cluster: do not export metallb routes to mesh peers

This prevents metallb routes being announced from all peers to our ToR,
thereby preventing issues with traffic hitting services with
externalTrafficPolicy: local.

There still is the from-host loopback issue, but that will be fixed by
upgrading to kube 1.15.

Change-Id: Ifc9964b46840aee82d99f0b6550188550e46fe04
changes/53/453/2
q3k 2020-10-03 14:42:36 +02:00 committed by q3k
parent f0acf16564
commit c7de7e562f
1 changed files with 9 additions and 0 deletions


@ -1,13 +1,22 @@
# This is forked from bird.cfg.template from calico running on k0.hswaw.net on 2020/09/21.
# Changed vs. upstream (C-f HSCLOUD):
# - do not pass over RTD_UNREACHABLE routes obtained from mesh peers, to
# prevent them from being then passed over to ToRs. This prevents route leaks
# of metallb routes into ToRs from nodes that do not actually run that
# particular metallb service.
# - do not program RTD_UNREACHABLE routes into the kernel (these come from metallb, and
# programming them seems to break things)
# Generated by confd
filter calico_export_to_bgp_peers {
calico_aggr();
{{- $static_key := "/staticroutes"}}
{{- if ls $static_key}}
if ( proto ~ "Mesh_*" ) && ( dest = RTD_UNREACHABLE ) then { # HSCLOUD
reject;
}
# Export static routes.
{{- range ls $static_key}}
{{- $parts := split . "-"}}
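Review bot: the new reject rule is placed inside the `{{- if ls $static_key}}` template conditional, so bird only emits `if ( proto ~ "Mesh_*" ) && ( dest = RTD_UNREACHABLE ) then { # HSCLOUD ... reject; }` when confd has a `/staticroutes` key; on a node without static routes the filter is generated without the HSCLOUD block and the metallb route leak to the ToR that the commit message describes is not prevented there. Move the three-line reject block above `{{- if ls $static_key}}` (directly after `calico_aggr();`) so it is rendered unconditionally, and consider restating that in the header comment, which currently describes the change as applying to all mesh peers.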