
calico - default FELIX_DEFAULTENDPOINTTOHOSTACTION to ACCEPT #10766

Open
tomastigera opened this issue Jan 4, 2024 · 2 comments · May be fixed by #11052
Labels
kind/feature Categorizes issue or PR as related to a new feature.

Comments

@tomastigera

What would you like to be added:

Kubespray defaults FELIX_DEFAULTENDPOINTTOHOSTACTION to RETURN, while calico's manifests or operator default it to ACCEPT. It would be good to change it to ACCEPT as well.

Why is this needed:

The coarse-grained control provided by the FELIX_DEFAULTENDPOINTTOHOSTACTION option is superseded by wildcard host endpoints that can provide fine-grained policy-based control. When FELIX_DEFAULTENDPOINTTOHOSTACTION is set to RETURN, the wildcard HEPs trump this option in newer versions anyway. Unless kubespray uses this option to fall back to its own or third-party iptables rules, there is no reason to set it to RETURN.

In addition, it may be good not to default it in the calico-node daemonset but in the felixconfiguration resource, as it cannot be set from the resource, which is the preferred way; see this calico issue. In general, it might be better to set it in the default felixconfiguration, but that is a secondary issue to the main one here.

@tomastigera tomastigera added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 4, 2024
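The two places this control can live, side by side, as an added example that is not part of the issue or of the kubespray or calico projects' own manifests. The DaemonSet skeleton is an assumption modelled on a typical calico-node deployment; the `FELIX_DEFAULTENDPOINTTOHOSTACTION` environment variable and the `defaultEndpointToHostAction` field of the `FelixConfiguration` resource are the real knobs the issue refers to.

```yaml
# Added example, not kubespray's or calico's own manifest. DaemonSet shape is an
# assumption; only the env var and the FelixConfiguration field names are real.
---
# (a) Setting it as an env var on the calico-node DaemonSet, as kubespray does.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: calico-node
  namespace: kube-system
spec:
  template:
    spec:
      containers:
        - name: calico-node
          env:
            # Value the issue reports as kubespray's current default: after
            # Calico's own rules run, workload-to-host traffic is handed back
            # to the remaining rules in the host's INPUT chain.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "RETURN"
            # Value the issue proposes, matching Calico's own manifests:
            # workload-to-host traffic is accepted once workload egress
            # policy has passed it.
            # - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
            #   value: "ACCEPT"
---
# (b) The same control on the default FelixConfiguration resource, which the
# issue names as the preferred place. An env var on the DaemonSet takes
# precedence over this field, so drop the env var if you manage it here.
apiVersion: projectcalico.org/v3
kind: FelixConfiguration
metadata:
  name: default
spec:
  defaultEndpointToHostAction: Accept
```

Before moving a cluster from RETURN to ACCEPT, check whether anything on the nodes relies on the RETURN behaviour: with RETURN, rules that sit later in the host INPUT chain still get a say on traffic from workloads to the host, whereas with ACCEPT that traffic is admitted once Calico's workload egress policy has allowed it. Where workload-to-host access is meant to be restricted, express that restriction as policy on a wildcard host endpoint, which the issue notes takes precedence over this option in newer versions.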
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 3, 2024
@tomastigera

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 3, 2024
tomastigera added a commit to tomastigera/kubespray that referenced this issue Apr 3, 2024
Calico defaults this setting to ACCEPT, this aligns kubespray manifests
with those provided by calico.

fixes kubernetes-sigs#10766