runc: Pods can't reach cluster service IPs

[seanknox]

Using runc, pods cannot reach cluster service IPs (10.0.0.0/16), including apiserver at 10.0.0.1. Nodes can reach service IPs, however.

May be related to #1

To repro:

• Try curl'ing the apiserver from a pod (doesn't work):

$ kubectl run -it --image ianneub/network-tools nettools bash

If you don't see a command prompt, try pressing enter.

root@nettools-69f59c45fc-ghzmf:/# curl --connect-timeout 10 -k https://10.0.0.1
curl: (28) Connection timed out after 10000 milliseconds

curl'ing from a node does work, however:

CLUSTER_NAME=containerd2nics make ssh hostname=node1
Agent pid 56185
Identity added: .keypair/containerd2nics/containerd2nics.pem (.keypair/containerd2nics/containerd2nics.pem)
Welcome to Ubuntu 17.10 (GNU/Linux 4.13.0-39-generic x86_64)
...
ubuntu@node1:~$ curl -k https://10.0.0.1
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {

  },
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401 

[seanknox]

Docker seems to work, probably because it creates a bridge network:

May 13 17:12:33 node1 dockerd[94383]: time="2018-05-13T17:12:33.614546457Z" level=info msg="Default bridge (docker0) is assigned with an IP address 172.17.0.0/16. Daemon option --bip can be used to set a preferred IP address"

$ ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 0.0.0.0
        inet6 fe80::42:41ff:febb:302c  prefixlen 64  scopeid 0x20<link>
        ether 02:42:41:bb:30:2c  txqueuelen 0  (Ethernet)
        RX packets 36  bytes 2893 (2.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 41  bytes 5561 (5.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[seanknox]

Fixed in dd03078