Old network policy iptables rules are not cleared on upgrade #7251

Closed
ShylajaDevadiga opened this issue Apr 7, 2023 · 2 comments
kind/bug Something isn't working

ShylajaDevadiga commented Apr 7, 2023

Environmental Info:
K3s Version:
k3s version v1.25.8+k3s1 (6c5ac02)

Infrastructure
Cloud EC2 instance

Node(s) CPU architecture, OS, and Version:
Ubuntu 20.04

Cluster Configuration:
Single node

Describe the bug:
After upgrade we have a mix of old and new iptables rules that address KUBE-ROUTER

Steps To Reproduce:

  1. Install k3s with default config
    curl -fL https://get.k3s.io | INSTALL_K3S_VERSION=v1.25.8+k3s1 sh -s - server
  2. Upgrade to commit id 027cc18

Expected behavior:
On v1.25.8+k3s1:

$ k3s -v
k3s version v1.25.8+k3s1 (6c5ac022)

$ sudo iptables-save |grep network |grep ROUTER
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN

After upgrade

$ sudo iptables-save |grep network |grep ROUTER
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT

Actual behavior:
On v1.25.8+k3s1:

$ k3s -v
k3s version v1.25.8+k3s1 (6c5ac022)

$ sudo iptables-save |grep network |grep ROUTER
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN

After upgrade we have both old and new rules

$ sudo iptables-save |grep network |grep ROUTER
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN

Workaround:
Run k3s-killall.sh after disabling the network policy controller or during upgrade

Related issue:
#7203

@ShylajaDevadiga ShylajaDevadiga added the kind/bug Something isn't working label Apr 7, 2023
@brandond brandond changed the title old iptables rules are not cleared on upgrade. Old network policy iptables rules are not cleared on upgrade Apr 7, 2023
brandond commented Apr 7, 2023

This is similar to #7244 - it looks like the K3s NPC setup needs to do some cleanup of old rules regardless of whether it's enabled or not.
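The mixed state shown in the reproduction steps above, and the cleanup the previous comment calls for, can be checked for on a node with the following script. It is an added example, not K3s or kube-router code: it classifies an iptables-save dump as clean, legacy or mixed using only the rule patterns visible on this page (the old KUBE-ROUTER-INPUT/FORWARD/OUTPUT chains that RETURN on the 0x20000 mark versus the new rules that ACCEPT directly in INPUT/FORWARD/OUTPUT) and prints, without executing, the iptables commands that would remove the stale rules and chains. The sample ruleset is constructed from the output quoted in the issue; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of K3s): detect legacy kube-router network policy rules
# that survive an upgrade alongside the newer rules, and emit cleanup commands.

# Constructed sample: a trimmed `sudo iptables-save` taken from the issue text,
# i.e. the "mixed" state after the upgrade. Replace with real input on a node.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-ROUTER-INPUT - [0:0]
:KUBE-ROUTER-FORWARD - [0:0]
:KUBE-ROUTER-OUTPUT - [0:0]
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
COMMIT'

# legacy_rules: from iptables-save text on stdin, print the old-style rules that
# RETURN marked traffic inside the KUBE-ROUTER-{INPUT,FORWARD,OUTPUT} chains.
legacy_rules() {
  grep -E '^-A KUBE-ROUTER-(INPUT|FORWARD|OUTPUT) .*--mark 0x20000/0x20000 -j RETURN$' || true
}

# new_rules: print the newer rules that ACCEPT marked traffic directly in the
# built-in chains (comment prefixed with "KUBE-ROUTER").
new_rules() {
  grep -E '^-A (INPUT|FORWARD|OUTPUT) .*KUBE-ROUTER.*--mark 0x20000/0x20000 -j ACCEPT$' || true
}

# count_legacy_rules / count_new_rules: number of matching rules in the given text.
count_legacy_rules() { printf '%s\n' "$1" | legacy_rules | wc -l | tr -d ' '; }
count_new_rules()    { printf '%s\n' "$1" | new_rules    | wc -l | tr -d ' '; }

# upgrade_state: "clean" (new rules only), "legacy" (old rules only),
# "mixed" (both present, the state reported in this issue) or "none".
upgrade_state() {
  old=$(count_legacy_rules "$1")
  new=$(count_new_rules "$1")
  if [ "$old" -gt 0 ] && [ "$new" -gt 0 ]; then echo mixed
  elif [ "$old" -gt 0 ]; then echo legacy
  elif [ "$new" -gt 0 ]; then echo clean
  else echo none
  fi
}

# cleanup_commands: print (do not run) the iptables commands that delete each
# stale rule and then flush and remove the legacy chains defined in the dump.
cleanup_commands() {
  printf '%s\n' "$1" | legacy_rules | sed 's/^-A /iptables -D /'
  for chain in KUBE-ROUTER-INPUT KUBE-ROUTER-FORWARD KUBE-ROUTER-OUTPUT; do
    if printf '%s\n' "$1" | grep -q "^:$chain "; then
      echo "iptables -F $chain"
      echo "iptables -X $chain"
    fi
  done
}

# Stand-alone run against the constructed sample.
state=$(upgrade_state "$SAMPLE_RULES")
echo "network policy rule state: $state"
if [ "$state" = mixed ]; then
  echo "stale legacy rules present; commands that would remove them:"
  cleanup_commands "$SAMPLE_RULES"
fi
```

On a live node, feed `sudo iptables-save` into `upgrade_state` instead of the sample, and review the emitted commands before piping them to a shell. `iptables -X` only succeeds once a chain is empty and no longer referenced by a jump rule, so if an older installation still has a jump into a KUBE-ROUTER-* chain from INPUT/FORWARD/OUTPUT, that jump has to be deleted first; the workaround given in the issue (running k3s-killall.sh with the network policy controller disabled, or during the upgrade) remains the supported way to reset the ruleset.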

est-suse commented Apr 13, 2023

Validated on 59e573d

k3s version v1.25.8+k3s-59e573d1 (59e573d1)
go version go1.19.7
NAME="Ubuntu"
VERSION="20.04 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Steps To Reproduce:

Install k3s with default config
curl -fL https://get.k3s.io | INSTALL_K3S_VERSION=v1.25.8+k3s1 sh -s - server
Upgrade to commit id 027cc18

Before the upgrade:

sudo iptables-save |grep network |grep ROUTER
-A KUBE-ROUTER-FORWARD -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-INPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN
-A KUBE-ROUTER-OUTPUT -m comment --comment "rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j RETURN

After the upgrade:

ubuntu@ip-172-31-40-237:~$ kubectl get nodes
NAME               STATUS   ROLES                  AGE     VERSION
ip-172-31-40-237   Ready    control-plane,master   6m14s   v1.25.8+k3s-59e573d1
ubuntu@ip-172-31-40-237:~$ sudo iptables-save |grep network |grep ROUTER
-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT

Validated on 1.26.3 d9f40d4

-A INPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A FORWARD -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
-A OUTPUT -m comment --comment "KUBE-ROUTER rule to explicitly ACCEPT traffic that comply to network policies" -m mark --mark 0x20000/0x20000 -j ACCEPT
ubuntu@ip-172-31-40-237:~$ kubectl get nodes
NAME               STATUS   ROLES                  AGE     VERSION
ip-172-31-40-237   Ready    control-plane,master   7m12s   v1.26.3+k3s-d9f40d4f
