From ec4a07f8ba33e317fe5cd89bb7345a7119d7694b Mon Sep 17 00:00:00 2001
From: jmgao
Date: Wed, 6 Dec 2017 11:14:22 +0800
Subject: [PATCH] =?UTF-8?q?bugfix:=20NetworkPolicy=20=E8=B7=A8=E8=8A=82?= =?UTF-8?q?=E7=82=B9=E5=A4=B1=E6=95=88=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 roles/kube-node/templates/kube-proxy.service.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/kube-node/templates/kube-proxy.service.j2 b/roles/kube-node/templates/kube-proxy.service.j2
index 0fe5223..6a680a3 100644
--- a/roles/kube-node/templates/kube-proxy.service.j2
+++ b/roles/kube-node/templates/kube-proxy.service.j2
@@ -4,13 +4,13 @@ Documentation=https://github.com/GoogleCloudPlatform/kubernetes
 After=network.target

 [Service]
+# kube-proxy 根据 --cluster-cidr 判断集群内部和外部流量,指定 --cluster-cidr 或 --masquerade-all 选项后
+# kube-proxy 会对访问 Service IP 的请求做 SNAT,这个特性与calico 实现 network policy冲突,因此禁用
 WorkingDirectory=/var/lib/kube-proxy
 ExecStart={{ bin_dir }}/kube-proxy \
 --bind-address={{ NODE_IP }} \
 --hostname-override={{ NODE_IP }} \
- --cluster-cidr={{ SERVICE_CIDR }} \
 --kubeconfig=/etc/kubernetes/kube-proxy.kubeconfig \
- --masquerade-all=false \
 --logtostderr=true \
 --v=2
 Restart=on-failure
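Review bot: The two comment lines added under `[Service]` overstate the cause: they say that setting `--cluster-cidr` or `--masquerade-all` makes kube-proxy SNAT requests to Service IPs, but `--cluster-cidr` is meant to be the pod CIDR and only traffic reaching a cluster IP from outside that range is masqueraded, while `--masquerade-all=false` is already the default. The removed line passed `{{ SERVICE_CIDR }}`, so pod source addresses most likely fell outside the range and were SNATed to the node IP, hiding the pod IP that Calico matches NetworkPolicy rules on. I would record that instead, e.g. `# --cluster-cidr must be the pod CIDR, not SERVICE_CIDR; a wrong range makes kube-proxy SNAT pod-to-Service traffic and hides the source IP from Calico NetworkPolicy`. With the flag dropped entirely, off-cluster sources are presumably no longer masqueraded either, so it is worth confirming that host-network and external clients of Service IPs still get return traffic and that policy enforcement is re-tested across nodes. The comment would also read better directly above `ExecStart=` than above `WorkingDirectory=`.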