How To Fix Hairpin Connectivity with IPVS enabled

Issue

Many users enable IPVS for kube-proxy to help alleviate bottlenecks associated with iptables. An issue arises on Kubernetes 1.15 and below where the masquerade iptables rule doesn't get applied and therefore hairpin connectivity stops working.

To check whether a cluster is affected, connect to a pod from itself via its service. If hairpin connectivity is broken, the connection times out. Note that if the node is never rebooted after enabling IPVS, the masquerade rule remains in place, but it is not restored after a reboot.
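The check described above can be scripted. This is an added example, not part of the original article: the function name `hairpin_check` is hypothetical, and it assumes `kubectl` access, `curl` in the pod image, and a Service that speaks HTTP. It also guards against the case where the Service has other endpoints, because a request that lands on a different pod says nothing about hairpin traffic.

```shell
#!/bin/sh
# Added example: hairpin probe (not from the original article).
# Assumptions: kubectl is configured, the pod image contains curl, and the
# Service speaks HTTP. Namespace, pod and Service names are the caller's own.

# Usage: hairpin_check NAMESPACE POD SERVICE PORT [TIMEOUT_SECONDS]
# Returns 0 = hairpin works, 1 = connection timed out (the symptom described
# above), 2 = inconclusive (other endpoints exist, or curl failed otherwise).
hairpin_check() {
    ns=$1; pod=$2; svc=$3; port=$4; timeout=${5:-5}

    pod_ip=$(kubectl -n "$ns" get pod "$pod" \
        -o jsonpath='{.status.podIP}') || return 2
    eps=$(kubectl -n "$ns" get endpoints "$svc" \
        -o jsonpath='{.subsets[*].addresses[*].ip}') || return 2

    # The Service must resolve to this pod only; otherwise the request may be
    # balanced to another pod and succeed without any hairpin traffic.
    if [ "$eps" != "$pod_ip" ]; then
        echo "inconclusive: $svc endpoints are [$eps], expected only $pod_ip" >&2
        return 2
    fi

    # kubectl exec passes through the exit status of the command it runs.
    rc=0
    kubectl -n "$ns" exec "$pod" -- \
        curl -s -o /dev/null --connect-timeout "$timeout" \
        "http://$svc:$port/" || rc=$?

    case $rc in
        0)  echo "hairpin OK: $pod reached itself via $svc"
            return 0 ;;
        28) echo "hairpin BROKEN: $pod timed out reaching itself via $svc"
            return 1 ;;   # 28 is curl's timeout exit status
        *)  echo "inconclusive: curl exited with status $rc" >&2
            return 2 ;;
    esac
}
```

Because the masquerade rule survives until the node reboots, run the check again after a reboot to confirm the result holds.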

Pre-requisites

  • Kubernetes 1.15 and below
  • IPVS enabled for kube-proxy

Workaround

The workaround is to apply the masquerade-all=true flag to kube-proxy to force it to apply the masquerade iptables rule.

Resolution

Edit the cluster YAML, change services.kubeproxy.extra_args to match the following, and save:

  kubeproxy:
    extra_args:
      proxy-mode: ipvs
      masquerade-all: true

Once this is done, hairpin connectivity should be restored.
