Report mismatch between rp_filter sysconfig and ignore-loose-rpf charm config
Bug #1895547 reported by
Cory Johns
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Calico Charm | Fix Released | Medium | Stone Preston | 1.24
Canal Charm | Triaged | Medium | Unassigned | none
Bug Description
During the debugging of https:/
Changed in charm-canal:
  status: New → Triaged
  importance: Undecided → Medium
Changed in charm-calico:
  milestone: none → 1.24
Changed in charm-canal:
  milestone: none → 1.24
Changed in charm-calico:
  assignee: nobody → Stone Preston (stonepreston)
Changed in charm-canal:
  milestone: 1.24 → none
Changed in charm-calico:
  status: Fix Committed → Fix Released
Hi,
We just hit this issue on a deployment and I need to say this is not easy to troubleshoot.
The issue we were seeing is that, in Focal, traffic was not getting src NAT from iptables when leaving POD > outside; whereas on Bionic it was.
Looking into the iptables, we could see that Focal had no cali-* chains, while Bionic had those.
The reason was indeed the rp_filter errors:
2021-06-25 14:27:17.024 [FATAL][2023] int_dataplane.go 1032: Kernel's RPF check is set to 'loose'. This would allow endpoints to spoof their IP address. Calico requires net.ipv4.conf.all.rp_filter to be set t...
Calico/k8s issue: https://github.com/kubernetes-sigs/kind/issues/891
Indeed, the change in behavior between Bionic and Focal makes sense due to: https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e
We need to consider that iptables is also used by kube-proxy.
On the kubernetes-sigs issue above, it seems they moved to rp_filter=1 by default.
However, if we keep the OS value, then we surely need a clearer warning, such as:
if OS>=focal and not ignore-loose-rpf and rp_filter != 1:
block the charm and warn the rp_filter mismatch with Calico config.
Additional reference: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
(search for rp_filter)
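The pre-flight check proposed in the comment above, as an added example that is not code from the Calico or Canal charms: it reads rp_filter from the sysctl tree and applies the commenter's rule (OS >= Focal, ignore-loose-rpf unset, rp_filter != 1 → block). The function names, the Focal version tuple used as the gate, and the constructed sample sysctl tree are assumptions.

```python
"""Pre-flight check for the rp_filter / ignore-loose-rpf mismatch (added example)."""
import tempfile
from pathlib import Path

# rp_filter values as documented in Documentation/networking/ip-sysctl.txt
RPF_OFF, RPF_STRICT, RPF_LOOSE = 0, 1, 2
FOCAL = (20, 4)  # assumption: Ubuntu 20.04 is where the systemd default change lands


def read_rp_filter(sysctl_root="/proc/sys/net/ipv4/conf"):
    """Return {interface: rp_filter value} for every entry under sysctl_root."""
    root = Path(sysctl_root)
    return {p.parent.name: int(p.read_text().strip()) for p in root.glob("*/rp_filter")}


def check_rpf(rp_filter, ignore_loose_rpf, os_version):
    """Apply the rule proposed in the comment and return (blocked, message).

    Calico's fatal check inspects net.ipv4.conf.all.rp_filter, so that value
    gates the result; other non-strict interfaces are listed only to help the
    operator find where the loose setting comes from.
    """
    all_value = rp_filter.get("all", RPF_STRICT)
    if os_version < FOCAL or ignore_loose_rpf or all_value == RPF_STRICT:
        return False, "net.ipv4.conf.all.rp_filter=%d is accepted" % all_value
    non_strict = sorted(i for i, v in rp_filter.items() if v != RPF_STRICT)
    mode = "loose" if all_value == RPF_LOOSE else "off"
    return True, (
        "net.ipv4.conf.all.rp_filter=%d (%s) but ignore-loose-rpf is false; "
        "set rp_filter=1 on %s or enable ignore-loose-rpf"
        % (all_value, mode, ", ".join(non_strict))
    )


def sample_tree(tmp_root, values):
    """Constructed stand-in for /proc/sys/net/ipv4/conf so the example runs offline."""
    for iface, value in values.items():
        d = Path(tmp_root) / iface
        d.mkdir(parents=True, exist_ok=True)
        (d / "rp_filter").write_text("%d\n" % value)


def demo():
    """Focal-like defaults (rp_filter=2 everywhere) with ignore-loose-rpf unset."""
    with tempfile.TemporaryDirectory() as tmp:
        sample_tree(tmp, {"all": 2, "default": 2, "eth0": 2})
        return check_rpf(read_rp_filter(tmp), ignore_loose_rpf=False, os_version=FOCAL)


if __name__ == "__main__":
    print(demo())
```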