kubeovn / kube-ovn

A Bridge between SDN and Cloud Native (Project under CNCF)
https://kubeovn.github.io/docs/stable/en/
Apache License 2.0

[BUG] TPROXY fails to add iptables rules if probe use a named port #4331

Open CiraciNicolo opened 1 month ago

CiraciNicolo commented 1 month ago

Kube-OVN Version

v1.12.19

Kubernetes Version

v.1.9.6

Operation-system/Kernel Version

"Ubuntu 22.04.4 LTS" 5.15.0-116-generic

Description

The TPROXY feature is failing if a probe is using a named port instead of a port number

Steps To Reproduce

  1. Deploy an application with a liveness probe with the following syntax:
    livenessProbe:
      httpGet:
        port: http-healthz
        path: /livez
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 15
      successThreshold: 1
      failureThreshold: 8

    This example is taken from cert-manager

Current Behavior

The probe fails and the tproxy logs report the following error:

 exit status 2: iptables v1.8.7 (nf_tables): invalid port/service `http-healthz' specified

Expected Behavior

Probes should work. TPROXY should not use the port name but should try to infer the port number from the ports definition. Furthermore, TPROXY just stops working and no further proxies are applied in the node.

Current workaround

Edit the deployment and use the port number
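
The resolution step the report asks for, as an added example that is not part of the original issue and is not Kube-OVN's code: a probe port given by name is looked up in the container's port list, and only a validated number is turned into iptables arguments. The `ContainerPort` type, the function names and the port number 6080 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strconv"
)

// ContainerPort is a hypothetical stand-in for one container ports entry.
type ContainerPort struct {
	Name   string
	Number int
}

// ResolveProbePort maps a probe port given as a number or a port name to a
// validated numeric port, so a name never reaches the iptables arguments.
func ResolveProbePort(probePort string, ports []ContainerPort) (int, error) {
	n, err := strconv.Atoi(probePort)
	if err != nil { // not numeric: look it up as a named container port
		found := false
		for _, p := range ports {
			if p.Name == probePort {
				n, found = p.Number, true
				break
			}
		}
		if !found {
			return 0, fmt.Errorf("named port %q not found in container ports", probePort)
		}
	}
	if n < 1 || n > 65535 {
		return 0, fmt.Errorf("probe port %d out of range", n)
	}
	return n, nil
}

// DportArgs returns the port-match arguments for one probe, or an error.
func DportArgs(probePort string, ports []ContainerPort) ([]string, error) {
	n, err := ResolveProbePort(probePort, ports)
	if err != nil {
		return nil, err
	}
	return []string{"-p", "tcp", "--dport", strconv.Itoa(n)}, nil
}

func main() {
	ports := []ContainerPort{{Name: "http-healthz", Number: 6080}} // constructed sample
	fmt.Println(DportArgs("http-healthz", ports))
	fmt.Println(DportArgs("metrics", ports))
}
```

Returning an error per probe lets the caller log the unresolved name and continue with the remaining probes on the node.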

CiraciNicolo commented 1 month ago

Also, I don't know if related, I see a lot of errors:

kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:43.303677 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:43.318113 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:44.413434 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:44.427963 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:44.442445 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:45.541091 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:45.556966 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:45.572167 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:46.685740 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:46.700273 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:47.814334 2724900 tproxy_tcp_linux.go:219] connection refused
kube-system/kube-ovn-cni-hh5fb[cni-server]: E0723 12:23:47.829467 2724900 tproxy_tcp_linux.go:219] connection refuse

Maybe more verbose logs should ease the troubleshooting?

oilbeater commented 1 month ago

@changluyi can you take a look at this?