forked from siderolabs/pkgs
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fixes: siderolabs#1028

INET_DIAG_DESTROY is used by CNIs such as Cilium to terminate connections in other containers. KSPP recommends disabling it due to "Prior to v4.1, assists heap memory attacks; best to keep interface disabled.". Linux 4.1 was almost 10 years ago and Cilium with their eBPF-based kube-proxy replacement is widely used by the community, and not having this enabled leads to weird networking issues (e.g. when coredns pods get a different IP due to deployment restarts, UDP DNS clients keep sending connections to the old IP).

Signed-off-by: Ströger Florian <[email protected]>
Signed-off-by: Noel Georgi <[email protected]>
1 parent c9f7eb9, commit 79a4f92
Showing 3 changed files with 14 additions and 2 deletions.