Stale iptables rules seen after "kubeadm reset" #689

vhosakot · 2018-02-01T23:14:26Z

BUG REPORT:

After doing kubeadm reset on all the nodes, I see these stale iptables rules installed by kubernetes and the CNI on all the nodes and they are not deleted after kubeadm reset is done. kubeadm version 1.7 was used and calico was the CNI.

These stale iptables rules affect packet forwarding on the nodes after kubeadm reset is done.

$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 63 packets, 4064 bytes)
 pkts bytes target     prot opt in     out     source               destination         
83639  103M cali-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Cz_u1IQiXIMmKD4c */
93907  154M KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
 121K  170M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
 1668  169K cali-FORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wUHhoiAYhphO9Mso */

Chain OUTPUT (policy ACCEPT 59 packets, 25432 bytes)
 pkts bytes target     prot opt in     out     source               destination         
83963   39M cali-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
95586   44M KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
 122K   55M KUBE-FIREWALL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain KUBE-FIREWALL (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            10.101.37.60         /* kube-system/calico-typha:calico-typha has no endpoints */ tcp dpt:5473 reject-with icmp-port-unreachable

Chain cali-FORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 1668  169K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:JV9-BRWxjz8He5Ib */ MARK and 0xf1ffffff
 1668  169K cali-from-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:p3dIAeGsCabF0CUT */ mark match 0x0/0x1000000
  834 88218 cali-from-wl-dispatch  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0            /* cali:DeNlxb0sUevj_Plt */
  834 80898 cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:B81FOaQNZymbX9H8 */
  649 62953 cali-to-hep-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:bB-I9T0YRAYMASx0 */
  649 62953 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:I1Ki7aNgQsJFzEpG */ /* Policy explicitly accepted packet. */ mark match 0x1000000/0x1000000

Chain cali-INPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:i7okJZpS8VxaJB3n */ mark match 0x1000000/0x1000000
  842 98514 ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:kLJdl8-9MpSKcclh */ /* Allow IPIP packets from Calico hosts */ match-set cali4-all-hosts src ADDRTYPE match dst-type LOCAL
    0     0 DROP       4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:JhfQUFFJ2v0jbipF */ /* Drop IPIP packets from non-Calico hosts */
 2731  569K cali-wl-to-host  all  --  cali+  *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:lCcyvgf8VeDM1u1- */
80066  102M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:GlrNbO_EUWYWRCaO */ MARK and 0xf0ffffff
80066  102M cali-from-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:K-V6zS0uXrZMyaMZ */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:LxVlCgv5vgFY0hIt */ /* Host endpoint policy accepted packet. */ mark match 0x1000000/0x1000000

Chain cali-OUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:YQSSJIsRcHjFbXaI */ mark match 0x1000000/0x1000000
    0     0 cali-to-wl-dispatch  all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:N882DxHZfedrB21M */ ipvs
 3039  557K RETURN     all  --  *      cali+   0.0.0.0/0            0.0.0.0/0            /* cali:3DMcCmSodO9PvZSQ */
  834  105K ACCEPT     4    --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:z0oSsuDED75MEj0R */ /* Allow IPIP packets to other Calico hosts */ match-set cali4-all-hosts dst ADDRTYPE match src-type LOCAL
80090   39M MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QNnJdgwPtObqbUOD */ MARK and 0xf0ffffff
80090   39M cali-to-host-endpoint  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:B2nj6q0bloZNBIi- */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Exh0jTsM68POxMgM */ /* Host endpoint policy accepted packet. */ mark match 0x1000000/0x1000000

Chain cali-failsafe-in (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wWFQM43tJU7wwnFZ */ multiport dports 22
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:LwNV--R8MjeUYacw */ multiport dports 68
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:QOO5NUOqOSS1_Iw0 */ multiport dports 179
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cwZWoBSwVeIAZmVN */ multiport dports 2379
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:7FbNXT91kugE_upR */ multiport dports 2380
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ywE9WYUBEpve70WT */ multiport dports 6666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:l-WQSVBf_lygPR0J */ multiport dports 6667

Chain cali-failsafe-out (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:82hjfji-wChFhAqL */ multiport dports 53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:TNM3RfEjbNr72hgH */ multiport dports 67
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ycxKitIl4u3dK0HR */ multiport dports 179
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:hxjEWyxdkXXkdvut */ multiport dports 2379
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:cA_GLtruuvG88KiO */ multiport dports 2380
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Sb1hkLYFMrKS6r01 */ multiport dports 6666
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:UwLSebGONJUG4yG- */ multiport dports 6667

Chain cali-from-hep-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain cali-from-host-endpoint (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain cali-from-wl-dispatch (2 references)
 pkts bytes target     prot opt in     out     source               destination         
 2847  525K cali-fw-cali760497f1014  all  --  cali760497f1014 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:btNvRWGS9Uc1--wZ */
    0     0 cali-fw-cali8594ba11505  all  --  cali8594ba11505 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:7xg08ELbW_2BwUNt */
  698  127K cali-fw-calicf8e623ea43  all  --  calicf8e623ea43 *       0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:MXgqd9kDw1IoLnFq */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:R_rUYoMTp_Y20Pvq */ /* Unknown interface */

Chain cali-fw-cali760497f1014 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2845  525K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:HwPuZaE8udxDVe6X */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:lchRxTw8uJkvqAy7 */ ctstate INVALID
    2   120 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pkBP2_7UaVFs00FS */ MARK and 0xfeffffff
    2   120 cali-pro-kns.kube-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:LJ_eriaJn-qS--1s */
    2   120 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:aQQiqtCp94gFrE4H */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Jcijcqe-Qk-gm2jL */ /* Drop if no profiles matched */

Chain cali-fw-cali8594ba11505 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jS52NYKbyiOC3qME */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:lTtF738vxqFewrMG */ ctstate INVALID
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O2aRve9PmrvmKDjK */ MARK and 0xfeffffff
    0     0 cali-pro-kns.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:zGEL7My6RCPoIX85 */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:ZQPTSS2mHPuxY26L */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6pzOMDX7P27iWW5s */ /* Drop if no profiles matched */

Chain cali-fw-calicf8e623ea43 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  717  132K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:D3I3OjhrL7qQqzwR */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:4JGZ_4cc7H-I3gtS */ ctstate INVALID
    1    60 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:aarFMNHyZ7MCf_Xb */ MARK and 0xfeffffff
    1    60 cali-pro-kns.kube-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:5Kk0gGSPW5lTjnzS */
    1    60 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:lJBOWbwmrxOkuWDS */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:L4660BXZuZR_FU3S */ /* Drop if no profiles matched */

Chain cali-pri-kns.default (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:5yVkkQ7pBcxxkSaE */ MARK or 0x1000000
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:pZi5w5MrTl3DghSD */ mark match 0x1000000/0x1000000

Chain cali-pri-kns.kube-system (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  649 62953 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:jVs-zlYSX3OG8546 */ MARK or 0x1000000
  649 62953 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:wbS84vjWKVIcWiCG */ mark match 0x1000000/0x1000000

Chain cali-pro-kns.default (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:gbqtfAKh_VXndzz6 */ MARK or 0x1000000
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:JMure-l4CiemFMIB */ mark match 0x1000000/0x1000000

Chain cali-pro-kns.kube-system (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   180 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:B_J-7WG5VtOu-bQy */ MARK or 0x1000000
    3   180 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_Xu55_wPL7ogYHes */ mark match 0x1000000/0x1000000

Chain cali-to-hep-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain cali-to-host-endpoint (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain cali-to-wl-dispatch (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  834 80898 cali-tw-cali760497f1014  all  --  *      cali760497f1014  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:SgH8SZ2p7yHU21J5 */
    0     0 cali-tw-cali8594ba11505  all  --  *      cali8594ba11505  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:_2M9Z9a9p18n7wQX */
    0     0 cali-tw-calicf8e623ea43  all  --  *      calicf8e623ea43  0.0.0.0/0            0.0.0.0/0           [goto]  /* cali:sNxqIDmwZi4H7tq- */
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:JHgjJgzanocMZ1mf */ /* Unknown interface */

Chain cali-tw-cali760497f1014 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  185 17945 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:zrThrogfCh8Y2nYo */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:AXdlwjDUaY2pTO3g */ ctstate INVALID
  649 62953 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:PP8JFDh8KlAI3KKK */ MARK and 0xfeffffff
  649 62953 cali-pri-kns.kube-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:fHkZrXsYWnCA_5Wz */
  649 62953 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Elr81ubmQg_TKLO- */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Xvdfce-QzGRHIVod */ /* Drop if no profiles matched */

Chain cali-tw-cali8594ba11505 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_-IvXbRS5Zv8ZD1w */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:_ZefvJfhlYH0SWeq */ ctstate INVALID
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:d3RTUJsAwhQo41gp */ MARK and 0xfeffffff
    0     0 cali-pri-kns.default  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:-vul7suSFRHeXrEq */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:EmlzY4reMNRb3UZ7 */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:BNNJOWy9OOI_tKnw */ /* Drop if no profiles matched */

Chain cali-tw-calicf8e623ea43 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:iPQfnGZvq-6vWckM */ ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:dK4AfsX0qQOjoETY */ ctstate INVALID
    0     0 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:DqtECX--DEsSgCUo */ MARK and 0xfeffffff
    0     0 cali-pri-kns.kube-system  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ys68MMb9Q8rXxCj3 */
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Rw3g-Sg47oS_qcnU */ /* Return if profile accepted */ mark match 0x1000000/0x1000000
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tSV75lL-CSxHUNeP */ /* Drop if no profiles matched */

Chain cali-wl-to-host (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2731  569K cali-from-wl-dispatch  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:Ee9Sbo10IpVujdIY */
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:nSZbcOoG1xPONxb8 */ /* Configured DefaultEndpointToHostAction */

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-N KUBE-FIREWALL
-N KUBE-SERVICES
-N cali-FORWARD
-N cali-INPUT
-N cali-OUTPUT
-N cali-failsafe-in
-N cali-failsafe-out
-N cali-from-hep-forward
-N cali-from-host-endpoint
-N cali-from-wl-dispatch
-N cali-fw-cali760497f1014
-N cali-fw-cali8594ba11505
-N cali-fw-calicf8e623ea43
-N cali-pri-kns.default
-N cali-pri-kns.kube-system
-N cali-pro-kns.default
-N cali-pro-kns.kube-system
-N cali-to-hep-forward
-N cali-to-host-endpoint
-N cali-to-wl-dispatch
-N cali-tw-cali760497f1014
-N cali-tw-cali8594ba11505
-N cali-tw-calicf8e623ea43
-N cali-wl-to-host
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -m comment --comment "cali:wUHhoiAYhphO9Mso" -j cali-FORWARD
-A OUTPUT -m comment --comment "cali:tVnHkvAo15HuiPy0" -j cali-OUTPUT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-SERVICES -d 10.101.37.60/32 -p tcp -m comment --comment "kube-system/calico-typha:calico-typha has no endpoints" -m tcp --dport 5473 -j REJECT --reject-with icmp-port-unreachable
-A cali-FORWARD -m comment --comment "cali:JV9-BRWxjz8He5Ib" -j MARK --set-xmark 0x0/0xe000000
-A cali-FORWARD -m comment --comment "cali:p3dIAeGsCabF0CUT" -m mark --mark 0x0/0x1000000 -j cali-from-hep-forward
-A cali-FORWARD -i cali+ -m comment --comment "cali:DeNlxb0sUevj_Plt" -j cali-from-wl-dispatch
-A cali-FORWARD -o cali+ -m comment --comment "cali:B81FOaQNZymbX9H8" -j cali-to-wl-dispatch
-A cali-FORWARD -m comment --comment "cali:bB-I9T0YRAYMASx0" -j cali-to-hep-forward
-A cali-FORWARD -m comment --comment "cali:I1Ki7aNgQsJFzEpG" -m comment --comment "Policy explicitly accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:i7okJZpS8VxaJB3n" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-INPUT -p ipencap -m comment --comment "cali:kLJdl8-9MpSKcclh" -m comment --comment "Allow IPIP packets from Calico hosts" -m set --match-set cali4-all-hosts src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p ipencap -m comment --comment "cali:JhfQUFFJ2v0jbipF" -m comment --comment "Drop IPIP packets from non-Calico hosts" -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:lCcyvgf8VeDM1u1-" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:GlrNbO_EUWYWRCaO" -j MARK --set-xmark 0x0/0xf000000
-A cali-INPUT -m comment --comment "cali:K-V6zS0uXrZMyaMZ" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:LxVlCgv5vgFY0hIt" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:YQSSJIsRcHjFbXaI" -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-OUTPUT -o cali+ -m comment --comment "cali:N882DxHZfedrB21M" -m ipvs --ipvs -j cali-to-wl-dispatch
-A cali-OUTPUT -o cali+ -m comment --comment "cali:3DMcCmSodO9PvZSQ" -j RETURN
-A cali-OUTPUT -p ipencap -m comment --comment "cali:z0oSsuDED75MEj0R" -m comment --comment "Allow IPIP packets to other Calico hosts" -m set --match-set cali4-all-hosts dst -m addrtype --src-type LOCAL -j ACCEPT
-A cali-OUTPUT -m comment --comment "cali:QNnJdgwPtObqbUOD" -j MARK --set-xmark 0x0/0xf000000
-A cali-OUTPUT -m comment --comment "cali:B2nj6q0bloZNBIi-" -j cali-to-host-endpoint
-A cali-OUTPUT -m comment --comment "cali:Exh0jTsM68POxMgM" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x1000000/0x1000000 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:wWFQM43tJU7wwnFZ" -m multiport --dports 22 -j ACCEPT
-A cali-failsafe-in -p udp -m comment --comment "cali:LwNV--R8MjeUYacw" -m multiport --dports 68 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:QOO5NUOqOSS1_Iw0" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:cwZWoBSwVeIAZmVN" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:7FbNXT91kugE_upR" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:ywE9WYUBEpve70WT" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-in -p tcp -m comment --comment "cali:l-WQSVBf_lygPR0J" -m multiport --dports 6667 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:82hjfji-wChFhAqL" -m multiport --dports 53 -j ACCEPT
-A cali-failsafe-out -p udp -m comment --comment "cali:TNM3RfEjbNr72hgH" -m multiport --dports 67 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:ycxKitIl4u3dK0HR" -m multiport --dports 179 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:hxjEWyxdkXXkdvut" -m multiport --dports 2379 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:cA_GLtruuvG88KiO" -m multiport --dports 2380 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:Sb1hkLYFMrKS6r01" -m multiport --dports 6666 -j ACCEPT
-A cali-failsafe-out -p tcp -m comment --comment "cali:UwLSebGONJUG4yG-" -m multiport --dports 6667 -j ACCEPT
-A cali-from-wl-dispatch -i cali760497f1014 -m comment --comment "cali:btNvRWGS9Uc1--wZ" -g cali-fw-cali760497f1014
-A cali-from-wl-dispatch -i cali8594ba11505 -m comment --comment "cali:7xg08ELbW_2BwUNt" -g cali-fw-cali8594ba11505
-A cali-from-wl-dispatch -i calicf8e623ea43 -m comment --comment "cali:MXgqd9kDw1IoLnFq" -g cali-fw-calicf8e623ea43
-A cali-from-wl-dispatch -m comment --comment "cali:R_rUYoMTp_Y20Pvq" -m comment --comment "Unknown interface" -j DROP
-A cali-fw-cali760497f1014 -m comment --comment "cali:HwPuZaE8udxDVe6X" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali760497f1014 -m comment --comment "cali:lchRxTw8uJkvqAy7" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali760497f1014 -m comment --comment "cali:pkBP2_7UaVFs00FS" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali760497f1014 -m comment --comment "cali:LJ_eriaJn-qS--1s" -j cali-pro-kns.kube-system
-A cali-fw-cali760497f1014 -m comment --comment "cali:aQQiqtCp94gFrE4H" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali760497f1014 -m comment --comment "cali:Jcijcqe-Qk-gm2jL" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-cali8594ba11505 -m comment --comment "cali:jS52NYKbyiOC3qME" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-cali8594ba11505 -m comment --comment "cali:lTtF738vxqFewrMG" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-cali8594ba11505 -m comment --comment "cali:O2aRve9PmrvmKDjK" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-cali8594ba11505 -m comment --comment "cali:zGEL7My6RCPoIX85" -j cali-pro-kns.default
-A cali-fw-cali8594ba11505 -m comment --comment "cali:ZQPTSS2mHPuxY26L" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-cali8594ba11505 -m comment --comment "cali:6pzOMDX7P27iWW5s" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:D3I3OjhrL7qQqzwR" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:4JGZ_4cc7H-I3gtS" -m conntrack --ctstate INVALID -j DROP
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:aarFMNHyZ7MCf_Xb" -j MARK --set-xmark 0x0/0x1000000
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:5Kk0gGSPW5lTjnzS" -j cali-pro-kns.kube-system
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:lJBOWbwmrxOkuWDS" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-fw-calicf8e623ea43 -m comment --comment "cali:L4660BXZuZR_FU3S" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-pri-kns.default -m comment --comment "cali:5yVkkQ7pBcxxkSaE" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pri-kns.default -m comment --comment "cali:pZi5w5MrTl3DghSD" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pri-kns.kube-system -m comment --comment "cali:jVs-zlYSX3OG8546" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pri-kns.kube-system -m comment --comment "cali:wbS84vjWKVIcWiCG" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pro-kns.default -m comment --comment "cali:gbqtfAKh_VXndzz6" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pro-kns.default -m comment --comment "cali:JMure-l4CiemFMIB" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-pro-kns.kube-system -m comment --comment "cali:B_J-7WG5VtOu-bQy" -j MARK --set-xmark 0x1000000/0x1000000
-A cali-pro-kns.kube-system -m comment --comment "cali:_Xu55_wPL7ogYHes" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-to-wl-dispatch -o cali760497f1014 -m comment --comment "cali:SgH8SZ2p7yHU21J5" -g cali-tw-cali760497f1014
-A cali-to-wl-dispatch -o cali8594ba11505 -m comment --comment "cali:_2M9Z9a9p18n7wQX" -g cali-tw-cali8594ba11505
-A cali-to-wl-dispatch -o calicf8e623ea43 -m comment --comment "cali:sNxqIDmwZi4H7tq-" -g cali-tw-calicf8e623ea43
-A cali-to-wl-dispatch -m comment --comment "cali:JHgjJgzanocMZ1mf" -m comment --comment "Unknown interface" -j DROP
-A cali-tw-cali760497f1014 -m comment --comment "cali:zrThrogfCh8Y2nYo" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali760497f1014 -m comment --comment "cali:AXdlwjDUaY2pTO3g" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali760497f1014 -m comment --comment "cali:PP8JFDh8KlAI3KKK" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali760497f1014 -m comment --comment "cali:fHkZrXsYWnCA_5Wz" -j cali-pri-kns.kube-system
-A cali-tw-cali760497f1014 -m comment --comment "cali:Elr81ubmQg_TKLO-" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali760497f1014 -m comment --comment "cali:Xvdfce-QzGRHIVod" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-cali8594ba11505 -m comment --comment "cali:_-IvXbRS5Zv8ZD1w" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-cali8594ba11505 -m comment --comment "cali:_ZefvJfhlYH0SWeq" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-cali8594ba11505 -m comment --comment "cali:d3RTUJsAwhQo41gp" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-cali8594ba11505 -m comment --comment "cali:-vul7suSFRHeXrEq" -j cali-pri-kns.default
-A cali-tw-cali8594ba11505 -m comment --comment "cali:EmlzY4reMNRb3UZ7" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-cali8594ba11505 -m comment --comment "cali:BNNJOWy9OOI_tKnw" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:iPQfnGZvq-6vWckM" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:dK4AfsX0qQOjoETY" -m conntrack --ctstate INVALID -j DROP
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:DqtECX--DEsSgCUo" -j MARK --set-xmark 0x0/0x1000000
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:Ys68MMb9Q8rXxCj3" -j cali-pri-kns.kube-system
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:Rw3g-Sg47oS_qcnU" -m comment --comment "Return if profile accepted" -m mark --mark 0x1000000/0x1000000 -j RETURN
-A cali-tw-calicf8e623ea43 -m comment --comment "cali:tSV75lL-CSxHUNeP" -m comment --comment "Drop if no profiles matched" -j DROP
-A cali-wl-to-host -m comment --comment "cali:Ee9Sbo10IpVujdIY" -j cali-from-wl-dispatch
-A cali-wl-to-host -m comment --comment "cali:nSZbcOoG1xPONxb8" -m comment --comment "Configured DefaultEndpointToHostAction" -j ACCEPT

kubeadm version:

$ kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.11", GitCommit:"b13f2fd682d56eab7a6a2b5a1cab1a3d2c8bdd55", GitTreeState:"clean", BuildDate:"2017-11-25T17:51:39Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

Kubernetes version:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.11", GitCommit:"b13f2fd682d56eab7a6a2b5a1cab1a3d2c8bdd55", GitTreeState:"clean", BuildDate:"2017-11-25T18:34:52Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.12", GitCommit:"3bda299a6414b4866f179921610d6738206a18fe", GitTreeState:"clean", BuildDate:"2017-12-29T08:39:49Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

OS:
Ubuntu xenial VM:

$ cat /etc/os-release
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Kernel:

$ uname -a
Linux vhosakot-aci-1-m3710102e28 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Others:

iptables version is v1.6.0.

Docker version:

$ sudo docker info
sudo: unable to resolve host vhosakot-aci-1-m3710102e28
Containers: 0
 Running: 0
 Paused: 0
 Stopped: 0
Images: 11
Server Version: 1.13.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 35
 Dirperm1 Supported: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins: 
 Volume: local
 Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version:  (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: N/A (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: N/A (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: 4.4.0-112-generic
Operating System: Ubuntu 16.04.3 LTS
OSType: linux
Architecture: x86_64
CPUs: 3
Total Memory: 15.67 GiB
Name: vhosakot-aci-1-m3710102e28
ID: EPSU:SV6W:HQOG:QHFI:CZRJ:WMEJ:TADP:PSSY:BP5T:7X6U:Y6A6:PGNC
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

$ sudo docker version
sudo: unable to resolve host vhosakot-aci-1-m3710102e28
Client:
 Version:      1.13.1
 API version:  1.26
 Go version:   go1.6.2
 Git commit:   092cba3
 Built:        Thu Nov  2 20:40:23 2017
 OS/Arch:      linux/amd64

Server:
 Version:      1.13.1
 API version:  1.26 (minimum version 1.12)
 Go version:   go1.6.2
 Git commit:   092cba3
 Built:        Thu Nov  2 20:40:23 2017
 OS/Arch:      linux/amd64
 Experimental: false

Calico CNI image versions:

registry.ci.dfj.io/cpsg_ccp/quay.io/calico/typha:v0.6.0-5-g08e8985
registry.ci.dfj.io/cpsg_ccp/quay.io/calico/node:v3.0.1-65-g4d78be07
registry.ci.dfj.io/cpsg_ccp/quay.io/calico/cni:v2.0.0-4-g26ec250

What happened?

Stale iptables rules were seen on all the nodes after kubeadm reset was done on all the nodes.

What you expected to happen?

No stale iptables rules and kubeadm reset must delete all the iptables rules installed by kubernetes and the CNI.

How to reproduce it (as minimally and precisely as possible)?

kubeadm reset (see steps above)

The text was updated successfully, but these errors were encountered:

timothysc · 2018-04-06T23:23:11Z

/assign @detiber @chuckha

chuckha · 2018-04-12T20:45:47Z

We should probably include the fact that kubeadm reset doesn't flush iptables rules here: https://kubernetes.io/docs/reference/setup-tools/kubeadm/kubeadm-reset/

in the meantime @vhosakot you can check out this blog post to see how to reset your iptables rules https://blog.heptio.com/properly-resetting-your-kubeadm-bootstrapped-cluster-nodes-heptioprotip-473bd0b824aa (disclaimer: I work at heptio)

chuckha · 2018-04-30T18:53:09Z

On second thought, it's really the kubelet and the CNI doing the networking manipulation (unless I totally missed something). Kubeadm enables the kubelet service and then cleanup instructions will be different for each CNI provider.

I think we could clarify that kubeadm doesn't specifically do anything with networking and therefore kubeadm reset can't reasonably undo anything that the kubelet or CNI has done. We could redirect folks to various CNI cleanup instructions / kubelet cleanup instructions?

timothysc · 2018-07-03T20:08:18Z

This is really on the proxy imo, and I'm not aware of an option to clear the rules.
/cc @kubernetes/sig-network-bugs

caseydavenport · 2018-07-03T23:35:08Z

kube-proxy has an option to do this I believe - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/

--cleanup: If true cleanup iptables and ipvs rules and exit.

Calico does not have an equivalent option, so today you'll need to flush those yourself, and/or open an enhancement request against Calico :)

fejta-bot · 2018-10-02T00:18:59Z

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

timothysc · 2018-10-11T17:13:38Z

/assign @timothysc @liztio @rosti
/cc @rdodev @neolit123

rdodev · 2018-11-08T20:48:21Z

@timothysc @chuckha @neolit123 after inspection and consulting with other contributors, I have come up with the following options which I would like asking for preference before implementing:

We could duplicate the code to replicate functionality kubeadm-side inhttps://github.com/kubernetes/kubernetes/blob/91d6d7530382bf120a1575bae72ca36a33842e95/cmd/kube-proxy/app/server.go#L466-L473 (we could do a pkg level import, but feel weird to cross boundaries)
We could docker run kube-proxy container with --cleanup flag set (but potential cross-platform issues)
shell out iptables flush commands (same as above, plus possibly deleting non-kube rules that were already present).

None are super elegant and there are trade offs to each.

rdodev · 2018-11-09T15:06:28Z

The more I've mulled this over, the more I think @chuckha 's suggestion to print the command the user should run if they want to drop iptables rules is the saner of all options, given the highly decoupled kubeadm is from cluster components.

k8s-ci-robot assigned chuckha and detiber Apr 6, 2018

timothysc added kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Apr 6, 2018

timothysc added this to the v1.11 milestone Apr 6, 2018

chuckha added kind/documentation Categorizes issue or PR as related to documentation. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. and removed kind/bug Categorizes issue or PR as related to a bug. labels Apr 24, 2018

chuckha removed this from the v1.11 milestone Apr 25, 2018

neolit123 mentioned this issue Jun 1, 2018

Umbrella: 1.11 kubeadm tracking issue kubernetes/website#8846

Closed

timothysc unassigned chuckha and detiber Jul 3, 2018

k8s-ci-robot added sig/network Categorizes an issue or PR as relevant to SIG Network. kind/bug Categorizes issue or PR as related to a bug. labels Jul 3, 2018

rosti mentioned this issue Aug 31, 2018

Improve kubeadm reset for 1.13 #971

Closed

k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 2, 2018

timothysc added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Oct 11, 2018

timothysc added this to the v1.13 milestone Oct 11, 2018

k8s-ci-robot assigned liztio, rosti and timothysc Oct 11, 2018

timothysc unassigned rosti Oct 30, 2018

timothysc assigned rdodev and liztio and unassigned liztio and timothysc Oct 30, 2018

timothysc removed the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Nov 1, 2018

rdodev added the lifecycle/active Indicates that an issue or PR is actively being worked on by a contributor. label Nov 8, 2018

timothysc added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/feature Categorizes issue or PR as related to a new feature. labels Nov 9, 2018

rdodev mentioned this issue Nov 9, 2018

iptables reset text message kubernetes/kubernetes#70874

Merged

k8s-ci-robot closed this as completed in kubernetes/kubernetes#70874 Nov 14, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stale iptables rules seen after "kubeadm reset" #689

Stale iptables rules seen after "kubeadm reset" #689

vhosakot commented Feb 1, 2018 •

edited

Loading

timothysc commented Apr 6, 2018

chuckha commented Apr 12, 2018

chuckha commented Apr 30, 2018

timothysc commented Jul 3, 2018

caseydavenport commented Jul 3, 2018 •

edited

Loading

fejta-bot commented Oct 2, 2018

timothysc commented Oct 11, 2018

rdodev commented Nov 8, 2018 •

edited

Loading

rdodev commented Nov 9, 2018

Stale iptables rules seen after "kubeadm reset" #689

Stale iptables rules seen after "kubeadm reset" #689

Comments

vhosakot commented Feb 1, 2018 • edited Loading

What happened?

What you expected to happen?

How to reproduce it (as minimally and precisely as possible)?

timothysc commented Apr 6, 2018

chuckha commented Apr 12, 2018

chuckha commented Apr 30, 2018

timothysc commented Jul 3, 2018

caseydavenport commented Jul 3, 2018 • edited Loading

fejta-bot commented Oct 2, 2018

timothysc commented Oct 11, 2018

rdodev commented Nov 8, 2018 • edited Loading

rdodev commented Nov 9, 2018

vhosakot commented Feb 1, 2018 •

edited

Loading

caseydavenport commented Jul 3, 2018 •

edited

Loading

rdodev commented Nov 8, 2018 •

edited

Loading