John Howard
John Howard
#52557 is really a structured match requirement.. If we had a way to match on individual split headers instead of aggregated ones, it would solve this. That is, instead of...
I suspect this is an unexpected poor interaction with Calico or some other part of your environment. Can you give some more info about your setup?
FWIW how its supposed to work is: * `-A ISTIO_PRERT -s 169.254.7.127/32 -p tcp -m tcp -j ACCEPT` in the pod means we do not redirect * `-A ISTIO_POSTRT -p...
Thanks for all the info - much appreciated. Looking into it
Dropped on the return path: `10.244.190.134:12345->169.254.7.127:39500(tcp) kfree_skb_reason(SKB_DROP_REASON_TC_EGRESS)`
Trace logs (I did curl instead of kubelet, same thing though. local port 12346, health check port 12345) ``` curl-1954511 [010] b.s2. 617201.255780: bpf_trace_printk: eth0------------E: New packet at ifindex=113; mark=1000000...
Hmm.. the ifindex on that, 113, is eth0 on the node. So a packet **from** the pod is going to eth0...? Maybe they are partially short circuiting the iptables/conntrack/snat stuff...
I think this is what you are after here, LMK if not ``` -1954511 [010] b..1. 617201.255659: bpf_trace_printk: cali1f808cfe5dc-I: New packet at ifindex=8; mark=0 -1954511 [010] b..1. 617201.255661: bpf_trace_printk: cali1f808cfe5dc-I:...
Thanks @tomastigera. I think it will be good to keep this open on our side to track/keep it visible to users, but will be keeping an eye on the Calico...
Thanks everyone, especially @tomastigera !