SUSE Support

How To Fix Hairpin Connectivity with IPVS enabled

This document (000020045) is provided subject to the disclaimer at the end of this document.

Situation

Issue

Many users enable IPVS for kube-proxy to help alleviate bottlenecks associated with iptables. An issue arises on Kubernetes 1.15 and below where the masquerade iptables rule doesn't get applied and therefore hairpin connectivity stops working.

You can confirm the problem by connecting from a pod to itself through its own service: when the issue is present, the connection times out. Note that if the node is never rebooted after enabling IPVS, the masquerade rule remains in place, but it is not restored after a reboot.
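A scripted version of this check, added here as an example (not SUSE's own code). It assumes kubectl access to the cluster and a container image that ships nc; the function name, return codes and the names in the usage comment are hypothetical.

```shell
# Usage (hypothetical names): hairpin_check default web-0 web 80
# Returns 0 = hairpin works, 1 = hairpin broken, 2 = test inconclusive.
hairpin_check() {
    ns=$1; pod=$2; svc=$3; port=$4

    pod_ip=$(kubectl -n "$ns" get pod "$pod" -o jsonpath='{.status.podIP}') || return 2
    ep_ips=$(kubectl -n "$ns" get endpoints "$svc" \
        -o jsonpath='{.subsets[*].addresses[*].ip}') || return 2
    cluster_ip=$(kubectl -n "$ns" get service "$svc" \
        -o jsonpath='{.spec.clusterIP}') || return 2

    # The probe only exercises the hairpin path if the request is load-balanced
    # back to the calling pod, so require that pod to be the sole ready endpoint.
    if [ "$ep_ips" != "$pod_ip" ]; then
        echo "inconclusive: endpoints of $svc are [$ep_ips], expected only $pod_ip" >&2
        return 2
    fi

    # 5-second connect timeout: a broken hairpin path shows up as a timeout.
    if kubectl -n "$ns" exec "$pod" -- nc -z -w 5 "$cluster_ip" "$port"; then
        echo "hairpin OK: $pod reached itself via $svc ($cluster_ip:$port)"
        return 0
    fi
    echo "hairpin FAILED: $pod could not reach itself via $svc ($cluster_ip:$port)"
    return 1
}
```

If the service has several endpoints, scale it to a single replica first; otherwise a successful connection may simply have been balanced to a different pod.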

Pre-requisites

  • Kubernetes 1.15 and below
  • IPVS enabled for kube-proxy

Workaround

The workaround is to apply the masquerade-all=true flag to kube-proxy to force it to apply the masquerade iptables rule.

Resolution

Edit the cluster YAML, change services.kubeproxy.extra_args to reflect the following, and save:

  kubeproxy:
    extra_args:
      proxy-mode: ipvs
      masquerade-all: true

Once this is done, hairpin connectivity should be restored.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020045
  • Creation Date: 06-May-2021
  • Modified Date: 06-May-2021
    • SUSE Rancher
