
update cni version to 0.7.5 to avoid CNI-HOSTPORT-DNAT problem #499

Closed
ckcd opened this issue Jun 5, 2019 · 0 comments
Labels
priority/P1 Must be staffed and worked currently or soon. Is a candidate for next release
Comments

@ckcd

ckcd commented Jun 5, 2019

The problem is: when using IPVS mode in kube-proxy, with a hostPort (assume 80) defined on a node, all traffic from this node to any service:80 will fail; it is actually wrongly DNATed to this hostPort pod.

Related discussion:
kubernetes/kubernetes#66103
containernetworking/plugins#222
kubernetes/kubernetes#62718

The reason is the order of two chains in iptables, CNI-HOSTPORT-DNAT and KUBE-SERVICES:

Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5953  548K CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
 6894  606K KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

That is, the correct order is that KUBE-SERVICES must be ahead of CNI-HOSTPORT-DNAT (we can find more details here), and if CNI-HOSTPORT-DNAT is on the first line, then there will be a problem.

The solution: in cni-plugins-portmap, they made some changes to keep CNI-HOSTPORT-DNAT always in the last position, which solves this problem. The related commit is: Portmap: append

But this change is only available in version 0.7.5 (and newer), so I think maybe we can update our CNI version from 0.6.0 to 0.7.5.

Thanks a lot !!!
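The chain-order condition described in this issue is easy to verify on a node before and after a CNI upgrade. The following script is an added example, not code from the issue or from the amazon-vpc-cni-k8s project: it parses the output of `iptables -t nat -nvL PREROUTING` and reports whether KUBE-SERVICES is evaluated before CNI-HOSTPORT-DNAT. The function names (`rule_index`, `check_chain_order`, `report_order`) are the example's own; `BAD_LISTING` reproduces the counters quoted above, and `GOOD_LISTING` is a constructed listing with the order the portmap fix produces.

```shell
#!/bin/sh
# Added example (not from the issue or the amazon-vpc-cni-k8s project): verify the
# relative order of KUBE-SERVICES and CNI-HOSTPORT-DNAT in the nat PREROUTING chain.
# Input format is that of `iptables -t nat -nvL PREROUTING` (-v makes target the 3rd column).

# Constructed sample: the wrong order reported in the issue (CNI-HOSTPORT-DNAT first).
BAD_LISTING='Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5953  548K CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
 6894  606K KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */'

# Constructed sample: the order portmap 0.7.5+ maintains (KUBE-SERVICES first).
GOOD_LISTING='Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6894  606K KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
 5953  548K CNI-HOSTPORT-DNAT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL'

# rule_index LISTING TARGET: print the 1-based position of the first rule whose
# target is TARGET; the two header lines are skipped. Prints nothing if absent.
rule_index() {
    printf '%s\n' "$1" | awk -v target="$2" '
        NR > 2 && $3 == target { print NR - 2; exit }'
}

# check_chain_order LISTING: 0 when KUBE-SERVICES precedes CNI-HOSTPORT-DNAT,
# 1 when CNI-HOSTPORT-DNAT comes first (the bug), 2 when either target is missing.
check_chain_order() {
    kube_pos=$(rule_index "$1" KUBE-SERVICES)
    cni_pos=$(rule_index "$1" CNI-HOSTPORT-DNAT)
    if [ -z "$kube_pos" ] || [ -z "$cni_pos" ]; then
        return 2
    fi
    if [ "$kube_pos" -lt "$cni_pos" ]; then
        return 0
    fi
    return 1
}

# report_order LISTING: human-readable verdict; exit status as check_chain_order.
report_order() {
    check_chain_order "$1"
    rc=$?
    case "$rc" in
        0) echo "OK: KUBE-SERVICES is evaluated before CNI-HOSTPORT-DNAT" ;;
        1) echo "BUG: CNI-HOSTPORT-DNAT precedes KUBE-SERVICES (hostPort hijacks service traffic)" ;;
        *) echo "UNKNOWN: one of the chains is not present in PREROUTING" ;;
    esac
    return "$rc"
}

# Stand-alone run over the constructed samples ("|| :" keeps a non-zero verdict
# from aborting the script under set -e). On a node, use the live table instead:
#   report_order "$(iptables -t nat -nvL PREROUTING)"
report_order "$BAD_LISTING" || :
report_order "$GOOD_LISTING" || :
```

Running the check on a node after upgrading to portmap 0.7.5 should report OK; a BUG verdict on a node with IPVS kube-proxy and a hostPort pod is exactly the condition the issue describes.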

@ckcd ckcd changed the title update cni version to 1.7.5 to avoid CNI-HOSTPORT-DNAT problem update cni version to 0.7.5 to avoid CNI-HOSTPORT-DNAT problem Jun 5, 2019
@mogren mogren added this to the v1.6 milestone Jun 5, 2019
@mogren mogren added the priority/P0 Highest priority. Someone needs to actively work on this. label Jun 5, 2019
@mogren mogren added priority/P1 Must be staffed and worked currently or soon. Is a candidate for next release and removed priority/P0 Highest priority. Someone needs to actively work on this. labels Jul 18, 2019
@mogren mogren modified the milestones: v1.6, v1.7 Jul 18, 2019
@mogren mogren modified the milestones: v1.7, v1.6 Aug 5, 2019
mogren pushed a commit to mogren/amazon-vpc-cni-k8s that referenced this issue Aug 5, 2019
@mogren mogren closed this as completed Aug 22, 2019