Disable src/dst checks for Calico in IPv6 mode

kubernetes · Jun 19, 2021 · 9e587c7 · 9e587c7
1 parent 23ab07e
commit 9e587c7
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template
@@ -3886,7 +3886,7 @@ spec:
             # kops additions
             # Enable source/destination checks for AWS
             - name: FELIX_AWSSRCDSTCHECK
-              value: "{{- if and (eq .CloudProvider "aws") (.Networking.Calico.CrossSubnet) -}}Disable{{- else -}} {{- or .Networking.Calico.AWSSrcDstCheck "DoNothing" -}} {{- end -}}"
+              value: "{{ CalicoAWSSrcDstCheck }}"
             # Enable eBPF dataplane mode
             - name: FELIX_BPFENABLED
               value: "{{ .Networking.Calico.BPFEnabled }}"

diff --git a/upup/pkg/fi/cloudup/template_functions.go b/upup/pkg/fi/cloudup/template_functions.go
@@ -172,6 +172,16 @@ func (tf *TemplateFunctions) AddTo(dest template.FuncMap, secretStore fi.SecretS
 			}
 			return "Always"
 		}
+		dest["CalicoAWSSrcDstCheck"] = func() string {
+			if kops.CloudProviderID(cluster.Spec.CloudProvider) == kops.CloudProviderAWS {
+				if c.AWSSrcDstCheck != "" {
+					return c.AWSSrcDstCheck
+				} else if cluster.Spec.IsIPv6Only() || c.CrossSubnet {
+					return "Disable"
+				}
+			}
+			return "DoNothing"
+		}
 	}
 
 	if cluster.Spec.Networking != nil && cluster.Spec.Networking.Cilium != nil {