projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Can't ping another pod across the nodes via IPIPCrossSubnet #7462

Closed 631068264 closed 1 year ago

631068264 commented 1 year ago

Apply this Deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dnsutils
  labels:
    app: dnsutils
spec:
  selector:
    matchLabels:
      app: dnsutils
  replicas: 3
  template:
    metadata:
      labels:
        app: dnsutils
    spec:
      containers:
      - name: dnsutils
        image: mydlqclub/dnsutils:1.3
        command: ["sleep","3600"]
```

Nodes 155, 57 and 53 are in the same subnet.

```text
dnsutils-67865b6fb5-j5mg8   1/1     Running   0          15s   10.42.221.130   xxx.155   <none>           <none>
dnsutils-67865b6fb5-xxs79   1/1     Running   0          15s   10.42.139.134   xxx.57    <none>           <none>
dnsutils-67865b6fb5-z9vvd   1/1     Running   0          15s   10.42.225.196   xxx.53    <none>           <none>
```

Only the pod on Node A can ping itself; it can't ping the pod on Node B or Node C, and the other dnsutils pods behave the same.

```text
kubectl exec -it pod/dnsutils-67865b6fb5-j5mg8 -- /bin/sh

traceroute 10.42.139.134
traceroute to 10.42.139.134 (10.42.139.134), 30 hops max, 46 byte packets
 1  xxx-155.kubernetes.default.svc.cluster.local (xxx.155)  0.008 ms  0.004 ms  0.004 ms
 2  *  *  *
 3  *  *  *
 4  *
```

On xxx.155:

```text
ip route|grep bird

10.42.139.128/26 via xxxx.57 dev eth0 proto bird 
blackhole 10.42.221.128/26 proto bird 
10.42.225.192/26 via xxx.53 dev eth0 proto bird 
```

`kubectl get installation -o yaml`

```yaml
apiVersion: v1
items:
- apiVersion: operator.tigera.io/v1
  kind: Installation
.......
  spec:
    calicoNetwork:
      bgp: Enabled
      hostPorts: Enabled
      ipPools:
      - blockSize: 26
        cidr: 10.42.0.0/16
        disableBGPExport: false
        encapsulation: IPIPCrossSubnet
        natOutgoing: Enabled
        nodeSelector: all()
      linuxDataplane: Iptables
      multiInterfaceMode: None
      nodeAddressAutodetectionV4:
        firstFound: true
    cni:
      ipam:
        type: Calico
      type: Calico
    controlPlaneReplicas: 2
    flexVolumePath: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/
    imagePullSecrets: []
    kubeletVolumePluginPath: /var/lib/kubelet
    kubernetesProvider: ""
    nodeUpdateStrategy:
      rollingUpdate:
        maxUnavailable: 1
      type: RollingUpdate
    nonPrivileged: Disabled
    variant: Calico
```

If I use `encapsulation: IPIP`, it can ping.

Context

Your Environment

calicoctl node diags

diags-20230313_215827.tar.gz

sridhartigera commented 1 year ago

@631068264 Do you see the packets at the destination node?

631068264 commented 1 year ago

According to this, there are no packets at the destination node. This pod is on node 155. Following the route, it can't reach 57, the destination node.

```text
kubectl exec -it pod/dnsutils-67865b6fb5-j5mg8 -- /bin/sh

traceroute 10.42.139.134
traceroute to 10.42.139.134 (10.42.139.134), 30 hops max, 46 byte packets
 1  xxx-155.kubernetes.default.svc.cluster.local (xxx.155)  0.008 ms  0.004 ms  0.004 ms
 2  *  *  *
 3  *  *  *
 4  *
```

sridhartigera commented 1 year ago

@631068264 Do the nodes have the src-dest check turned on? For example, in AWS the src-dest check needs to be turned off for this to work.
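As an added illustration (not code from the thread or from Calico itself), here is the route classification the replies are circling: under `IPIPCrossSubnet`, a `via <peer> dev eth0 proto bird` route means Calico judged the peer to be on the node's own subnet and sends pod traffic to it unencapsulated, so the underlay must forward packets whose source and destination are pod IPs, which a source/destination check on the host NIC will drop. The node address, prefix length and the `192.0.2.x` / `198.51.100.x` addresses below are constructed placeholders for the redacted `xxx.N` hosts.

```python
import ipaddress
import re

# Constructed sample: the BIRD routes the issue shows on node xxx.155 (192.0.2.0/24
# stands in for the redacted subnet), plus an assumed IPIP route to a peer elsewhere.
SAMPLE_ROUTES = """\
10.42.139.128/26 via 192.0.2.57 dev eth0 proto bird
blackhole 10.42.221.128/26 proto bird
10.42.225.192/26 via 192.0.2.53 dev eth0 proto bird
10.42.7.0/26 via 198.51.100.9 dev tunl0 proto bird onlink
"""

ROUTE_RE = re.compile(
    r"^(?P<blackhole>blackhole )?(?P<cidr>\S+)"
    r"(?: via (?P<via>\S+))?(?: dev (?P<dev>\S+))?.*proto bird"
)

def classify_bird_routes(route_text, node_ip, prefix_len):
    """Return [(cidr, verdict)] for each 'proto bird' route on a node whose
    address is node_ip/prefix_len (subnet assumed known to the caller).
      local         blackhole for this node's own IPAM block
      encapsulated  next hop reached through a tunnel device (tunl0 = IPIP)
      same-subnet   plain route to a peer in the node's subnet: CrossSubnet
                    skipped encapsulation, so the underlay sees pod IPs
      cross-subnet  plain route to a peer outside the subnet (unexpected)
    """
    local_net = ipaddress.ip_interface(f"{node_ip}/{prefix_len}").network
    results = []
    for line in route_text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dev = m.group("dev") or ""
        if m.group("blackhole"):
            verdict = "local"
        elif dev.startswith(("tunl", "vxlan", "wireguard")):
            verdict = "encapsulated"
        elif ipaddress.ip_address(m.group("via")) in local_net:
            verdict = "same-subnet"
        else:
            verdict = "cross-subnet"
        results.append((m.group("cidr"), verdict))
    return results

def blocks_needing_underlay_forwarding(results):
    """Blocks whose packets leave the node with pod IPs in the outer header:
    these break if the underlay drops traffic not addressed to/from the node
    itself (the AWS source/destination check raised in the thread)."""
    return [cidr for cidr, verdict in results if verdict == "same-subnet"]
```

Run it against the real `ip route | grep bird` output of a node, with that node's address and prefix, to see which peer blocks depend on the underlay forwarding pod-addressed packets.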

sridhartigera commented 1 year ago

Closing this due to inactivity. Feel free to reopen if there is any update.