When I delete all the endpoint pods which bind to a kubernetes service, calico never rejects packets which belong to the kubernetes service without any endpoint in the iptables rule "cali-FORWARD" in the filter table. At the same time, kubernetes rejects the packet in the iptables rule "KUBE-SERVICES" in the filter table.
[root@node55 ~]# iptables -t filter -nvL KUBE-SERVICES
Chain KUBE-SERVICES (3 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 10.96.178.165 /* default/etcd-test: has no endpoints */ tcp dpt:2379 reject-with icmp-port-unreachable
But "cali-FORWARD" just accepts the packet in the filter table FORWARD chain, so the packets will not be rejected by the kubernetes iptables rule above.
[root@node56 ~]# iptables -t filter -nvL cali-pro-kns.kube-system
Chain cali-pro-kns.kube-system (6 references)
pkts bytes target prot opt in out source destination
471K 28M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:-50oJuMfLVO3LkBk */ MARK or 0x10000
471K 28M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:ztVPKv1UYejNzm1g */ mark match 0x10000/0x10000
Then if another pod wants to connect to the service, it will create an nf_conntrack entry without any DNAT. This may lead to a problem because the wrong nf_conntrack entry will stay alive for 2 minutes. If the pod retries to connect within 2 minutes, the wrong nf_conntrack entry will refresh its lifetime for another 2 minutes even if the endpoint pods come back.
Expected Behavior
calico rejects packets which belong to the kubernetes service without any endpoint in the "cali-FORWARD" chain in the filter table.
Current Behavior
calico never rejects packets which belong to the kubernetes service without any endpoint in the "cali-FORWARD" chain in the filter table.
Possible Solution
Steps to Reproduce (for bugs)
1. deploy kubernetes with calico as its CNI
2. create a kubernetes service which binds to some healthy endpoint pods
3. delete all the endpoint pods
4. try to connect to the kubernetes service from a client pod.
Context
Your Environment
Calico version
v3.7.4
Orchestrator version (e.g. kubernetes, mesos, rkt):
kubernetes v1.15
Operating System and version:
CentOS 7.5
Link to your project (optional):
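The stale-conntrack symptom described in the report can be checked for directly on a node. The following script is an added example written for this issue; it is not Calico or Kubernetes code. It parses the text of two commands an operator would run on the node, `iptables -t filter -S KUBE-SERVICES` and `conntrack -L -p tcp`, and flags conntrack entries whose original destination is a service VIP that kube-proxy currently marks "has no endpoints" and whose reply tuple still carries the VIP as source, which is exactly the signature of an entry created without DNAT. All IPs, ports, chain names and conntrack lines below are constructed sample data, not output captured from the reporter's node; the 119-second remaining timeout matches the kernel default `nf_conntrack_tcp_timeout_syn_sent` of 120 seconds, which is where the "2 minutes" in the report comes from.

```python
"""Find conntrack entries to a Kubernetes service VIP that were created without DNAT.

Added example for this issue (not Calico/Kubernetes code). Input is the text of
    iptables -t filter -S KUBE-SERVICES
    conntrack -L -p tcp
A DNATed entry has a reply tuple whose src is a pod IP; an entry that reached
the VIP while the service had no endpoints has a reply src equal to the VIP.
"""
import re
from dataclasses import dataclass

# `iptables -S` form of the REJECT rule kube-proxy installs for a service
# without endpoints (the comment text is what kube-proxy writes).
NO_ENDPOINTS_RE = re.compile(
    r'-A KUBE-SERVICES .*?-d (?P<vip>[\d.]+)/32 '
    r'.*?--comment "(?P<svc>[^"]+?):?\s+has no endpoints" '
    r'.*?--dport (?P<port>\d+) .*?-j REJECT'
)


@dataclass
class ConntrackEntry:
    proto: str
    state: str      # TCP state, empty for protocols without one
    timeout: int    # seconds left before the kernel expires the entry
    orig: dict      # original direction: src/dst/sport/dport as the client sent them
    reply: dict     # reply direction: src is the real backend after DNAT


def parse_no_endpoint_services(iptables_s_output: str) -> dict:
    """Map (vip, port) -> service name for every 'has no endpoints' REJECT rule."""
    result = {}
    for line in iptables_s_output.splitlines():
        m = NO_ENDPOINTS_RE.search(line)
        if m:
            result[(m['vip'], int(m['port']))] = m['svc']
    return result


def parse_conntrack(conntrack_output: str) -> list:
    """Parse `conntrack -L` lines: proto num timeout [STATE] <orig tuple> [flags] <reply tuple> ..."""
    entries = []
    for line in conntrack_output.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split()
        proto, timeout = fields[0], int(fields[2])
        state = fields[3] if '=' not in fields[3] else ''
        # src/dst/sport/dport appear twice: original direction first, reply direction second.
        kv = re.findall(r'(src|dst|sport|dport)=(\S+)', line)
        entries.append(ConntrackEntry(proto, state, timeout, dict(kv[:4]), dict(kv[4:8])))
    return entries


def find_stale_vip_entries(iptables_s_output: str, conntrack_output: str) -> list:
    """Return (service, client_ip, seconds_left) for entries that target a
    no-endpoint service VIP and were never DNATed (reply src == VIP)."""
    dead = parse_no_endpoint_services(iptables_s_output)
    stale = []
    for e in parse_conntrack(conntrack_output):
        key = (e.orig['dst'], int(e.orig['dport']))
        if key in dead and e.reply['src'] == e.orig['dst']:
            stale.append((dead[key], e.orig['src'], e.timeout))
    return stale


# Constructed sample output (not captured from a real node).
SAMPLE_IPTABLES_S = '''
-A KUBE-SERVICES -d 10.96.178.165/32 -p tcp -m comment --comment "default/etcd-test: has no endpoints" -m tcp --dport 2379 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-PLACEHOLDER
'''

SAMPLE_CONNTRACK = '''
tcp      6 119 SYN_SENT src=10.244.1.5 dst=10.96.178.165 sport=45678 dport=2379 [UNREPLIED] src=10.96.178.165 dst=10.244.1.5 sport=2379 dport=45678 mark=0 use=1
tcp      6 100 SYN_SENT src=10.244.1.6 dst=10.96.178.165 sport=45680 dport=2379 [UNREPLIED] src=10.244.2.9 dst=10.244.1.6 sport=2379 dport=45680 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.244.1.5 dst=10.96.0.1 sport=51002 dport=443 src=10.0.0.55 dst=10.244.1.5 sport=6443 dport=51002 [ASSURED] mark=0 use=1
'''

if __name__ == '__main__':
    for svc, client, left in find_stale_vip_entries(SAMPLE_IPTABLES_S, SAMPLE_CONNTRACK):
        print(f'stale non-DNAT entry: service={svc} client={client} expires_in={left}s')
```

Only the first sample entry is reported: the second one targets the same VIP but its reply source is a pod IP, so it was DNATed while an endpoint still existed, and the third belongs to a service that has endpoints. On a live node, an operator who finds such entries can clear them with `conntrack -D -d <vip>` so the next connection attempt gets a fresh conntrack lookup instead of refreshing the stale one.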