node is nat'd and doesn't know its IP address on hybrid cluster use wireguard-native is wrong #9535
Comments
Did you want to enable the https://docs.k3s.io/installation/network-options?_highlight=flannel-external-ip#flannel-options
--flannel-external-ip is enabled, but node-x86 is NAT'd and doesn't know its IP address.
What specifically do you mean by Each node needs to know its external IP for Flannel to operate correctly. It cannot discover it for itself.
It changes periodically; it's home broadband with a dynamic IP and uncontrolled NAT.
No, it cannot. The node needs to know its public IP, and the IP should be static.
@manuelbuil can you think of any way that this might work without knowing the external IP?
The wireguard peer negotiation connection will automatically give the master the correct IP and port. How do I modify the WIREGUARD configuration file on master?
How are you configuring wireguard in the arm server so that it knows its public IP address?
If you have a NAT, you'll need a more advanced solution like tailscale. Here you get a nice entry on how they solve the NAT traversal problem: https://tailscale.com/blog/how-nat-traversal-works. Tailscale is integrated into K3s :) ==> https://docs.k3s.io/installation/network-options#integration-with-the-tailscale-vpn-provider-experimental
I want to configure wireguard on the master server,
I want to understand one thing. You deployed k3s-master and k3s-node-x86 and k3s-node-arm. You claim that the wireguard configuration between k3s-master and k3s-node-arm is correct and I can see that k3s-master knows about
You can refer to it here: https://www.wireguard.com/#built-in-roaming. wireguard can get the client's current public IP and port.
Thanks for the information. You are correct, the wireguard implementation in flannel is creating a peer config with its endpoint: https://github.com/flannel-io/flannel/blob/master/pkg/backend/wireguard/wireguard_network.go#L177. That behaviour is the same for server and agents. So whenever a new node is included in K3s, all nodes (server or agent) get updated with this new node information. The endpoint information comes from the annotation:
in the new node. Therefore, I am surprised that in your master node you get
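The two comments above touch on the mechanism behind the symptom in this issue: WireGuard's built-in roaming overwrites a peer's endpoint with the source address of the last authenticated packet, so the node that receives traffic from the NAT'd peer learns its public IP:port, while a node that was handed a wrong static endpoint (the peer's internal IP) never gets a packet through and never handshakes. The script below is an added example, not code from this issue, from flannel or from K3s. It parses the real tab-separated format of `wg show <iface> dump`, runs it over a constructed sample that mirrors the master's view in this report, and flags peers whose endpoint is a non-routable address, differs from the external IP recorded for that node, or has no recent handshake. The public keys, addresses and timestamps are invented, and the key-to-external-IP mapping is taken as plain input because the annotation name is not given on this page.

```python
"""
Added example, not code from the k3s issue nor from flannel or K3s: parse
the tab-separated output of `wg show <iface> dump` on one node and flag
peers whose endpoint can never work across NAT or whose handshake is
stale.  WireGuard's built-in roaming only helps the side that receives
an authenticated packet: that side overwrites the peer's endpoint with
the packet's source address.  A node that has been given a wrong static
endpoint (the NAT'd peer's internal IP, as in the issue) never sends a
packet that arrives, so it never learns anything and never handshakes.
"""
import ipaddress

# Address ranges that cannot be a usable endpoint for a peer behind NAT.
# Checked explicitly rather than via ipaddress.is_private, because that
# property also covers the documentation ranges used in the sample below.
NON_ROUTABLE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),   # CGNAT
]

# Constructed `wg show <iface> dump` output as seen on the master.  Keys,
# addresses and timestamps are invented for this example.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    # interface line: private-key  public-key  listen-port  fwmark
    "(hidden)\tMASTERPUBKEY=\t51820\toff",
    # peer lines: public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
    # node-arm: endpoint correct, handshake 30 s ago
    "ARMPUBKEY=\t(none)\t203.0.113.45:51820\t10.42.2.0/24\t%d\t123456\t654321\t25" % (NOW - 30),
    # node-x86: endpoint is its internal address behind NAT, never handshaked
    "X86PUBKEY=\t(none)\t192.168.36.22:51820\t10.42.1.0/24\t0\t0\t0\t25",
])

# External IP recorded for each node, keyed by WireGuard public key.  The
# issue says flannel takes this from a node annotation; the annotation
# name is not given there, so this example takes the mapping as input.
NODE_EXTERNAL_IP = {
    "ARMPUBKEY=": "203.0.113.45",
    "X86PUBKEY=": "198.51.100.7",
}


def parse_wg_dump(text):
    """Return (interface dict, list of peer dicts) from `wg show <iface> dump`."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    f = lines[0].split("\t")
    iface = {"public_key": f[1], "listen_port": int(f[2])}
    peers = []
    for ln in lines[1:]:
        f = ln.split("\t")
        peers.append({
            "public_key": f[0],
            "endpoint": None if f[2] == "(none)" else f[2],
            "allowed_ips": f[3].split(","),
            "latest_handshake": int(f[4]),   # epoch seconds, 0 = never
            "rx": int(f[5]),
            "tx": int(f[6]),
        })
    return iface, peers


def endpoint_host(endpoint):
    """Strip the port from '1.2.3.4:51820' or '[2001:db8::1]:51820'."""
    host, _, _ = endpoint.rpartition(":")
    return host.strip("[]")


def audit_peers(peers, expected_external_ip, now, max_handshake_age=180):
    """Return (public_key, problem) pairs for peers the local node cannot reach."""
    findings = []
    for p in peers:
        key = p["public_key"]
        if p["endpoint"] is None:
            findings.append((key, "no endpoint configured and none learned yet"))
            continue
        host = endpoint_host(p["endpoint"])
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in NON_ROUTABLE):
            findings.append((key, f"endpoint {host} is a non-routable address"))
        want = expected_external_ip.get(key)
        if want and host != want:
            findings.append((key, f"endpoint {host} differs from recorded external IP {want}"))
        if p["latest_handshake"] == 0:
            findings.append((key, "never completed a handshake"))
        elif now - p["latest_handshake"] > max_handshake_age:
            findings.append((key, f"last handshake {now - p['latest_handshake']}s ago"))
    return findings


if __name__ == "__main__":
    _, peers = parse_wg_dump(SAMPLE_DUMP)
    for key, problem in audit_peers(peers, NODE_EXTERNAL_IP, NOW):
        print(f"{key}: {problem}")
```

On a real node, feed the output of `wg show <iface> dump` into `parse_wg_dump` and the current epoch time into `audit_peers`; a peer that shows up with a private endpoint and a zero handshake on the master, while the same peer on the worker shows a public endpoint and a fresh handshake, is exactly the one-sided roaming the issue describes.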
Apart from the previous comment, I understand that you would like to change the wireguard implementation of flannel to be able to work around the NAT issue (or if you don't know the public IP in advance). It might be tricky to implement because in K8s, when it comes to pod-pod communication, there is not really a server-client architecture. Anyway, as K3s is basically using the Flannel project for this, we should continue discussing in the flannel repo. Could you open an issue over there please: https://github.com/flannel-io/flannel?
ok, Thanks
Can you confirm that your arm node does not have
arm node run
Environmental Info:
K3s Version:
k3s -v
k3s version v1.28.6+k3s2 (c9f49a3)
go version go1.20.13
Node(s) CPU architecture, OS, and Version:
Linux master 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
Linux node-x86 6.1.0-13-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64 GNU/Linux
Linux node-arm 5.15.0-1049-oracle #55-Ubuntu SMP Mon Nov 20 19:53:49 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
Cluster Configuration:
server:
EXTERNAL-IP: xx.xx.xx.xx
INTERNAL-IP: 10.0.8.17
node:
node-x86
node-x86 is NAT'd and doesn't know its IP address.
EXTERNAL-IP: xx.xx.xx.yy
INTERNAL-IP: 192.168.36.22
node-arm
EXTERNAL-IP: xx.xx.xx.zz
INTERNAL-IP: 10.0.1.217
Describe the bug:
wg show
on every node seems to confirm that master can communicate with workers, and workers can ping master, using the VPN mesh network. But master pinging node-x86 fails, because a wrong address (internal-ip) is configured.
Steps To Reproduce:
Installed K3s server using configurations above
Installed K3s workers using configurations above
Expected behavior:
Actual behavior:
Additional context / logs: