-
Notifications
You must be signed in to change notification settings - Fork 716
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stale iptables rules seen after "kubeadm reset" #689
Comments
We should probably include the fact that in the meantime @vhosakot you can check out this blog post to see how to reset your iptables rules https://blog.heptio.com/properly-resetting-your-kubeadm-bootstrapped-cluster-nodes-heptioprotip-473bd0b824aa (disclaimer: I work at heptio) |
On second thought, it's really the kubelet and the CNI doing the networking manipulation (unless I totally missed something). Kubeadm enables the kubelet service and then cleanup instructions will be different for each CNI provider. I think we could clarify that kubeadm doesn't specifically do anything with networking and therefore kubeadm reset can't reasonably undo anything that the kubelet or CNI has done. We could redirect folks to various CNI cleanup instructions / kubelet cleanup instructions? |
This is really on the proxy imo, and I'm not aware of an option to clear the rules. |
kube-proxy has an option to do this I believe - https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy/
Calico does not have an equivalent option, so today you'll need to flush those yourself, and/or open an enhancement request against Calico :) |
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
/assign @timothysc @liztio @rosti |
@timothysc @chuckha @neolit123 after inspection and consulting with other contributors, I have come up with the following options which I would like asking for preference before implementing:
None are super elegant and there are trade offs to each. |
The more I've mulled this over, the more I think @chuckha 's suggestion to print the command the user should run if they want to drop iptables rules is the saner of all options, given the highly decoupled kubeadm is from cluster components. |
BUG REPORT:
After doing
kubeadm reset
on all the nodes, I see these stale iptables rules installed by kubernetes and the CNI on all the nodes and they are not deleted afterkubeadm reset
is done.kubeadm
version1.7
was used andcalico
was the CNI.These stale iptables rules affect packet forwarding on the nodes after
kubeadm reset
is done.kubeadm version:
Environment:
Ubuntu xenial VM:
iptables
version isv1.6.0
.Docker version:
Calico CNI image versions:
What happened?
Stale iptables rules were seen on all the nodes after
kubeadm reset
was done on all the nodes.What you expected to happen?
No stale iptables rules and
kubeadm reset
must delete all the iptables rules installed by kubernetes and the CNI.How to reproduce it (as minimally and precisely as possible)?
kubeadm reset
(see steps above)The text was updated successfully, but these errors were encountered: