I have "lxdbr0" as an LXD network bridge for my Juju test bed. After installing microk8s, mysql / percona-cluster charm deployments failed because those charms rely on peers' source IP addresses.
br_netfilter and the kubenet SNAT iptables rule will be applied unconditionally after installing microk8s, so LXD private network communication is also affected by the MASQUERADE rule. For example, a packet 10.0.8.102 -> 10.0.8.2 will be modified to 10.0.8.1 -> 10.0.8.22 on lxdbr0, which will be blocked by MySQL source IP address ACLs.
$ ip a s dev lxdbr0
8: lxdbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether fe:22:7a:6f:a3:09 brd ff:ff:ff:ff:ff:ff
inet 10.0.8.1/24 scope global lxdbr0
valid_lft forever preferred_lft forever
inet6 fe80::30b2:deff:fe7a:383f/64 scope link
valid_lft forever preferred_lft forever
[existing iptables rules]
$ sudo iptables -t nat -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 164 packets, 12290 bytes)
pkts bytes target prot opt in out source destination
30 1836 MASQUERADE all -- any any 10.0.8.0/24 !10.0.8.0/24 /* generated for LXD network lxdbr0 */
4 309 MASQUERADE all -- any any 10.112.155.0/24 !10.112.155.0/24
0 0 MASQUERADE udp -- any any 10.112.155.0/24 !10.112.155.0/24 masq ports: 1024-65535
0 0 MASQUERADE tcp -- any any 10.112.155.0/24 !10.112.155.0/24 masq ports: 1024-65535
0 0 RETURN all -- any any 10.112.155.0/24 255.255.255.255
0 0 RETURN all -- any any 10.112.155.0/24 base-address.mcast.net/24
5 332 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
$ sudo iptables -t nat -L POSTROUTING -v
Chain POSTROUTING (policy ACCEPT 49 packets, 2947 bytes)
pkts bytes target prot opt in out source destination
341 20493 KUBE-POSTROUTING all -- any any anywhere anywhere /* kubernetes postrouting rules */
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
30 1836 MASQUERADE all -- any any 10.0.8.0/24 !10.0.8.0/24 /* generated for LXD network lxdbr0 */
4 309 MASQUERADE all -- any any 10.112.155.0/24 !10.112.155.0/24
0 0 MASQUERADE udp -- any any 10.112.155.0/24 !10.112.155.0/24 masq ports: 1024-65535
0 0 MASQUERADE tcp -- any any 10.112.155.0/24 !10.112.155.0/24 masq ports: 1024-65535
0 0 RETURN all -- any any 10.112.155.0/24 255.255.255.255
0 0 RETURN all -- any any 10.112.155.0/24 base-address.mcast.net/24
6 405 RETURN all -- any any 192.168.122.0/24 base-address.mcast.net/24
0 0 RETURN all -- any any 192.168.122.0/24 255.255.255.255
0 0 MASQUERADE tcp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- any any 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- any any 192.168.122.0/24 !192.168.122.0/24
3 222 MASQUERADE all -- any any anywhere !10.152.183.0/24 /* kubenet: SNAT for outbound traffic from cluster */ ADDRTYPE match dst-type !LOCAL
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Although the iptables rule is enabled by kubelet and kubenet, if microk8s could apply some conditions to the rule, that would be nice.
https://github.com/kubernetes/kubernetes/blob/692f9bb7b1fa6ca72ddd5a305607d79f9684e907/pkg/kubelet/dockershim/network/kubenet/kubenet_linux.go#L169-L181
[existing lxdbr0 bridge]
[existing iptables rules]
[traffic 10.0.8.102 -> 10.0.8.2]
-> source IP = 10.0.8.102
[install microk8s]
[new iptables rules]
[traffic 10.0.8.102 -> 10.0.8.2]
-> source IP = 10.0.8.1
FWIW,
OR
will temporarily disable the unwanted behavior, but it will break Kubernetes...
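One way to add the missing condition without touching kubenet's own rule, as an added example that is not from the issue or from microk8s: exempt traffic that stays inside the LXD subnet by inserting a RETURN rule at the top of nat/POSTROUTING, so the kubenet MASQUERADE rule listed above never sees it. The script assumes the 10.0.8.0/24 subnet from the issue, runs as a dry run against a constructed listing by default, and only modifies the live chain when invoked as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example, not from the issue or microk8s. RETURN in a built-in chain ends
# traversal with the chain policy (ACCEPT here), so every later rule, including
# the jump to KUBE-POSTROUTING and kubenet's catch-all SNAT, is skipped.
set -eu

LXD_SUBNET="${LXD_SUBNET:-10.0.8.0/24}"      # lxdbr0 subnet from the issue
EXCEPTION_COMMENT="lxd: keep intra-bridge traffic un-NATed"

# The exception in "iptables -S" syntax (what the kernel would list back).
exception_rule() {
    printf '%s -s %s -d %s -m comment --comment "%s" -j RETURN\n' \
        '-A POSTROUTING' "$LXD_SUBNET" "$LXD_SUBNET" "$EXCEPTION_COMMENT"
}

# Inspect the text of "iptables -t nat -S POSTROUTING" and print one word:
#   yes      exception precedes the kubenet SNAT rule (peers keep real source IPs)
#   no       kubenet SNAT rule present with no exception ahead of it (the bug)
#   no-snat  kubenet rule absent, nothing to do
exception_before_snat() {
    printf '%s\n' "$1" | awk -v net="$LXD_SUBNET" '
        index($0, "-s " net " -d " net) && /-j RETURN/ { ok = 1 }
        /kubenet: SNAT for outbound traffic from cluster/ {
            print (ok ? "yes" : "no"); found = 1; exit
        }
        END { if (!found) print "no-snat" }'
}

apply_fix() {
    # Position 1: evaluated before KUBE-POSTROUTING and the kubenet rule.
    # Not persisted across reboot; re-run after a microk8s reinstall.
    iptables -t nat -I POSTROUTING 1 -s "$LXD_SUBNET" -d "$LXD_SUBNET" \
        -m comment --comment "$EXCEPTION_COMMENT" -j RETURN
}

# Constructed sample of the chain after the microk8s install, transcribed from
# the "iptables -L" listing in the issue into -S form (only the relevant rules).
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.0.8.0/24 ! -d 10.0.8.0/24 -m comment --comment "generated for LXD network lxdbr0" -j MASQUERADE
-A POSTROUTING ! -d 10.152.183.0/24 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE'

if [ "${APPLY:-0}" = 1 ]; then                 # live mode, needs root
    if [ "$(exception_before_snat "$(iptables -t nat -S POSTROUTING)")" = no ]; then
        apply_fix
    fi
else
    echo "sample listing: $(exception_before_snat "$SAMPLE_RULES")"
    echo "would insert:   $(exception_rule)"
fi
```

After applying, `iptables -t nat -S POSTROUTING | head -n 2` should show the RETURN rule directly under the policy line, ahead of the KUBE-POSTROUTING jump.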