Merge pull request #2687 from noris-network/master

Document how to allow ipip traffic with calico on OpenStack
2018-04-21 10:38:21 +03:00
parent f5db403c45 a49e06b54b
commit d1b4ea5807
1 changed files with 9 additions and 0 deletions
--- a/docs/calico.md
+++ b/docs/calico.md
@ -169,3 +169,12 @@ By default the felix agent(calico-node) will abort if the Kernel RPF setting is
 ```
 calico_node_ignorelooserpf: true
 ```
+
+Note that in OpenStack you must allow `ipip` traffic in your security groups,
+otherwise you will experience timeouts.
+To do this you must add a rule which allows it, for example:
+
+```
+neutron  security-group-rule-create  --protocol 4  --direction egress  k8s-a0tp4t
+neutron  security-group-rule-create  --protocol 4  --direction igress  k8s-a0tp4t
+```