The default settings that kubeadm + calico use are to NAT any incoming connection that is not from a pod_ip.

I have calico publishing the service network to my outside LAN, and would rather the service pods utilize the actual client IPs and not a translated IP.

Specifically, it adds

-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ

to iptables.

Although this isn't an immediate concern, it does raise the risk of ephemeral port exhaustion in the future, and it makes it harder in general to trace connections and to log the clients accessing my web services.

Matt Ruge

1 Answer

With some help from the Calico Slack, I figured it out.

Short answer: it is doing what it needs to do; leave it alone.

Eloquent answer:

https://www.asykim.com/blog/deep-dive-into-kubernetes-external-traffic-policies

Matt Ruge
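An added audit helper, not part of the question, the answer, or the Calico/Kubernetes projects, that parses KUBE-SERVICES rules in the form quoted in the question and reports whether a given client-to-cluster-IP connection would keep its real source address or be marked for SNAT. The second rule in SAMPLE_RULES is constructed, and the parser assumes every option appearing in these rules takes exactly one argument.

```python
import ipaddress
import shlex
# Rule quoted in the question, plus a second constructed rule for another service.
SAMPLE_RULES = """\
-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.160.251/32 -p tcp -m comment --comment "telemetry/pipeline-cdn:http cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES ! -s 172.16.0.0/16 -d 172.20.7.9/32 -p tcp -m comment --comment "default/example-api:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
"""
def parse_rule(line):
    """Parse one iptables-save line; returns None unless it is a KUBE-SERVICES rule."""
    toks = shlex.split(line)  # shlex keeps the quoted --comment value as one token
    if toks[:2] != ["-A", "KUBE-SERVICES"]:
        return None
    rule = dict(src=None, src_negated=False, dst=None, proto=None, dport=None, comment="", target=None)
    negate, i = False, 2
    while i < len(toks):
        tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if tok == "!":  # '!' negates the option that follows it
            negate, i = True, i + 1
            continue
        if tok == "-s":
            rule["src"], rule["src_negated"] = ipaddress.ip_network(arg), negate
        elif tok == "-d":
            rule["dst"] = ipaddress.ip_network(arg)
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "--dport":
            rule["dport"] = int(arg)
        elif tok == "--comment":
            rule["comment"] = arg
        elif tok == "-j":
            rule["target"] = arg
        negate, i = False, i + 2  # assumption: every option in these rules takes one argument
    return rule

def masq_rules(text):
    """All KUBE-SERVICES rules whose target is KUBE-MARK-MASQ (the SNAT marker)."""
    return [r for r in map(parse_rule, text.splitlines()) if r and r["target"] == "KUBE-MARK-MASQ"]

def client_ip_preserved(rules, client_ip, dst_ip, dport, proto="tcp"):
    """False if the connection matches a masquerade rule (kube-proxy will SNAT it), else True."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["dst"] is not None and dst not in r["dst"]:
            continue
        if (r["proto"] and r["proto"] != proto) or (r["dport"] is not None and r["dport"] != dport):
            continue
        if r["src"] is not None and (src in r["src"]) == r["src_negated"]:
            continue  # '! -s CIDR' matches only sources outside the CIDR, plain '-s' only inside
        return False
    return True
```

Feed it the output of `iptables-save -t nat` to list which services will show a translated client address in pod logs.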