Windows Nodes cannot access pod's local PortMappings

[daschott]

What happened:
When node attempts to access its own local hostPort mapped to pod, traffic will never reach container networking stack but instead be dropped by TCP/IP stack.

What you expected to happen:
I would expect traffic to be routed from TCP/IP stack to container networking stack. To achieve this, we need to substitute the hcsshim.NatPolicy

This should be switched from V1 HNS to V2 HCN API and set LocalRoutedVIP flag. This will instrument the OS to add a route to the host which will make this traffic reach vSwitch.

Here is some sample code to replace the hcsshim.NatPolicy:

	natPolicy := hcn.PortMappingPolicySetting{
		InternalPort: portMappingPolicy.InternalPort,
		ExternalPort: portMappingPolicy.ExternalPort,
		Flags:        hcn.NatFlags(hcn.NatFlagsLocalRoutedVip),
	}
	switch portMappingPolicy.Protocol {
	case ProtocolTcp:
		natPolicy.Protocol = "TCP"
	case ProtocolUdp:
		natPolicy.Protocol = "UDP"
	}

How to reproduce it:

1. Deploy a Windows Node without NodePort service pods running on the node.
2. Deploy a pod with hostPort mapping.
3. From the Node, curl node_ip:hostPort
4. Observe traffic will be dropped by TCP/IP

Orchestrator and Version (e.g. Kubernetes, Docker):
Kubernetes

Operating System (Linux/Windows):
Windows Server 2022 + Windows Server 2019

Kernel (e.g. uanme -a for Linux or $(Get-ItemProperty -Path "C:\windows\system32\hal.dll").VersionInfo.FileVersion for Windows):

Anything else we need to know?:
[Miscellaneous information that will assist in solving the issue.]

[AbelHu]

@daschott what is the workaround if user hit this issue?

[daschott]

As a workaround, users can schedule a pod with NodePort service. HNS will then also add the same route.

[tamilmani1989]

will sync with @daschott on this today