Cilium v1.8 Documentation
resources outside the cluster (e.g., VMs in the VPC or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the VPC IP address of the Kubernetes worker node. Excluding the lines for global { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" }
0 credits | 1124 pages | 21.33 MB | 1 year ago

Cilium v1.9 Documentation
resources outside the cluster (e.g., VMs in the VPC or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the VPC IP address of the Kubernetes worker node. Excluding the lines for eni=true }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } "/etc/cni/net.d/calico-kubeconfig" } }, { "type": "portmap", "snat": true, "capabilities": {"portMappings": true} }, { "type": "cilium-cni"
0 credits | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.10 Documentation
resources outside the cluster (e.g., VMs in the VPC or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the VPC IP address of the Kubernetes worker node. Excluding the lines for eni.enabled=true }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } "/etc/cni/net.d/calico-kubeconfig" } }, { "type": "portmap", "snat": true, "capabilities": {"portMappings": true} }, { "type": "cilium-cni"
0 credits | 1307 pages | 19.26 MB | 1 year ago

Cilium v1.11 Documentation
resources outside the cluster (e.g., VMs in the VPC or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the VPC IP address of the Kubernetes worker node. To set up Cilium overlay mode default). 2. Flush iptables rules added by VPC CNI iptables -t nat -F AWS-SNAT-CHAIN-0 \\ && iptables -t nat -F AWS-SNAT-CHAIN-1 \\ && iptables -t nat -F AWS-CONNMARK-CHAIN-0 \\ && iptables -t }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" }
0 credits | 1373 pages | 19.37 MB | 1 year ago

Cilium's Network Acceleration Secrets
driver kube-proxy DNAT kube-proxy SNAT worker node nodePort request backend endpoint tc eBPF NAT XDP eBPF NAT DSR Accelerating north-south nodePort access Traditional nodePort forwarding is accompanied by SNAT, whereas Cilium provides nodePort with native redirect_neigh step1 client -> node1 : nodePort step3 client -> pod2 : targetPort native DSR DNAT and No SNAT step4 pod2:targetPort -> client step6 node2 : nodePort -> client client step5 node2 : nodePort
0 credits | 14 pages | 11.97 MB | 1 year ago

Cilium v1.7 Documentation
resources outside the cluster (e.g., VMs in the VPC or AWS managed services) is masqueraded (i.e., SNAT) by Cilium to use the VPC IP address of the Kubernetes worker node. Excluding the lines for global }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" }
0 credits | 885 pages | 12.41 MB | 1 year ago

Cilium v1.6 Documentation
{ "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } }, { "type": "portmap", "capabilities": {"portMappings": true}, "snat": true }, { "name": "cilium", "type": "cilium-cni" } "/etc/cni/net.d/calico-kubeconfig" } }, { "type": "portmap", "snat": true, "capabilities": {"portMappings": true} }, { "type": "cilium-cni"
0 credits | 734 pages | 11.45 MB | 1 year ago

North-South Load Balancing of Kubernetes Services with eBPF/XDP
svc = bpf_map_lookup_elem(..); if (svc) { b = select_backend(svc); dnat(skb, b); snat(skb); redirect(skb); } } CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=122201
0 credits | 11 pages | 444.46 KB | 1 year ago

Cilium v1.5 Documentation
EKS cluster "ridiculous-gopher-1548608219" in "us-west-2" region is re Disable SNAT in aws-node agent Disable the SNAT behavior of the aws-node DaemonSet which causes all traffic leaving a node to be ACCEPT POSTROUTING (mangle) CILIUM_POST_mangle CILIUM_POST_nat ! -s HOST_IP -o cilium_host -j SNAT --to-source HOST_IP -s NODE_CIDR ! -d NODE_CIDR ! -o cilium_+ -j MASQUERADE iptables Rules Overview
0 credits | 740 pages | 12.52 MB | 1 year ago
9 results in total