Description
Component: salt, network
Why this is needed:
If the network backing a cluster drops packets whose source address it does not know (Pod IPs are not known to the underlying network, only node IPs are), any Pod-to-Pod traffic that crosses nodes unencapsulated is silently dropped. The first visible casualty is DNS resolution: queries go to the CoreDNS ClusterIP and are DNATed by kube-proxy to a CoreDNS Pod that may run on another node, so name resolution, and with it most Pod-to-Pod communication, breaks.
Always enabling IP-IP encapsulation avoids this, since encapsulated packets carry node IPs on the outer header.
What should be done:
Add a configuration option to the BootstrapConfiguration file (/etc/metalk8s/bootstrap.yaml) to control the use of IP-IP encapsulation. Accepted values should be Always or CrossSubnet (the latter is what the current version of MetalK8s hardcodes).
This value should be reflected in the calico-node DaemonSet, replacing the hardcoded CALICO_IPV4POOL_IPIP environment variable (see salt/metalk8s/kubernetes/cni/calico/deployed.sls#L620).
Note that Calico only reads CALICO_IPV4POOL_IPIP when calico-node creates the default IPv4 pool: on a cluster where the pool already exists, changing the value in bootstrap.yaml and redeploying the DaemonSet does not change the existing IPPool's ipipMode, which must be updated as well.
See https://docs.projectcalico.org/v3.5/usage/configuration/ip-in-ip for more details.
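The following is an added example, not MetalK8s project code: it shows the validation the Salt state should apply to the new option, how the calico-node env entry is derived from it, and the post-deploy check that reads the value back out of the DaemonSet (as returned by kubectl -o json). The bootstrap.yaml key name networks.ipip and the sample objects are assumptions made for illustration; the real key is to be decided in the implementing PR.

```python
"""Added example, not MetalK8s project code.

Validates the IP-IP option proposed for the BootstrapConfiguration,
renders the calico-node environment entry from it, and reads the value
back out of a DaemonSet object. The key name `networks.ipip` and the
sample objects below are assumptions for illustration.
"""
import json

IPIP_MODES = ("Always", "CrossSubnet")   # the two values this issue allows
DEFAULT_IPIP_MODE = "CrossSubnet"        # what MetalK8s hardcodes today


def ipip_mode(bootstrap_config):
    """Return the IP-IP mode from the parsed bootstrap.yaml.

    A missing key keeps the current behaviour (CrossSubnet). Any other
    value, including a typo such as "always", is rejected here rather
    than passed through to calico-node.
    """
    networks = bootstrap_config.get("networks") or {}
    mode = networks.get("ipip", DEFAULT_IPIP_MODE)  # assumed key name
    if mode not in IPIP_MODES:
        raise ValueError(
            "networks.ipip must be one of %s, got %r"
            % (", ".join(IPIP_MODES), mode)
        )
    return mode


def calico_ipip_env(bootstrap_config):
    """Environment entry for the calico-node container, as the Salt state
    would render it in place of the hardcoded CALICO_IPV4POOL_IPIP."""
    return {"name": "CALICO_IPV4POOL_IPIP", "value": ipip_mode(bootstrap_config)}


def daemonset_ipip_mode(daemonset):
    """Read CALICO_IPV4POOL_IPIP back out of a calico-node DaemonSet object
    (e.g. `kubectl -n kube-system get ds calico-node -o json`), to confirm
    after deployment that the option was reflected. Returns None if the
    variable is absent."""
    containers = daemonset["spec"]["template"]["spec"]["containers"]
    for container in containers:
        if container.get("name") != "calico-node":
            continue
        for env in container.get("env", []):
            if env.get("name") == "CALICO_IPV4POOL_IPIP":
                return env.get("value")
    return None


# Constructed sample of a parsed /etc/metalk8s/bootstrap.yaml (illustrative)
SAMPLE_BOOTSTRAP = {
    "apiVersion": "metalk8s.scality.com/v1alpha2",
    "kind": "BootstrapConfiguration",
    "networks": {
        "controlPlane": "10.200.0.0/24",
        "workloadPlane": "10.200.1.0/24",
        "ipip": "Always",   # assumed key name
    },
}

# Constructed, minimal calico-node DaemonSet as kubectl -o json would show it
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "calico-node", "namespace": "kube-system"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "calico-node",
         "env": [{"name": "IP", "value": "autodetect"},
                 calico_ipip_env(SAMPLE_BOOTSTRAP)]},
    ]}}},
}

if __name__ == "__main__":
    print(json.dumps(calico_ipip_env(SAMPLE_BOOTSTRAP)))
    print(daemonset_ipip_mode(SAMPLE_DAEMONSET))
```

Because calico-node only honours the variable when it creates the pool, the DaemonSet check above is not sufficient on an upgraded cluster; there the IPPool's ipipMode has to be inspected as well.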
Test plan:
Pod-to-Pod communication should work with both values of this option on a network that does not enforce a known-origin policy.
Pod-to-Pod communication should work with IP-IP set to Always on a network that does enforce this policy (with CrossSubnet, cross-node traffic within a subnet is expected to fail there, which confirms the test setup).