I currently have a requirement to run a k3s worker on VyOS and I'm having some networking issues. The pods are not able to talk to the server API. I've been working with the k3s devs to try to troubleshoot the issue to see why they can't communicate, but have hit a dead end. What would be blocking the pods from being able to communicate over the flannel network?
Hi,
You are trying unsupported stuff.
Can you post all steps to reproduce this? Maybe I can help you.
- Install VyOS to disk
- Create directory /var/lib/rancher
- Create ext4 filesystem and mount to /var/lib/rancher
- Convert to iptables-legacy
- Install k3s as described on their GitHub using the curl command
- sudo kubectl get pods -A (to see the pods)
- sudo kubectl logs -n kube-system (name of a pod); here you will see the communication errors
The linked GitHub issue shows all the commands and outputs on the system I was using.
Thanks for taking a look!
The NAT rules for the kube NICs and networks don't work.
"iptables -t nat -L"
I don't know what exactly is happening. Either the chains don't fit or switching to iptables-legacy destroys something.
When you do a tcpdump on the kube NIC (cni0 on my host) and on the outgoing interface of VyOS, you see the plain, un-NATted traffic of the pods.
Can you describe this step in more detail? What do you change?
I use update-alternatives to switch to iptables-legacy, then reboot. I am looking at CNI plugins that support nftables since it appears to be a NATting issue. Converting to iptables-legacy has some pretty rough side effects with VyOS.
Firewall rules in VyOS have their own HOOKS; maybe this conflicts with your new iptables rules.
It shows you all the firewall rules:
$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Wed Oct 28 20:07:31 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_TIMEOUT - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:VYATTA_CT_OUTPUT_HOOK - [0:0]
:NAT_CONNTRACK - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_TIMEOUT
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NAT_CONNTRACK
-A PREROUTING -j NOTRACK
-A OUTPUT -j VYATTA_CT_IGNORE
-A OUTPUT -j VYATTA_CT_HELPER
-A OUTPUT -j VYATTA_CT_TIMEOUT
-A OUTPUT -j VYATTA_CT_OUTPUT_HOOK
-A OUTPUT -j NAT_CONNTRACK
-A OUTPUT -j NOTRACK
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_TIMEOUT -j RETURN
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1536 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1525 -j CT --helper tns
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 1521 -j CT --helper tns
-A VYATTA_CT_HELPER -p udp -m udp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A VYATTA_CT_OUTPUT_HOOK -j RETURN
-A NAT_CONNTRACK -j ACCEPT
COMMIT
# Completed on Wed Oct 28 20:07:31 2020
# Generated by xtables-save v1.8.2 on Wed Oct 28 20:07:31 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_PRE_FW_IN_HOOK - [0:0]
:VYATTA_PRE_FW_FWD_HOOK - [0:0]
:VYATTA_PRE_FW_OUT_HOOK - [0:0]
:VYATTA_POST_FW_IN_HOOK - [0:0]
:VYATTA_POST_FW_FWD_HOOK - [0:0]
:VYATTA_POST_FW_OUT_HOOK - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -j VYATTA_PRE_FW_IN_HOOK
-A INPUT -j VYATTA_POST_FW_IN_HOOK
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -j VYATTA_PRE_FW_FWD_HOOK
-A FORWARD -j VYATTA_POST_FW_FWD_HOOK
-A FORWARD -s 10.42.0.0/16 -j ACCEPT
-A FORWARD -d 10.42.0.0/16 -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -j VYATTA_PRE_FW_OUT_HOOK
-A OUTPUT -j VYATTA_POST_FW_OUT_HOOK
-A VYATTA_PRE_FW_IN_HOOK -j RETURN
-A VYATTA_PRE_FW_FWD_HOOK -j RETURN
-A VYATTA_PRE_FW_OUT_HOOK -j RETURN
-A VYATTA_POST_FW_IN_HOOK -j ACCEPT
-A VYATTA_POST_FW_FWD_HOOK -j ACCEPT
-A VYATTA_POST_FW_OUT_HOOK -j ACCEPT
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -m comment --comment "kubernetes firewall for dropping marked packets" -j DROP
-A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -m comment --comment "block incoming localnet connections" -j DROP
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m tcp --dport 9153 -m comment --comment "kube-system/kube-dns:metrics has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m udp --dport 53 -m comment --comment "kube-system/kube-dns:dns has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.43.0.10/32 -p tcp -m tcp --dport 53 -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.43.170.47/32 -p tcp -m tcp --dport 443 -m comment --comment "kube-system/metrics-server has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m mark --mark 0x4000/0x4000 -m comment --comment "kubernetes forwarding rules" -j ACCEPT
-A KUBE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "kubernetes forwarding conntrack pod source rule" -j ACCEPT
-A KUBE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "kubernetes forwarding conntrack pod destination rule" -j ACCEPT
COMMIT
# Completed on Wed Oct 28 20:07:31 2020
# Generated by xtables-save v1.8.2 on Wed Oct 28 20:07:31 2020
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:KUBE-KUBELET-CANARY - [0:0]
:KUBE-PROXY-CANARY - [0:0]
COMMIT
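The dump above is what a troubleshooter has to read by hand: the VyOS conntrack hook chains in the raw table end in a `-j NOTRACK`, the kube-proxy chains sit in filter, and the nat table is not in the dump at all. The following script is an added example, not code from this thread, from VyOS or from k3s; it parses the iptables-save text format and answers three questions such a dump raises. First, in the raw table, is an unconditional ACCEPT (here `NAT_CONNTRACK -j ACCEPT`) reached before the trailing `-j NOTRACK`? Untracked packets bypass conntrack and therefore the nat table, so this decides whether kube-proxy's NAT rules can apply at all. Second, which tables are missing from the dump. Third, which Kubernetes services kube-proxy is currently rejecting because they have no endpoints. The embedded sample is an abridged copy of the dump in this thread; the variant with `NAT_CONNTRACK -j RETURN` is constructed to show the failure mode.

```python
"""Sanity checks on an iptables-save dump from a host running k3s behind VyOS-style hooks.

Added example (not from the thread, VyOS or k3s). Only unconditional jumps are
followed when deciding the raw-table verdict, because a match such as
'-p tcp --dport 111' cannot be evaluated without a packet.
"""
import re

# Constructed sample: abridged from the iptables-save output posted in the thread.
SAMPLE_DUMP = """\
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:VYATTA_CT_IGNORE - [0:0]
:VYATTA_CT_HELPER - [0:0]
:VYATTA_CT_PREROUTING_HOOK - [0:0]
:NAT_CONNTRACK - [0:0]
-A PREROUTING -j VYATTA_CT_IGNORE
-A PREROUTING -j VYATTA_CT_HELPER
-A PREROUTING -j VYATTA_CT_PREROUTING_HOOK
-A PREROUTING -j NAT_CONNTRACK
-A PREROUTING -j NOTRACK
-A VYATTA_CT_IGNORE -j RETURN
-A VYATTA_CT_HELPER -p tcp -m tcp --dport 111 -j CT --helper rpc
-A VYATTA_CT_HELPER -j RETURN
-A VYATTA_CT_PREROUTING_HOOK -j RETURN
-A NAT_CONNTRACK -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-FORWARD - [0:0]
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -s 10.42.0.0/16 -j ACCEPT
-A KUBE-SERVICES -d 10.43.0.10/32 -p udp -m udp --dport 53 -m comment --comment "kube-system/kube-dns:dns has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 10.43.170.47/32 -p tcp -m tcp --dport 443 -m comment --comment "kube-system/metrics-server has no endpoints" -j REJECT --reject-with icmp-port-unreachable
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
"""


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: [rule, ...]}}, keeping rule order."""
    tables, table = {}, None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue                      # comments / timestamps
        if line.startswith("*"):
            table = line[1:]              # "*raw" -> "raw"
            tables[table] = {}
        elif line.startswith(":") and table:
            tables[table].setdefault(line[1:].split()[0], [])   # chain declaration
        elif line.startswith("-A ") and table:
            tables[table].setdefault(line.split()[1], []).append(line)
        elif line == "COMMIT":
            table = None
    return tables


# A rule with no match options at all: "-A <chain> -j <target>"
_UNCONDITIONAL = re.compile(r"^-A\s+\S+\s+-j\s+(\S+)$")


def raw_verdict(chains, chain="PREROUTING", depth=0):
    """Follow unconditional jumps from `chain` and return which of ACCEPT or NOTRACK
    is reached first ('ACCEPT', 'NOTRACK'), or None if the chain returns/falls through.
    ACCEPT in the raw table ends raw processing, so a later NOTRACK is never seen."""
    if depth > 16:                        # guard against chain loops in a bad dump
        return None
    for rule in chains.get(chain, []):
        m = _UNCONDITIONAL.match(rule)
        if not m:
            continue                      # conditional rule: cannot evaluate statically
        target = m.group(1)
        if target in ("ACCEPT", "NOTRACK"):
            return target
        if target == "RETURN":
            return None
        if target in chains:              # user-defined chain: descend into it
            verdict = raw_verdict(chains, target, depth + 1)
            if verdict:
                return verdict
    return None


def missing_tables(tables, expected=("raw", "mangle", "nat", "filter")):
    """Tables a full iptables-save would normally contain but this dump lacks."""
    return [t for t in expected if t not in tables]


_NO_ENDPOINTS = re.compile(r'--comment "([^"]+) has no endpoints"')


def services_without_endpoints(tables):
    """Service names kube-proxy is currently REJECTing for lack of endpoints."""
    found = []
    for rule in tables.get("filter", {}).get("KUBE-SERVICES", []):
        m = _NO_ENDPOINTS.search(rule)
        if m and "-j REJECT" in rule:
            found.append(m.group(1))
    return found


def report(text):
    """Run all three checks on a dump and return the findings as a dict."""
    tables = parse_iptables_save(text)
    verdict = raw_verdict(tables.get("raw", {}))
    return {
        "raw_prerouting_verdict": verdict,
        "conntrack_enabled": verdict != "NOTRACK",   # NOTRACK'd traffic never hits nat
        "missing_tables": missing_tables(tables),
        "services_without_endpoints": services_without_endpoints(tables),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it against a live dump with `sudo iptables-save | python3 check.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`. On the thread's dump the raw verdict is ACCEPT, so conntrack is on and the trailing NOTRACK is shadowed; the findings that remain are the absent nat table (the part of the dump the reply says is not working) and the kube-dns and metrics-server services with no endpoints.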