# Istio

## Introduction
In the context of Istio, when Spiderpool is used to configure the network of service mesh applications with an Underlay network, traffic may fail to be intercepted by Istio. This is because:

- Traffic destined for a service mesh Pod is forwarded through the Pod's veth0 network interface (created by Spiderpool), and is then redirected to the sidecar container by the iptables redirect rules that Istio installs. However, iptables redirect rules require the receiving network interface to have an IP address configured; otherwise the kernel silently drops the packet.
- By default, Spiderpool does not configure an IP address on the veth0 network interface of Pods using the Underlay network, so traffic destined for the service mesh is dropped.

Refer to Issue #3568. To solve this problem, Spiderpool provides the configuration option `vethLinkAddress`, which configures a link-local address on the veth0 network interface.
## How to Configure

1. When installing Spiderpool with Helm, you can enable this feature with the following commands:

    ```bash
    helm repo add spiderpool https://spidernet-io.github.io/spiderpool
    helm repo update spiderpool
    kubectl create namespace spiderpool
    helm install spiderpool spiderpool/spiderpool -n spiderpool --set coordinator.vethLinkAddress=169.254.100.1
    ```

    - `vethLinkAddress` must be a valid IP address.
    - If you are a user in China, you can specify the parameter `--set global.imageRegistryOverride=ghcr.m.daocloud.io` to use a domestic image source.
2. After installation, check the configuration of the Spidercoordinator to ensure that `vethLinkAddress` is configured correctly:

    ```yaml
    ~# kubectl get spidercoordinators.spiderpool.spidernet.io default -o yaml
    apiVersion: spiderpool.spidernet.io/v2beta1
    kind: SpiderCoordinator
    metadata:
      creationTimestamp: "2024-10-30T08:31:09Z"
      finalizers:
      - spiderpool.spidernet.io
      generation: 7
      name: default
      resourceVersion: "195405"
      uid: 8bdceced-15db-497b-be07-81cbcba7caac
    spec:
      detectGateway: false
      detectIPConflict: false
      hijackCIDR:
      - 169.254.0.0/16
      podRPFilter: 0
      hostRPFilter: 0
      hostRuleTable: 500
      mode: auto
      podCIDRType: calico
      podDefaultRouteNIC: ""
      vethLinkAddress: 169.254.100.1
      podMACPrefix: ""
      tunePodRoutes: true
    status:
      overlayPodCIDR:
      - 10.222.64.0/18
      - 10.223.64.0/18
      phase: Synced
      serviceCIDR:
      - 10.233.0.0/18
    ```
3. If you have already installed Spiderpool, you can directly modify `vethLinkAddress` in the Spidercoordinator:

    ```bash
    kubectl patch spidercoordinators default --type='merge' -p '{"spec": {"vethLinkAddress": "169.254.100.1"}}'
    ```
4. Step 3 sets the default for the whole cluster. If you do not want the entire cluster to configure `vethLinkAddress` by default, you can configure it for a single network interface instead:

    ```bash
    MACVLAN_MASTER_INTERFACE="eth0"
    cat <<EOF | kubectl apply -f -
    apiVersion: spiderpool.spidernet.io/v2beta1
    kind: SpiderMultusConfig
    metadata:
      name: macvlan-conf
      namespace: kube-system
    spec:
      cniType: macvlan
      macvlan:
        master:
        - ${MACVLAN_MASTER_INTERFACE}
      coordinator:
        vethLinkAddress: 169.254.100.1
    EOF
    ```
## Verification

After creating the application, check whether the Pod's veth0 network interface has been configured with the IP address `169.254.100.1`:

```bash
~# kubectl exec -it <pod-name> -n <namespace> -- ip addr show veth0
```
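The following POSIX shell script is an added example and is not part of the Spiderpool documentation or project code. It covers two points from this page: the requirement that `vethLinkAddress` be a valid IP address (checked before it is passed to Helm), and the verification step, where the output of `ip addr show veth0` is parsed to confirm the expected address is present. The `ip addr show` output embedded in the script is constructed for illustration; on a real cluster you would feed in the output of the `kubectl exec` command above instead.

```shell
#!/bin/sh
# Added example, not part of the Spiderpool documentation: pre-flight and
# post-deployment checks around vethLinkAddress. The sample `ip addr show`
# output below is constructed for illustration.

# Returns 0 when $1 is a syntactically valid dotted-quad IPv4 address
# (four octets, each 0..255, no leading-zero padding), non-zero otherwise.
validate_veth_link_address() {
    addr="$1"
    case "$addr" in
        ""|*[!0-9.]*) return 1 ;;   # empty, or a character that is neither digit nor dot
    esac
    saved_ifs="$IFS"
    IFS='.'
    set -- $addr                    # split into octets; only digits remain, so no glob risk
    IFS="$saved_ifs"
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1          # rejects "169..254.1"
        [ "${#octet}" -le 3 ] || return 1    # rejects "0255"
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 when $1 lies in the IPv4 link-local block 169.254.0.0/16, which is
# the range a veth0 link-local address is expected to come from.
is_link_local() {
    case "$1" in
        169.254.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every IPv4 address (prefix length stripped) found in `ip addr show`
# style text read from stdin, one per line.
extract_inet_addrs() {
    awk '$1 == "inet" { sub(/\/.*/, "", $2); print $2 }'
}

# Returns 0 when the `ip addr show veth0` output passed as $1 carries the
# IPv4 address $2 (exact, fixed-string, whole-line match).
veth0_has_address() {
    printf '%s\n' "$1" | extract_inet_addrs | grep -qxF -- "$2"
}

# Constructed sample output: veth0 with the link-local address configured.
SAMPLE_VETH0_WITH_ADDR='3: veth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 7a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff
    inet 169.254.100.1/32 scope link veth0
       valid_lft forever preferred_lft forever'

# Constructed sample output: veth0 with no IPv4 address (the default Underlay case).
SAMPLE_VETH0_NO_ADDR='3: veth0@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 7a:1b:2c:3d:4e:5f brd ff:ff:ff:ff:ff:ff'

# Stand-alone run: validate the value intended for --set coordinator.vethLinkAddress,
# then check whether the sample veth0 output already carries it.
main() {
    want="${1:-169.254.100.1}"
    validate_veth_link_address "$want" || { echo "invalid vethLinkAddress: $want" >&2; return 1; }
    is_link_local "$want" || echo "warning: $want is not in 169.254.0.0/16" >&2
    if veth0_has_address "$SAMPLE_VETH0_WITH_ADDR" "$want"; then
        echo "veth0 carries $want"
    else
        echo "veth0 is missing $want; traffic redirected by Istio would be dropped"
    fi
}

main "$@"
```

To run it against a live Pod, replace the sample text with `"$(kubectl exec <pod-name> -n <namespace> -- ip addr show veth0)"`; a non-zero return from `veth0_has_address` is the signal that the coordinator configuration from the steps above has not taken effect for that Pod.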