Unable to egress packets from pod #1750

Closed
johngmyers opened this issue Nov 15, 2021 · 19 comments
Labels: bug, stale

@johngmyers

What happened:

Brought up an IPv6-only cluster. Pods are unable to send any egress traffic: not to nodes, other pods, services, or the Internet.

Attach logs

What you expected to happen:

IPv6 traffic to egress from the pod to nodes, other pods, services, and the Internet.

How to reproduce it (as minimally and precisely as possible):

  • Create an IPv6 cluster using johngmyers/kops@cb6a583 and AMI 099720109477/ubuntu/images/hvm-ssd/ubuntu-impish-21.10-amd64-server-2021101

  • Add the following to each instancegroup spec, to work around systemd/systemd#200803 (handling of AWS's broken DHCP6 responses):

  additionalUserData:
  - name: myscript.sh
    type: text/x-shellscript
    content: |
      #!/bin/sh
      sudo add-apt-repository -y ppa:chacman/systemd
      sudo apt-get -y install systemd
  • kops update cluster --yes --admin

  • Create a Deployment running digitalocean/doks-debug:latest and try pinging various IPv6 addresses (a minimal check is sketched below).
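
A minimal sketch of that check, assuming the Deployment pods carry the label app=sample-app (an assumption) and using IPv6 addresses that appear in the outputs later in this thread:

# Pick one pod from the Deployment and ping the Internet, a node, and another pod.
POD=$(kubectl get pods -l app=sample-app -o jsonpath='{.items[0].metadata.name}')
kubectl exec "$POD" -- ping6 -c 3 2001:4860:4860::8888                     # Internet
kubectl exec "$POD" -- ping6 -c 3 2600:1f18:1e5f:8500:6ffd:1205:8f26:b4e6  # a node
kubectl exec "$POD" -- ping6 -c 3 2600:1f18:1e5f:8500:5256::2              # another pod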

Anything else we need to know?:

From the pod, the routing table is:

# ip -6 route
2600:1f18:1e5f:8500:a44c::3 dev eth0 proto kernel metric 256 pref medium
fe80::1 dev eth0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev v4if0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 pref medium

Neighbor discovery does not appear functional:

# ip neigh
fe80::1 dev eth0 lladdr c6:43:68:c9:df:6e PERMANENT

The node has a much more functional routing table:

# ip -6 route 
::1 dev lo proto kernel metric 256 pref medium
2600:1f18:1e5f:8500:a44c:: dev eni2bc5020d5a5 metric 1024 pref medium
2600:1f18:1e5f:8500:a44c::1 dev eni6c4abe62074 metric 1024 pref medium
2600:1f18:1e5f:8500:a44c::2 dev eni49504107038 metric 1024 pref medium
2600:1f18:1e5f:8500:a44c::3 dev enif4bf4b6b9cf metric 1024 pref medium
2600:1f18:1e5f:8500::/64 dev ens5 proto ra metric 100 pref medium
2600:1f18:1e5f:8500::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev veth417b9f8e proto kernel metric 256 pref medium
fe80::/64 dev eni2bc5020d5a5 proto kernel metric 256 pref medium
fe80::/64 dev eni49504107038 proto kernel metric 256 pref medium
fe80::/64 dev veth30e71106 proto kernel metric 256 pref medium
fe80::/64 dev eni6c4abe62074 proto kernel metric 256 pref medium
fe80::/64 dev veth33b2a2cf proto kernel metric 256 pref medium
fe80::/64 dev enif4bf4b6b9cf proto kernel metric 256 pref medium
fe80::/64 dev vethe907b245 proto kernel metric 256 pref medium
default via fe80::1086:14ff:fe90:9c27 dev ens5 proto ra metric 100 expires 1793sec pref medium
default via fe80::1086:14ff:fe90:9c27 dev ens5 proto ra metric 1024 expires 1793sec hoplimit 255 pref medium

Environment:

  • Kubernetes version (use kubectl version): 1.22.2
  • CNI Version: v1.10.0 minus the last two commits, plus a cherrypicked IMDSv2 fix.
  • OS (e.g: cat /etc/os-release): 099720109477/ubuntu/images/hvm-ssd/ubuntu-impish-21.10-amd64-server-2021101
  • Kernel (e.g. uname -a): 5.13.0-1005-aws #6-Ubuntu SMP
johngmyers added the bug label Nov 15, 2021
@achevuru (Contributor) commented Nov 15, 2021

@johngmyers Can you share your aws-node daemonset spec?

The neighbor table is fine, because we assign a /128 to the pod's eth0 (not a /64 or /80). Can you also share ifconfig and ip route output from inside the pod?
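
As a reference for what to expect inside the pod, a minimal sketch (using the pod name that appears later in this thread, and assuming ping6 is available in the image): the only global address should be a single /128 on eth0, the default route should point at the link-local gateway fe80::1, and that gateway should show one PERMANENT neighbor entry, so a one-entry neighbor table is normal.

kubectl exec -it sample-app-5b87df5d88-ttntd -- ip -6 addr show dev eth0  # one /128 global address
kubectl exec -it sample-app-5b87df5d88-ttntd -- ip -6 route               # default via fe80::1 dev eth0
kubectl exec -it sample-app-5b87df5d88-ttntd -- ip -6 neigh               # fe80::1 ... PERMANENT
kubectl exec -it sample-app-5b87df5d88-ttntd -- ping6 -c 1 fe80::1%eth0   # link-local gateway reachability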

@johngmyers (Author)

apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    deprecated.daemonset.template.generation: "1"
  creationTimestamp: "2021-11-15T07:17:55Z"
  generation: 1
  labels:
    addon.kops.k8s.io/name: networking.amazon-vpc-routed-eni
    app.kubernetes.io/instance: aws-vpc-cni
    app.kubernetes.io/managed-by: kops
    app.kubernetes.io/name: aws-node
    app.kubernetes.io/version: v1.9.3
    k8s-app: aws-node
    role.kubernetes.io/networking: "1"
  name: aws-node
  namespace: kube-system
  resourceVersion: "679"
  uid: 90c03a1e-818e-4c90-ac9d-dbd215f1c17d
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: aws-node
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: aws-vpc-cni
        app.kubernetes.io/name: aws-node
        k8s-app: aws-node
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
              - key: eks.amazonaws.com/compute-type
                operator: NotIn
                values:
                - fargate
      containers:
      - env:
        - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER
          value: "false"
        - name: ENABLE_IPv4
          value: "false"
        - name: ENABLE_IPv6
          value: "true"
        - name: ENABLE_PREFIX_DELEGATION
          value: "true"
        - name: WARM_PREFIX_TARGET
          value: "1"
        - name: MY_NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        - name: CLUSTER_NAME
          value: k8s.jgmyers.proofpoint-pg.net
        image: johngmyers/amazon-k8s-cni:v1.10.0-219-gf2dac813
        imagePullPolicy: Always
        livenessProbe:
          exec:
            command:
            - /app/grpc-health-probe
            - -addr=:50051
            - -connect-timeout=2s
            - -rpc-timeout=2s
          failureThreshold: 3
          initialDelaySeconds: 60
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        name: aws-node
        ports:
        - containerPort: 61678
          hostPort: 61678
          name: metrics
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - /app/grpc-health-probe
            - -addr=:50051
            - -connect-timeout=2s
            - -rpc-timeout=2s
          failureThreshold: 3
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 5
        resources:
          requests:
            cpu: 10m
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /host/opt/cni/bin
          name: cni-bin-dir
        - mountPath: /host/etc/cni/net.d
          name: cni-net-dir
        - mountPath: /host/var/log/aws-routed-eni
          name: log-dir
        - mountPath: /var/run/aws-node
          name: run-dir
        - mountPath: /var/run/dockershim.sock
          name: dockershim
        - mountPath: /run/xtables.lock
          name: xtables-lock
      dnsPolicy: ClusterFirst
      hostNetwork: true
      initContainers:
      - env:
        - name: DISABLE_TCP_EARLY_DEMUX
          value: "false"
        - name: ENABLE_IPv6
          value: "true"
        image: johngmyers/amazon-k8s-cni-init:v1.10.0-219-gf2dac813
        imagePullPolicy: Always
        name: aws-vpc-cni-init
        resources: {}
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /host/opt/cni/bin
          name: cni-bin-dir
      priorityClassName: system-node-critical
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: aws-node
      serviceAccountName: aws-node
      terminationGracePeriodSeconds: 10
      tolerations:
      - operator: Exists
      volumes:
      - hostPath:
          path: /opt/cni/bin
          type: ""
        name: cni-bin-dir
      - hostPath:
          path: /etc/cni/net.d
          type: ""
        name: cni-net-dir
      - hostPath:
          path: /run/containerd/containerd.sock
          type: ""
        name: dockershim
      - hostPath:
          path: /run/xtables.lock
          type: ""
        name: xtables-lock
      - hostPath:
          path: /var/log/aws-routed-eni
          type: DirectoryOrCreate
        name: log-dir
      - hostPath:
          path: /var/run/aws-node
          type: DirectoryOrCreate
        name: run-dir
  updateStrategy:
    type: OnDelete
status:
  currentNumberScheduled: 2
  desiredNumberScheduled: 2
  numberAvailable: 2
  numberMisscheduled: 0
  numberReady: 2
  observedGeneration: 1
  updatedNumberScheduled: 2

@johngmyers (Author)

bash-4.2# ip route
default via 172.20.32.1 dev ens5 proto dhcp src 172.20.59.200 metric 100 
169.254.172.2 dev veth417b9f8e scope link 
169.254.172.3 dev veth30e71106 scope link 
169.254.172.4 dev veth33b2a2cf scope link 
169.254.172.5 dev vethe907b245 scope link 
172.20.32.0/19 dev ens5 proto kernel scope link src 172.20.59.200 
172.20.32.1 dev ens5 proto dhcp scope link src 172.20.59.200 metric 100 
bash-4.2# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 12:9c:c0:bd:01:b1 brd ff:ff:ff:ff:ff:ff
    inet 172.20.59.200/19 brd 172.20.63.255 scope global dynamic ens5
       valid_lft 2472sec preferred_lft 2472sec
    inet6 2600:1f18:1e5f:8500:b2a6:310b:b39e:710/128 scope global dynamic noprefixroute 
       valid_lft 427sec preferred_lft 117sec
    inet6 fe80::109c:c0ff:febd:1b1/64 scope link 
       valid_lft forever preferred_lft forever
3: eni2bc5020d5a5@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether e2:57:0f:35:40:a7 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::e057:fff:fe35:40a7/64 scope link 
       valid_lft forever preferred_lft forever
4: veth417b9f8e@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether b6:5c:86:f1:e4:39 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.172.1/32 scope link veth417b9f8e
       valid_lft forever preferred_lft forever
    inet6 fe80::fcd0:70ff:fe6a:4f26/64 scope link 
       valid_lft forever preferred_lft forever
5: eni49504107038@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 46:25:0f:b1:d2:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet6 fe80::4425:fff:feb1:d2a5/64 scope link 
       valid_lft forever preferred_lft forever
6: veth30e71106@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether ce:8e:cb:34:e1:88 brd ff:ff:ff:ff:ff:ff link-netnsid 1
    inet 169.254.172.1/32 scope link veth30e71106
       valid_lft forever preferred_lft forever
    inet6 fe80::94a5:bfff:feff:c06/64 scope link 
       valid_lft forever preferred_lft forever
7: eni6c4abe62074@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 36:64:40:f4:2a:f9 brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet6 fe80::446a:eff:fefc:7e1b/64 scope link 
       valid_lft forever preferred_lft forever
8: veth33b2a2cf@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 1e:8f:fa:f0:55:3b brd ff:ff:ff:ff:ff:ff link-netnsid 2
    inet 169.254.172.1/32 scope link veth33b2a2cf
       valid_lft forever preferred_lft forever
    inet6 fe80::30c0:dff:fe7f:f698/64 scope link 
       valid_lft forever preferred_lft forever
9: enif4bf4b6b9cf@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether c6:d8:7b:c5:90:f0 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet6 fe80::c4d8:7bff:fec5:90f0/64 scope link 
       valid_lft forever preferred_lft forever
10: vethe907b245@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether ee:cc:72:f6:b0:a5 brd ff:ff:ff:ff:ff:ff link-netnsid 3
    inet 169.254.172.1/32 scope link vethe907b245
       valid_lft forever preferred_lft forever
    inet6 fe80::9c30:f0ff:fe00:868b/64 scope link 
       valid_lft forever preferred_lft forever

@achevuru (Contributor) commented Nov 17, 2021

@johngmyers I was asking for the ifconfig and ip route output from inside the pod. Would you be able to share that? Also, I see you already shared ip -6 route and ip neigh output from within the pod. Did you get into the pod via kubectl exec, or some other way?

@johngmyers (Author)

I gave you ip route and ip addr output from inside the pod. The pod doesn't have ifconfig installed; the ip addr output should be equivalent. This was all obtained via kubectl exec.

@johngmyers (Author)

Ah, from inside the non-host-network pod.

On a new cluster, running v0.10.1:

root@sample-app-5b87df5d88-ttntd:~# ip route
default via 169.254.172.1 dev v4if0 
169.254.172.0/22 via 169.254.172.1 dev v4if0 src 169.254.172.5 
169.254.172.1 dev v4if0 scope link src 169.254.172.5 
root@sample-app-5b87df5d88-ttntd:~# ip -6 route
2600:1f18:1e5f:8500:5256::3 dev eth0 proto kernel metric 256 pref medium
fe80::1 dev eth0 metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev v4if0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 metric 1024 pref medium
root@sample-app-5b87df5d88-ttntd:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 16:0c:fe:d4:80:29 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 2600:1f18:1e5f:8500:5256::3/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::140c:feff:fed4:8029/64 scope link 
       valid_lft forever preferred_lft forever
5: v4if0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether f6:89:cf:ca:ac:84 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 169.254.172.5/22 brd 169.254.175.255 scope global v4if0
       valid_lft forever preferred_lft forever
    inet6 fe80::f489:cfff:feca:ac84/64 scope link 
       valid_lft forever preferred_lft forever

That pod's node has:

ubuntu@ip-172-20-34-242:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 12:d5:2d:6b:e6:0b brd ff:ff:ff:ff:ff:ff
    altname enp0s5
    inet 172.20.34.242/19 brd 172.20.63.255 scope global dynamic ens5
       valid_lft 3167sec preferred_lft 3167sec
    inet6 2600:1f18:1e5f:8500:6ffd:1205:8f26:b4e6/128 scope global dynamic noprefixroute 
       valid_lft 424sec preferred_lft 114sec
    inet6 fe80::10d5:2dff:fe6b:e60b/64 scope link 
       valid_lft forever preferred_lft forever
3: eni7fd8b16aacb@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 6a:3c:1c:df:48:6f brd ff:ff:ff:ff:ff:ff link-netns cni-73b397f7-c017-3c12-5950-a4d0b7015a6d
    inet6 fe80::683c:1cff:fedf:486f/64 scope link 
       valid_lft forever preferred_lft forever
4: enia72b044bd6f@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 2e:04:5a:eb:87:ff brd ff:ff:ff:ff:ff:ff link-netns cni-c0a75514-ce3d-e955-1601-37d1396836bc
    inet6 fe80::a86c:ecff:fefa:5f3d/64 scope link 
       valid_lft forever preferred_lft forever
5: veth6505755a@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether d2:97:26:65:63:88 brd ff:ff:ff:ff:ff:ff link-netns cni-73b397f7-c017-3c12-5950-a4d0b7015a6d
    inet 169.254.172.1/32 scope link veth6505755a
       valid_lft forever preferred_lft forever
    inet6 fe80::5855:b3ff:fef7:af27/64 scope link 
       valid_lft forever preferred_lft forever
6: veth77485ce1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 02:8f:c2:62:77:94 brd ff:ff:ff:ff:ff:ff link-netns cni-c0a75514-ce3d-e955-1601-37d1396836bc
    inet 169.254.172.1/32 scope link veth77485ce1
       valid_lft forever preferred_lft forever
    inet6 fe80::a48a:12ff:fe54:fb33/64 scope link 
       valid_lft forever preferred_lft forever
7: eni0d3cd18e401@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether aa:b8:45:58:d4:21 brd ff:ff:ff:ff:ff:ff link-netns cni-01ebe9c8-0533-fc31-c78f-05fe48644562
    inet6 fe80::f8e5:adff:fefd:f3d/64 scope link 
       valid_lft forever preferred_lft forever
8: veth7c7f6320@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether d6:33:60:e2:79:4f brd ff:ff:ff:ff:ff:ff link-netns cni-01ebe9c8-0533-fc31-c78f-05fe48644562
    inet 169.254.172.1/32 scope link veth7c7f6320
       valid_lft forever preferred_lft forever
    inet6 fe80::7831:87ff:fe1f:6d20/64 scope link 
       valid_lft forever preferred_lft forever
9: eni31b7f64232f@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether e6:b3:3a:18:9f:22 brd ff:ff:ff:ff:ff:ff link-netns cni-7696798c-9ae1-0f8d-af50-518596ff65cf
    inet6 fe80::e4b3:3aff:fe18:9f22/64 scope link 
       valid_lft forever preferred_lft forever
10: vethdd59ce86@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default 
    link/ether 16:87:3c:c9:66:15 brd ff:ff:ff:ff:ff:ff link-netns cni-7696798c-9ae1-0f8d-af50-518596ff65cf
    inet 169.254.172.1/32 scope link vethdd59ce86
       valid_lft forever preferred_lft forever
    inet6 fe80::3421:3fff:feb1:7c09/64 scope link 
       valid_lft forever preferred_lft forever
ubuntu@ip-172-20-34-242:~$ ip route
default via 172.20.32.1 dev ens5 proto dhcp src 172.20.34.242 metric 100 
169.254.172.2 dev veth6505755a scope link 
169.254.172.3 dev veth77485ce1 scope link 
169.254.172.4 dev veth7c7f6320 scope link 
169.254.172.5 dev vethdd59ce86 scope link 
172.20.32.0/19 dev ens5 proto kernel scope link src 172.20.34.242 
172.20.32.1 dev ens5 proto dhcp scope link src 172.20.34.242 metric 100 
ubuntu@ip-172-20-34-242:~$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2600:1f18:1e5f:8500:5256:: dev eni7fd8b16aacb metric 1024 pref 

@achevuru (Contributor)

@johngmyers Thanks for sharing the info; I will go through it and get back. We validated IPv6 on the AL2 and Bottlerocket AMIs. I will check the behavior with the Ubuntu AMI and get back to you.

At a quick glance, I notice that there is no route for the pod IP (2600:1f18:1e5f:8500:5256::3) on the host. Can you confirm that the ip -6 route output included above is the entire route list? I don't see a 2600:1f18:1e5f:8500:5256::3 dev eni<xxxxxxx> metric 1024 pref route in there. How many pods are running on this node? I would assume 4, based on the eni/veth info shared above.
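
A quick spot-check for that route on the node (the pod address is taken from the pod's ip addr output above):

ip -6 route | grep 2600:1f18:1e5f:8500:5256::3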

@achevuru (Contributor)

Going by the ip -6 route output in the initial issue comment, all the routes for individual pods are present in the host netns, so I'm assuming the ip -6 route output wasn't copied in its entirety in the latest comment. I don't see anything missing, except that there is an fe80::/64 route via v4if0 as well, but that should be alright. Can you share the output of /proc/sys/net/ipv6/conf/all/forwarding, and also of the host-side veth interface of the pod (for example, /proc/sys/net/ipv6/conf/eni0d3cd18e401/forwarding)?
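
A small loop to collect those values for the global setting and every host-side pod interface (the eni* name pattern is taken from the interface listings above):

cat /proc/sys/net/ipv6/conf/all/forwarding
for d in /proc/sys/net/ipv6/conf/eni*; do
  echo "$(basename "$d"): $(cat "$d"/forwarding)"
done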

@johngmyers (Author)

Not sure what happened there. Here's the full ip -6 route from the node:

ubuntu@ip-172-20-34-242:~$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2600:1f18:1e5f:8500:5256:: dev eni7fd8b16aacb metric 1024 pref medium
2600:1f18:1e5f:8500:5256::1 dev enia72b044bd6f metric 1024 pref medium
2600:1f18:1e5f:8500:5256::2 dev eni0d3cd18e401 metric 1024 pref medium
2600:1f18:1e5f:8500:5256::3 dev eni31b7f64232f metric 1024 pref medium
2600:1f18:1e5f:8500::/64 dev ens5 proto ra metric 100 pref medium
2600:1f18:1e5f:8500::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev ens5 proto kernel metric 256 pref medium
fe80::/64 dev eni7fd8b16aacb proto kernel metric 256 pref medium
fe80::/64 dev enia72b044bd6f proto kernel metric 256 pref medium
fe80::/64 dev veth6505755a proto kernel metric 256 pref medium
fe80::/64 dev veth77485ce1 proto kernel metric 256 pref medium
fe80::/64 dev eni0d3cd18e401 proto kernel metric 256 pref medium
fe80::/64 dev veth7c7f6320 proto kernel metric 256 pref medium
fe80::/64 dev eni31b7f64232f proto kernel metric 256 pref medium
fe80::/64 dev vethdd59ce86 proto kernel metric 256 pref medium
default via fe80::1031:76ff:feb4:53b3 dev ens5 proto ra metric 100 expires 1797sec pref medium
default via fe80::1031:76ff:feb4:53b3 dev ens5 proto ra metric 1024 expires 1797sec hoplimit 255 pref medium
ubuntu@ip-172-20-34-242:~$ cat /proc/sys/net/ipv6/conf/all/forwarding
1
ubuntu@ip-172-20-34-242:~$ cat /proc/sys/net/ipv6/conf/eni0d3cd18e401/forwarding 
1

@johngmyers (Author)

ubuntu@ip-172-20-34-242:~$ sudo iptables -L
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-NODEPORTS  all  --  anywhere             anywhere             /* kubernetes health check service ports */
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain KUBE-EXTERNAL-SERVICES (2 references)
target     prot opt source               destination         

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
DROP       all  -- !localhost/8          localhost/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  anywhere             anywhere             /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT     all  --  anywhere             anywhere             /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination         

Chain KUBE-NODEPORTS (1 references)
target     prot opt source               destination         

Chain KUBE-PROXY-CANARY (0 references)
target     prot opt source               destination         

Chain KUBE-SERVICES (2 references)
target     prot opt source               destination         
ubuntu@ip-172-20-34-242:~$ sudo iptables-legacy -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             169.254.172.0/22     ctstate NEW /* Block Node Local Pod access via IPv4 */ reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ubuntu@ip-172-20-34-242:~$ 
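
The commands above dump only the IPv4 tables; assuming ip6tables and ip6tables-legacy are also installed on the node, the IPv6 rulesets can be dumped the same way:

sudo ip6tables -L -n -v
sudo ip6tables-legacy -L -n -v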

@johngmyers (Author)

jgmyers@bzxy473 kops % kubectl describe node ip-172-20-34-242.ec2.internal 
Name:               ip-172-20-34-242.ec2.internal
Roles:              node
Labels:             beta.kubernetes.io/arch=amd64
                    beta.kubernetes.io/instance-type=t3.medium
                    beta.kubernetes.io/os=linux
                    failure-domain.beta.kubernetes.io/region=us-east-1
                    failure-domain.beta.kubernetes.io/zone=us-east-1a
                    kops.k8s.io/instancegroup=nodes-us-east-1a
                    kubernetes.io/arch=amd64
                    kubernetes.io/hostname=ip-172-20-34-242.ec2.internal
                    kubernetes.io/os=linux
                    kubernetes.io/role=node
                    node-role.kubernetes.io/node=
                    node.kubernetes.io/instance-type=t3.medium
                    topology.kubernetes.io/region=us-east-1
                    topology.kubernetes.io/zone=us-east-1a
Annotations:        node.alpha.kubernetes.io/ttl: 0
                    volumes.kubernetes.io/controller-managed-attach-detach: true
CreationTimestamp:  Thu, 18 Nov 2021 21:24:08 -0800
Taints:             <none>
Unschedulable:      false
Lease:
  HolderIdentity:  ip-172-20-34-242.ec2.internal
  AcquireTime:     <unset>
  RenewTime:       Sat, 20 Nov 2021 12:28:12 -0800
Conditions:
  Type             Status  LastHeartbeatTime                 LastTransitionTime                Reason                       Message
  ----             ------  -----------------                 ------------------                ------                       -------
  MemoryPressure   False   Sat, 20 Nov 2021 12:24:16 -0800   Thu, 18 Nov 2021 21:24:08 -0800   KubeletHasSufficientMemory   kubelet has sufficient memory available
  DiskPressure     False   Sat, 20 Nov 2021 12:24:16 -0800   Thu, 18 Nov 2021 21:24:08 -0800   KubeletHasNoDiskPressure     kubelet has no disk pressure
  PIDPressure      False   Sat, 20 Nov 2021 12:24:16 -0800   Thu, 18 Nov 2021 21:24:08 -0800   KubeletHasSufficientPID      kubelet has sufficient PID available
  Ready            True    Sat, 20 Nov 2021 12:24:16 -0800   Thu, 18 Nov 2021 21:24:28 -0800   KubeletReady                 kubelet is posting ready status. AppArmor enabled
Addresses:
  InternalIP:   2600:1f18:1e5f:8500:6ffd:1205:8f26:b4e6
  InternalIP:   172.20.34.242
  ExternalIP:   54.89.140.104
  InternalDNS:  ip-172-20-34-242.ec2.internal
  Hostname:     ip-172-20-34-242.ec2.internal
Capacity:
  cpu:                2
  ephemeral-storage:  130045936Ki
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3958748Ki
  pods:               110
Allocatable:
  cpu:                2
  ephemeral-storage:  119850334420
  hugepages-1Gi:      0
  hugepages-2Mi:      0
  memory:             3856348Ki
  pods:               110
System Info:
  Machine ID:                 ec29a257794d9a48c6f0335ecf97e8e2
  System UUID:                ec29a257-794d-9a48-c6f0-335ecf97e8e2
  Boot ID:                    6f294fbb-2fba-48f8-96e7-c00ce74d3541
  Kernel Version:             5.13.0-1005-aws
  OS Image:                   Ubuntu 21.10
  Operating System:           linux
  Architecture:               amd64
  Container Runtime Version:  containerd://1.4.11
  Kubelet Version:            v1.22.2
  Kube-Proxy Version:         v1.22.2
ProviderID:                   aws:///us-east-1a/i-00229659928f73b78
Non-terminated Pods:          (6 in total)
  Namespace                   Name                                        CPU Requests  CPU Limits  Memory Requests  Memory Limits  Age
  ---------                   ----                                        ------------  ----------  ---------------  -------------  ---
  default                     sample-app-5b87df5d88-ttntd                 100m (5%)     0 (0%)      0 (0%)           0 (0%)         39h
  kube-system                 aws-node-rbwjl                              10m (0%)      0 (0%)      0 (0%)           0 (0%)         39h
  kube-system                 coredns-6c8944dbdc-948sk                    100m (5%)     0 (0%)      70Mi (1%)        170Mi (4%)     39h
  kube-system                 coredns-autoscaler-84d4cfd89c-7q7nt         20m (1%)      0 (0%)      10Mi (0%)        0 (0%)         39h
  kube-system                 ebs-csi-node-g84d7                          0 (0%)        0 (0%)      0 (0%)           0 (0%)         39h
  kube-system                 kube-proxy-ip-172-20-34-242.ec2.internal    100m (5%)     0 (0%)      0 (0%)           0 (0%)         39h
Allocated resources:
  (Total limits may be over 100 percent, i.e., overcommitted.)
  Resource           Requests    Limits
  --------           --------    ------
  cpu                330m (16%)  0 (0%)
  memory             80Mi (2%)   170Mi (4%)
  ephemeral-storage  0 (0%)      0 (0%)
  hugepages-1Gi      0 (0%)      0 (0%)
  hugepages-2Mi      0 (0%)      0 (0%)
Events:              <none>

@achevuru (Contributor)

@johngmyers Thanks for sharing all the requested info. I couldn't get to it last week; I will try to test with the Ubuntu AMI this week and provide an update.

@github-actions (bot)

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

github-actions bot added the stale label Apr 29, 2022
@jayanthvn (Contributor)

/not stale

github-actions bot removed the stale label May 10, 2022
@github-actions (bot)

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

github-actions bot added the stale label Jul 10, 2022
@jayanthvn (Contributor)

/not stale

github-actions bot removed the stale label Jul 11, 2022
@github-actions (bot)

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days

github-actions bot added the stale label Sep 22, 2022
github-actions bot commented Oct 6, 2022

Issue closed due to inactivity.

github-actions bot closed this as not planned (stale) on Oct 6, 2022