kubernetes-retired / kubeadm-dind-cluster

[EOL] A Kubernetes multi-node test cluster based on kubeadm
Apache License 2.0

Calico on 1.14 fails because kernel has loose RPF checking configured #311

Closed cewood closed 5 years ago

cewood commented 5 years ago

When using Calico on 1.14 the calico-node pods go into a crash-loop because they detect the kernel has RPF checking set to 'loose':

```
[FATAL][1343] int_dataplane.go 824: Kernel's RPF check is set to 'loose'. This would allow endpoints to spoof their IP address. Calico requires net.ipv4.conf.all.rp_filter to be set to 0 or 1. If you require loose RPF and you are not concerned about spoofing, this check can be disabled by setting the IgnoreLooseRPF configuration parameter to 'true'.
```

Looking at the Calico documentation https://docs.projectcalico.org/v3.0/reference/felix/configuration#iptables-dataplane-configuration they have a setting to ignore this situation: the IgnoreLooseRPF config setting, or the FELIX_IGNORELOOSERPF environment variable.

I've looked for a way to override the default Calico configuration that kubeadm-dind-cluster applies during setup, but wasn't able to find anything. For the time being I've tested that this fixes the problem I've encountered by manually editing the calico-node daemonset to include the FELIX_IGNORELOOSERPF environment variable as documented.
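
An added example, not part of the original issue or of kubeadm-dind-cluster: a shell audit of the `rp_filter` values behind the fatal log above, useful on a node before choosing between setting `net.ipv4.conf.all.rp_filter` to 1 and setting `FELIX_IGNORELOOSERPF`. The function names and the `RPF_ROOT` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit reverse-path-filter (RPF) settings on a node.
# rp_filter values per the kernel ip-sysctl docs: 0 = off, 1 = strict, 2 = loose.

# Directory with per-interface settings. Overridable (an assumption of this
# example) so the functions can run against a constructed tree.
RPF_ROOT="${RPF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print the rp_filter value stored for one conf entry (0 if unreadable).
rpf_read() {
    cat "$RPF_ROOT/$1/rp_filter" 2>/dev/null || echo 0
}

# Effective value for an interface: the kernel uses max(conf/all, conf/<iface>).
rpf_effective() {
    all=$(rpf_read all)
    own=$(rpf_read "$1")
    if [ "$own" -gt "$all" ]; then echo "$own"; else echo "$all"; fi
}

# The requirement stated in the log message: conf/all must be 0 or 1.
# Returns 0 when it is met, 1 when conf/all is loose (2) or anything else.
rpf_calico_ok() {
    case "$(rpf_read all)" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# List interfaces whose effective mode is loose (2), one per line.
rpf_loose_ifaces() {
    for d in "$RPF_ROOT"/*/; do
        name=$(basename "$d")
        case "$name" in all|default) continue ;; esac
        if [ "$(rpf_effective "$name")" -eq 2 ]; then echo "$name"; fi
    done
    return 0
}

if rpf_calico_ok; then
    echo "conf/all rp_filter is 0 or 1: the calico-node check passes"
else
    echo "conf/all rp_filter is loose; strict mode: sysctl -w net.ipv4.conf.all.rp_filter=1"
fi
# An interface can still be loose on its own even when conf/all is 0 or 1.
rpf_loose_ifaces | sed 's/^/loose RPF in effect on: /'
```

Setting the value to 1 keeps the anti-spoofing check the log message refers to, whereas `FELIX_IGNORELOOSERPF` only silences it.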

mrbobbytables commented 5 years ago

Closing as this project is being deprecated and retired in favor of KinD.

Please see this issue for more details: https://github.com/kubernetes/org/issues/1016

/close

k8s-ci-robot commented 5 years ago

@mrbobbytables: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/kubeadm-dind-cluster/issues/311#issuecomment-515756934):

>Closing as this project is being deprecated and retired in favor of [KinD](https://github.com/kubernetes-sigs/kind).
>
>Please see this issue for more details:
>https://github.com/kubernetes/org/issues/1016
>
>/close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.