cloudandheat / ch-k8s-lbaas

Flexible Loadbalancer-as-a-Service controller for Kubernetes
Apache License 2.0

Bug: Controller does not filter IP address family #25

Closed sstrk closed 3 years ago

sstrk commented 3 years ago

The controller does not distinguish between IPv4 and IPv6 addresses. This breaks the application of nftables rules if the host nodes have an IPv4 and an IPv6 address (DualStack).

The controller tries to use IPv6 addresses in an IPv4 nftables rule. This leads to the failure of nftables when trying to apply the generated config:

```
Error: Could not resolve hostname: Address family for hostname not supported
```

horazont commented 3 years ago

@ComradeOgilvy Could you please add the diff which is logged by the operator so that it’s clear where the error comes from?

sstrk commented 3 years ago
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: I0422 06:37:55.990373    1757 agent.go:201] configuration diff for /var/lib/ch-k8s-lbaas-agent/nftables/lbaas.conf:
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: --- /var/lib/ch-k8s-lbaas-agent/nftables/.bak-765999954        2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +++ /var/lib/ch-k8s-lbaas-agent/nftables/.tmp-675798527        2021-04-22 06:37:55.984736510 +0000
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: @@ -9,6 +9,10 @@
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  table ip nat {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          chain prerouting {
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +        ip daddr 172.30.154.11 tcp dport 80 mark set 0x1 and 0x1 ct mark set meta mark dnat to numgen inc mod 10 map {0 : 172.30.154.10, 1 : 172.30.154.15, 2 : 172.30.154.22, 3 : 172.30.154.28, 4 : 172.30.154.5, 5 : 172.30.154.7, 6 : fd00::11, 7 : fd00::14, 8 : fd00::15, 9 : fd00::6, } : 30681;
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: +
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          }
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:  
Apr 22 06:37:55 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]:          chain postrouting {
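Review bot: the added `dnat` rule in this hunk mixes IPv6 backends (`fd00::11`, `fd00::14`, `fd00::15`, `fd00::6`) into the numgen map of a rule that lives in `table ip nat`, which only accepts IPv4 addresses; that line is what `nft` rejects with "Address family for hostname not supported", and it is why `systemctl reload nftables` fails in the log lines that follow. The generator should partition the backend endpoints by address family and emit only IPv4 backends into the `ip` table (and IPv6 backends into an `ip6` table), and should refuse to emit a rule whose map would be empty after filtering rather than producing a config that cannot be loaded.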
Apr 22 06:37:55 managed-k8s-gw-az1 sudo[22853]: ch-k8s-lbaas-agent : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/systemctl reload nftables
Apr 22 06:37:56 managed-k8s-gw-az1 sudo[22853]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 22 06:37:56 managed-k8s-gw-az1 ch-k8s-lbaas-agent[1757]: Job for nftables.service failed.
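One way the agent could avoid emitting the broken rule above is to filter backends by the VIP's address family before rendering the map. The following is an added example, not code from the ch-k8s-lbaas project: it assumes a simplified rule shape (the `mark set`/`ct mark` clauses from the logged diff are omitted), the helper names `addrFamily`, `filterByFamily` and `renderDNAT` are hypothetical, and the backend list in `main` is constructed to mirror the mixed IPv4/IPv6 list from the issue.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Family names as nftables spells them in "table <family> nat".
const (
	familyIPv4 = "ip"
	familyIPv6 = "ip6"
)

// addrFamily returns the nftables family of a single address. IPv4-mapped IPv6
// addresses (::ffff:a.b.c.d) are unmapped and counted as IPv4.
func addrFamily(s string) (string, error) {
	ip, err := netip.ParseAddr(s)
	if err != nil {
		return "", fmt.Errorf("backend %q is not an IP address: %w", s, err)
	}
	if ip.Unmap().Is4() {
		return familyIPv4, nil
	}
	return familyIPv6, nil
}

// filterByFamily keeps only the backends whose family matches want and reports
// the ones it dropped, so a caller can log them instead of silently losing them.
func filterByFamily(want string, backends []string) (kept, dropped []string, err error) {
	for _, b := range backends {
		fam, ferr := addrFamily(b)
		if ferr != nil {
			return nil, nil, ferr
		}
		if fam == want {
			kept = append(kept, b)
		} else {
			dropped = append(dropped, b)
		}
	}
	return kept, dropped, nil
}

// renderDNAT builds a numgen round-robin DNAT rule in the shape of the one in
// the logged diff, using only backends of the VIP's own address family. It
// returns an error rather than an empty map when no backend of that family
// exists, so an unloadable config is never written.
func renderDNAT(vip string, port, targetPort int, backends []string) (rule string, dropped []string, err error) {
	fam, err := addrFamily(vip)
	if err != nil {
		return "", nil, err
	}
	kept, dropped, err := filterByFamily(fam, backends)
	if err != nil {
		return "", nil, err
	}
	if len(kept) == 0 {
		return "", dropped, fmt.Errorf("no %s backends for VIP %s", fam, vip)
	}
	elems := make([]string, len(kept))
	for i, b := range kept {
		elems[i] = fmt.Sprintf("%d : %s", i, b)
	}
	rule = fmt.Sprintf("%s daddr %s tcp dport %d dnat to numgen inc mod %d map { %s } : %d;",
		fam, vip, port, len(kept), strings.Join(elems, ", "), targetPort)
	return rule, dropped, nil
}

func main() {
	// Constructed sample: a dual-stack backend list like the one in the issue's diff.
	backends := []string{"172.30.154.10", "172.30.154.15", "fd00::11", "fd00::14"}
	rule, dropped, err := renderDNAT("172.30.154.11", 80, 30681, backends)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(rule)
	fmt.Println("dropped (other family):", dropped)
}
```

The point of returning the dropped addresses rather than discarding them is operational: an operator reading the agent log should be able to see that IPv6 backends exist but were not used for an IPv4 VIP, which is the signal that an `ip6 nat` table (or a dual-stack VIP) is needed.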