Closed EKami closed 1 month ago
By default, kuberouter sends all the traffic to the pods directly just using normal layer 3 routing. In other words, the packet from node A goes to node B using the podIP.
Some infrastructure providers do not allow this; most certainly you can fix this by setting the option `.spec.network.kuberouter.ipMasq` to `true`.
Thank you for the pointer, but unfortunately it did not work. I also tried the following, but it didn't work either:
```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
metadata:
  creationTimestamp: null
  name: k0s
spec:
  api:
    address: 116.203.97.220
    k0sApiPort: 9443
    port: 6443
    sans:
    - 116.203.97.220
  controllerManager: {}
  extensions:
    helm:
      charts: null
      concurrencyLevel: 5
      repositories: null
    storage:
      create_default_storage_class: false
      type: external_storage
  installConfig:
    users:
      etcdUser: etcd
      kineUser: kube-apiserver
      konnectivityUser: konnectivity-server
      kubeAPIserverUser: kube-apiserver
      kubeSchedulerUser: kube-scheduler
  konnectivity:
    adminPort: 8133
    agentPort: 8132
  network:
    serviceCIDR: 10.96.0.0/12
    podCIDR: 10.244.0.0/16
    provider: calico
    calico:
      mode: ipip
      ipipMode: Always
    nodeLocalLoadBalancing:
      envoyProxy:
        apiServerBindPort: 7443
        konnectivityServerBindPort: 7132
      type: EnvoyProxy
  scheduler: {}
  storage:
    etcd:
      externalCluster: null
      peerAddress: 116.203.97.220
    type: etcd
  telemetry:
    enabled: true
```
In both cases I started with a fresh cluster to make sure the previous configuration wasn't applied on existing nodes.
```console
❯ kubectl logs -n kube-system -l k8s-app=calico-node
Defaulted container "calico-node" out of: calico-node, install-cni (init)
Defaulted container "calico-node" out of: calico-node, install-cni (init)
Defaulted container "calico-node" out of: calico-node, install-cni (init)
2024-07-22 13:54:23.303 [INFO][86] felix/summary.go 100: Summarising 10 dataplane reconciliation loops over 1m2.9s: avg=17ms longest=37ms ()
2024-07-22 13:54:23.413 [INFO][84] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface eth0: 5.75.130.232/32
2024-07-22 13:55:23.426 [INFO][84] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface eth0: 5.75.130.232/32
2024-07-22 13:55:26.198 [INFO][86] felix/summary.go 100: Summarising 7 dataplane reconciliation loops over 1m2.9s: avg=12ms longest=18ms (resync-ipsets-v4)
2024-07-22 13:56:14.880 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-1" ipv4_addr:"5.75.130.232/32" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"worker-1" > labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:15.527 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-2" ipv4_addr:"162.55.48.10/32" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"worker-2" > labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:20.641 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"ip-172-31-12-4" ipv4_addr:"172.31.12.4/20" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"gpu-memory-MiB" value:"15360" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"ip-172-31-12-4" > labels:<key:"kubernetes.io/os" value:"linux" > labels:<key:"nvidia.com/gpu.present" value:"true" >
2024-07-22 13:56:23.428 [INFO][84] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface eth0: 5.75.130.232/32
2024-07-22 13:56:28.955 [INFO][86] felix/summary.go 100: Summarising 12 dataplane reconciliation loops over 1m2.8s: avg=11ms longest=36ms ()
2024-07-22 13:57:23.443 [INFO][84] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface eth0: 5.75.130.232/32
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 50701)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 48971)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 55499)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 54229)
2024-07-22 13:57:23.174 [INFO][88] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface eth0: 162.55.48.10/32
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 34559)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 47097)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 54185)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 39407)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 37163)
2024-07-22 13:54:31.634 [INFO][97] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface ens5: 172.31.12.4/20
2024-07-22 13:54:53.332 [INFO][102] felix/summary.go 100: Summarising 8 dataplane reconciliation loops over 1m3.7s: avg=4ms longest=11ms ()
2024-07-22 13:55:31.645 [INFO][97] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface ens5: 172.31.12.4/20
2024-07-22 13:55:53.752 [INFO][102] felix/summary.go 100: Summarising 8 dataplane reconciliation loops over 1m0.4s: avg=4ms longest=10ms ()
2024-07-22 13:56:14.964 [INFO][102] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-1" ipv4_addr:"5.75.130.232/32" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"worker-1" > labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:15.613 [INFO][102] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-2" ipv4_addr:"162.55.48.10/32" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"worker-2" > labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:20.722 [INFO][102] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"ip-172-31-12-4" ipv4_addr:"172.31.12.4/20" labels:<key:"beta.kubernetes.io/arch" value:"amd64" > labels:<key:"beta.kubernetes.io/os" value:"linux" > labels:<key:"gpu-memory-MiB" value:"15360" > labels:<key:"kubernetes.io/arch" value:"amd64" > labels:<key:"kubernetes.io/hostname" value:"ip-172-31-12-4" > labels:<key:"kubernetes.io/os" value:"linux" > labels:<key:"nvidia.com/gpu.present" value:"true" >
2024-07-22 13:56:31.645 [INFO][97] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface ens5: 172.31.12.4/20
2024-07-22 13:56:58.649 [INFO][102] felix/summary.go 100: Summarising 12 dataplane reconciliation loops over 1m4.9s: avg=4ms longest=9ms (resync-nat-v4,resync-raw-v4)
2024-07-22 13:57:31.656 [INFO][97] monitor-addresses/autodetection_methods.go 103: Using autodetected IPv4 address on interface ens5: 172.31.12.4/20
```
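The calico-node logs above carry a diagnostic signal worth pulling out automatically: felix advertises each node under the address it detected on its own interface (the AWS node under its private `172.31.12.4/20`), while bird on the Hetzner nodes rejects BGP connects from `35.91.61.120`, an address no node advertises. The following check is an added example, not code from the thread or from k0s/Calico; it assumes `35.91.61.120` is the public address the AWS node reaches the Hetzner nodes through (the thread never states this), and the sample log lines are constructed from the ones above, trimmed to the fields the check uses.

```python
import re
from ipaddress import ip_address

# Constructed sample log, modelled on the calico-node lines in this thread.
SAMPLE_LOG = """\
2024-07-22 13:56:14.880 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-1" ipv4_addr:"5.75.130.232/32" labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:15.527 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"worker-2" ipv4_addr:"162.55.48.10/32" labels:<key:"kubernetes.io/os" value:"linux" >
2024-07-22 13:56:20.641 [INFO][86] felix/int_dataplane.go 1954: Received *proto.HostMetadataV4V6Update update from calculation graph msg=hostname:"ip-172-31-12-4" ipv4_addr:"172.31.12.4/20" labels:<key:"kubernetes.io/os" value:"linux" >
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 50701)
bird: BGP: Unexpected connect from unknown address 35.91.61.120 (port 48971)
"""

HOST_RE = re.compile(r'HostMetadataV4V6Update .*?hostname:"([^"]+)" ipv4_addr:"([^"]+)"')
BIRD_RE = re.compile(r'bird: BGP: Unexpected connect from unknown address (\S+) \(port (\d+)\)')


def advertised_hosts(log: str) -> dict:
    """Map hostname -> IPv4 address (prefix length dropped) that felix advertises for it."""
    hosts = {}
    for m in HOST_RE.finditer(log):
        hosts[m.group(1)] = m.group(2).split("/")[0]
    return hosts


def unknown_bgp_peers(log: str) -> dict:
    """Map each source address bird rejected as unknown -> number of rejected connects."""
    counts = {}
    for m in BIRD_RE.finditer(log):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def diagnose(log: str) -> list:
    """Flag rejected BGP sources that look like a NATed node.

    A public source that matches no advertised node address, while some node
    advertises only an RFC 1918 address, is the signature of a node sitting
    behind 1:1 NAT (assumed here to be the AWS instance): its peers know it by
    the private address, so the session from the public address is refused.
    Returns (source, rejected_connects, candidate_private_nodes) tuples.
    """
    hosts = advertised_hosts(log)
    private_nodes = [h for h, ip in hosts.items() if ip_address(ip).is_private]
    findings = []
    for src, n in unknown_bgp_peers(log).items():
        if src in hosts.values():
            continue  # a known node was refused: not a NAT mismatch
        if ip_address(src).is_global and private_nodes:
            findings.append((src, n, private_nodes))
    return findings
```

Running `diagnose` over the real `kubectl logs -n kube-system -l k8s-app=calico-node` output gives the same answer for the full lines, since the regexes only key on the `hostname`/`ipv4_addr` fields and the bird message.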
This didn't help either :( :
```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
metadata:
  creationTimestamp: null
  name: k0s
spec:
  api:
    address: 116.203.97.220
    k0sApiPort: 9443
    port: 6443
    sans:
    - 116.203.97.220
  controllerManager: {}
  extensions:
    helm:
      charts: null
      concurrencyLevel: 5
      repositories: null
    storage:
      create_default_storage_class: false
      type: external_storage
  installConfig:
    users:
      etcdUser: etcd
      kineUser: kube-apiserver
      konnectivityUser: konnectivity-server
      kubeAPIserverUser: kube-apiserver
      kubeSchedulerUser: kube-scheduler
  konnectivity:
    adminPort: 8133
    agentPort: 8132
  network:
    serviceCIDR: 10.96.0.0/12
    podCIDR: 10.244.0.0/16
    provider: calico
    calico:
      mode: vxlan
      vxlanPort: 4789
      crossSubnet: true
    nodeLocalLoadBalancing:
      envoyProxy:
        apiServerBindPort: 7443
        konnectivityServerBindPort: 7132
      type: EnvoyProxy
  scheduler: {}
  storage:
    etcd:
      externalCluster: null
      peerAddress: 116.203.97.220
    type: etcd
  telemetry:
    enabled: true
```
This kind of setup requires source/destination checking to be turned off for your EC2 instance. Can you verify that this is the case? In the AWS Console, go to EC2, then select Actions -> Networking -> Change source/destination check. Check that the "Stop" box is checked.
You can verify the status of the Source/Destination checks via the AWS CLI, too:
```shell
aws ec2 describe-instances --query "Reservations[].Instances[].[Tags[?Key=='Name'].Value | [0], InstanceId, SourceDestCheck]"
```
This needs to print `false` for the value of `SourceDestCheck`.
Thanks a lot for your help. I did exactly that, and the AWS command returns:
```json
[
  [
    "gpu1",
    "i-0c5f8ba18d7b8616a",
    false
  ]
]
```
With the following k0s configuration file:
```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
metadata:
  creationTimestamp: null
  name: k0s
spec:
  api:
    address: 116.203.97.220
    k0sApiPort: 9443
    port: 6443
    sans:
    - 116.203.97.220
  controllerManager: {}
  extensions:
    helm:
      charts: null
      concurrencyLevel: 5
      repositories: null
    storage:
      create_default_storage_class: false
      type: external_storage
  installConfig:
    users:
      etcdUser: etcd
      kineUser: kube-apiserver
      konnectivityUser: konnectivity-server
      kubeAPIserverUser: kube-apiserver
      kubeSchedulerUser: kube-scheduler
  konnectivity:
    adminPort: 8133
    agentPort: 8132
  network:
    provider: kuberouter
    podCIDR: 10.244.0.0/16
    serviceCIDR: 10.96.0.0/12
    clusterDomain: cluster.local
    kubeProxy:
      iptables:
        minSyncPeriod: 0s
        syncPeriod: 0s
      ipvs:
        minSyncPeriod: 0s
        syncPeriod: 0s
        tcpFinTimeout: 0s
        tcpTimeout: 0s
        udpTimeout: 0s
      metricsBindAddress: 0.0.0.0:10249
      mode: iptables
    kuberouter:
      ipMasq: true
      autoMTU: true
      hairpin: Enabled
      metricsPort: 8080
    nodeLocalLoadBalancing:
      envoyProxy:
        apiServerBindPort: 7443
        konnectivityServerBindPort: 7132
      type: EnvoyProxy
  scheduler: {}
  storage:
    etcd:
      externalCluster: null
      peerAddress: 116.203.97.220
    type: etcd
  telemetry:
    enabled: true
```
But it still doesn't work :( . I guess the only way to bypass this limitation in any cloud is to use something like tailscale.
Is there a CNI that allows bypassing these limitations without a solution like tailscale?
I finally got it working with Cilium as a CNI coupled with Wireguard tunneling.
Here is my final `k0s.yaml` configuration:
```yaml
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
metadata:
  creationTimestamp: null
  name: k0s
spec:
  api:
    address: {{ ansible_host }}
    k0sApiPort: 9443
    port: 6443
    sans:
    - {{ ansible_host }}
  controllerManager: {}
  extensions:
    helm:
      charts: null
      concurrencyLevel: 5
      repositories: null
    storage:
      create_default_storage_class: false
      type: external_storage
  installConfig:
    users:
      etcdUser: etcd
      kineUser: kube-apiserver
      konnectivityUser: konnectivity-server
      kubeAPIserverUser: kube-apiserver
      kubeSchedulerUser: kube-scheduler
  konnectivity:
    adminPort: 8133
    agentPort: 8132
  network:
    provider: custom
    kubeProxy:
      disabled: true
    nodeLocalLoadBalancing:
      envoyProxy:
        apiServerBindPort: 7443
        konnectivityServerBindPort: 7132
      type: EnvoyProxy
  scheduler: {}
  storage:
    etcd:
      externalCluster: null
      peerAddress: {{ ansible_host }}
    type: etcd
  telemetry:
    enabled: true
```
And here is how I installed cilium with Ansible:
```yaml
- name: Check if Cilium is already installed
  stat:
    path: /etc/ansible/facts.d/cilium_installed.fact
  register: cilium_installed_fact

- block:
    - name: Ensure /etc/ansible/facts.d directory exists
      # become belongs to the task, not to the file module's arguments
      become: yes
      file:
        path: /etc/ansible/facts.d
        state: directory
        mode: '0755'

    - name: Get the latest Cilium CLI version
      shell: curl -s https://raw.githubusercontent.com/cilium/cilium-cli/main/stable.txt
      register: cilium_cli_version

    - name: Determine the CLI architecture
      set_fact:
        cli_arch: "{{ 'arm64' if ansible_architecture == 'aarch64' else 'amd64' }}"

    - name: Download the Cilium CLI tarball and its checksum
      get_url:
        url: "https://github.com/cilium/cilium-cli/releases/download/{{ cilium_cli_version.stdout }}/cilium-linux-{{ cli_arch }}.tar.gz"
        dest: "/tmp/cilium-linux-{{ cli_arch }}.tar.gz"
      register: cilium_cli_tarball

    - name: Download the Cilium CLI checksum
      get_url:
        url: "https://github.com/cilium/cilium-cli/releases/download/{{ cilium_cli_version.stdout }}/cilium-linux-{{ cli_arch }}.tar.gz.sha256sum"
        dest: "/tmp/cilium-linux-{{ cli_arch }}.tar.gz.sha256sum"

    - name: Verify the checksum
      shell: sha256sum --check /tmp/cilium-linux-{{ cli_arch }}.tar.gz.sha256sum
      args:
        chdir: /tmp

    - name: Extract the Cilium CLI tarball
      become: yes
      unarchive:
        src: "/tmp/cilium-linux-{{ cli_arch }}.tar.gz"
        dest: /usr/local/bin
        remote_src: yes

    - name: Clean up the downloaded files
      file:
        path: "/tmp/cilium-linux-{{ cli_arch }}.tar.gz{{ item }}"
        state: absent
      loop:
        - ''
        - '.sha256sum'

    - name: Install Cilium
      become: yes
      shell: "cilium install --set encryption.enabled=true --set encryption.type=wireguard"
      environment:
        KUBECONFIG: "{{ ansible_facts.env.HOME }}/.kube/config"

    - name: Check Cilium status and wait until it is ready
      shell: "cilium status --wait"
      environment:
        KUBECONFIG: "{{ ansible_facts.env.HOME }}/.kube/config"
      retries: 5
      delay: 10
      register: cilium_status
      until: cilium_status.rc == 0

    - name: Test nodes connectivity with Cilium
      shell: "cilium connectivity test --test '/node-to-node/'"
      environment:
        KUBECONFIG: "{{ ansible_facts.env.HOME }}/.kube/config"
      retries: 5
      delay: 10
      register: connectivity_test
      until: connectivity_test.rc == 0

    - name: Test pods connectivity with Cilium
      shell: "cilium connectivity test --test '/pod-to-pod/'"
      environment:
        KUBECONFIG: "{{ ansible_facts.env.HOME }}/.kube/config"
      retries: 5
      delay: 10
      register: connectivity_test
      until: connectivity_test.rc == 0

    - name: Create a fact file indicating Cilium installation
      become: yes
      copy:
        dest: /etc/ansible/facts.d/cilium_installed.fact
        content: |
          [cilium]
          installed = true
  when: cilium_installed_fact.stat.exists == false
```
Before creating an issue, make sure you've checked the following:
Platform
Version
v1.30.2+k0s.0
Sysinfo
`k0s sysinfo`
What happened?
I have a cluster with 4 nodes, 3 are running in the Hetzner cloud, and 1 is running in AWS.
`worker-1`/`worker-2` and `worker-3` are all located in the Hetzner cloud. And in AWS I have the node `ip-172-31-7-1`.
In AWS the security group is open to the world so theoretically, accessible from any IP and port:
The issue is that I can easily communicate between worker-1 and worker-2 or worker-3 but it's impossible to communicate between worker-1/2/3 -> ip-172-31-7-1. I also checked the ACL of my VPC, everything seems fine on both the VPC and security groups level.
See below for more details.
Steps to reproduce
Using the following deployment file:
I get:
I can send a message with `echo "Hello from $(hostname)" | nc 10.244.2.7 12345` from `test-pod-worker-2` but not from `ip-172-30-0-144`. The command actually hangs from `ip-172-31-7-1`. Ping has the same problem:
Also:
I'm not sure what I'm missing here. I have tried with an instance in a provider different from AWS (lambdalabs) and I'm facing the same issue. For that reason I think it's coming from my k0s or k8s configuration.
Expected behavior
For my pods to communicate between themselves
Actual behavior
Not all pods are able to communicate with each other
Additional context
On all of my nodes with direct SSH access:
from the `worker-1` instance: the results are:
List of ports taken from the docs. This is my `/etc/k0s/k0s.yaml` configuration file on my controller node: