kube-router duplicates rules in the KUBE-ROUTER-INPUT chain #1676
Thanks for reporting this @TPXP! I haven't seen this in any of my clusters, but I'll be taking a look as soon as I have a free moment to see if I can figure out what might be causing this. In the meantime, if you get any more information that might be helpful, please add more comments.
@TPXP - So after being a bit more observant, I can now say that I definitely see this happening in my own clusters as well. Thanks for reporting it! This is a very serious problem, so I'm glad you took the time. From what I can tell, when I try to execute this even from within the kube-router pod, it looks like it is failing:

This seems like something broken upstream in the netfilter code. When I revert to a base image of Alpine 3.18, which carries with it iptables

I want to get to the bottom of this, but in the meantime I think we should revert the Alpine version bump and see if we can get a stable version of kube-router out there.

This will be fixed in v2.1.3, which should be pushed later today.
What happened?
Hello, we're happily using kube-router to handle network policies on our Kubernetes cluster (--run-router=false --run-firewall=true --run-service-proxy=false). We recently upgraded to v2.0.1 and then v2.1.2, and it seems that kube-router is slow to sync firewall rules on some of our nodes. We believe this could cause packet drops that impact the performance of our applications.

Our investigation led us to look at iptables on our servers. The rules look mostly OK, except for the KUBE-ROUTER-INPUT chain in the ip filter table: on some of our machines, it appears that some rules are repeated:
Our servers run Ubuntu 22.04 LTS, so iptables uses nftables under the hood. Asking nftables what it has gives curious results:

Also, it seems that the rules are frequently replaced/re-created, since the packet counter (at the end of every rule line) is frequently reset to 0. While I'm not sure about it, I think this rule churn could cause the packet losses we're investigating.
Another consequence is that kube-router takes much longer to sync iptables rules. On impacted nodes, a sync can take over 10 seconds, which (we think) may prevent newly assigned pods from reaching the internet in their startup scripts.
What did you expect to happen?
kube-router should recognize the existing "allow LOCAL TCP traffic to node ports" and "allow LOCAL UDP traffic to node ports" rules and not re-create them every time it syncs. 🙏
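One common way to get this kind of idempotence with the iptables CLI is the check flag (-C), which exits non-zero when a rule is absent, so the append (-A) only runs when needed. This is a sketch of the pattern, not necessarily how kube-router manages its rules internally; the iptables shell function below is a stub that only simulates the real binary so the example is self-contained:

```shell
# Stub standing in for the iptables binary (illustration only; on a real
# node, delete this function so the actual binary is used).
applied=""
iptables() {
  case "$1" in
    -C) case "$applied" in *"$3"*) return 0 ;; *) return 1 ;; esac ;;
    -A) applied="$applied$3;" ;;
  esac
}

ensure_rule() {
  # Append the rule only if the check reports it missing.
  iptables -C KUBE-ROUTER-INPUT "$1" 2>/dev/null || iptables -A KUBE-ROUTER-INPUT "$1"
}

ensure_rule 'allow LOCAL TCP traffic to node ports'
ensure_rule 'allow LOCAL TCP traffic to node ports'  # no-op the second time
echo "$applied"
```

The second ensure_rule call finds the rule already present and appends nothing, which is exactly the behavior missing from the affected nodes.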
How can we reproduce the behavior you experienced?
I'm not 100% sure what's causing this, since some of our nodes don't have the issue. Here's my guess:
Screenshots / Architecture Diagrams / Network Topologies
We have a bunch of bare metal servers with a public IP and use kilo to encrypt traffic between them.
System Information (please complete the following information):
Logs, other output, metrics
Here are the iptables sync-time metrics we have. The repeated rules are present on all pods that take longer to sync.
Additional context
We've been using kube-router for a few years and it has served us well, thanks for maintaining it! <3