Skip to content
This repository has been archived by the owner on Sep 8, 2022. It is now read-only.

L7 traffic examples need tunnelling datapath mode #9

Open
lizrice opened this issue Dec 16, 2021 · 1 comment
Open

L7 traffic examples need tunnelling datapath mode #9

lizrice opened this issue Dec 16, 2021 · 1 comment
Assignees
@jrajahalme

Comments

@lizrice
Copy link
Member

lizrice commented Dec 16, 2021

In direct routing datapath mode, traffic from the Envoy host process is not being subjected correctly to datapath processing. The symptoms are

  • Lack of L7 visibility for traffic from the proxy (for example, load-balanced traffic)
  • Failure to enforce network policy for these flows

The workaround is to run Cilium in tunnelling database mode, using --datapath-mode=vxlan on the cilium install command.

Seen on GKE and EKS.
@gkjsa
Copy link

gkjsa commented Feb 2, 2022

Same on AKS. When using datapath-mode=azure (by detection) it won't route traffic. vxlan works.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@jrajahalme jrajahalme

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lizrice @jrajahalme @gkjsa