Environmental Info:
K3s Version:
$ k3s --version
k3s version v1.25.4+k3s- ()
go version go1.22.2
Node(s) CPU architecture, OS, and Version:
$ cat /etc/lsb-release
DISTRIB_ID="Gentoo"
$ uname -a
Linux solid 6.0.7-gentoo-solid-stolz #4 SMP Sat Nov 5 19:03:13 HKT 2022 x86_64 AMD Ryzen 7 5700G with Radeon Graphics AuthenticAMD GNU/Linux
$ uptime # Long uptime, hence the old kernel version in use
17:49:54 up 350 days, 7:16, 4 users, load average: 0.78, 0.79, 0.55
$ iptables --version
iptables v1.8.10 (legacy)
Cluster Configuration: Single node server.
$ cat /etc/rancher/k3s/config.yaml
write-kubeconfig-mode: "0640"
$ env | grep K3S_ # No output because no K3s env variables have been defined
Describe the bug:
Pods from the default addons cannot connect to the Kubernetes API service at https://10.43.0.1:443.
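For context, 10.43.0.1 is the ClusterIP of the default kubernetes service: K3s uses 10.43.0.0/16 as its default service CIDR (and 10.42.0.0/16 as the pod CIDR). This can be confirmed with:
```
$ kubectl get svc kubernetes -n default
```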
Steps To Reproduce:
1. Flush iptables firewall and reset default policy to allow all traffic
2. Install K3s
3. Start K3s server
4. Check status of pods in kube-system namespace
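For reference, a minimal sketch of the commands behind these steps; the Gentoo package atom and the OpenRC service name are assumptions, adjust them to your setup:
```
# 1. Flush all rules and user-defined chains, set permissive default policies
$ iptables -F && iptables -X
$ iptables -P INPUT ACCEPT
$ iptables -P FORWARD ACCEPT
$ iptables -P OUTPUT ACCEPT

# 2./3. Install and start K3s (package atom and init script name assumed)
$ emerge --ask sys-cluster/k3s
$ rc-service k3s start

# 4. Watch the addon pods in kube-system
$ kubectl get pods -n kube-system --watch
```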
Expected behavior:
All default addons from /var/lib/rancher/k3s/server/manifests should be up and running. If any iptables extension is missing, it should be caught by the check-config.sh script.
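check-config.sh reads the kernel config, so a runtime probe along these lines might be a useful addition, to catch a match extension that fails to load even though its CONFIG_ option is enabled (a sketch; K3S_CHECK is just a throwaway chain name used for the test):
```
# Probe the 'multiport' match by adding and removing a rule in a scratch chain
$ iptables -w -N K3S_CHECK
$ iptables -w -A K3S_CHECK -p tcp -m multiport --dports 1,2 -j RETURN \
    && echo "multiport: ok" || echo "multiport: missing"
$ iptables -w -F K3S_CHECK && iptables -w -X K3S_CHECK
```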
Actual behavior:
The coredns pod never reaches ready status. The local-path-provisioner and metrics-server pods enter CrashLoopBackOff. All of the failing pods report errors about being unable to connect to https://10.43.0.1:443, and the server logs mention some iptables extensions as missing.
Additional context / logs:
My system has a lot of iptables rules, but for the sake of simplicity I have reproduced the issue with a firewall without any rules and a permissive default policy. The events and logs of the failing pods are below; the complete list of steps I followed (including the check-config.sh output and the iptables rules added by K3s) comes after them.
coredns pod ...
```
$ kubectl describe -n kube-system pod/coredns-597584b69b-pwlmm
(...redacted for brevity...)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 14m default-scheduler Successfully assigned kube-system/coredns-597584b69b-pwlmm to solid
Normal Pulled 14m kubelet Container image "rancher/mirrored-coredns-coredns:1.9.4" already present on machine
Normal Created 14m kubelet Created container coredns
Normal Started 14m kubelet Started container coredns
Warning Unhealthy 4m19s (x310 over 14m) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
$ kubectl logs -n kube-system pod/coredns-597584b69b-pwlmm
[INFO] plugin/reload: Running configuration SHA512 = b941b080e5322f6519009bb49349462c7ddb6317425b0f6a83e5451175b720703949e3f3b454a24e77f3ffe57fd5e9c6130e528a5a1dd00d9000e4afd6c1108d
CoreDNS-1.9.4
linux/amd64, go1.19.1, 1f0a41a
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[INFO] plugin/ready: Still waiting on: "kubernetes"
[WARNING] plugin/kubernetes: Kubernetes API connection failure: Get "https://10.43.0.1:443/version": dial tcp 10.43.0.1:443: i/o timeout
```
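To confirm the failure is specific to the pod network rather than the apiserver itself, the same endpoint can be queried from the host and from a throwaway pod (a sketch; the curlimages/curl image is an arbitrary choice):
```
# From the host network
$ curl -k -m 10 https://10.43.0.1:443/version

# From a pod on the cluster network
$ kubectl run apitest --rm -it --restart=Never --image=curlimages/curl -- \
    curl -k -m 10 https://10.43.0.1:443/version
```
If the first call succeeds while the second times out, the problem is on the pod-to-service path (DNAT/masquerade/forwarding) rather than in the apiserver.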
local-path-provisioner pod ...
```
$ kubectl describe -n kube-system pod/local-path-provisioner-79f67d76f8-j4vcv
(...redacted for brevity...)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 26m default-scheduler Successfully assigned kube-system/local-path-provisioner-79f67d76f8-j4vcv to solid
Normal Pulled 23m (x5 over 26m) kubelet Container image "rancher/local-path-provisioner:v0.0.23" already present on machine
Normal Created 23m (x5 over 26m) kubelet Created container local-path-provisioner
Normal Started 23m (x5 over 26m) kubelet Started container local-path-provisioner
Warning BackOff 82s (x96 over 25m) kubelet Back-off restarting failed container
$ kubectl logs -n kube-system pod/local-path-provisioner-79f67d76f8-j4vcv
time="2024-04-23T10:15:26Z" level=fatal msg="Error starting daemon: Cannot start Provisioner: failed to get Kubernetes server version: Get \"https://10.43.0.1:443/version?timeout=32s\": dial tcp 10.43.0.1:443: i/o timeout"
```
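Since every failing pod times out against the same service IP, it may also be worth ruling out a missing endpoint registration; the kubernetes service should list the node's apiserver address:
```
$ kubectl get endpoints kubernetes -n default
```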
metrics-server pod ...
```
$ kubectl describe -n kube-system pod/metrics-server-5c8978b444-mhx2c
(...redacted for brevity...)
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 28m default-scheduler Successfully assigned kube-system/metrics-server-5c8978b444-mhx2c to solid
Warning Unhealthy 28m kubelet Readiness probe failed: Get "https://10.42.0.7:10250/readyz": read tcp 10.42.0.1:52682->10.42.0.7:10250: read: connection reset by peer
Normal Created 28m (x2 over 28m) kubelet Created container metrics-server
Normal Started 28m (x2 over 28m) kubelet Started container metrics-server
Warning Unhealthy 28m (x13 over 28m) kubelet Readiness probe failed: Get "https://10.42.0.7:10250/readyz": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Warning Unhealthy 28m (x5 over 28m) kubelet Readiness probe failed: Get "https://10.42.0.7:10250/readyz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
Warning Unhealthy 13m kubelet Readiness probe failed: Get "https://10.42.0.7:10250/readyz": read tcp 10.42.0.1:54188->10.42.0.7:10250: read: connection reset by peer
Normal Pulled 8m39s (x9 over 28m) kubelet Container image "rancher/mirrored-metrics-server:v0.6.1" already present on machine
Warning BackOff 3m41s (x99 over 27m) kubelet Back-off restarting failed container
$ kubectl logs -n kube-system pod/metrics-server-5c8978b444-mhx2c
Error: unable to load configmap based request-header-client-ca-file: Get "https://10.43.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": dial tcp 10.43.0.1:443: i/o timeout
```
These are all the steps I followed, starting from a clean system:
1. Install K3s from the official Gentoo repository
2. Check whether any kernel options are missing:
```
$ wget -q https://raw.githubusercontent.com/k3s-io/k3s/master/contrib/util/check-config.sh
$ modprobe configs
$ sh check-config.sh

Verifying binaries in .:
- sha256sum: sha256sums unavailable
- links: link list unavailable

System:
- /sbin iptables v1.8.10 (legacy): ok
- swap: disabled
- routes: ok

Limits:
- /proc/sys/kernel/keys/root_maxkeys: 1000000

info: reading kernel config from /proc/config.gz ...

Generally Necessary:
- cgroup hierarchy: cgroups Hybrid mounted, cpuset|memory controllers status: good
- CONFIG_NAMESPACES: enabled
- CONFIG_NET_NS: enabled
- CONFIG_PID_NS: enabled
- CONFIG_IPC_NS: enabled
- CONFIG_UTS_NS: enabled
- CONFIG_CGROUPS: enabled
- CONFIG_CGROUP_PIDS: enabled
- CONFIG_CGROUP_CPUACCT: enabled
- CONFIG_CGROUP_DEVICE: enabled
- CONFIG_CGROUP_FREEZER: enabled
- CONFIG_CGROUP_SCHED: enabled
- CONFIG_CPUSETS: enabled
- CONFIG_MEMCG: enabled
- CONFIG_KEYS: enabled
- CONFIG_VETH: enabled (as module)
- CONFIG_BRIDGE: enabled (as module)
- CONFIG_BRIDGE_NETFILTER: enabled (as module)
- CONFIG_IP_NF_FILTER: enabled (as module)
- CONFIG_IP_NF_TARGET_MASQUERADE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_CONNTRACK: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_IPVS: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_COMMENT: enabled (as module)
- CONFIG_NETFILTER_XT_MATCH_MULTIPORT: enabled (as module)
- CONFIG_IP_NF_NAT: enabled (as module)
- CONFIG_NF_NAT: enabled (as module)
- CONFIG_POSIX_MQUEUE: enabled

Optional Features:
- CONFIG_USER_NS: enabled
- CONFIG_SECCOMP: enabled
- CONFIG_BLK_CGROUP: enabled
- CONFIG_BLK_DEV_THROTTLING: enabled
- CONFIG_CGROUP_PERF: enabled
- CONFIG_CGROUP_HUGETLB: missing
- CONFIG_NET_CLS_CGROUP: enabled (as module)
- CONFIG_CGROUP_NET_PRIO: enabled
- CONFIG_CFS_BANDWIDTH: enabled
- CONFIG_FAIR_GROUP_SCHED: enabled
- CONFIG_RT_GROUP_SCHED: enabled
- CONFIG_IP_NF_TARGET_REDIRECT: enabled (as module)
- CONFIG_IP_SET: enabled (as module)
- CONFIG_IP_VS: enabled (as module)
- CONFIG_IP_VS_NFCT: enabled
- CONFIG_IP_VS_PROTO_TCP: enabled
- CONFIG_IP_VS_PROTO_UDP: enabled
- CONFIG_IP_VS_RR: enabled (as module)
- CONFIG_EXT4_FS: enabled
- CONFIG_EXT4_FS_POSIX_ACL: enabled
- CONFIG_EXT4_FS_SECURITY: enabled
- Network Drivers:
  - "overlay":
    - CONFIG_VXLAN: enabled (as module)
      Optional (for encrypted networks):
      - CONFIG_CRYPTO: enabled
      - CONFIG_CRYPTO_AEAD: enabled (as module)
      - CONFIG_CRYPTO_GCM: enabled (as module)
      - CONFIG_CRYPTO_SEQIV: enabled (as module)
      - CONFIG_CRYPTO_GHASH: enabled (as module)
      - CONFIG_XFRM: missing
      - CONFIG_XFRM_USER: missing
      - CONFIG_XFRM_ALGO: missing
      - CONFIG_INET_ESP: missing
      - CONFIG_INET_XFRM_MODE_TRANSPORT: missing
- Storage Drivers:
  - "overlay":
    - CONFIG_OVERLAY_FS: enabled (as module)

STATUS: pass
```
3. Disable the firewall (default policy allows all traffic)
4. Start K3s server
5. Check the iptables rules added by K3s:
```
$ iptables -nvL
Chain INPUT (policy ACCEPT 16833 packets, 3787K bytes)
 pkts bytes target prot opt in out source destination
 1237  104K KUBE-PROXY-FIREWALL 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes load balancer firewall */
13477 2499K KUBE-NODEPORTS 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes health check service ports */
 1237  104K KUBE-EXTERNAL-SERVICES 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes externally-visible service portals */
16833 3787K KUBE-ROUTER-INPUT 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kube-router netpol - 4IA2OSFRMVNDXBVV */
16833 3787K KUBE-FIREWALL 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 KUBE-PROXY-FIREWALL 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes load balancer firewall */
    0     0 KUBE-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes forwarding rules */
    0     0 KUBE-SERVICES 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
    0     0 KUBE-EXTERNAL-SERVICES 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes externally-visible service portals */
    0     0 FLANNEL-FWD 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* flanneld forward */
    0     0 KUBE-ROUTER-FORWARD 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kube-router netpol - TEMCG2JMHZYE7H7T */

Chain OUTPUT (policy ACCEPT 17079 packets, 4687K bytes)
 pkts bytes target prot opt in out source destination
  886 70988 KUBE-PROXY-FIREWALL 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes load balancer firewall */
  886 70988 KUBE-SERVICES 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW /* kubernetes service portals */
17079 4687K KUBE-ROUTER-OUTPUT 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kube-router netpol - VEAAIY32XVBHCSCY */
17079 4687K KUBE-FIREWALL 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain FLANNEL-FWD (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- * * 10.42.0.0/16 0.0.0.0/0 /* flanneld forward */
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 10.42.0.0/16 /* flanneld forward */

Chain KUBE-EXTERNAL-SERVICES (2 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-FIREWALL (2 references)
 pkts bytes target prot opt in out source destination
    0     0 DROP 0 -- * * !127.0.0.0/8 127.0.0.0/8 /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT
    0     0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000

Chain KUBE-FORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-KUBELET-CANARY (0 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-NODEPORTS (1 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-NWPLCY-DEFAULT (0 references)
 pkts bytes target prot opt in out source destination
    0     0 MARK 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* rule to mark traffic matching a network policy */ MARK or 0x10000

Chain KUBE-PROXY-CANARY (0 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-PROXY-FIREWALL (3 references)
 pkts bytes target prot opt in out source destination

Chain KUBE-ROUTER-FORWARD (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-INPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN 0 -- * * 0.0.0.0/0 10.43.0.0/16 /* allow traffic to primary cluster IP range - TZZOAXOCHPHEHX7M */
    0     0 RETURN 6 -- * * 0.0.0.0/0 0.0.0.0/0 /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 RETURN 17 -- * * 0.0.0.0/0 0.0.0.0/0 /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-OUTPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-SERVICES (2 references)
 pkts bytes target prot opt in out source destination
```
6. Check pod status
7. Check the logs of the failing pods (their events and logs are shown above)
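The filter-table dump in step 5 above does not cover the nat table; the DNAT from 10.43.0.1:443 to the apiserver and the related masquerading are installed by kube-proxy there, which may be the more interesting place to look (conntrack is part of conntrack-tools):
```
# Service DNAT and masquerade rules installed by kube-proxy
$ iptables -t nat -nvL KUBE-SERVICES
$ iptables -t nat -nvL POSTROUTING

# Check whether connections to the service IP are being translated at all
$ conntrack -L -d 10.43.0.1
```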