submariner: Submariner doesn't work with Calico CNI

Calico CNI supports several networking modes.

  • First, I checked the IP-in-IP or VXLAN encapsulation.

After a successful Submariner installation (disable-nat), I was able to ping from a pod which is colocated with the Submariner gateway to pods on another cluster, but was not able to ping services. Pings from a pod which is not colocated with the GW reached neither pods nor services on another cluster.

  • After that I checked the BGP peering mode. In this case I was able to ping only from a pod colocated with a GW to pods colocated with another GW on the second cluster.

Looks like Calico puts its rules before submariner’s in iptables.

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
cali-POSTROUTING  all  --  anywhere             anywhere             /* cali:O3lYWMrLQYEMJtB5 */
SUBMARINER-POSTROUTING  all  --  anywhere             anywhere            
KUBE-POSTROUTING  all  --  anywhere             anywhere             /* kubernetes postrouting rules */
MASQUERADE  all  --  172.17.0.0/16        anywhere  

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 18 (12 by maintainers)

Most upvoted comments

@sridhargaddam yes, that IP pool looks right to me! Assuming my understanding of the issue is correct, that should configure Calico to stop performing NAT on traffic destined to pods in the other cluster.
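For readers following the thread, this is the kind of Calico IP pool the comment above refers to. It is an added example, not the manifest posted in the issue. The pool names and CIDRs are placeholders for the remote cluster's pod and service ranges and must be replaced with the real values.

```yaml
# Added example. Names and CIDRs are placeholders, not values from the issue.
# Created on the LOCAL cluster, one pool per REMOTE cluster CIDR.
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: remote-cluster-pods        # hypothetical name
spec:
  cidr: 10.2.0.0/16                # placeholder: remote cluster pod CIDR
  # Calico masquerades pod traffic only when the destination is outside
  # every Calico IP pool. Declaring the remote range as a pool makes
  # Calico treat it as a pool destination, so natOutgoing on the local
  # pool no longer rewrites the source address of traffic sent there.
  natOutgoing: false
  # Disabled pools are never used by Calico IPAM, so no local pod
  # receives an address from the remote cluster's range.
  disabled: true
---
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  name: remote-cluster-services    # hypothetical name
spec:
  cidr: 100.2.0.0/16               # placeholder: remote cluster service CIDR
  natOutgoing: false
  disabled: true
```

The manifest can be applied with `calicoctl apply -f`, and the same pair of pools is needed on the other cluster with that cluster's view of the remote CIDRs.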