On Wed, 2023-03-08 at 14:03 +0100, Charles Gibert via discuss wrote:
> Hi all,
> 
> I am not sure this is the right place to ask about this, but here I go. I
> was wondering if ovn-kubernetes has some similar way to achieve what
> the Calico CNI does to disable NAT in egress.
> 
> The Calico CNI or the AWS CNI have a way to disable NAT for a given
> CIDR like
> this https://github.ibm.com/palmetto/gateway/blob/develop/doc/k8s/vm.
> md#identity-ip-preservation-cni. And basically, you can play with
> a couple of environment variables:
> * AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS
> * AWS_VPC_K8S_CNI_EXTERNALSNAT
> I have been playing with openvswitch and the ovn CNI and I cannot
> find an equivalent.
> 
> Sure you can play with the northbound database, remove the pod snat
> that you want to remove and add some policies to the
> ovn_cluster_router, but packets seem to eventually drop when exiting
> the node.
> 
> Would you have some pointers for me to achieve the same functionality
> as Calico or the AWS CNI but with OVN?

ovnkube does not currently have a way to send traffic out of a node
without SNAT only if the destination is a specific subnet.

It does have a feature to send all traffic for specific namespaces to
an external gateway(s) without SNAT, optionally using ECMP for
redundancy/balancing. You might be able to just specify the IP of the
cluster's default gateway (assuming all nodes are on the same L2) to do
what you want (though for all traffic not specific subnets).

This uses the "k8s.ovn.org/routing-external-gws" Namespace annotation
whose value is a comma-separated list of IPv4 and/or IPv6 addresses.

If you're interested in adding a feature to limit this to only specific
destination CIDRs others might find it useful.

Does that help answer the question?

Dan

> 
> Thanks in advance, and best regards,
> 
> Charles
> 
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
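A small helper for the per-namespace annotation Dan describes, as an added example that is not part of the thread and not ovn-kubernetes code. It validates the comma-separated value (IPv4 and/or IPv6 addresses, rejecting CIDR notation since the annotation names gateway addresses, not destination subnets), builds the Namespace object, and builds the matching `kubectl annotate` command. The namespace name `no-snat-workloads` and the gateway addresses in the sample are constructed; 192.0.2.1 stands in for the cluster's default gateway, which Dan's reply assumes is reachable from all nodes on the same L2.

```python
"""Build and sanity-check the k8s.ovn.org/routing-external-gws annotation.

Added example for the thread above; this is not ovn-kubernetes code.
The annotation value format (comma-separated IPv4/IPv6 addresses) is
taken from Dan's reply; the validation rules here are this helper's own.
"""
import ipaddress
import json

ANNOTATION = "k8s.ovn.org/routing-external-gws"


def parse_external_gws(value: str) -> list[str]:
    """Split the annotation value into a list of validated gateway IPs.

    Raises ValueError for an empty entry, for CIDR notation (the
    annotation takes gateway addresses, not destination subnets, which
    is exactly the limitation Dan points out), and for anything the
    stdlib cannot parse as an IPv4 or IPv6 address.
    """
    gateways = []
    for raw in value.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in annotation value {value!r}")
        if "/" in item:
            raise ValueError(
                f"{item!r} is a CIDR; the annotation wants gateway IPs, "
                "not destination subnets"
            )
        try:
            addr = ipaddress.ip_address(item)
        except ValueError as exc:
            raise ValueError(f"{item!r} is not an IPv4/IPv6 address") from exc
        gateways.append(str(addr))  # normalised form, e.g. no leading zeros
    return gateways


def namespace_manifest(name: str, gateways: list[str]) -> dict:
    """Return a Namespace object carrying the annotation (all traffic from
    pods in this namespace is sent to these gateways without SNAT)."""
    return {
        "apiVersion": "v1",
        "kind": "Namespace",
        "metadata": {
            "name": name,
            "annotations": {ANNOTATION: ",".join(gateways)},
        },
    }


def kubectl_annotate_cmd(namespace: str, gateways: list[str]) -> list[str]:
    """Return the argv for applying the annotation to an existing namespace."""
    return [
        "kubectl", "annotate", "namespace", namespace,
        f"{ANNOTATION}={','.join(gateways)}", "--overwrite",
    ]


if __name__ == "__main__":
    # Constructed sample: one IPv4 and one IPv6 gateway (documentation
    # ranges), plus a CIDR that the validator must refuse.
    gws = parse_external_gws("192.0.2.1, 2001:db8::1")
    print(json.dumps(namespace_manifest("no-snat-workloads", gws), indent=2))
    print(" ".join(kubectl_annotate_cmd("no-snat-workloads", gws)))
    try:
        parse_external_gws("192.0.2.0/24")
    except ValueError as err:
        print("rejected:", err)
```

Use the manifest with `kubectl apply -f`, or run the generated `kubectl annotate` line against an existing namespace. Note what the helper does not do: it cannot express "no SNAT only for destination CIDR X", because the annotation has no such field; per Dan's reply, ECMP over several gateways is the only extra knob, obtained by listing more than one address.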
