Activity log for bug #1932292

Date Who What changed Old value New value Message
2021-06-17 10:01:46 Bartosz Woronicz bug added bug
2021-06-17 10:02:58 Bartosz Woronicz affects murano-applications kubernetes
2021-06-17 11:06:25 Pedro Guimarães bug task added charm-kubernetes-master
2021-06-17 11:06:46 Pedro Guimarães bug task added charm-kubernetes-worker
2021-06-17 11:54:11 Pedro Guimarães bug task added lxd
2021-06-18 08:28:46 Bartosz Woronicz description

  Old value:

    Let's put, for instance, a keystone service in an LXD container on a VM with the K8s master installed; there k8s installs a firewall. The packets go the whole way from one LXD on the first machine to the other LXD, but on the way back from the 2nd VM they splash on the VM firewall installed by k8s. All baremetal hosts, VMs and containers share the same network 10.198.0.0/16. Here's the exact travel of the ICMP packets (or any other packets):

      lxd1 -> vm1 -> baremetal1 -> network layer2 -> baremetal2 -> vm2 -> lxd2 (echo request reached dst)

    then the travel back:

      lxd2 -> vm2 ---!!!---> baremetal1

    no communication, the packets heats the following rule:

      Chain KUBE-FORWARD (1 references)
       pkts bytes target prot opt in  out source    destination
       1353 84652 DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate INVALID
          0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding rules */ mark match 0x4000/0x4000
        248 43868 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
          0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

      ubuntu@k8smaster-1:~$ sudo iptables -D KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP

      root@juju-587661-1-lxd-0:~# ping 10.198.0.249
      PING 10.198.0.249 (10.198.0.249) 56(84) bytes of data.
      64 bytes from 10.198.0.249: icmp_seq=1 ttl=64 time=0.720 ms
      64 bytes from 10.198.0.249: icmp_seq=2 ttl=64 time=0.511 ms

  New value:

    Let's put, for instance, a keystone service in an LXD container on a VM with the K8s master installed; there k8s installs a firewall. The packets go the whole way from one LXD on the first machine to the other LXD, but on the way back from the 2nd VM they splash on the VM firewall installed by k8s. All baremetal hosts, VMs and containers share the same network 10.198.0.0/16. Here's the exact travel of the ICMP packets (or any other packets):

      lxd1 -> vm1 -> baremetal1 -> network layer2 -> baremetal2 -> vm2 -> lxd2 (echo request reached dst)

    then the travel back:

      lxd2 -> vm2 ---!!!---> baremetal1

    no communication, the packets hit the following rule:

      Chain KUBE-FORWARD (1 references)
       pkts bytes target prot opt in  out source    destination
       1353 84652 DROP   all  --  *   *   0.0.0.0/0 0.0.0.0/0  ctstate INVALID
          0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding rules */ mark match 0x4000/0x4000
        248 43868 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
          0     0 ACCEPT all  --  *   *   0.0.0.0/0 0.0.0.0/0  /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

      ubuntu@k8smaster-1:~$ sudo iptables -D KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP

      root@juju-587661-1-lxd-0:~# ping 10.198.0.249
      PING 10.198.0.249 (10.198.0.249) 56(84) bytes of data.
      64 bytes from 10.198.0.249: icmp_seq=1 ttl=64 time=0.720 ms
      64 bytes from 10.198.0.249: icmp_seq=2 ttl=64 time=0.511 ms
2021-06-18 08:37:38 Bartosz Woronicz attachment added k8smaster_iptables.txt https://bugs.launchpad.net/kubernetes/+bug/1932292/+attachment/5505431/+files/k8smaster_iptables.txt
2021-06-18 08:38:02 Bartosz Woronicz attachment added lxc_config.txt https://bugs.launchpad.net/kubernetes/+bug/1932292/+attachment/5505432/+files/lxc_config.txt