Open HenryXie1 opened 1 year ago
We have the same issue . Welcome to help to review the https://github.com/projectcalico/calico/pull/7111 :-)
Hi @HenryXie1, #7111 has been merged into Calico v3.25, which fixes this issue
Hi @MichalFupso, the https://github.com/projectcalico/calico/pull/7111 is merged into Calico v3.26, and the cherry-pick https://github.com/projectcalico/calico/pull/7460 is for Calico v3.25.
Hi, @yankay Thanks for your input
I happen to notice this PR https://github.com/projectcalico/calico/pull/4322
https://www.tigera.io/blog/whats-new-in-calico-v3-12/
It seems the fix was included in 3.12; not sure how that works with your PR https://github.com/projectcalico/calico/pull/7460
Hi @HenryXie1
Following the description of the issue, the issue is the same as https://github.com/projectcalico/calico/issues/2322. The auto-detect logic on RHEL/CentOS 8 detects "auto" as legacy instead of NFT, and that causes the issue.
There is a blog article about the issue: https://mihail-milev.medium.com/no-pod-to-pod-communication-on-centos-8-kubernetes-with-calico-56d694d2a6f4
The https://github.com/projectcalico/calico/pull/7111 and https://github.com/projectcalico/calico/pull/7460 are meant to fix the issue.
Thanks @yankay. I read the blog and implemented Calico version 3.24 with RHEL 8 iptables-nft. I discovered that the issue mentioned in https://github.com/projectcalico/calico/issues/2322 had been resolved, as new iptables nft rules were created. However, when I checked the calico-node by running the command iptables -V, it still showed iptables legacy.
I am not sure how this works in version 3.24 without the PRs mentioned in https://github.com/projectcalico/calico/pull/7111 and https://github.com/projectcalico/calico/pull/7460.
We have upgraded the worker node to RHEL 8; it has iptables-nft enabled (iptables -V --> iptables-nft in the OS).
We are currently using the Calico daemonset version 3.24, and according to the documentation, it should automatically detect the version of iptables on RHEL 8. We have verified this information through the following links: https://github.com/projectcalico/calico/issues/2322, and https://github.com/projectcalico/calico/pull/4322.
However, when we run the command "kubectl exec -it calico-nodes-*** -- iptables -V", it shows that the version being used is iptables v1.8.4 (legacy). Even when we added the environment variable FELIX_IPTABLESBACKEND with the value "Auto" and rolled the pods, the legacy version of iptables was still being used.
We are confused because despite this information, when we run the "iptables -V" command on the Calico node, it still shows the legacy version of iptables. Could you please provide clarification on this matter?
Meanwhile I found https://github.com/projectcalico/calico/pull/7111 is still open (not merged), so it seems the issue is not fixed, and I wonder how Calico implemented the iptables automatic detection feature. Or did I miss something? Thank you
@caseydavenport Thank you
Expected Behavior
When worker nodes upgrade to RHEL 8, kubectl exec -it calico-nodes-*** -- iptables -V --> iptables-nft
Current Behavior
With Calico 3.24 and RHEL 8, when we run the command "kubectl exec -it calico-nodes-*** -- iptables -V", it shows that the version being used is iptables v1.8.4 (legacy)
Possible Solution
no
Steps to Reproduce (for bugs)
1. 2. 3. 4.
Context
Your Environment
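The thread turns on two separate checks that are easy to conflate: what `iptables -V` reports inside the calico-node container, and which backend an "Auto" detection would pick from the rule tables on the host. The script below is an added example written for this page, not Calico's code: `backend_from_version` classifies an `iptables -V` line, and `detect_backend` applies a rule-count heuristic over `iptables-legacy-save` and `iptables-nft-save` dumps. The heuristic (prefer nft only when nft holds rules and the legacy table is empty, otherwise fall back to legacy) is an assumption that approximates the behaviour the thread describes, and all dumps are constructed sample data, so it runs offline.

```shell
#!/bin/sh
# Added example, not Calico's own code. Two defender-side checks for the
# question in this thread: which iptables backend a node or a calico-node
# container is actually using.
#
# ASSUMPTION: detect_backend approximates Felix's "Auto" mode with a simple
# rule-count heuristic; it is not Calico's source. Sample dumps are constructed.

# backend_from_version "<one line of iptables -V output>" -> legacy | nf_tables | unknown
backend_from_version() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# count_rules "<iptables-save style dump>" -> number of "-A ..." rule lines
count_rules() {
    # grep -c exits 1 when the count is 0; that is still a valid answer here
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# detect_backend "<legacy dump>" "<nft dump>" -> nft | legacy
# Picks nft only when the nft tables hold rules and the legacy tables are empty;
# any other combination (both populated, both empty) falls back to legacy.
detect_backend() {
    legacy_rules=$(count_rules "$1")
    nft_rules=$(count_rules "$2")
    if [ "$nft_rules" -gt 0 ] && [ "$legacy_rules" -eq 0 ]; then
        echo nft
    else
        echo legacy
    fi
}

# Constructed sample dumps (not captured from a real node).
LEGACY_EMPTY='# Generated by iptables-legacy-save
*filter
:INPUT ACCEPT [0:0]
COMMIT'
NFT_WITH_RULES='# Generated by iptables-nft-save
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT'
LEGACY_WITH_RULES='*filter
-A INPUT -j ACCEPT
COMMIT'

# On a real cluster the inputs would come from (not run here):
#   kubectl exec -it <calico-node-pod> -- iptables -V
#   iptables-legacy-save 2>/dev/null ; iptables-nft-save 2>/dev/null
backend_from_version "iptables v1.8.4 (legacy)"       # legacy
detect_backend "$LEGACY_EMPTY" "$NFT_WITH_RULES"       # nft
detect_backend "$LEGACY_WITH_RULES" "$NFT_WITH_RULES"  # legacy (both populated -> fallback)
```

The third call is the case worth watching on a RHEL 8 host: if the legacy tables are not empty (for example because a legacy binary loaded ip_tables and left rules behind), a "prefer legacy unless legacy is empty" heuristic lands on legacy even though the OS default is iptables-nft, which is the symptom reported above. Comparing the two save dumps on the node, rather than only reading `iptables -V` inside the container, shows which tables actually hold the rules.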