Disable uRPF check on lrp on container LS

uRPF check, which prevents evil endpoints from spoofing source IP address, needs to be disabled for logical router ports on logical switches with container ports in case of Kubernetes. This is to enable kubelet to perform health check. So in this scenario the kubelet runs on the minion and the container runs on the same minion. The packet from the kubelet hairpins back into the VM via the tier-1 router. Interestingly, the 'urpf_mode' property is only valid in the port create body when the router is either of type LogicalRouterUplinkPort or LogicalRouterDownlinkPort. The other two port types LogicalRouterLinkPortOnTIER0 and LogicalRouterLinkPortOnTier1 do not have 'urpf_mode' as their object properties, and passing them results in an API validation error. Hence in the code in the base LogicalRouterPort create method, we add the urpf_mode to the body only if it's not None. And we pass 'urpf_mode' only when creating the Downlink port, i.e. when attaching the logical router to the logical switch.

Change-Id: Ib266da6e6f232e78e07f8d6c56cb69606f2ee9fe
parent 4ce55c8608
commit 2181d94403
@ -380,7 +380,8 @@ class LogicalRouterPort(AbstractRESTResource):
resource_type,
logical_port_id,
address_groups,
edge_cluster_member_index=None):
edge_cluster_member_index=None,
urpf_mode=None):
body = {'display_name': display_name,
'resource_type': resource_type,
'logical_router_id': logical_router_id,
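Review bot: the new `urpf_mode=None` keyword on the base `LogicalRouterPort` create signature carries no documentation of its restriction; the commit message explains that NSX accepts the property only for `LogicalRouterUplinkPort` and `LogicalRouterDownlinkPort` and rejects it with a validation error for the two link port types, so a docstring or inline comment on the parameter stating "valid for uplink/downlink ports only, leave `None` for link ports" would keep the next caller from rediscovering that the hard way.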
@ -398,6 +399,8 @@ class LogicalRouterPort(AbstractRESTResource):
body['linked_logical_router_port_id'] = logical_port_id
if edge_cluster_member_index:
body['edge_cluster_member_index'] = edge_cluster_member_index
if urpf_mode:
body['urpf_mode'] = urpf_mode
return self._client.create(body=body)
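Review bot: `if urpf_mode:` is a truthiness test, whereas the commit message says the key is added "only if it's not None"; `if urpf_mode is not None:` matches that stated intent exactly and makes the reasoning explicit (the key must be absent from the body for link ports, not merely falsy). The preceding `if edge_cluster_member_index:` has the same pattern and would drop a legitimate index of 0, though that line is pre-existing and out of scope here.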
@ -143,7 +143,8 @@ class RouterLib(object):
tags,
ls_id,
logical_switch_port_id,
address_groups):
address_groups,
urpf_mode=None):
try:
port = self._router_port_client.get_by_lswitch_id(ls_id)
except exceptions.ResourceNotFound:
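Review bot: the `urpf_mode=None` parameter added to the `RouterLib` attach method is passed through with no mention of what values it takes or when a caller should set it; since the whole point of the change is to relax a spoofing guard for a specific case (container logical switches where kubelet health checks hairpin through the tier-1), a one-line comment on the parameter naming that intended use would make it less likely to be set on switches where the uRPF check should stay enabled.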
@ -153,7 +154,8 @@ class RouterLib(object):
tags,
nsx_constants.LROUTERPORT_DOWNLINK,
logical_switch_port_id,
address_groups)
address_groups,
urpf_mode=urpf_mode)
else:
return self._router_port_client.update(
port['id'], subnets=address_groups)
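Review bot: the `else:` branch, taken when a downlink port for `ls_id` already exists, calls `update(port['id'], subnets=address_groups)` without `urpf_mode`, so a caller passing `urpf_mode` for a switch that was attached earlier gets the setting silently ignored and the existing port keeps whatever uRPF mode it had. Either pass `urpf_mode` through to `update` as well (guarded by the same not-None check, since it is only valid on downlink ports) or document that the mode is applied only on first attach.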