Pods with sidecar injection stuck in ContainerCreating status

[mishaque]

No description provided.

[rlenglet]

@mishaque Istio CNI logs into journalctl on the node. Can you grep for "nsenter" in journalctl logs?

[rlenglet]

@mishaque more specifically look for a log containing "nsenter failed".

[rlenglet]

@mishaque Also can you give more details about the kernel on your worker nodes? What version? Does it support iptables? nftables?

[rlenglet]

Ok so IPv6 is disabled in your kernel?

[rlenglet]

That is weird because the script attempts to setup ip6tables chains only if the pod has an IPv6 address.
@mishaque could you please run "ip addr" inside a pod (without injection) and post the output?

[rlenglet]

Thanks! So that means that the isIPv6 function in the istio-iptables.sh script is buggy. I'll fix that.

[mishaque]

@rlenglet is there a workaround for time being?

[mishaque]

@rlenglet, thanks for including this in the 1.3 milestone. I will try enabling the IPV6 on the Node as a workaround; I am not sure if this would solve the issue. Please let me know your recommendation/workaround.

[rlenglet]

The ENABLE_INBOUND_IPV6 variable is not set in your logs:

ENABLE_INBOUND_IPV6=\n

So there is no mis-detection of IPv6. That part is correct.
The commands that are failing are those executed in case IPv6 is not detected:
https://github.com/istio/cni/blob/master/tools/packaging/common/istio-iptables.sh#L665-L668

  ip6tables -F INPUT || true
  ip6tables -A INPUT -m state --state ESTABLISHED -j ACCEPT || true
  ip6tables -A INPUT -i lo -d ::1 -j ACCEPT || true
  ip6tables -A INPUT -j REJECT || true

These commands are failing because of the retrying of the commands in this script.
I need to disable retries for those in case IPv6 is disabled.

This bug is specific to Istio CNI's version of the istio-iptables.sh script.
So @mishaque you could try using normal injection instead of Istio CNI. It won't have this problem.