Can't establish direct connection to a Kubernetes pod despite having a direct connection to its node (Flannel CNI) #11427
Hi, thanks for creating the issue. A known reason why it is not possible to get direct connections on some Kubernetes configurations is that the CNI enforces source port randomization. You could verify that it is on by grepping your node's iptables NAT rules for `--random-fully`. We do need to document this behaviour and/or whether it can be turned off for different CNIs. See also #3822
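The check above can be sketched like this. The sample rule is illustrative (a typical Flannel-style MASQUERADE rule on the default K3s pod CIDR) and stands in for real `sudo iptables -t nat -S POSTROUTING` output, which requires root on the node:

```shell
# Sketch: detect whether MASQUERADE rules force source port randomization.
# On a real node you would pipe `sudo iptables -t nat -S POSTROUTING`
# into the grep instead of this sample line.
sample='-A POSTROUTING -s 10.42.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully'
if printf '%s\n' "$sample" | grep -q -- '--random-fully'; then
  echo "source port randomization is ON"
fi
```

If the grep matches nothing on a real node, the CNI is not the reason direct connections fail.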
Yeah, I have found rules like that in my iptables:
I'll try removing the flag from those rules. Additionally, I've looked into how Flannel builds its iptables rules, and it appears that it automatically enables port randomization if it finds that iptables supports it. So I'm not sure if there is a way to easily disable it, and I'm also not sure whether completely disabling it is a good idea either (although I am not a network person, so I dunno).
Thank you for taking a look; it does indeed seem like they have it hardcoded. Is the client that you are connecting from also behind hard NAT?
Yeah, most likely: it's a student dorm network, and while I have no idea how to properly quantify how hard its NAT is, I've always had issues connecting to P2P games on a Nintendo Switch, so there's certainly some stuff going on there.
If you take a look at your client in the Tailscale Machines panel, there is a field named
I have tried manually editing the relevant iptables rules, but either I'm doing something wrong and they are not being applied, or Flannel just keeps reapplying them, because I am still unable to get a direct connection. I guess I will have to manually patch Flannel itself and try again. Though I suppose this should be reported upstream as well.
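The manual-edit attempt described above can be sketched as follows. The rule text is a hypothetical Flannel-style example standing in for real `iptables -t nat -S POSTROUTING` output; this only prints the commands that would delete the randomized rule and re-add it without the flag, it does not run them:

```shell
# Hypothetical sketch: build a delete command for a MASQUERADE rule that
# uses --random-fully, plus a re-add command without the flag.
rule='-A POSTROUTING -s 10.42.0.0/16 -j MASQUERADE --random-fully'
delete_cmd="iptables -t nat $(printf '%s\n' "$rule" | sed 's/^-A /-D /')"
readd_cmd="iptables -t nat $(printf '%s\n' "$rule" | sed 's/ --random-fully//')"
echo "$delete_cmd"
echo "$readd_cmd"
# Caveat: Flannel periodically re-syncs its rules, so deletions tend to be
# reapplied unless Flannel itself is patched or reconfigured -- consistent
# with the behaviour described above.
```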
Small update: I have switched to Calico for networking on my cluster, since it has a way to disable source port randomization: you configure Felix (Calico's node agent) to override iptables feature detection and make it think the randomization is not supported. The relevant bits of documentation can be found here: https://docs.tigera.io/calico/latest/reference/felix/configuration. The relevant config key is referenced by some variation of the feature detection override setting.

With this set, I can now directly connect to my pods, and iptables only reports a single rule with the randomization flag.
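For reference, a minimal sketch of the Calico-side change, assuming Felix's `featureDetectOverride` setting with the `MASQFullyRandom` feature name; verify both spellings against the Calico docs linked above before applying, as this has not been tested here:

```shell
# Sketch, not verified against a live cluster: tell Felix to treat fully
# randomized MASQUERADE as unsupported, so it stops adding --random-fully.
kubectl patch felixconfiguration default --type merge \
  -p '{"spec":{"featureDetectOverride":"MASQFullyRandom=false"}}'
```

Felix rewrites its iptables rules on the next sync, so existing randomized rules should be replaced without a node restart.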
I'm guessing that if someone removed the rules created by Flannel while also preventing it from adding them back, it would have the same effect. Should I close this issue now? My issue is fixed, but I suppose it could also track any changes to the docs.
Hi @LiquidPL thank you very much for the confirmation that you now get direct connections with Calico.
I think we could leave this open; as you say, it would be great to update the docs, and I would also like to reach out to the Flannel folks and see if they might be willing to make the port randomization for external connections configurable.
Did you reach out to Flannel folks about this? I am definitely interested as well! |
What is the issue?
I have configured the Tailscale Kubernetes operator on my cluster so that I could expose my services to the tailnet. It works and I can get access; however, I am unable to establish a direct connection with the tailnet node that's responsible for my exposed K8s pod. The node running said pod, on the other hand, can establish a direct connection without any issues.
`tailscale status` output (with irrelevant nodes and public IP addresses omitted):

Steps to reproduce
Are there any recent changes that introduced the issue?
No response
OS
Linux
OS version
Latest Fedora CoreOS on the k8s nodes, Arch Linux on the desktop
Tailscale version
1.62.0 on both desktop and the k8s node
Other software
Standard K3s installation with (default) Flannel networking on the cluster
Bug report
BUG-451fb6ee26ceb7c75ed1267cd48d26d4a43de5259c2e6db1ff0cb06353ea0d8e-20240315170435Z-3c58dcacadf8a4b7