIP being picked as the source IP to reach + // a VIP. This leads to a connection from VIP: to + // VIP:. + // Always masquerading OUTPUT (node-originating) traffic with a VIP + // source ip and service port destination fixes the outgoing connections. + writeLine(proxier.natRules, append(args, "src,dst", "-j", string(KubeMarkMasqChain))...) } }