Fix broken ciliumlocalredirectpolicy #570
Conversation
brandond
left a comment
brandond
left a comment
There was a problem hiding this comment.
Thanks for the contribution!
You need to bump the package version in chart.yaml if you're going to add new local changes
Appreciate the fast response! The cilium chart version tracks the upstream version, so I set a pre-release version on the chart. This can safely be removed when the next cilium version is released. |
|
No, sorry, wrong file - leave that alone. I mean this: https://github.com/rancher/rke2-charts/blob/main-source/packages/rke2-coredns/package.yaml#L2 |
|
@simonfelding thanks for the contribution. Could you provide more details on how you deploy cilium and coredns? I just ran with our current cilium chart and all the tests were passing including the one that is failing for you. Did you follow all the steps in https://docs.rke2.io/networking/networking_services#nodelocal-dns-cache-with-cilium-in-kube-proxy-replacement-mode ? |
|
Yep, I did that to the letter, and that's how I ended up here 🙂 Did you turn off kube-proxy in your test when deploying rke2?
I'm running RHEL9.4, rke2 off the latest channel (1.31), no kube-proxy and cilium 1.16 off the rke2 helm chart with a few normal additions. Nodes can route to each other on L2.
I can give you the details tomorrow, but I'm pretty confident I methodically tested this and cab conclude that the patch I submitted is what made the difference. I wonder where our setups differ!
Sent from Outlook for Android<https://aka.ms/AAb9ysg>
…________________________________
From: thomasferrandiz ***@***.***>
Sent: Thursday, November 28, 2024 11:45:40 AM
To: rancher/rke2-charts ***@***.***>
Cc: simonfelding ***@***.***>; Mention ***@***.***>
Subject: Re: [rancher/rke2-charts] Fix broken ciliumlocalredirectpolicy (PR #570)
@simonfelding<https://github.com/simonfelding> thanks for the contribution.
Could you provide more details on how you deploy cilium and coredns?
I just ran
cilium connectivity test
with our current cilium chart and all the tests were passing including the one that is failing for you.
Did you follow all the steps in https://docs.rke2.io/networking/networking_services#nodelocal-dns-cache-with-cilium-in-kube-proxy-replacement-mode ?
—
Reply to this email directly, view it on GitHub<#570 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AKYOW73OOVDCZWY54NCTX4D2C3X5JAVCNFSM6AAAAABSUECTAGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMBVHAYTANRVG4>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
yes I have a similar setup (rke2 1.31 and no kube-proxy) but with SLES 15.6 instead of RHEL. |
|
I just updated rke2 which caused Cilium to update as well. This caused the problem once again, and the solution was exactly the same. @thomasferrandiz Can you specify what you want to see from my setup? |
|
@thomasferrandiz I think I have an idea. It might be because I'm running RKE2 with Cilium and the CIS profile. Could it be that this is the cause of the issue? Two overlapping network policies regarding DNS? |
3 participants
The Cilium local redirect policy is broken. The solution posted here cilium/cilium#13040 (comment) solves the problem. This PR implements the solution.
Before:
After: