Error cleaning up old/bad masquerade rules: failed to lookup iptables rule / CNI not working when run-router=false #1434
Comments
Thanks for reporting this. It looks like this bug has been around for a while, as far as I know there aren't many people that run kube-router in a proxy only mode, so it's nice when people let us know when this stuff is broken. It looks like there was a place where we weren't checking for the existence of a variable that is only populated when the router option is selected. #1435 should fix this. Would you be willing to test out that patch and let me know if it resolves the error you were getting? As far as
Just to clarify, because the last part of my comment might have been ambiguous, if you're not running kube-router with
@aauren Our core runs on OSPF which means we don't really need any of the BGP stuff, and are using BIRD instance to basically feed the routes from machine to OSPF so additional BGP on top of that is redundant. But we still want to configure rest of the CNI stuff. Our config is basically k8s nodes connected to VLAN with L3 switch running OSPF. Looking at options now I believe As for the bug I've compiled 8624776 and there are no iptables errors during start
So the way that kube-router works, is that in order for kube-router to function as a pod networking system (i.e. So if you enable It does not have to peer with other routers on your network though if you don't want it to. For this, you just wouldn't configure any external peers. However, if running BGP at all for kubernetes is unacceptable for your use-case then your only option will be to run some other CNI for pod networking purposes. kube-router can still work as a firewall or a service proxy without enabling BGP.
@aauren Thanks for clarification how it works! After testing Initially I assumed
What happened?
Error on cleaning iptables at start, and it appears that cni in /var/lib/cni/networks/ is also not initialized when that happens.
The problem happened on fresh node install
running with
on version 1.5.3 (tested with some earlier ones with same effect) (OS is Debian 11)
and switching --run-router=false to true "fixes" the problem and files in /var/lib/cni/networks/ get created.
We run with --run-router=false because (AFAIK) there is no option to tell kube-router to not inject stuff into system routing table (which we don't want, we already manage that with BIRD)