By default the platform firewall for Kubernetes traffic
is configured to apply NAT on outgoing traffic generated
inside the K8s cluster only for TCP ports.
The outgoing traffic of other protocols (e.g. UDP, ICMP)
is leaving the system without NAT. When the traffic is
generated on worker nodes the packages leave the system
with the internal management IP address.
Test Plan:
----------
PASS: CENTOS Standard fresh install.
PASS: Verify that the iptables "Kubernetes post-routing
rule" is updated to accept all protocols.
PASS: Verify src IP of outgoing traffic of UDP protocol
from worker nodes (e.g. sending SNMP traps).
Reviewed: https://review.opendev.org/c/starlingx/stx-puppet/+/849452
Committed: https://opendev.org/starlingx/stx-puppet/commit/638e2292b52256943306d448f654baad15dd4b15
Submitter: "Zuul (22348)"
Branch: master
commit 638e2292b52256943306d448f654baad15dd4b15
Author: Jorge Saffe <email address hidden>
Date: Tue Jul 12 02:33:19 2022 -0400
Apply NAT on k8s outgoing pkgs for all protocols
Closes-Bug: 1981405
Signed-off-by: Jorge Saffe <email address hidden>
Change-Id: Id6d9465f318a8360ff5459d16255e8ce49dbdee9
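
The test-plan step "verify that the post-routing rule accepts all protocols" can be automated over `iptables-save` output. The following is an added example, not code from stx-puppet or from the commit; the sample rule, subnet, interface name and source address are constructed for illustration, and the helper names are hypothetical.

```python
import shlex

# Constructed iptables-save excerpt: subnet, interface, source address and
# comment text are made up for this example, not taken from StarlingX.
SAMPLE_BEFORE = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/16 ! -d 172.16.0.0/16 -o oam0 -p tcp -m comment --comment "constructed k8s post-routing rule" -j SNAT --to-source 10.10.10.3
COMMIT
"""
# Same rule with the protocol selector dropped, i.e. matching all protocols.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(" -p tcp", "")

NAT_TARGETS = {"SNAT", "MASQUERADE"}


def nat_rules(save_text, chain="POSTROUTING"):
    """Return (protocol, target, rule) for every source-NAT rule in nat/<chain>."""
    rules, table = [], None
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header such as "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith(f"-A {chain} "):
            continue
        tokens = shlex.split(line)        # keeps the quoted --comment as one token
        if "-j" not in tokens[:-1]:
            continue
        target = tokens[tokens.index("-j") + 1]
        if target not in NAT_TARGETS:
            continue
        proto = "all"                     # no -p means the rule matches any protocol
        if "-p" in tokens[:-1]:
            i = tokens.index("-p")
            negated = i > 0 and tokens[i - 1] == "!"
            proto = ("!" if negated else "") + tokens[i + 1].lower()
        rules.append((proto, target, line))
    return rules


def protocols_without_nat(save_text, wanted=("tcp", "udp", "icmp")):
    """Protocols in `wanted` that no source-NAT rule in POSTROUTING selects."""
    # Only the protocol selector is compared; -s/-d/-o matches are not evaluated.
    protos = [p for p, _, _ in nat_rules(save_text)]
    def covered(name):
        return any(p in ("all", name) or (p.startswith("!") and p[1:] != name)
                   for p in protos)
    return [name for name in wanted if not covered(name)]
```

On a live node the input would come from `iptables-save -t nat`; a non-empty result means traffic of those protocols can leave with its original internal source address.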