Networking/NAT not working on older iptables versions with v1.25.7+k3s1 #7096
Comments
Any ideas @rbrtbnfgl? Have you rebooted the node since upgrading? I wonder if this is a case of rule order changing between releases.
Could you check the nat iptables rules?
No, the node has not been rebooted. I've done a /usr/local/bin/k3s-uninstall.sh and checked that the nat table was empty before installing.
I've brought in k3s-v1.25.6+k3s1 again now on the node
Then ran
Then installed the new version:
With those rules is the NAT working?
The second set of rules is from k3s-v1.25.7+k3s1 and NAT/networking is not working. I can switch back and forth between those two versions, uninstalling k3s in between, with consistent results: k3s-v1.25.6+k3s1 works, k3s-v1.25.7+k3s1 does not work
On the second set of rules flannel rules are missing. Could you check K3s logs if there are any errors?
Yes, you're right - iptables fails to apply flanneld rules. Below are the last few lines of
CentOS 7.9.2009 comes with iptables v1.4.21; there's no newer version available for CentOS/RHEL 7 afaik.
If the log is verbatim, this command is failing:
The comment should be quoted like
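The failure mode the two comments above describe (an iptables rule whose comment contains a space, handed over as one text line without quotes, so the second word is read as a stray argument) can be reproduced without a host. The following is an added example, not code from the thread, from k3s or from flannel: it tokenises a rule line with shell-style quoting and walks it with a deliberately small option table, then shows the double-quoted form that keeps the comment as one token. The rule shape, the comment text "flanneld masq" and the 10.42.0.0/16 cluster CIDR are assumptions for illustration; the exact rule flannel emitted is not shown on this page.

```python
import shlex

# Simplified model of how a rule given as one text line is parsed. The option
# tables are deliberately partial; this is an illustration, not iptables itself.
VALUE_OPTS = {"-A", "-I", "-D", "-t", "-s", "-d", "-i", "-o", "-p", "-m", "-j",
              "--comment", "--to-source", "--dport", "--sport", "--match-set"}
FLAG_OPTS = {"!", "--random", "--random-fully"}

# Assumed rule shape (not taken from the thread): a flannel-style masquerade rule
# whose comment contains a space. 10.42.0.0/16 is assumed as the cluster CIDR.
RULE_ARGV = ["-A", "POSTROUTING", "-s", "10.42.0.0/16", "!", "-d", "10.42.0.0/16",
             "-m", "comment", "--comment", "flanneld masq", "-j", "MASQUERADE"]


def validate_rule_line(line):
    """Tokenise one rule line (shell-style quoting) and walk it the way a simple
    option parser would. Returns (ok, message)."""
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in FLAG_OPTS:
            i += 1
        elif tok in VALUE_OPTS:
            if i + 1 >= len(toks):
                return False, "option %s has no value" % tok
            i += 2
        elif tok.startswith("-"):
            return False, "unknown option %r" % tok
        else:
            # This is what an unquoted "--comment flanneld masq" produces:
            # "flanneld" is consumed as the value and "masq" is left over.
            return False, "stray argument %r (unquoted multi-word value?)" % tok
    return True, "ok"


def quote_arg(arg):
    """Double-quote an argument only when it needs it (whitespace, quotes, backslash)."""
    if arg and not any(c.isspace() or c in '"\\' for c in arg):
        return arg
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def render_rule_line(argv):
    """Serialise an argv list into one rule line with multi-word values quoted."""
    return " ".join(quote_arg(a) for a in argv)


# Broken form: the comment's two words become two separate tokens.
UNQUOTED_LINE = " ".join(RULE_ARGV)
# Quoted form, as the thread asks for: the comment survives as a single token.
QUOTED_LINE = render_rule_line(RULE_ARGV)

if __name__ == "__main__":
    for line in (UNQUOTED_LINE, QUOTED_LINE):
        print(validate_rule_line(line), "<-", line)
```

When a rule is passed to iptables as an argv list (one element per argument) no quoting is needed, because "flanneld masq" is already a single element; the quoting only matters once rules are flattened to text and re-tokenised, which is where the older iptables on CentOS 7 tripped here.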
Ok. It's probably related to the different iptables version on CentOS. I'll check how the cmd is parsed on flannel.
Can you try starting k3s with
Thank you, that works!
And --prefer-bundled-bin makes networking work as far as I can tell
OK. That suggests that some recent changes to Flannel have broken compatibility with older versions of iptables. Can you confirm what version of iptables your host has?
This is on the host:
Wow, that is an older version than I think I have seen in a while; that is like 9 years old. For some reason I thought there was a newer version available for EL7 but perhaps not without adding additional repos.
I too ran into this, but on It has I found that setting |
Reproduced using VERSION=v1.26.2+k3s1

Reproduction on Centos 7.9 (bare single node install, no configs)
$ sudo INSTALL_K3S_VERSION=v1.26.2+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh
$ k3s -v
$ iptables --version
$ sudo iptables -t nat -vnL | grep -i flannel

Validation on Centos 7.9 (upgrade single node in place to detect missing routing rules)
$ sudo INSTALL_K3S_VERSION=v1.26.3-rc2+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh
$ k3s -v
centos@node:~$ iptables --version
$ sudo iptables -t nat -vnL | grep -i flannel

Reproduction on Ubuntu 18.04 (bare single node install, no configs)
$ sudo INSTALL_K3S_VERSION=v1.26.2+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh
$ k3s -v
$ iptables --version
$ sudo iptables -t nat -vnL | grep -i flannel

Validation on Ubuntu 18.04 (upgrade existing node to the latest rc-2)
$ sudo INSTALL_K3S_VERSION=v1.26.3-rc2+k3s1 INSTALL_K3S_EXEC=server ./install-k3s.sh
$ k3s -v
ubuntu@node-two:~$ iptables --version
ubuntu@ip-172-31-17-58:~$ sudo iptables -t nat -vnL | grep -i flannel
Environmental Info:
K3s Version:
k3s version v1.25.7+k3s1 (f7c20e2)
go version go1.19.6
**Node(s) CPU architecture, OS, and Version:**
Linux dev01-spa 3.10.0-1160.83.1.el7.x86_64 #1 SMP Wed Jan 25 16:41:43 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Running CentOS Linux release 7.9.2009
Cluster Configuration:
Single node.
Describe the bug:
Pods cannot access external networks. This works fine if going back to v1.25.6+k3s1
It turns out outgoing traffic from the host is not NATed anymore.
e.g. running tcpdump on the ens32 interface, which is the NIC owning the host IP 192.168.170.101 and is attached to the local subnet.
The line above with `10.42.0.18 > 8.8.8.8:` is the result of a pod manually doing a ping 8.8.8.8
The pod network seems not to be NAT'ed out; the 10.42.0.18 address should not appear on our internal network.
Steps To Reproduce:
Installed k3s with
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--disable traefik" sh -
on CentOS Linux release 7.9.2009
Ran
And manually ran
ping 8.8.8.8
from this pod, which never gets any replies (see the above tcpdump output)
Expected behavior:
With v1.25.6+k3s1 everything works ok on this node.
Installed with
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.25.6+k3s1 INSTALL_K3S_EXEC="--disable traefik" sh -
Ran
And manually running
ping 8.8.8.8
from the busybox pod succeeds. Now the external traffic gets NAT'ed, as seen with
192.168.170.101 > 8.8.8.8:
above; the 10.42.0.0/24 network is not leaking out of the host.
Additional context / logs:
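The symptom this report describes (pod-CIDR source addresses showing up unmasqueraded on the host's external NIC) can be checked mechanically from the same tcpdump output the reporter used. The following is an added example, not part of the issue and not k3s or flannel code: it parses `tcpdump -n` lines, and reports any packet whose source is inside the pod CIDR but whose destination is outside it. The capture lines are constructed to match the shape of the report (192.168.170.101 as the host IP and 10.42.0.18 as the pod IP are taken from it; the DNS line is an added assumption), and 10.42.0.0/16 is assumed as the k3s default cluster CIDR.

```python
import ipaddress
import re
import sys

# Constructed sample in the shape of the report's tcpdump capture; these are
# not the reporter's actual lines.
SAMPLE_CAPTURE = """\
10:01:02.000001 IP 10.42.0.18 > 8.8.8.8: ICMP echo request, id 7, seq 1, length 64
10:01:03.000002 IP 10.42.0.18 > 8.8.8.8: ICMP echo request, id 7, seq 2, length 64
10:01:04.000003 IP 192.168.170.101 > 8.8.8.8: ICMP echo request, id 8, seq 1, length 64
10:01:04.000500 IP 8.8.8.8 > 192.168.170.101: ICMP echo reply, id 8, seq 1, length 64
10:01:05.000004 IP 10.42.0.18 > 10.42.0.1: ICMP echo request, id 9, seq 1, length 64
10:01:06.000005 IP 10.42.0.18.40000 > 8.8.8.8.53: 12345+ A? example.com. (29)
"""

# tcpdump -n prints "IP <src>[.port] > <dst>[.port]:" for IPv4 packets.
PKT_RE = re.compile(r" IP (\S+) > ([^:\s]+):")


def host_of(token):
    """Strip a trailing .port from an IPv4 tcpdump endpoint token."""
    parts = token.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else token


def leaked_pod_sources(capture, pod_cidr="10.42.0.0/16"):
    """Return (src, dst) pairs whose source is a pod address but whose destination
    lies outside the pod CIDR: traffic that should have been masqueraded to the
    node IP before leaving the host NIC. pod_cidr defaults to the assumed
    k3s cluster CIDR; pass the real one for the cluster being checked."""
    net = ipaddress.ip_network(pod_cidr)
    leaks = []
    for line in capture.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(host_of(m.group(1)))
            dst = ipaddress.ip_address(host_of(m.group(2)))
        except ValueError:
            continue  # not an IPv4 endpoint this simplified parser understands
        if src in net and dst not in net:
            leaks.append((str(src), str(dst)))
    return leaks


def nat_is_working(capture, pod_cidr="10.42.0.0/16"):
    """True when no pod-sourced packet left the host with its pod IP intact."""
    return not leaked_pod_sources(capture, pod_cidr)


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CAPTURE
    for src, dst in leaked_pod_sources(data):
        print("un-NATed pod traffic: %s > %s" % (src, dst))
    sys.exit(0 if nat_is_working(data) else 1)
```

Feed it a short live capture from the external NIC named in the report, for instance `sudo tcpdump -nli ens32 -c 50 | python3 nat_check.py`; a non-zero exit means pod addresses are escaping the host, which is exactly the case where `iptables -t nat -vnL | grep -i flannel` should be inspected for the missing MASQUERADE rules. Pass the whole cluster CIDR rather than the node's /24 so that pod-to-pod traffic towards other nodes is not reported as a leak.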