Is your feature request related to a problem? Please describe.
At the moment preDNAT is not supported for GlobalNetworkPolicy object. This is one of the features that still do not have parity compared to Calico. All the GlobalNetworkPolicy objects that have preDNAT=true setup for now will be ignored as per:
There are situations where preDNAT support would be needed, especially in the cases where one would need to achieve adequate protection of k8s nodes (HostEndpoints).
Moreover, allowing GNP to have preDNAT=true will bring calico-vpp dp one step closer to the full parity to the feature set Calico would be using.
If we take a look at Calico recommendations when it comes to the node protection itself, preDNAT=true is a clear recommendation.
Describe the solution you'd like
The agent should process preDNAT=true and not ignore the GNP with rather unclear error messages. One should be able to have feature parity when it comes to preDNAT GNP config.
Describe alternatives you've considered
At the moment we do not see a way to achieve parity in a configuration that requires us to use Calico in some places and calico-vpp in others, and at the same time protect access from public locations towards restricted ports on the k8s nodes, w/o having preDNAT=true supported on the calico-vpp side.
Additional context
Talked to @sknat - decided to file this as a feature request to achieve the parity. We do understand that the preDNAT may add additional latency/lookups, but at the same time the value of achieving in this case the parity w/ Calico is something we would prefer to see.
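For reference, an added example (not part of the original issue and not taken from the calico-vpp project) of the kind of policy this request concerns: an upstream Calico pre-DNAT GlobalNetworkPolicy that limits NodePort access on host endpoints to a trusted range. The policy name, the `kubernetes-host` label and the 203.0.113.0/24 range are assumptions made for illustration.

```yaml
# Constructed example: name, label and CIDR are placeholders.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: restrict-nodeports-pre-dnat
spec:
  # Assumes each HostEndpoint carries the label "kubernetes-host".
  selector: has(kubernetes-host)
  order: 10
  # Evaluate before DNAT, so rules match the node IP and NodePort the
  # client actually connected to, not the translated pod IP and port.
  preDNAT: true
  # Calico requires applyOnForward for pre-DNAT policies, so the rules
  # also cover traffic that is forwarded on to a pod after translation.
  applyOnForward: true
  # Pre-DNAT policies may contain ingress rules only (no egress rules).
  ingress:
    # Allow the trusted management range to reach NodePort services.
    - action: Allow
      protocol: TCP
      source:
        nets:
          - 203.0.113.0/24
      destination:
        ports:
          - "30000:32767"
    # Deny every other source to the same port range.
    - action: Deny
      protocol: TCP
      destination:
        ports:
          - "30000:32767"
```

Without pre-DNAT evaluation, a rule written against the NodePort range does not match once the destination has been rewritten to the backing pod, which is why the restriction has to be expressed this way for host endpoints.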