Comment 1 for bug 1895547

Pedro Guimarães (pguimaraes) wrote :

Hi,

We just hit this issue on a deployment and I need to say this is not easy to troubleshoot.

The issue we were seeing is that, in Focal, traffic was not getting src NAT from iptables when leaving POD > outside; whereas on Bionic it was.

Looking into the iptables, we could see that Focal had no cali-* chains, while Bionic had those.

The reason was indeed the rp_filter errors:

2021-06-25 14:27:17.024 [FATAL][2023] int_dataplane.go 1032: Kernel's RPF check is set to 'loose'. This would allow endpoints to spoof their IP address. Calico requires net.ipv4.conf.all.rp_filter to be set t...

Calico/k8s issue: https://github.com/kubernetes-sigs/kind/issues/891

Indeed, the change in behavior between Bionic and Focal makes sense given:
https://github.com/systemd/systemd/commit/230450d4e4f1f5fc9fa4295ed9185eea5b6ea16e

We need to consider that iptables is also used by kube-proxy.

On the kubernetes-sigs issue above, it seems they moved to rp_filter=1 by default.

However, if we keep the OS value, then we surely need a clearer warning, such as:

if OS>=focal and not ignore-loose-rpf and rp_filter != 1:
    block the charm and warn the rp_filter mismatch with Calico config.

Additional reference: https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
(search for rp_filter)
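As an added illustration (not code from the comment, the charm or Calico), the gate sketched above implemented in Python, together with the rule from ip-sysctl.txt that the kernel enforces max(conf/all, conf/<iface>) per interface, so a host with all=2 is "loose" on every interface regardless of per-interface settings. The sysctl snapshots, the `ubuntu_version` tuple and the function names are constructed for the example.

```python
# Added example: rp_filter gate modelled on the comment's pseudo-code plus the
# kernel's effective-value rule. Values: 0 = off, 1 = strict (RFC 3704), 2 = loose.
import os

RP_NAMES = {0: "off", 1: "strict", 2: "loose"}
SYSCTL_CONF = "/proc/sys/net/ipv4/conf"  # real sysctl tree; used only by read_live_rp_filter


def read_live_rp_filter(root=SYSCTL_CONF):
    """Collect rp_filter for 'all', 'default' and each interface from /proc (Linux only)."""
    values = {}
    for name in os.listdir(root):
        path = os.path.join(root, name, "rp_filter")
        if os.path.isfile(path):
            with open(path) as fh:
                values[name] = int(fh.read().strip())
    return values


def effective_rp_filter(values):
    """Per-interface value the kernel actually applies: max(conf/all, conf/<iface>)."""
    all_val = values.get("all", 0)
    return {iface: max(all_val, val) for iface, val in values.items()
            if iface not in ("all", "default")}


def calico_rpf_gate(values, ubuntu_version, ignore_loose_rpf=False):
    """Gate from the comment: on focal (20.04) or newer, unless ignore-loose-rpf is set,
    return ('blocked', warning) when net.ipv4.conf.all.rp_filter != 1, else ('active', '')."""
    if ignore_loose_rpf or ubuntu_version < (20, 4):
        return "active", ""
    all_val = values.get("all")
    if all_val == 1:
        return "active", ""
    not_strict = [f"{i}={RP_NAMES.get(v, v)}" for i, v in effective_rp_filter(values).items()
                  if v != 1]
    warning = (f"net.ipv4.conf.all.rp_filter={all_val} ({RP_NAMES.get(all_val, all_val)}) "
               f"but Calico expects 1 (strict); set rp_filter=1 or ignore-loose-rpf. "
               f"Interfaces not strict: {', '.join(not_strict) or 'none'}")
    return "blocked", warning


# Constructed snapshots: a focal host after the systemd default change (all=2), and a bionic one.
FOCAL_SAMPLE = {"all": 2, "default": 2, "lo": 0, "eth0": 2, "cali1234abcd": 0}
BIONIC_SAMPLE = {"all": 1, "default": 1, "lo": 0, "eth0": 1}

if __name__ == "__main__":
    for label, snap, ver in (("focal", FOCAL_SAMPLE, (20, 4)), ("bionic", BIONIC_SAMPLE, (18, 4))):
        state, warning = calico_rpf_gate(snap, ver)
        print(f"{label}: {state} {warning}")
```

On a live host, `calico_rpf_gate(read_live_rp_filter(), (20, 4))` reproduces the decision the charm would take before Felix ever logs the FATAL line.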