Stopping or removing microk8s does not clear iptables #688

Closed
jareks opened this issue Sep 27, 2019 · 4 comments

jareks commented Sep 27, 2019

Installing and starting microk8s adds rules to the host's iptables, but stopping / removing the snap does not remove them (without a reboot).


Version: microk8s v1.16.0 2019-09-25 (920).
Tested on ubuntu/xenial64 with Vagrant.

# no kube rules in iptables at start
$ sudo iptables -L -v | grep -i kube | wc -l
0

# install microk8s and notice 15 new iptables rules
$ sudo snap install microk8s --classic
$ sleep 15 # wait for microk8s to start
$ sudo iptables -L -v | grep -i kube | wc -l
15

# stop microk8s and notice that rules are still up
$ sudo iptables -L -v | grep -i kube | wc -l
15

# remove snap and notice that rules are still up
$ sudo snap remove --purge microk8s
$ sudo iptables -L -v | grep -i kube | wc -l
15

If you reboot the machine the rules are finally removed.

(Possibly the problem is not with the iptables rules themselves, but with k8s network interface(s) not being removed)

rzr (Contributor) commented Oct 1, 2019

Should a wrapper script handle this?


hernil commented Oct 19, 2019

I'm dropping this here since I did not find anyone mentioning this on the internet so far.

-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP

This iptables rule created by microk8s might interfere with WireGuard using wg-quick. I'm guessing it's because wg-quick adds a fwmark to the packets and this rule catches that but this is where my networking fu stops 😄

The rule can be reverted by running

sudo iptables -D KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP

However, microk8s does a great job reinserting the rule as long as it is running; you therefore need to stop the service for this to help.

Hopefully this will save someone some head scratching later on!

IMO all iptables rules created by the microk8s service should be reverted upon stopping it.
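
Added example, not part of the comment above and not microk8s code: a shell audit that counts leftover KUBE-* chains and rules in an `iptables-save` dump and reports which KUBE-* DROP rules would match a given fwmark, using the mark/mask comparison iptables applies. The dump is a constructed sample built around the rule quoted above, and 51820 is an assumed fwmark for the WireGuard interface; substitute the value reported by `wg show <interface> fwmark`.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output left behind after removal
# (illustrative, not captured from a real host).
sample_dump() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
-A INPUT -j KUBE-FIREWALL
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
EOF
}

# Count leftover KUBE-* chain declarations in a dump read from stdin.
count_kube_chains() { awk '/^:KUBE-/ {n++} END {print n+0}'; }

# Count rules that live in a KUBE-* chain or jump to one.
count_kube_rules() { awk '/^-A KUBE-/ || / -j KUBE-/ {n++} END {print n+0}'; }

# Succeed if fwmark $1 satisfies "-m mark --mark $2" (value[/mask]):
# iptables ANDs the packet mark with the mask, then compares to value.
mark_matches() {
    case $2 in
        */*) value=${2%%/*}; mask=${2#*/} ;;
        *)   value=$2; mask=0xffffffff ;;
    esac
    [ $(( $1 & $mask )) -eq $(( $value )) ]
}

# Print each KUBE-* DROP rule in the dump (stdin) that would drop fwmark $1.
rules_dropping_mark() {
    grep -E '^-A KUBE-.* --mark [^ ]+ .*-j DROP' | while IFS= read -r rule; do
        spec=$(printf '%s\n' "$rule" | sed -E 's/.* --mark ([^ ]+).*/\1/')
        if mark_matches "$1" "$spec"; then printf '%s\n' "$rule"; fi
    done
}

# 51820 (0xca6c) is the assumed fwmark under test; bit 0x8000 is set in it.
echo "KUBE chains: $(sample_dump | count_kube_chains), rules: $(sample_dump | count_kube_rules)"
sample_dump | rules_dropping_mark 51820
```

On a live host, pipe `sudo iptables-save` into the functions in place of `sample_dump`.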


bingh0 commented Jun 20, 2020

I recently came across this issue and spent a week tearing my hair apart before finding this issue. I can confirm this issue with Ubuntu 20.04 and Fedora 32. Has anybody figured out a workaround for this? I'm surprised so few people have reported this - I would imagine there are people running microk8s and wireguard.


stale bot commented May 17, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale bot added the inactive label May 17, 2021
stale bot closed this as completed Jun 16, 2021