mirror of
https://github.com/outbackdingo/kubernetes.git
synced 2026-01-27 18:19:28 +00:00
A packet can traverse the service-xxxx chains by matching on either the service-ips or the service-nodeports verdict map. We masquerade off-cluster traffic to ClusterIP (when masqueradeAll = false) by adding a rule in service-xxxx which checks if the destination IP is the ClusterIP, port and protocol match the service spec, and the source IP doesn't belong to the PodCIDR, and masquerades on match. If the packet reaches the service chain by a match on the service-ips map, then ClusterIP, port and protocol already match the service spec. If it comes via the external-xxxx chain, then the destination IP will never be the ClusterIP. Therefore, we can simplify the masquerade-off-cluster-traffic-to-ClusterIP check by simply matching on destination IP and source IP.

Signed-off-by: Daman Arora <aroradaman@gmail.com>
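The reasoning above, as a constructed nftables illustration added here (not kube-proxy's generated ruleset and not part of the commit): the verdict map already pins destination IP, protocol and port before a service chain runs, so the masquerade rule only needs the destination and source IP checks. The chain and map names are taken from the message; the ClusterIP 10.96.0.10, port 53 and pod CIDR 10.244.0.0/16 are sample values, and the 0x4000 mark mimics the mark-then-masquerade pattern rather than masquerading in the service chain directly.

```nft
# Constructed example: assumes ClusterIP 10.96.0.10/tcp/53 and pod CIDR 10.244.0.0/16.
table ip kube-proxy-example {
    # Before: the rule re-checks port and protocol that the map lookup already
    # guaranteed when it dispatched the packet to this chain.
    chain service-xxxx-before {
        ip daddr 10.96.0.10 tcp dport 53 ip saddr != 10.244.0.0/16 meta mark set 0x4000
    }

    # After: only destination and source IP are needed. A packet reaches this chain
    # either via the service-ips map (ClusterIP, protocol and port all matched) or
    # via the external-xxxx chain (where the destination is never the ClusterIP).
    chain service-xxxx {
        ip daddr 10.96.0.10 ip saddr != 10.244.0.0/16 meta mark set 0x4000
    }

    # Verdict map keyed on destination IP . protocol . destination port.
    map service-ips {
        type ipv4_addr . inet_proto . inet_service : verdict
        elements = { 10.96.0.10 . tcp . 53 : goto service-xxxx }
    }

    # Dispatch: a packet only enters service-xxxx if the full key matched.
    chain services {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr . meta l4proto . th dport vmap @service-ips
    }

    # Marked (off-cluster) packets are masqueraded on the way out.
    chain masquerading {
        type nat hook postrouting priority srcnat; policy accept;
        meta mark & 0x4000 == 0x4000 masquerade
    }
}
```

Load with `nft -f` on a scratch host to compare `nft list chain ip kube-proxy-example service-xxxx-before` against the simplified chain.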