Kubernetes iptables interfere with lxd container on the same node
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Kubernetes Control Plane Charm | New | Undecided | Unassigned | |
| Kubernetes Worker Charm | New | Undecided | Unassigned | |
| kubernetes | New | Undecided | Unassigned | |
| lxd | New | Undecided | Unassigned | |
Bug Description
Let's put, for instance, a keystone service in lxd on a vm with K8s master installed,
and there k8s installs a firewall.
The packets go the whole way from one lxd on the first machine to another lxd, but on their way back from the 2nd vm they splash on the vm firewall installed by k8s.
All baremetal, vm and container share the same network 10.198.0.0/16.
Here's the exact travel of icmp packets (or any other packets):
lxd1 -> vm1 -> baremetal1 -> network layer2 -> baremetal2 -> vm2 -> lxd2 (echo request reached dst)
then the travel back:
lxd2 -> vm2 ---!!!---> baremetal1
no communication, the packets hit the following rule:


Chain KUBE-FORWARD (1 references)
pkts bytes target prot opt in out source destination
1353 84652 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ mark match 0x4000/0x4000
248 43868 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
ubuntu@
root@juju-
PING 10.198.0.249 (10.198.0.249) 56(84) bytes of data.
64 bytes from 10.198.0.249: icmp_seq=1 ttl=64 time=0.720 ms
64 bytes from 10.198.0.249: icmp_seq=2 ttl=64 time=0.511 ms
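The quickest way to confirm that the KUBE-FORWARD chain, and not routing, is what swallows the return traffic is to watch the packet counter of its `ctstate INVALID` DROP rule while the cross-node ping runs. The script below is an added example and not part of the bug report or of the charms; it parses an `iptables -L KUBE-FORWARD -v -n -x` dump (the constructed sample is a copy of the chain quoted above) and sums the counters of every DROP rule that matches `ctstate INVALID`, so two readings a few seconds apart show whether the counter is rising.

```shell
#!/bin/sh
# Constructed sample: the KUBE-FORWARD dump quoted in the bug report.
# On a real node feed the function from:
#   iptables -t filter -L KUBE-FORWARD -v -n -x | invalid_drop_total
SAMPLE_KUBE_FORWARD='Chain KUBE-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
 1353 84652 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */ mark match 0x4000/0x4000
 248 43868 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED'

# Print the packet counter (first column of iptables -v output) of every
# DROP rule that matches "ctstate INVALID" in a chain dump read from stdin.
# The header and "Chain ..." lines never have DROP in column 3, so they are skipped.
invalid_drop_counters() {
    awk '$3 == "DROP" && /ctstate INVALID/ { print $1 }'
}

# Sum those counters; prints 0 when the chain has no such rule at all.
invalid_drop_total() {
    invalid_drop_counters | awk '{ s += $1 } END { print s + 0 }'
}

# Wrapper over the constructed sample so the script runs offline.
sample_invalid_drop_total() {
    printf '%s\n' "$SAMPLE_KUBE_FORWARD" | invalid_drop_total
}

# Compare two readings taken before and after a burst of cross-node pings:
# a rising counter means the replies are being dropped by this rule.
counter_rising() {
    [ "$2" -gt "$1" ]
}

# Standalone use: summarise the constructed sample.
total=$(sample_invalid_drop_total)
echo "packets dropped by KUBE-FORWARD ctstate INVALID rule: $total"
```

Because the ping replies arrive on a node that never saw the matching echo request, conntrack classifies them as INVALID, which is exactly the state this rule drops; a counter that climbs in step with the number of lost replies ties the symptom to the rule rather than to the layer 2 path.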
description: updated
wrong project, fixed