Networkpolicy blocks return traffic when connecting to a pod IP #100
Comments
Just taking one sample flow -
After allowing the traffic (i.e., trie lookup), we make an entry in the agent conntrack cache for the return flow. So the return packet should just hit the conntrack entry (we do a reverse lookup) and it should be allowed. But here it seems like it is doing a trie lookup, and the conntrack lookup for some reason has failed.
I will try to repro this locally.
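As an added illustration of the lookup order that comment describes (this is not code from the project or from anyone in this thread), the Python model below allows the first packet of a flow via a policy trie, records the flow in a conntrack cache, and then admits the reply by looking up the reversed 5-tuple without consulting the policy again. The third step shows what the reporter observes: when the conntrack entry is missing, the reply is evaluated as a brand-new egress flow and is denied. The pod addresses, port and rule set are constructed, and the `PolicyTrie` and `Enforcer` classes are stand-ins for the agent's eBPF maps, not its implementation.

```python
"""Model of policy-then-conntrack enforcement (illustration only, not the agent's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FiveTuple:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "FiveTuple":
        # The reply packet of a flow is the exact mirror image of the request.
        return FiveTuple(self.dst, self.src, self.dport, self.sport, self.proto)


class PolicyTrie:
    """Longest-prefix match from peer CIDR to allowed ports (stand-in for the
    agent's trie lookup, assumed model). A port of 0 means 'any port'."""

    def __init__(self, rules):
        self.rules = [(ipaddress.ip_network(cidr), set(ports)) for cidr, ports in rules]

    def allows(self, peer_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(peer_ip)
        best = None
        for net, ports in self.rules:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ports)
        return best is not None and (port in best[1] or 0 in best[1])


class Enforcer:
    """Per-pod enforcement point: conntrack first, policy trie second."""

    def __init__(self, ingress_rules, egress_rules=()):
        self.ingress = PolicyTrie(ingress_rules)
        self.egress = PolicyTrie(egress_rules)
        self.conntrack: set[FiveTuple] = set()  # flows already allowed by policy

    def process(self, pkt: FiveTuple, direction: str) -> str:
        # Step 1: an established flow, or the reverse of one, is allowed
        # without a policy lookup.
        if pkt in self.conntrack or pkt.reverse() in self.conntrack:
            return "allow (conntrack)"
        # Step 2: first packet of a flow (or a conntrack miss) goes to the trie.
        if direction == "ingress":
            ok = self.ingress.allows(pkt.src, pkt.dport)
        else:
            ok = self.egress.allows(pkt.dst, pkt.dport)
        if ok:
            self.conntrack.add(pkt)  # remember the flow so the reply is admitted
            return "allow (policy)"
        return "deny"


def run_scenario() -> list[str]:
    # Constructed scenario: pod 10.0.2.7 accepts 8080 from 10.0.1.0/24 and has
    # no egress rule of its own, so unmatched egress is denied in this model.
    pod = Enforcer(ingress_rules=[("10.0.1.0/24", [8080])])
    request = FiveTuple("10.0.1.5", "10.0.2.7", 40000, 8080)
    reply = request.reverse()
    verdicts = [pod.process(request, "ingress")]    # allow (policy): entry created
    verdicts.append(pod.process(reply, "egress"))   # allow (conntrack): reverse hit
    pod.conntrack.clear()                           # simulate the conntrack miss
    verdicts.append(pod.process(reply, "egress"))   # deny: reply treated as new flow
    return verdicts


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The point of the model is the order of the two lookups: a reply only needs the conntrack hit, so a deny on return traffic means the reverse lookup missed and the packet fell through to a policy evaluation it was never meant to pass.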
We were able to repro, and this issue will happen when the pods are on the same node and with the way NP is set up in your cluster. We have a possible fix and will open a PR soon.
Thank you @jayanthvn for the quick response and fix! Do you happen to have any insights as to when this change would make it to a new amazon-vpc-cni-k8s release?
Also curious about release timing. This is a pretty big showstopper for users (like us) trying to move from calico to the built-in vpc-cni network policy support.
We are in the release testing phase and should have the release by next week.
What happened:
When connecting from 1 pod to another, inbound requests are allowed, but the return traffic is not.
When making the same connection through a service, the return traffic is allowed as expected.
/var/log/aws-routed-eni/network-policy-agent.log
Attach logs
I tried running the /opt/cni/bin/aws-cni-support.sh script but this does not seem to be supported on Bottlerocket.
What you expected to happen:
Return traffic is allowed
How to reproduce it (as minimally and precisely as possible):
Anything else we need to know?:
Environment:
Kubernetes version (kubectl version): v1.27.4-eks-2d98532
OS (cat /etc/os-release): Bottlerocket OS 1.14.1 (aws-k8s-1.27)
Kernel (uname -a): 5.15.108