Pods running on windows nodes cannot access the API server using the internal Kubernetes Service #1759
Assignees
Labels
area/OS/windows
Issues or PRs related to the Windows operating system.
kind/bug
Categorizes issue or PR as related to a bug.
p0
Milestone
Comments
ruicao93
added
the
area/OS/windows
|
That doesn't really help with this issue here :), but I just wanted to point out that the fact that the ping tests "succeeds" is a bit misleading here. ICMP traffic is not load-balanced to an actual Pod here. If I recall correctly, for Windows Nodes, we create a "Service interface" on the Node and all ClusterIPs are assigned to it. So when the ping test "succeeds" (or in the case of the traceroute), it's just the host replying directly to the ICMP requests, with no proxy / load-balancing involved. |
|
@ruicao93 does it mean that all Pod-to-Service traffic is broken for Windows Nodes in the latest release, or is this some edge case? |
@antoninbas : I think only the services like "kubernetes" are broken. It's because the endpointIP is node IP instead of pod IP. |
|
@antoninbas, @ruicao93 is correct, We've only seen this on the Kubernetes API internal service, I was going through this with him yesterday. The only thing that I could think of was that the service has a double hop |
|
@perithompson: The root cause should be that for such case, we both do DNAT and SNAT in same pipeline. Which is not supported by OVS as test. So we need a new design to split these two NAT operation in different CT_ZONE. I will popose a new design soon. |
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod access cluster service and the selected endpoint uses node IP(hostnetwork mode). The request packets need to be SNATed after have been DNATed. On Windows node, antrea both applied both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod access cluster service and the selected endpoint uses node IP(hostnetwork mode). The request packets need to be SNATed after have been DNATed. On Windows node, antrea both applied both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod access cluster service and the selected endpoint uses node IP(hostnetwork mode). The request packets need to be SNATed after have been DNATed. On Windows node, antrea both applied both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod access cluster service and the selected endpoint uses node IP(hostnetwork mode). The request packets need to be SNATed after have been DNATed. On Windows node, antrea both applied both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 8, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 9, 2021
When a Pod access cluster service and the selected endpoint uses node IP(hostnetwork mode). The request packets need to be SNATed after have been DNATed. On Windows node, antrea both applied both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
to ruicao93/antrea
that referenced
this issue
Feb 9, 2021
When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
ruicao93
added a commit
that referenced
this issue
Feb 9, 2021
…usterIP Service (#1824) When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: #1759 Signed-off-by: Rui Cao <[email protected]>
antoninbas
pushed a commit
to antoninbas/antrea
that referenced
this issue
Feb 10, 2021
…usterIP Service (antrea-io#1824) When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
antoninbas
pushed a commit
to antoninbas/antrea
that referenced
this issue
Feb 10, 2021
…usterIP Service (antrea-io#1824) When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: antrea-io#1759 Signed-off-by: Rui Cao <[email protected]>
antoninbas
pushed a commit
that referenced
this issue
Feb 11, 2021
…usterIP Service (#1824) When a Pod accesses a ClusterIP Service and the IP of the selected endpoint is not in "cluster-cidr". The request packets need to be SNAT'd after have been DNAT'd. For example, the endpoint Pod may run in hostNetwork and the IP of the endpoint is the current Node IP. Currently, on Windows Node antrea applies both DNAT and SNAT in the same ct_zone. That's not supported by OVS. In this patch, we introduce a new ct_zone to track this kind of SNATed connection in a different ct_zone. Fixes: #1759 Signed-off-by: Rui Cao <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Pods running on windows nodes cannot access the API server when trying to connect via the kubernetes internal service. It seems that the IP address is accessible from the pod but https traffic fails.
This is not the case when accessing the API server via this service from the host.
To Reproduce
Expected
API Server should be accessible on cluster IP service
Actual behavior
A clear and concise description of what's the actual behavior. If applicable, add screenshots, log messages, etc. to help explain the problem.
Versions:
Please provide the following information:
Additional context
The text was updated successfully, but these errors were encountered: