feat(NSC): ensure rp_filter is set correctly

rp_filter on RedHat based OS's is often set to 1 instead of 2 which is more permissive and allows the outbound route for traffic to differ from the route of incoming traffic.
cloudnativelabs · Apr 24, 2024 · b423b1f · b423b1f
1 parent af1b07a
commit b423b1f
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/pkg/controllers/proxy/network_services_controller.go b/pkg/controllers/proxy/network_services_controller.go
@@ -289,6 +289,20 @@ func (nsc *NetworkServicesController) Run(healthChan chan<- *healthcheck.Control
 	// https://github.com/kubernetes/kubernetes/pull/70530/files
 	setSysCtlAndCheckError(utils.IPv4ConfAllArpAnnounce, arpAnnounceUseBestLocalAddress)
 
+	// Ensure rp_filter=2 for DSR capability, see:
+	// * https://access.redhat.com/solutions/53031
+	// * https://github.com/cloudnativelabs/kube-router/pull/1651#issuecomment-2072851683
+	if nsc.isIPv4Capable {
+		sysctlErr := utils.SetSysctlSingleTemplate(utils.IPv4ConfRPFilterTemplate, "all", 2)
+		if sysctlErr != nil {
+			if sysctlErr.IsFatal() {
+				klog.Fatal(sysctlErr.Error())
+			} else {
+				klog.Error(sysctlErr.Error())
+			}
+		}
+	}
+
 	// https://github.com/cloudnativelabs/kube-router/issues/282
 	err = nsc.setupIpvsFirewall()
 	if err != nil {