kprop across NAT boundaries (patching privsafe)

Greg Hudson ghudson at
Wed Jan 6 20:56:48 EST 2021

On 1/5/21 11:17 AM, Jorj Bauer wrote:
> Because the privsafe protocol bakes in the source and destination address and port, it’s not possible to run kprop through layers of NAT (without doing something that undoes the damage NAT does). In particular, I’m finding this to be one of the problems with being able to run Kerberos “for real” inside Kubernetes, where we have an F5 fronting multiple k8s clusters, whose ingresses fan out traffic to multiple pods inside each.

1.18 and 1.19 beta have this commit:

Is it not sufficient?

More information about the krbdev mailing list