kube-router doesn't support named port configurations #338

Closed
eranreshef opened this issue Mar 13, 2018 · 3 comments · Fixed by #679

@eranreshef

When I try to apply a NetworkPolicy object that makes use of named ports defined in a deployment/daemonset/statefulset spec, I get the following errors, which are followed by crashes of the kube-router pods:

```
kube-router-d6lrq kube-router E0313 12:57:49.202191       1 network_policy_controller.go:146] Error syncing on pod update: Aborting sync. Failed to sync network policy chains: Failed to run iptables command: running [/sbin/iptables -t filter -C KUBE-NWPLCY-TQVID2JAR264CEKX -m comment --comment rule to ACCEPT traffic from source pods to dest pods selected by policy name monitoring-grafana namespace kube-system -m set --set KUBE-SRC-CEDAYVZJP7X7CLEI src -m set --set KUBE-DST-TQVID2JAR264CEKX dst -p TCP --dport api -j ACCEPT --wait]: exit status 2: --set option deprecated, please use --match-set
kube-router-d6lrq kube-router --set option deprecated, please use --match-set
kube-router-d6lrq kube-router iptables v1.6.1: invalid port/service `api' specified
kube-router-d6lrq kube-router Try `iptables -h' or 'iptables --help' for more information.
```

(In addition, it seems that deprecated iptables options are being used.)

When modifying the NetworkPolicy to work with numbered ports, everything is ok.

@murali-reddy
Member

@eranreshef thanks for reporting. Support for named ports is not added yet. We will work on a fix in one of the upcoming releases.

@zegl

zegl commented Jan 26, 2019

This bug hit me hard a while ago. It seems like kube-router is not able to recover from a NetworkPolicy with a named port, even if that named port is removed. Restarting kube-router does not fix the issue; the only workaround that I found was to reboot all nodes in the Kubernetes cluster.

Until kube-router has support for named ports, would it be possible to at least filter those rules out?

@murali-reddy
Member

Oops, that sounds bad. It should have been handled more gracefully by kube-router. Will fix it (not the support for named ports but graceful handling) for the next release.
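The graceful handling discussed in this thread, sketched as an added example (not kube-router's code and not the change from #679): a named policy port is resolved against the ports one selected pod declares, and a port that cannot be resolved is skipped and reported instead of being passed to `iptables --dport`. The types, function names and the container port number 3000 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
)

// Simplified stand-ins (assumptions) for the pod-spec and NetworkPolicy port fields.
type ContainerPort struct {
	Name, Protocol string
	Port           int
}
type PolicyPort struct{ Port, Protocol string } // Port is numeric ("8080") or named ("api")

// ResolveDport returns a numeric string that is safe for iptables --dport,
// or an error when the policy port is a name the pod does not declare.
func ResolveDport(p PolicyPort, podPorts []ContainerPort) (string, error) {
	if n, err := strconv.Atoi(p.Port); err == nil {
		if n < 1 || n > 65535 {
			return "", fmt.Errorf("port %d out of range", n)
		}
		return strconv.Itoa(n), nil
	}
	for _, cp := range podPorts {
		if cp.Name == p.Port && cp.Protocol == p.Protocol {
			return strconv.Itoa(cp.Port), nil
		}
	}
	return "", fmt.Errorf("named port %q/%s not declared by pod", p.Port, p.Protocol)
}

// BuildRuleArgs emits one iptables argument list per resolvable port and
// collects the unresolvable ones, so a single bad port does not abort the sync.
func BuildRuleArgs(chain string, ports []PolicyPort, podPorts []ContainerPort) (rules [][]string, skipped []error) {
	for _, p := range ports {
		dport, err := ResolveDport(p, podPorts)
		if err != nil {
			skipped = append(skipped, err)
			continue
		}
		rules = append(rules, []string{"-A", chain, "-p", p.Protocol, "--dport", dport, "-j", "ACCEPT"})
	}
	return rules, skipped
}

func main() {
	pod := []ContainerPort{{Name: "api", Protocol: "TCP", Port: 3000}} // constructed sample
	policy := []PolicyPort{{"api", "TCP"}, {"metrics", "TCP"}}
	rules, skipped := BuildRuleArgs("KUBE-NWPLCY-TQVID2JAR264CEKX", policy, pod)
	fmt.Println(rules, skipped)
}
```

A named port can map to different numbers on different pods, so a full implementation has to resolve it per destination pod; this example covers a single pod only.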
