Fix pods unable to send traffic to ClusterIP

Flannel with VXLAN suffers from a bug[1] where pods on the same node are unable to send traffic to a service's ClusterIP when the endpoint is on the same node. This is due to improper NATTing of the return traffic. The fix is to load the br_netfilter module as specified in the kubernetes doc.[2] [1] flannel-io/flannel#1702 [2] https://kubernetes.io/docs/setup/production-environment/container-runtimes/#forwarding-ipv4-and-letting-iptables-see-bridged-traffic Change-Id: Ic182bba9d480421c2cb581558ebde8dfb20421c8
openstack · Mar 29, 2023 · ae7a50e · ae7a50e
1 parent b7092d3
commit ae7a50e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -41,8 +41,11 @@ EOF
         systemctl restart NetworkManager
     fi
 elif [ "$NETWORK_DRIVER" = "flannel" ]; then
-    $ssh_cmd modprobe vxlan
-    echo "vxlan" > /etc/modules-load.d/vxlan.conf
+    $ssh_cmd modprobe -a vxlan br_netfilter
+    cat <<EOF > /etc/modules-load.d/flannel.conf
+vxlan
+br_netfilter
+EOF
 fi
 
 

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@@ -47,8 +47,12 @@ EOF
         $ssh_cmd systemctl restart NetworkManager
     fi
 elif [ "$NETWORK_DRIVER" = "flannel" ]; then
-    $ssh_cmd modprobe vxlan
-    echo "vxlan" > /etc/modules-load.d/vxlan.conf
+    $ssh_cmd modprobe -a vxlan br_netfilter
+    cat <<EOF > /etc/modules-load.d/flannel.conf
+vxlan
+br_netfilter
+EOF
+
 fi
 
 mkdir -p /srv/magnum/kubernetes/