calico
Add option to selectively disable rpf check for all workloads
Description
We use a separate loadbalancing solution outside of Calico that uses IPIP encapsulation to implement a DSR-type loadbalancer.
Currently, the strict RPF checks in the iptables raw table cause response/DSR packets from the pod to the client to be dropped.
This PR introduces a mechanism that allows a list of CIDRs to be specified that are considered "safe" and are excluded from the RPF check. In this scenario, the allowlist would be set to the VIP ranges of the loadbalancers.
WorkloadSourceSpoofing (#5742) is similar to what we need, but that is on a workload-to-workload (pod-to-pod) basis, and we want this globally on every single workload without opt-in.
I currently have this implemented in endpoint_mgr.go alongside the workloadSourceSpoofing implementation, but these iptables rules may be better suited to being programmed in the DefaultRuleRenderer in felix/rules/static.go. Before writing tests, I want to gather feedback to see if this is structured in the right location.
Suggestions and feedback are much appreciated! I would be curious to see if there's any appetite for a feature like this to be merged.
Related issues/PRs
strict RPF check using iptables: https://github.com/projectcalico/calico/commit/60b41a07001a38b94e90e123d34ec535260b1ae1
selective disabling of rpf check for workloads: https://github.com/projectcalico/calico/pull/5742
Todos
- [ ] Tests
- [ ] Documentation
- [ ] Release note
Release Note
TBD
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one docs-* label.
- docs-pr-required: This change requires a change to the documentation that has not been completed yet.
- docs-completed: This change has all necessary documentation completed.
- docs-not-required: This change has no user-facing impact and requires no docs.
Every PR needs one release-note-* label.
- release-note-required: This PR has user-facing changes. Most PRs should have this label.
- release-note-not-required: This PR has no user-facing changes.
Other optional labels:
- cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
- needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.
Hey @ottoyiu sorry for the delay on response here - we've been pretty focused on v3.24 work. We'll take a look at this as a candidate for the v3.25 release.
@caseydavenport thanks for the reply! I'm still missing tests on those changes, but looking to see if it's the right place for those changes before I invest further time. When you have the chance, can you give a quick glance to see if the change seems sound?