only enable IPv6 sysctls on lb if service is IPv6

Change-Id: I7433a29b5613b9adeb2dce32c31829eb04c65a1c
aojea · Aug 6, 2024 · e2f51e4 · e2f51e4
1 parent 7cf70cb
commit e2f51e4
Showing 1 changed file with 22 additions and 5 deletions.
diff --git a/pkg/loadbalancer/server.go b/pkg/loadbalancer/server.go
@@ -216,11 +216,16 @@ func (s *Server) createLoadBalancer(clusterName string, service *v1.Service, ima
 		// including some ones docker would otherwise do by default.
 		// for now this is what we want. in the future we may revisit this.
 		"--privileged",
-		"--restart=on-failure",                      // to deal with the crash casued by https://github.com/envoyproxy/envoy/issues/34195
-		"--sysctl=net.ipv4.ip_forward=1",            // allow ip forwarding
-		"--sysctl=net.ipv6.conf.all.disable_ipv6=0", // enable IPv6
-		"--sysctl=net.ipv6.conf.all.forwarding=1",   // allow ipv6 forwarding
-		"--sysctl=net.ipv4.conf.all.rp_filter=0",    // disable rp filter
+		"--restart=on-failure",                   // to deal with the crash casued by https://github.com/envoyproxy/envoy/issues/34195
+		"--sysctl=net.ipv4.ip_forward=1",         // allow ip forwarding
+		"--sysctl=net.ipv4.conf.all.rp_filter=0", // disable rp filter
+	}
+
+	if isIPv6Service(service) {
+		args = append(args, []string{
+			"--sysctl=net.ipv6.conf.all.disable_ipv6=0", // enable IPv6
+			"--sysctl=net.ipv6.conf.all.forwarding=1",   // allow ipv6 forwarding})
+		}...)
 	}
 
 	if s.tunnelManager != nil {
@@ -256,3 +261,15 @@ func (s *Server) createLoadBalancer(clusterName string, service *v1.Service, ima
 
 	return nil
 }
+
+func isIPv6Service(service *v1.Service) bool {
+	if service == nil {
+		return false
+	}
+	for _, family := range service.Spec.IPFamilies {
+		if family == v1.IPv6Protocol {
+			return true
+		}
+	}
+	return false
+}