
Canal on K8s v1.8 with chain append mode no longer respects networkpolicies #4037

Closed
KashifSaadat opened this issue Dec 11, 2017 · 7 comments · Fixed by #6469
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@KashifSaadat
Contributor

KashifSaadat commented Dec 11, 2017

The information around this issue is documented here: projectcalico/canal#115

Depending on the outcome from the above issue, we will likely need updates to the following files:


Versions

  • Calico version: v2.6.2
  • Flannel version: v0.9.1 (the issue was introduced in this version, v0.9.0 works fine)
  • Kops version: v1.8.0
  • Operating System and version: CoreOS stable v1520.8.0

Cluster Spec (networking block)

  networking:
    canal:
      chainInsertMode: append
      defaultEndpointToHostAction: RETURN
      prometheusMetricsEnabled: true

CC @chrislovecnm

@caseydavenport
Member

@KashifSaadat just to confirm, this is only an issue when the chainInsertMode has been set to append - the default insert continues to work as expected.

@KashifSaadat
Contributor Author

Yes I believe so, because the flannel rules are then at the bottom of the FORWARD chain and so the Calico rules will be processed first.

@caseydavenport
Member

See my comment here.

Essentially, Calico is behaving as expected for the given config. There's probably room for a change in flannel to play nicer in this situation, but if possible I'd recommend using the default chainInsertMode.

k8s-github-robot pushed a commit that referenced this issue Dec 13, 2017
Automatic merge from submit-queue.

Downgrade Flannel in Canal deployment to v0.9.0

Flannel v0.9.1 introduces a single change to add 2 iptables rules to the `FORWARD` chain, permitting traffic in/out of the pod network (introduced to improve compatibility with newer versions of Docker). This change is unnecessary for Canal deployments for the following reasons:
- Calico's `DefaultEndpointToHostAction` is set to `ACCEPT` in the manifest deployed by kops, allowing traffic by default once all other Calico rules are processed.
- If Calico's `ChainInsertMode` is set to `APPEND`, the flannel rules will be processed before the Calico rules, accepting traffic by default, and so Kubernetes network policies will not take effect.

This change is temporary until a more permanent resolution is available with Flannel, such as providing a configurable option to disable the addition of these rules when deployed with Calico.

Related to #4037
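A defender's check for the rule ordering the commit message describes, added here as an example (it is not code from kops, flannel or Calico): it reads an `iptables -S FORWARD` listing and reports whether an ACCEPT on the pod CIDR is reached before the jump to Calico's `cali-FORWARD` chain. The pod CIDR 100.96.0.0/11, the Calico comment string and both listings are constructed samples, and `check_forward_order` / `forward_verdict` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from kops, flannel or Calico. Reads an
# `iptables -S FORWARD` listing on stdin and exits 1 when an ACCEPT rule on the
# pod CIDR (the kind of rule flannel v0.9.1 adds) is processed before the jump
# to Calico's cali-FORWARD chain, i.e. when network policy is bypassed.
check_forward_order() {   # $1 = pod CIDR; stdin = iptables -S FORWARD output
  awk -v cidr="$1" '
    $1 == "-A" && $2 == "FORWARD" {
      n++                                   # position within the chain
      if (!cali && $0 ~ /-j cali-FORWARD$/) cali = n
      if (!acc && (index($0, "-s " cidr) || index($0, "-d " cidr)) && $0 ~ /-j ACCEPT$/) acc = n
    }
    END { if (acc && (!cali || acc < cali)) exit 1; exit 0 }'
}

# Prints "enforced" or "bypassed" for a listing held in a variable.
forward_verdict() {       # $1 = pod CIDR; $2 = listing text
  if printf '%s\n' "$2" | check_forward_order "$1"; then echo enforced; else echo bypassed; fi
}

# Constructed listings (pod CIDR and Calico comment are sample values) for the
# two chainInsertMode settings discussed in the issue.
INSERT_LISTING='-P FORWARD ACCEPT
-A FORWARD -m comment --comment "cali:EXAMPLE" -j cali-FORWARD
-A FORWARD -s 100.96.0.0/11 -j ACCEPT
-A FORWARD -d 100.96.0.0/11 -j ACCEPT'

APPEND_LISTING='-P FORWARD ACCEPT
-A FORWARD -s 100.96.0.0/11 -j ACCEPT
-A FORWARD -d 100.96.0.0/11 -j ACCEPT
-A FORWARD -m comment --comment "cali:EXAMPLE" -j cali-FORWARD'

printf 'chainInsertMode insert: %s\n' "$(forward_verdict 100.96.0.0/11 "$INSERT_LISTING")"
printf 'chainInsertMode append: %s\n' "$(forward_verdict 100.96.0.0/11 "$APPEND_LISTING")"
# On a live node: iptables -S FORWARD | check_forward_order <pod-cidr> && echo enforced
```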
@tomdee
Contributor

tomdee commented Jan 30, 2018

@KashifSaadat Could you raise an issue against flannel to make this configurable?

@KashifSaadat
Contributor Author

@tomdee sure, I've raised the following issue to track this: flannel-io/flannel#938

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 2, 2018
@KashifSaadat
Contributor Author

/remove-lifecycle stale
/lifecycle frozen

I've raised this PR to address the issue within flannel: flannel-io/flannel#978
Until it's merged, it is not recommended to update the flannel version in the canal manifest file.

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 2, 2018