-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calico Daemonset Iptables Issue in RHEL 8 #7393
Comments
We have the same issue . |
Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue |
HI @MichalFupso , |
Hi, @yankay Thanks for your input |
HI @HenryXie1 Follow the description of the issue, The issue is the same as the: #2322. The auto-detect logic in the RHEL/Centos 8 is to detect auto as a legacy instead of NFT. So that causes the issue. There is a blog article about the issue: https://mihail-milev.medium.com/no-pod-to-pod-communication-on-centos-8-kubernetes-with-calico-56d694d2a6f4 |
Thanks @yankay I am not sure how this works in version 3.24 without the PRs mentioned in #7111 and #7460. |
env: RHEL 8.10, iptables v1.8.5 (nf_tables), kube-proxy v1.23.4,Calico v3.25.2, calico-node daemonset env added FELIX_IPTABLESBACKEND value to Auto maybe related with this: #8025 ? |
We have upgrade the worker node to RHEL 8. it has iptables-nft enabled
iptables -V --> iptables-nft in the OS
We are currently using the Calico daemonset version 3.24, and according to the documentation, it should automatically detect the version of iptables on RHEL 8. We have verified this information through the following links: #2322, and #4322.
However, when we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy). Even when we added the environment variable FELIX_IPTABLESBACKEND with the value "Auto" and rolled the pods, the legacy version of iptables was still being used.
. We are confused because despite this information, when we run the "iptables -V" command on the Calico node, it still shows the legacy version of iptables. Could you please provide clarification on this matter?
Meanwhile I found #7111 is still open (not merged)
seems the issue is not fixed,so I wonder how Calico implemented iptables automatic detection feature. or did I miss sth?
Thank you
@caseydavenport Thank you
Expected Behavior
When work nodes upgrade to RHEL 8,
kubectl exec -it calico-nodes-*** -- iptables -V --> iptables-nft
Current Behavior
with calico 3.24 and RHEL 8
we run the command "kubectl exec -it calico-nodes-*** -- iptables -V," it shows that the version being used is iptables v1.8.4 (legacy)
Possible Solution
no
Steps to Reproduce (for bugs)
Context
Your Environment
The text was updated successfully, but these errors were encountered: