Redhat 8 install kubernetes, that can't communication between the podip #97283
/sig network
This looks like a request for advice. The steps to reproduce: “install kubernetes in redhat 8” might not be detailed enough to replicate the issue, even knowing that Calico was also used. /kind support
tks, I added the installation process and updated the comment
@readerx Looks like you solved your issue report. If yes, could you please clarify it was firewalld settings? Could you please share what you did to solve it and close the issue report?
Yes, I have a solution, like this:
But I don't know if this is a good way, or whether K8S or Calico can automatically handle these firewalld settings.
Hey @readerx, In a fresh env, what happens if you do the following:
Add the following configuration into the env section:
Save and apply/deploy the plugin:
See also: projectcalico/calico#2322
Adding @champtar into the loop. Have you seen this one in your recent tests?
I'm not convinced that this is a documentation issue for Kubernetes. Maybe this'd work better as a Calico issue or support request?
kubespray recommends just stopping firewalld, or managing it manually
In the add-entry I put the node IPs, the clusterIPs and podIPs cidr. Your nft rule just allows any forwarding, which might be too permissive
Agreed and I believe the trick I have mentioned in #97283 (comment) should make it work.
@dougsland right, you also definitely need to set
I used this configuration in calico-node
nft ruleset like this
But problems remain
I think the reason for the problem is iptables-nft operations is If want to solve this problem Calico needs to handle the
I would first test without firewalld (disable & reboot all nodes). If it works, this is not a k8s bug ;), and you can enable it again, configure it as I explained, and restart your debug journey from there.
Yes, after the firewall is turned off, the problem does not appear.
So, our general recommendation on the Calico side is to just disable firewalld and instead to use Calico to manage the firewall rules on the host. I think that's what most folks end up doing. I believe that it is possible to make Calico and firewalld play nicely together, but I'm afraid I don't know the full set of configurations needed in firewalld to make this happen off the top of my head. Some things to look out for would be:
At the end of the day, though, I don't think this is really a Kubernetes bug or feature request, since the interactions are solely between Calico and firewalld. /remove-kind bug
@caseydavenport: Closing this issue. In response to this:
I've left the corresponding Calico issue open since we should probably document something on that side.
Hi, I solved this problem in CentOS 8 by creating a new firewalld zone for kubernetes pods and setting its target to ACCEPT. Commands:
firewall-cmd man:
Versions:
To see what is getting rejected by firewalld, use the below commands
Thank you.
Hi,
Looks like this config worked on CentOS 8 Stream, but it's not working for me. Any help to fix this issue? Thanks
IPIP offload is broken with at least Mellanox and VMware in RHEL 8.3, and Calico defaults to IPIP, so have a look at this bug, this might be your problem: projectcalico/calico#4384
Thanks, based on this I need to run these two commands. My server is running on VMware: kubernetes-sigs/kubespray#7268
to keep this setting during reboot:
Or you can switch from IPIP to VXLAN or even pure routing ;)
@sfgroups-k8s Have you solved your problem yet? The firewall is off in your environment, so it's not the same problem that I have
What happened:
Redhat 8 install kubernetes, that can't communication between the podip
How to reproduce it (as minimally and precisely as possible):
install kubernetes in redhat 8.
podA (busybox): 10.254.219.69
podB (nginx): 10.254.219.68, listening on TCP port 80
kubectl exec -it podA -- sh
Anything else we need to know?:
Environment:
Kubernetes version (use kubectl version):
Cloud provider or hardware configuration:
OS (e.g: cat /etc/os-release):
Kernel (e.g. uname -a):
The problem was that firewalld dropped the forwarded packets.
like this: