-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
--proxy-mode=nftables
fails if non-canonical (but standardized) IPv6 addresses are used
#122611
Comments
Use the manifest below, and the assign-lb-ip tool:
The loadBalancerIPs are taken from the documentation ranges, specified in rfc5737 and rfc3849. alpine-nc.yamlapiVersion: apps/v1
kind: Deployment
metadata:
name: alpine-nc
spec:
selector:
matchLabels:
app: alpine-nc
replicas: 4
template:
metadata:
labels:
app: alpine-nc
spec:
containers:
- name: alpine
image: alpine:latest
imagePullPolicy: IfNotPresent
command: ["nc", "-lk", "-p", "7007", "-e", "hostname"]
ports:
- name: nc
containerPort: 7007
---
apiVersion: v1
kind: Service
metadata:
name: alpine-nc
spec:
ipFamilyPolicy: RequireDualStack
selector:
app: alpine-nc
type: LoadBalancer
ports:
- port: 7007
name: nc |
/assign @danwinship |
If you are using KinD, you can set static routes to your control-plane for testing (--name default assumed below):
Since the addresses are reserved for documentation, it shouldn't disturb your network setup (in theory 😄 ) |
No, But anyway, that said, it seems like this could only be failing if the nftables CLI doesn't handle those IPs (which would be a bug in nftables), and kube-proxy is directly passing the value from the Service object to nftables, which it shouldn't be doing anyway because of the whole "IPv4 with leading 0s" fiasco. (I just wrote a warning about this in another PR!). We should be parsing-and-restringifying the IP from the Service and passing the restringified version to external APIs. (The service tracker code enforces this for ClusterIP but it looks like we're not doing that for other Service/Endpoint IPs...)
Go ahead, but as above, I think the fixes will be in |
+1 to Dan's opinion on canonicalizing everything before plumbing it down
@uablrek you should see in the logs if it fails in nftables , because we should open a bug there if that is the problem /triage accepted |
Yes.
Also manually tested with the latest
|
ipv6 parsing from scanner.l
|
If a user specifies |
/retitle |
--proxy-mode=nftables
fails if non-canonical (but standardized) IPv6 addresses are used
opened a bug in netfilter https://bugzilla.netfilter.org/show_bug.cgi?id=1730 so community can fix it there |
A more relaxed regexp for ip6addr may be used. The address is parsed later on anyway. Just try a ipv4 "900.900.900.0". It's recognized as an ip4addr, but can't be used (obviously), and the error points (correctly) at the address, not at the "action" as with an embedded ipv4. BTW, I tried to alter the scanner.l, but it didn't work. I don't know enough about flex. |
What happened?
When a non-canonical IPv6 address, e.g.
fd00::10.0.0.34
, is used as a loadBalancerIP, communication fails./sig network
/area kube-proxy
What did you expect to happen?
Addresses like
fd00::10.0.0.34
should work, as they do for proxy-mode ipvs and iptablesHow can we reproduce it (as minimally and precisely as possible)?
I will add a manifest for test, and more instructions later.
Anything else we need to know?
What "canonical" really is can be debated. The rfc5952 seems to accept "embedded ipv4", as long as the prefix follows the rules. So, as I understand it,
fd00::10.0.0.34
is a canonical IPv6 address.@danwinship If you don't mind I would like to take a shot at this myself to get acquainted with the code
Kubernetes version
v1.29.0
Cloud provider
None
OS version
Linux
Install tools
None
Container runtime (CRI) and version (if applicable)
N/A (cri-o)
Related plugins (CNI, CSI, ...) and versions (if applicable)
N/A (but tested with calico and flannel)
The text was updated successfully, but these errors were encountered: