Traffic from outside VPC does not reach pod #1392
Comments
Hi @Nuru, we will look into the support ticket and get in touch with you for further debugging. Thanks!
This sounds identical to the issue I just spent a chunk of time on with support yesterday. Our case number is 8015490531 if you want more information. I think the only difference in our case is that we're using TCP.
Thanks @ImperialXT. Yes, it might be a similar issue, since the pods behind secondary ENIs are impacted. @Nuru, can you please share the logs? You can email them to me at varavaj@amazon.com.
Hi, sorry for the delayed response. Since this is ingress traffic and you mentioned the impacted pod is behind a secondary ENI, did you capture a tcpdump to verify that the traffic is entering the instance on the secondary ENI? Thank you!
> @jayanthvn wrote: did you capture a tcpdump to verify that the traffic is entering the instance on the secondary ENI?

Yes.
I have a BPF script which captures pipeline lookup events. We will reach out to you with your case number (7990499551). /cc @abhipth Thanks
After much more investigation, I believe this is a mirror of #75, which was fixed by #130. In that issue, traffic arriving on a secondary ENI ran into the same kind of routing problem, and @liwenwu-amazon predicted this scenario would happen: #130 (review)
My scenario is exactly the one @liwenwu-amazon warned about. We have the NLB in IP mode sending traffic directly to the Pod IP. Here are the important diagnostics:
The destination Pod's IP is assigned to one of the instance's secondary ENIs (the exact addresses and route tables are in the attached logs).

Disabling reverse path filtering on the secondary interface lets the traffic through. If I turn reverse path filtering back on and add a reverse route for the external client, so that replies go back out the ENI the traffic arrived on, traffic also flows as expected. Of course, this is not the correct fix; you will have to figure out what is. My guess is that the restriction on destination in the 1536 rule is unnecessary. If I delete my added routes (so we are back to the original configuration) and then add an equivalent rule without the destination restriction,
then again traffic flows as expected.

**Update**: It appears that I am in luck in my specific case, because my EKS cluster is in a private subnet with a NAT Gateway attached. This means I can set `AWS_VPC_K8S_CNI_EXTERNALSNAT=true` as a workaround. The bad news is that this remains a problem for people who put their EKS clusters in public subnets. They do not have the option of setting `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`.
As we have seen, the routing only works if the "user" is in the same VPC, where SNAT is automatically disabled. It does not work when the user is in a different VPC or on the internet, due to reverse path filtering. At least now I understand that this was not a careless oversight, but a series of difficult decisions that need further refinement. This is also more than a bit outside my wheelhouse. Nevertheless, I will offer an opinion: the correct thing to do is to make the return path follow the interface the traffic arrived on.
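For readers who want to experiment, a minimal sketch of the kind of node-level workaround described above might look like the following shell commands. The interface name, pod IP, and route table number are placeholders and would have to match what the CNI actually configured on the node; this is not an endorsed fix.

```sh
# Loosen reverse path filtering on the secondary interface (eth1 is an assumed name)
sudo sysctl -w net.ipv4.conf.eth1.rp_filter=2

# Add a rule for the pod's source IP (10.0.1.42 and table 2 are placeholders) with no
# destination restriction, so replies to clients outside the VPC leave via the same ENI
# the request arrived on instead of taking the primary ENI / NAT path.
sudo ip rule add from 10.0.1.42/32 priority 1536 table 2
```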
Hi @Nuru, nice debugging. During the debug session we did set
@jayanthvn TCP worked because, by default, NLB TCP target groups disable source IP preservation, which means the observed source address was the private IP of the NLB, which is within the VPC, even if the sender was outside the VPC. UDP forces source IP preservation. That raises the question: with source IP preservation, how does return traffic know to exit via the NLB (so that the client sees a response from the same address it sent the request to) rather than through the NAT gateway?
@Nuru, thank you for sharing the details of your troubleshooting and the analysis. You are right, the traffic flow is not successful due to the routing configuration. NLBs with IP targets and client IP preservation enabled, sending to a pod attached to a secondary ENI, exhibit this behavior. There are two issues:
When external SNAT is enabled, ingress traffic on secondary interfaces has the same return path, since the routing rules don't have the VPC CIDR restriction. However, external SNAT can only be used for private EC2 instances. For TCP connections through NLB-IP, the client IP doesn't get preserved unless enabled via target group attributes; since the source IP is then within the VPC range, the return path is the same as the ingress interface, so the issue is not seen. The fix involves configuring less restrictive rp_filter settings on the secondary interfaces, plus connmark and ip rules to make the return path the same as the ingress interface. I'm reviewing the corner cases and any other features that could be affected by the proposed changes.
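To make the proposed mechanism concrete, a rough sketch of the connmark approach could look like the commands below. The interface name, mark value, and route table number are assumptions for illustration, not the values the CNI ultimately uses.

```sh
# Mark new connections arriving on the secondary ENI (eth1 is an assumed name)
sudo iptables -t mangle -A PREROUTING -i eth1 -m conntrack --ctstate NEW \
  -j CONNMARK --set-xmark 0x80/0x80

# Copy the connection mark onto packets of marked connections so routing can see it
sudo iptables -t mangle -A PREROUTING -m connmark --mark 0x80/0x80 \
  -j CONNMARK --restore-mark --mask 0x80

# Route marked reply traffic via the secondary ENI's route table (table 2 is a placeholder)
sudo ip rule add fwmark 0x80/0x80 priority 1024 table 2

# Use loose reverse path filtering on the secondary interface
sudo sysctl -w net.ipv4.conf.eth1.rp_filter=2
```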
Did you also try running your application pods on Fargate? I don't foresee any issues. If you were able to verify, feel free to share your results. |
@kishorj I did not try running pods on Fargate and do not have time or resources to try it. You understand the problem well enough now that you should be able to deploy a test case yourself. |
📝 In case it saves anyone some debugging time, this also affects NLBs when using IP mode and client IP preservation with EKS 1.20 clusters that don't contain the fixed CNI version. |
What happened:
For some reason, UDP traffic from outside the VPC is not reaching the pod. Traffic flow logs show UDP traffic flowing through the load balancer and being sent to the correct internal address. UDP traffic has been confirmed (via `tcpdump`) to reach the primary IP of the ENI that hosts the pod's IP, but does not reach the pod. UDP traffic from inside the VPC does reach the pod as expected. TCP traffic from both inside and outside the VPC reaches the pod as expected.

AWS Support has confirmed that security groups are properly configured to allow access.
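(For anyone reproducing this, a capture along the following lines, with the interface name and UDP port as placeholders, is one way to see whether the traffic reaches the node's secondary ENI and where it stops.)

```sh
# Capture on the secondary ENI that hosts the pod's IP (eth1 and port 5000 are placeholders)
sudo tcpdump -ni eth1 udp port 5000

# Capture on the host side of the pod's veth (the veth name is a placeholder) to see
# whether the packets ever make it past the node's routing and filtering
sudo tcpdump -ni eni0a1b2c3d4e5 udp port 5000
```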
Attach logs
Logs are attached to AWS Support case 7990499551, which I opened 16 days ago and which remains unresolved. I feel like the ticket is not getting directed to the right team, which is why I am opening this issue. I think this is a CNI bug.
What you expected to happen:
With a pod listening on a UDP port and a security group allowing access from `0.0.0.0/0`, I expect traffic targeted to that UDP port to be delivered, regardless of its source address.

How to reproduce it (as minimally and precisely as possible):
At this point, the configuration is complete and you should be able to communicate from the public internet to the Pod using the NLB's DNS name. However, the connection does not work. On the other hand, you can verify that the Pod is serving traffic properly by connecting to it from any host in the private subnet on the same IP as is specified in the target group.
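(As an illustration of these two checks, with the NLB DNS name, pod IP, and UDP port as placeholders:)

```sh
# From a host outside the VPC, send a UDP datagram through the NLB
echo "hello" | nc -u -w1 my-nlb-0123456789abcdef.elb.us-east-1.amazonaws.com 5000

# From a host inside the same VPC / private subnet, send directly to the pod IP
# that is registered in the target group
echo "hello" | nc -u -w1 10.0.1.42 5000
```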
~~Original version~~
I don't know. The entire configuration, from creating the VPC through creating the EKS cluster to deploying the Pod, Kubernetes Service, and load balancer, was provisioned with Terraform and Helm. Almost exactly the same configuration was applied in another account and works as expected. (The differences between the two configurations are things like ID names, DNS names, ARNs, etc. that have to differ between installations; in all aspects that should be relevant, the configurations are identical.)
As deployed, the only noticeable difference is that the working instance has the Pod deployed on the EC2 instance's primary ENI and the non-working instance has the pod deployed on a secondary ENI.
Anything else we need to know?:
The default configuration leaves `aws-node` with `AWS_VPC_K8S_CNI_EXTERNALSNAT: false`; you can check this with `kubectl`. Unfortunately, this is incompatible with allowing Pods to be reached on their private IPs when the source IP is outside the VPC. This issue can be fixed by setting `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`, but there is no AWS API for doing that, so it is not practical to set in a large organization. It would help to have supported tooling (the `aws` CLI, Terraform, etc.) for setting `AWS_VPC_K8S_CNI_EXTERNALSNAT=true`.
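(For reference, the setting can be inspected and, on nodes in private subnets, changed with `kubectl`; this is a sketch, so check the CNI documentation for your version.)

```sh
# Check the current value on the aws-node DaemonSet
kubectl -n kube-system describe daemonset aws-node | grep AWS_VPC_K8S_CNI_EXTERNALSNAT

# Enable external SNAT (only appropriate when nodes sit in private subnets behind a NAT gateway)
kubectl -n kube-system set env daemonset aws-node AWS_VPC_K8S_CNI_EXTERNALSNAT=true
```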
Environment:
- Kubernetes version (use `kubectl version`): v1.18.9-eks-d1db3c
- OS (e.g. `cat /etc/os-release`): Amazon Linux 2
- Kernel (e.g. `uname -a`): 4.14.209-160.339.amzn2.x86_64 #1 SMP Wed Dec 16 22:44:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux