Merge pull request #1090 from artem-panchenko/calicoAcceptHostEndpointConnections

Allow connections from pods to local endpoints
2017-03-01 13:37:05 +01:00 · 2017-03-01 13:37:05 +01:00 · 0c66418dad
parent 45a9eac7d2 fa05d15093
commit 0c66418dad
2 changed files with 11 additions and 0 deletions
--- a/docs/calico.md
+++ b/docs/calico.md
@ -147,6 +147,16 @@ The inventory above will deploy the following topology assuming that calico's

 ![Image](figures/kargo-calico-rr.png?raw=true)

+##### Optional : Define default endpoint to host action
+
+By default Calico blocks traffic from endpoints to the host itself by using an iptables DROP action. When using it in kubernetes the action has to be changed to RETURN (default in kargo) or ACCEPT (see https://github.com/projectcalico/felix/issues/660 and https://github.com/projectcalico/calicoctl/issues/1389). Otherwise all network packets from pods (with hostNetwork=False) to services endpoints (with hostNetwork=True) withing the same node are dropped.
+
+
+To re-define default action please set the following variable in your inventory:
+```
+calico_endpoint_to_host_action: "ACCEPT"
+```
+
 Cloud providers configuration
 =============================

--- a/roles/network_plugin/calico/templates/calico-node.service.j2
+++ b/roles/network_plugin/calico/templates/calico-node.service.j2
@ -12,6 +12,7 @@ ExecStart={{ docker_bin_dir }}/docker run --net=host --privileged \
 -e IP=${CALICO_IP} \
 -e IP6=${CALICO_IP6} \
 -e CALICO_NETWORKING_BACKEND=${CALICO_NETWORKING_BACKEND} \
+ -e FELIX_DEFAULTENDPOINTTOHOSTACTION={{ calico_endpoint_to_host_action|default('RETURN') }} \
 -e AS=${CALICO_AS} \
 -e NO_DEFAULT_POOLS=${CALICO_NO_DEFAULT_POOLS} \
 -e CALICO_LIBNETWORK_ENABLED=${CALICO_LIBNETWORK_ENABLED} \