Open busishe opened 1 month ago
Hi. How are you creating the pods? Are you exposing any services with from the pods? I saw that you are using an old flannel and Kubernetes version I don't recall if the MASQUERADE process was different from that old version but I am sure that from the recent versions Flannel is using one single rule based on the Pods CIDR from that node.
thx for reply.I create service from nacos pod , not the service pods in the picture.And im sure that svc ip range is differ from the cluster ip range.Im not a net engineer ,so i dont really understand how iptable and MASQUERADE process works.Our team used an older flannel version in the past 3 years (im not sure it is 0.7.x ?),this problem never happend. Addtionally,i find that the problem happen when a pod restart abnormally,e.g. OOM.When the problem happen,restart the pod manully,the registry info will be correct.
If pod go down, flannel expected to take back pod's cluster-ip ,and delete the rule in iptables?
Flannel shouldn't create any MASQUERADE rule for the pod.
Well,which process create the rules?
I know how Flannel creates the rules on the latest versions 0.11.0
is 5 years old I am not aware how the rules were managed and probably this bug has been fixed on a later version.
Thank you , we will try running a higher version flannel in our testing env,see if there are similar appearances.
Expected Behavior
I use Flannel to manage the allocation strategy of cluster IPs in the k8s cluster. During use, it was found that when a pod dies, its cluster IP no longer exists in the cluster, but it can still ping and telnet this IP. After checking the IP rules of the node machine, it was found that the k8s node still retained the posting chain of this IP and did not seem to delete it properly, which led to my microservices mistakenly registering the service(phenomenon : the old cluster ip still remained in nacos registry center).
Current Behavior
Possible Solution
Steps to Reproduce (for bugs)
Context
On k8s master : kubectl get pods --all-namespaces -o wide|grep 172.25.163
ip:172.25.163.7 not exist but it can still ping and telnet this IP
![image](https://github.com/flannel-io/flannel/assets/13681070/254fc317-863d-4651-81bf-6fe824ec9771)
On k8s node (flannel ip:172.25.163.0):iptables -t nat -L -n -v![image](https://github.com/flannel-io/flannel/assets/13681070/b20f0fc2-2188-44a7-b6c2-4ff6acab20b9)
my etcd config is like: /coreos.com/network/config {"Network":"172.25.128.0/17","Backend":{"Type":"vxlan","Directrouting":false}}
I don't know if this phenomenon is normal, but this non-existent IP appears in the nacos registry.
Your Environment