Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

question about iptable update rules #1965

Open
busishe opened this issue May 7, 2024 · 7 comments
Open

question about iptable update rules #1965

busishe opened this issue May 7, 2024 · 7 comments

Comments

@busishe
Copy link

busishe commented May 7, 2024

Expected Behavior

I use Flannel to manage the allocation strategy of cluster IPs in the k8s cluster. During use, it was found that when a pod dies, its cluster IP no longer exists in the cluster, but it can still ping and telnet this IP. After checking the IP rules of the node machine, it was found that the k8s node still retained the posting chain of this IP and did not seem to delete it properly, which led to my microservices mistakenly registering the service(phenomenon : the old cluster ip still remained in nacos registry center).

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

Context

On k8s master : kubectl get pods --all-namespaces -o wide|grep 172.25.163
image
ip:172.25.163.7 not exist but it can still ping and telnet this IP
image

On k8s node (flannel ip:172.25.163.0):iptables -t nat -L -n -v
image

my etcd config is like:
/coreos.com/network/config
{"Network":"172.25.128.0/17","Backend":{"Type":"vxlan","Directrouting":false}}

I don't know if this phenomenon is normal, but this non-existent IP appears in the nacos registry.

Your Environment

  • Flannel version: 0.11.0
  • Backend used (e.g. vxlan or udp): vxlan
  • Etcd version: 3.5.0
  • Kubernetes version (if used): 1.17.5
  • Operating System and version: ky10
  • Link to your project (optional):
@rbrtbnfgl
Copy link
Contributor

Hi. How are you creating the pods? Are you exposing any services with from the pods? I saw that you are using an old flannel and Kubernetes version I don't recall if the MASQUERADE process was different from that old version but I am sure that from the recent versions Flannel is using one single rule based on the Pods CIDR from that node.

@busishe
Copy link
Author

busishe commented May 9, 2024

thx for reply.I create service from nacos pod , not the service pods in the picture.And im sure that svc ip range is differ from the cluster ip range.Im not a net engineer ,so i dont really understand how iptable and MASQUERADE process works.Our team used an older flannel version in the past 3 years (im not sure it is 0.7.x ?),this problem never happend.
Addtionally,i find that the problem happen when a pod restart abnormally,e.g. OOM.When the problem happen,restart the pod manully,the registry info will be correct.

@busishe
Copy link
Author

busishe commented May 9, 2024

If pod go down, flannel expected to take back pod's cluster-ip ,and delete the rule in iptables?

@rbrtbnfgl
Copy link
Contributor

Flannel shouldn't create any MASQUERADE rule for the pod.

@busishe
Copy link
Author

busishe commented May 9, 2024

Well,which process create the rules?

@rbrtbnfgl
Copy link
Contributor

I know how Flannel creates the rules on the latest versions 0.11.0 is 5 years old I am not aware how the rules were managed and probably this bug has been fixed on a later version.

@busishe
Copy link
Author

busishe commented May 10, 2024

Thank you , we will try running a higher version flannel in our testing env,see if there are similar appearances.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@busishe @rbrtbnfgl