Add --random-fully to MASQ iptables rules to mitigate conntrack issues #958
Docker image for testing purposes:
@coufalja thanks for the PR.
@murali-reddy The way I deployed was going through a full rolling update of a cluster, so I didn't hit the issue. But yeah, it would be great to actually allow users to update in place. What needs to be done? Adding the old one to pkg/controllers/routing/pod_egress.go:85 and pkg/controllers/proxy/network_services_controller.go:1268?
This LGTM. Thanks for all of your work on this!
@murali-reddy I tested this locally on our nodes with both iptables that are able to support --random-full and iptables that are not. I also tested the upgrade procedure and found that it cleaned the nodes appropriately when upgrading from iptables that didn't support it to iptables that did support it.
@aauren Thanks, just a question: when can I expect this to be released? In 1.1, or do you plan to release 1.0.2 with a round of minor fixes?
This would be an additional feature, so it will be in 1.1.
Thanks @aauren
To mitigate conntrack issues in Kubernetes.
See: https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02 and kubernetes/kubernetes#56903 for details.
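
A sketch of the version gating and upgrade cleanup discussed in this thread, as an added example that is not kube-router's own code. The function names and the sample pod CIDR are hypothetical; the 1.6.2 threshold is the iptables release that added `--random-fully` to MASQUERADE, and only the userspace binary is checked here.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// versionRe extracts the version from `iptables --version` output.
var versionRe = regexp.MustCompile(`v(\d+)\.(\d+)\.(\d+)`)

// supportsRandomFully reports whether the iptables binary that printed
// versionOutput accepts --random-fully on MASQUERADE (iptables >= 1.6.2).
func supportsRandomFully(versionOutput string) (bool, error) {
	m := versionRe.FindStringSubmatch(versionOutput)
	if m == nil {
		return false, fmt.Errorf("unrecognized version output: %q", versionOutput)
	}
	minVer := [3]int{1, 6, 2}
	for i, want := range minVer {
		got, err := strconv.Atoi(m[i+1])
		if err != nil {
			return false, err
		}
		if got != want {
			return got > want, nil
		}
	}
	return true, nil
}

// masqueradeRules returns the rule to install and, on a capable binary, the
// older plain rule to delete so an in-place upgrade leaves no duplicate.
func masqueradeRules(match []string, randomFully bool) (want, stale []string) {
	plain := append(append([]string{}, match...), "-j", "MASQUERADE")
	if !randomFully {
		return plain, nil // an old binary cannot express the newer form
	}
	return append(append([]string{}, plain...), "--random-fully"), plain
}

func main() {
	// Constructed sample inputs; the match arguments are hypothetical.
	match := []string{"-s", "10.244.0.0/16", "!", "-d", "10.244.0.0/16"}
	for _, out := range []string{"iptables v1.4.21", "iptables v1.8.7 (nf_tables)"} {
		ok, _ := supportsRandomFully(out)
		want, stale := masqueradeRules(match, ok)
		fmt.Printf("%s\n  install: %v\n  remove:  %v\n", out, want, stale)
	}
}
```

Deleting the stale plain rule before or after inserting the new one matters less than doing both in the same sync pass, so a node never ends up with neither or with both left behind permanently.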