Automatic merge from submit-queue (batch tested with PRs 63319, 64248, 64250, 63890, 64233). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Always masquerade node-originating traffic with a service VIP source ip

**What this PR does / why we need it**:

This is a follow-up to make IPVS work on systems without cluster-cidr or masquerade-all. On these systems the best matching network / source IP to reach the service VIP is the service VIP itself - at least for the host network.

The workaround is simple: everything originating on the host (OUTPUT nat chain) with a source IP that is the VIP should be masqueraded.

The relevant rule change is the first rule in `KUBE-SERVICES`:

```
Chain KUBE-SERVICES (2 references)
 pkts bytes target          prot opt in  out  source     destination
    0     0 KUBE-MARK-MASQ  all  --  *   *    0.0.0.0/0  0.0.0.0/0    match-set KUBE-CLUSTER-IP src,dst
  104  6240 KUBE-MARK-MASQ  tcp  --  *   *    0.0.0.0/0  0.0.0.0/0    tcp match-set KUBE-NODE-PORT-TCP dst
```

The matching rule could be stricter by matching src(ip),dst(ip),dst(port) but the src ip will only be selected if the VIP should be reached.

**Which issue(s) this PR fixes**:

Fixes #63241

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
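As an added illustration (not part of this PR or of kube-proxy's code), the Python below emulates how the new `match-set KUBE-CLUSTER-IP src,dst` rule selects packets leaving the nat OUTPUT chain, and what the stricter src(ip),dst(ip),dst(port) variant mentioned above would change. KUBE-CLUSTER-IP is modelled as kube-proxy's hash:ip,port ipset; the set entries and packets are constructed sample values.

```python
# Constructed sample of the IPVS kube-proxy ipset KUBE-CLUSTER-IP (type hash:ip,port):
# one (service VIP, service port) entry per ClusterIP service. Values are made up.
KUBE_CLUSTER_IP = {
    ("10.96.0.1", 443),   # e.g. the kubernetes API service (constructed)
    ("10.96.0.10", 53),   # e.g. cluster DNS (constructed)
}


def match_set_src_dst(pkt, ipset):
    """Emulate `-m set --match-set KUBE-CLUSTER-IP src,dst` on a hash:ip,port set.

    The flags are applied to the set's dimensions in order: `src` feeds the ip
    dimension from the packet's source address and `dst` feeds the port
    dimension from the destination port. The destination address is never
    consulted, which is the looseness the PR description acknowledges.
    """
    return (pkt["src"], pkt["dport"]) in ipset


def match_set_strict(pkt, ipset):
    """Emulate the stricter src(ip),dst(ip),dst(port) match the PR mentions.

    Assumption: this would be a hash:ip,port,ip set holding (VIP, port, VIP)
    triples matched with flags src,dst,dst, so source and destination address
    must both be the service VIP, not just the source.
    """
    return pkt["src"] == pkt["dst"] and (pkt["src"], pkt["dport"]) in ipset


def output_chain_marks_masq(pkt, strict=False):
    """First rule of KUBE-SERVICES as reached from the nat OUTPUT chain.

    Returns True when the packet (dict with src, dst, dport) would jump to
    KUBE-MARK-MASQ and therefore be masqueraded on the way out.
    """
    check = match_set_strict if strict else match_set_src_dst
    return check(pkt, KUBE_CLUSTER_IP)
```

Host-originated traffic whose source address was picked as the VIP is marked under both variants; a pod-sourced packet is not, and only the strict variant refuses a packet that carries a VIP source but is headed somewhere other than that VIP.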