Many users enable IPVS for kube-proxy to help alleviate bottlenecks associated with iptables. An issue arises on Kubernetes 1.15 and below where the masquerade iptables rule doesn't get applied and therefore hairpin connectivity stops working.
You can determine whether you are affected by connecting to a pod from itself via its service: when hairpin connectivity is broken, the connection times out. Note that if the node is never rebooted after enabling IPVS, the masquerade rule will remain, but it will not be restored after a reboot.
- Kubernetes 1.15 and below
- IPVS enabled for kube-proxy
The workaround is to apply the masquerade-all=true flag to kube-proxy to force it to apply the masquerade iptables rule.
Edit the cluster YAML and change services.kubeproxy.extra_args to reflect the following, then hit save:

    kubeproxy:
      extra_args:
        proxy-mode: ipvs
        masquerade-all: true

Once this is done, hairpin connectivity should be restored.
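
The pod-to-itself test described above can be scripted to confirm the problem before the change and the fix after it. This is an added example, not part of the original article; the function names are hypothetical, and it assumes kubectl access to the cluster and a pod image that ships an `nc` supporting -z and -w.

```shell
#!/bin/sh
# Added example: hairpin check for a pod that backs a service.
# Assumptions: kubectl can reach the cluster, and the pod image has an `nc`
# that supports -z and -w.

# is_backend NS POD SVC: 0 if POD's IP is one of SVC's endpoints.
is_backend() {
  local pod_ip eps
  pod_ip=$(kubectl -n "$1" get pod "$2" -o jsonpath='{.status.podIP}') || return 2
  eps=$(kubectl -n "$1" get endpoints "$3" -o jsonpath='{.subsets[*].addresses[*].ip}') || return 2
  [ -n "$pod_ip" ] || return 2
  case " $eps " in *" $pod_ip "*) return 0 ;; *) return 1 ;; esac
}

# hairpin_failures NS POD SVC [TRIES]: print how many connects failed.
# The service balances across endpoints, so one attempt may never reach the
# pod itself; several attempts make a hairpin failure show up.
hairpin_failures() {
  local ns="$1" pod="$2" svc="$3" tries="${4:-10}" ip port fails=0 i=0
  ip=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.spec.clusterIP}') || return 2
  port=$(kubectl -n "$ns" get svc "$svc" -o jsonpath='{.spec.ports[0].port}') || return 2
  while [ "$i" -lt "$tries" ]; do
    kubectl -n "$ns" exec "$pod" -- nc -z -w 3 "$ip" "$port" >/dev/null 2>&1 ||
      fails=$((fails + 1))
    i=$((i + 1))
  done
  echo "$fails"
}

# check_hairpin NS POD SVC [TRIES]: 0 = OK, 1 = failures seen, 2 = not testable.
check_hairpin() {
  local fails
  is_backend "$1" "$2" "$3" || { echo "SKIP: $2 is not an endpoint of $3"; return 2; }
  fails=$(hairpin_failures "$@") || return 2
  if [ "$fails" -gt 0 ]; then
    echo "FAIL: $fails connection(s) from $2 to service $3 failed"
    return 1
  fi
  echo "OK: $2 reached service $3 on every attempt"
}

# Run the check only when arguments are supplied.
if [ "$#" -ge 3 ]; then check_hairpin "$@"; fi
```

Run it as `sh script.sh NAMESPACE POD SERVICE` on a node that was rebooted after IPVS was enabled; a service with a single endpoint gives the clearest result, because every attempt is then a hairpin connection.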