Hi,

Sorry; missed the response since it wasn't sent to the list...

If the pod's outgoing traffic isn't SNAT-ed, does the thing that the
pod is sending to know how to get the reply back to the pod via the
node?

Or is this just one-way pod -> external?

The main issue is we would need to figure out how exactly to specify
which pods get the exclusion, and what the object that describes the
exclusion looks like, e.g. a Custom Resource with a list of excluded
CIDRs perhaps, that pods could select via annotations maybe. Or,
instead of annotations (which are generally frowned upon for stuff like
this), a label selector for the custom resource that matches against
pods that should have the exclusions that the CR defines.

For the technical side, probably just adding NAT objects and setting
them on the Gateway logical router where the NAT logical_ip is the pod
IP, and the external_ip is the node IP, and exempted_ext_ips pointing
to an AddressSet containing the list of CIDRS to exclude from SNAT,
taken from the custom resource. Or something like that.

Would you be interested in joining our ovn-kubernetes community meeting
to discuss your use case more? They happen every even-numbered week
(so, next week) at 4PM US Eastern. If so, I can add you to the agenda.

Thanks,
Dan


On Thu, 2023-03-09 at 16:26 +0100, Charles Gibert wrote:
> Does that help answer the question?
> 
> On Thu, 9 Mar 2023 at 16:09, Dan Williams <d...@redhat.com> wrote:
> > On Wed, 2023-03-08 at 14:03 +0100, Charles Gibert via discuss wrote:
> > > Hi all,
> > > 
> > > I am not sure this is the right place to ask about this, but here I go.
> > > I was wondering if ovn-kubernetes has some similar way to achieve what
> > > the Calico CNI does to disable NAT in egress.
> > > 
> > > The Calico CNI or the AWS CNI have a way to disable NAT for a given
> > > CIDR like this:
> > > https://github.ibm.com/palmetto/gateway/blob/develop/doc/k8s/vm.md#identity-ip-preservation-cni
> > > Basically, you can play with a couple of environment variables:
> > > * AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS
> > > * AWS_VPC_K8S_CNI_EXTERNALSNAT
> > > I have been playing with openvswitch and the ovn CNI and I cannot
> > > find an equivalent.
> > > 
> > > Sure, you can play with the northbound database, remove the pod SNAT
> > > that you want to remove and add some policies to the
> > > ovn_cluster_router, but packets seem to eventually drop when exiting
> > > the node.
> > > 
> > > Would you have some pointers for me to achieve the same functionality
> > > as Calico or the AWS CNI, but with OVN?
> > 
> > ovnkube does not currently have a way to send traffic out of a node
> > without SNAT only if the destination is a specific subnet.
> > 
> > It does have a feature to send all traffic for specific namespaces to
> > an external gateway(s) without SNAT, optionally using ECMP for
> > redundancy/balancing. You might be able to just specify the IP of the
> > cluster's default gateway (assuming all nodes are on the same L2) to do
> > what you want (though for all traffic, not specific subnets).
> > 
> > This uses the "k8s.ovn.org/routing-external-gws" Namespace annotation
> > whose value is a comma-separated list of IPv4 and/or IPv6 addresses.
> > 
> > If you're interested in adding a feature to limit this to only specific
> > destination CIDRs, others might find it useful.
> > 
> > Does that help answer the question?
> > 
> > Dan
> > 
> > > 
> > > Thanks in advance, and best regards,
> > > 
> > > Charles
> > > 
> > > _______________________________________________
> > > discuss mailing list
> > > disc...@openvswitch.org
> > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> > 

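The northbound-database change Dan sketches above (a per-pod SNAT on the node's gateway logical router with logical_ip = pod IP, external_ip = node IP, and exempted_ext_ips pointing at an Address_Set of destination CIDRs), written out as an added example driven by ovn-nbctl. This is editor-supplied code, not part of ovn-kubernetes or of anyone's message in this thread; the router name GR_worker-1, the pod IP 10.244.1.5, the node IP 192.0.2.11 and the set name no_snat_pod_a are placeholders. It only edits the NB database: it does nothing about the return path Dan asks about, so the destinations in the exempted CIDRs still need a route back to the pod IP via the node.

```shell
#!/bin/sh
# Added example (not ovn-kubernetes code): exempt a pod's traffic towards a
# list of destination CIDRs from SNAT on the node's gateway router, using
# the NAT.exempted_ext_ips column. Everything else from the pod is still
# SNATed to the node IP by the per-pod snat row this creates.
# Placeholders (assumptions): GR_worker-1, 10.244.1.5, 192.0.2.11,
# no_snat_pod_a. NBCTL can be overridden, e.g. to point at a remote NB DB:
# NBCTL="ovn-nbctl --db=tcp:10.0.0.1:6641"
NBCTL="${NBCTL:-ovn-nbctl}"

# Turn "10.0.0.0/8 172.16.0.0/12" into the quoted set syntax ovn-nbctl
# needs for a string-set column: "10.0.0.0/8","172.16.0.0/12" ('/' is not
# allowed in an unquoted OVSDB atom). Bare addresses are rejected so a typo
# cannot silently widen or narrow the exemption.
cidr_list() {
  out=""
  for c in "$@"; do
    case "$c" in
      */*) ;;
      *) echo "cidr_list: '$c' is not a CIDR" >&2; return 1 ;;
    esac
    out="${out:+$out,}\"$c\""
  done
  printf '%s' "$out"
}

# Create the Address_Set of exempted destinations, or update it if it
# already exists. Prints the set's UUID.
ensure_exempt_set() {
  name=$1; shift
  addrs=$(cidr_list "$@") || return 1
  uuid=$($NBCTL --bare --columns=_uuid find Address_Set name="$name" | head -n 1)
  if [ -n "$uuid" ]; then
    $NBCTL set Address_Set "$uuid" addresses="$addrs" >/dev/null
  else
    uuid=$($NBCTL create Address_Set name="$name" addresses="$addrs")
  fi
  printf '%s' "$uuid"
}

# Add the per-pod snat row (external_ip = node IP, logical_ip = pod IP) on
# the gateway router and attach the exemption. Prints the NAT row's UUID.
exempt_pod_snat() {
  router=$1 node_ip=$2 pod_ip=$3 set_name=$4; shift 4
  as_uuid=$(ensure_exempt_set "$set_name" "$@") || return 1
  $NBCTL --may-exist lr-nat-add "$router" snat "$node_ip" "$pod_ip" >/dev/null
  # NAT rows live in one global table and are referenced from the router's
  # "nat" column; matching on (pod IP, node IP) is enough because that pair
  # is unique in a cluster.
  nat_uuid=$($NBCTL --bare --columns=_uuid find NAT type=snat \
             logical_ip="$pod_ip" external_ip="$node_ip" | head -n 1)
  [ -n "$nat_uuid" ] || { echo "no snat row for $pod_ip on $router" >&2; return 1; }
  $NBCTL set NAT "$nat_uuid" exempted_ext_ips="$as_uuid" >/dev/null
  printf '%s' "$nat_uuid"
}

# Stand-alone run: pod 10.244.1.5 on worker-1 keeps its own source address
# towards 10.0.0.0/8 and 172.16.0.0/12 and is SNATed to 192.0.2.11 otherwise.
if [ "${1:-}" = "--apply" ]; then
  nat=$(exempt_pod_snat GR_worker-1 192.0.2.11 10.244.1.5 no_snat_pod_a \
        10.0.0.0/8 172.16.0.0/12) || exit 1
  # Verify: the row should show the pod IP, the node IP and the set UUID.
  $NBCTL --columns=type,logical_ip,external_ip,exempted_ext_ips list NAT "$nat"
  $NBCTL lr-nat-list GR_worker-1
fi
```

Run it with `--apply` against a live northbound database; `ovn-nbctl lr-nat-del GR_worker-1 snat 10.244.1.5` undoes the NAT row (the Address_Set stays and has to be destroyed separately). The match in exempt_pod_snat checks the direction that matters for SNAT: exempted_ext_ips is compared against the destination IP, so only traffic to the listed CIDRs leaves with the pod IP as source, which is what the Calico and AWS CNI knobs Charles mentions do.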