K
Q

Cannot connect to service of it's own from inside pod on kubernetes 1.6

4/7/2017

I created service and deployment. Now from inside the pod I'm trying to connect to it's own service. It gets times out after few minutes.

This works perfectly fine on kubenetes 1.5.x but not 1.6.x. FYI - created kubernetes cluster using kubeadm tool and using weave as network plugin.

Cluster dump: https://drive.google.com/file/d/0ByZSwkp_d2U-aFREc3E5SjRCVFU/view?usp=sharing

Connecting to kafka service from other container

root@falkonry-redis-0:/data# curl -v http://falkonry-kafka:9092          
* About to connect() to falkonry-kafka port 9092 (#0)
*   Trying 10.99.232.10...
* connected
* Connected to falkonry-kafka (10.99.232.10) port 9092 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: falkonry-kafka:9092
> Accept: */*
> 
* additional stuff not fine transfer.c:1037: 0 0
* Recv failure: Connection reset by peer
* Closing connection #0
curl: (56) Recv failure: Connection reset by peer

Connecting to kafka service from inside kafka container

root@falkonry-kafka-56017906-9qlg3:/# curl -v http://falkonry-kafka:9092
* Rebuilt URL to: http://falkonry-kafka:9092/
* Hostname was NOT found in DNS cache
*   Trying 10.99.232.10...
^C

Request never finishes.

Service and deployment

Phaguns-MacBook-Pro:falkonryagent phagunbaya$ kubectl describe service falkonry-kafka
Name:           falkonry-kafka
Namespace:      default
Labels:         function=kafka
            party=falkonry
Selector:       name=falkonry-kafka
Type:           ClusterIP
IP:         10.99.232.10
Port:           kafka   9092/TCP
Endpoints:      10.32.0.7:9092
Session Affinity:   None
No events.

Phaguns-MacBook-Pro:falkonryagent phagunbaya$ kubectl describe deployment falkonry-kafka
Name:           falkonry-kafka
Namespace:      default
CreationTimestamp:  Thu, 06 Apr 2017 16:58:36 -0700
Labels:         function=kafka
            party=falkonry
Selector:       function=kafka,name=falkonry-kafka
Replicas:       1 updated | 1 total | 1 available | 0 unavailable
StrategyType:       RollingUpdate
MinReadySeconds:    0
RollingUpdateStrategy:  1 max unavailable, 1 max surge
Conditions:
  Type      Status  Reason
  ----      ------  ------
  Available     True    MinimumReplicasAvailable
OldReplicaSets: <none>
NewReplicaSet:  falkonry-kafka-56017906 (1/1 replicas created)
No events.

iptables-save output

# Generated by iptables-save v1.4.21 on Fri Apr  7 12:16:32 2017
*nat
:PREROUTING ACCEPT [1:60]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [12:720]
:POSTROUTING ACCEPT [16:1038]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-4QD2LE2R2TODS2YV - [0:0]
:KUBE-SEP-6K3WNWFYOAH5UDZ7 - [0:0]
:KUBE-SEP-AR5TRSQMIM2F553H - [0:0]
:KUBE-SEP-BIZOCAOAPTCX4WBC - [0:0]
:KUBE-SEP-F7NTE7AMKDKNWUUF - [0:0]
:KUBE-SEP-FV6ZZ4EMBZMV4DQ5 - [0:0]
:KUBE-SEP-HVHMJPRJS2UA65HH - [0:0]
:KUBE-SEP-IBDVBYXSRD6MIAGE - [0:0]
:KUBE-SEP-KDTJFZVKN4ESIN24 - [0:0]
:KUBE-SEP-KNER6ASWBX763QL7 - [0:0]
:KUBE-SEP-NGQUCFCRE45KSL73 - [0:0]
:KUBE-SEP-NYKTVPUDBMHXGWAX - [0:0]
:KUBE-SEP-QLLLKZOFDP244LAS - [0:0]
:KUBE-SEP-RBQF4CU7COIZTWDJ - [0:0]
:KUBE-SEP-SX34LAYKH37CF5LT - [0:0]
:KUBE-SEP-SZZ7MOWKTWUFXIJT - [0:0]
:KUBE-SEP-TZPDA6OWOVPRIIUZ - [0:0]
:KUBE-SEP-UJJNLSZU6HL4F5UO - [0:0]
:KUBE-SEP-W4RNB3VXXTJ3LGHB - [0:0]
:KUBE-SEP-YYIR7TZA6ZBQSUSF - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-BL55CP3MKKB53NTC - [0:0]
:KUBE-SVC-BV4E552EX2CNKPCU - [0:0]
:KUBE-SVC-BYB5G3MHEBYVN43P - [0:0]
:KUBE-SVC-C64CQIO6Z225CXIH - [0:0]
:KUBE-SVC-CAVFOYOJQPPKKFSK - [0:0]
:KUBE-SVC-DM7TKUYSW7TW345O - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-NTZIAVXWXJCS7DKZ - [0:0]
:KUBE-SVC-PJO6V2NNIUDO2DKL - [0:0]
:KUBE-SVC-QIJ4ARI55YRJ76JG - [0:0]
:KUBE-SVC-QQGUGJWMO5HSN6XL - [0:0]
:KUBE-SVC-RVQUD6RAXHQPQF3I - [0:0]
:KUBE-SVC-SZGELJVIQ5IRMA57 - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-U6PKKNLWPXOUUWIP - [0:0]
:KUBE-SVC-XGPIXF43F4GLZBG7 - [0:0]
:KUBE-SVC-Y4IVC7EWPWRMUFRE - [0:0]
:WEAVE - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.50.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j WEAVE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp --dport 30061 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp --dport 30061 -j KUBE-SVC-SZGELJVIQ5IRMA57
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-4QD2LE2R2TODS2YV -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:rest" -j KUBE-MARK-MASQ
-A KUBE-SEP-4QD2LE2R2TODS2YV -p tcp -m comment --comment "default/falkonry-spark-master:rest" -m tcp -j DNAT --to-destination 10.44.0.6:6066
-A KUBE-SEP-6K3WNWFYOAH5UDZ7 -s 10.32.0.4/32 -m comment --comment "default/falkonry-kafka:kafka" -j KUBE-MARK-MASQ
-A KUBE-SEP-6K3WNWFYOAH5UDZ7 -p tcp -m comment --comment "default/falkonry-kafka:kafka" -m tcp -j DNAT --to-destination 10.32.0.4:9092
-A KUBE-SEP-AR5TRSQMIM2F553H -s 10.24.10.4/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-AR5TRSQMIM2F553H -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-AR5TRSQMIM2F553H --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.24.10.4:6443
-A KUBE-SEP-BIZOCAOAPTCX4WBC -s 10.44.0.3/32 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-MARK-MASQ
-A KUBE-SEP-BIZOCAOAPTCX4WBC -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp -j DNAT --to-destination 10.44.0.3:8080
-A KUBE-SEP-F7NTE7AMKDKNWUUF -s 10.42.0.3/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-F7NTE7AMKDKNWUUF -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.42.0.3:8000
-A KUBE-SEP-FV6ZZ4EMBZMV4DQ5 -s 10.32.0.10/32 -m comment --comment "default/falkonry-redis:redis-cli" -j KUBE-MARK-MASQ
-A KUBE-SEP-FV6ZZ4EMBZMV4DQ5 -p tcp -m comment --comment "default/falkonry-redis:redis-cli" -m tcp -j DNAT --to-destination 10.32.0.10:6379
-A KUBE-SEP-HVHMJPRJS2UA65HH -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:namenode-ui" -j KUBE-MARK-MASQ
-A KUBE-SEP-HVHMJPRJS2UA65HH -p tcp -m comment --comment "default/falkonry-hadoop:namenode-ui" -m tcp -j DNAT --to-destination 10.32.0.7:50070
-A KUBE-SEP-IBDVBYXSRD6MIAGE -s 10.44.0.5/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-IBDVBYXSRD6MIAGE -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.44.0.5:8000
-A KUBE-SEP-KDTJFZVKN4ESIN24 -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:datanode" -j KUBE-MARK-MASQ
-A KUBE-SEP-KDTJFZVKN4ESIN24 -p tcp -m comment --comment "default/falkonry-hadoop:datanode" -m tcp -j DNAT --to-destination 10.32.0.7:50010
-A KUBE-SEP-KNER6ASWBX763QL7 -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:datanode-ui" -j KUBE-MARK-MASQ
-A KUBE-SEP-KNER6ASWBX763QL7 -p tcp -m comment --comment "default/falkonry-hadoop:datanode-ui" -m tcp -j DNAT --to-destination 10.32.0.7:50075
-A KUBE-SEP-NGQUCFCRE45KSL73 -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:webui" -j KUBE-MARK-MASQ
-A KUBE-SEP-NGQUCFCRE45KSL73 -p tcp -m comment --comment "default/falkonry-spark-master:webui" -m tcp -j DNAT --to-destination 10.44.0.6:8080
-A KUBE-SEP-NYKTVPUDBMHXGWAX -s 10.44.0.6/32 -m comment --comment "default/falkonry-spark-master:akka" -j KUBE-MARK-MASQ
-A KUBE-SEP-NYKTVPUDBMHXGWAX -p tcp -m comment --comment "default/falkonry-spark-master:akka" -m tcp -j DNAT --to-destination 10.44.0.6:7077
-A KUBE-SEP-QLLLKZOFDP244LAS -s 10.42.0.1/32 -m comment --comment "default/falkonry-connector:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-QLLLKZOFDP244LAS -p tcp -m comment --comment "default/falkonry-connector:http" -m tcp -j DNAT --to-destination 10.42.0.1:8001
-A KUBE-SEP-RBQF4CU7COIZTWDJ -s 10.32.0.6/32 -m comment --comment "default/falkonry-zookeeper:zookeeper" -j KUBE-MARK-MASQ
-A KUBE-SEP-RBQF4CU7COIZTWDJ -p tcp -m comment --comment "default/falkonry-zookeeper:zookeeper" -m tcp -j DNAT --to-destination 10.32.0.6:2181
-A KUBE-SEP-SX34LAYKH37CF5LT -s 10.42.0.2/32 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-MARK-MASQ
-A KUBE-SEP-SX34LAYKH37CF5LT -p tcp -m comment --comment "default/falkonry-merlin:merlin-web" -m tcp -j DNAT --to-destination 10.42.0.2:8080
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-SZZ7MOWKTWUFXIJT -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-TZPDA6OWOVPRIIUZ -s 10.32.0.3/32 -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-TZPDA6OWOVPRIIUZ -p tcp -m comment --comment "default/falkonry-riactor:riactor-http" -m tcp -j DNAT --to-destination 10.32.0.3:8000
-A KUBE-SEP-UJJNLSZU6HL4F5UO -s 10.32.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-UJJNLSZU6HL4F5UO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.32.0.2:53
-A KUBE-SEP-W4RNB3VXXTJ3LGHB -s 10.32.0.8/32 -m comment --comment "default/falkonry-mongo:mongo-http" -j KUBE-MARK-MASQ
-A KUBE-SEP-W4RNB3VXXTJ3LGHB -p tcp -m comment --comment "default/falkonry-mongo:mongo-http" -m tcp -j DNAT --to-destination 10.32.0.8:27017
-A KUBE-SEP-YYIR7TZA6ZBQSUSF -s 10.32.0.7/32 -m comment --comment "default/falkonry-hadoop:namenode" -j KUBE-MARK-MASQ
-A KUBE-SEP-YYIR7TZA6ZBQSUSF -p tcp -m comment --comment "default/falkonry-hadoop:namenode" -m tcp -j DNAT --to-destination 10.32.0.7:8020
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:akka cluster IP" -m tcp --dport 7077 -j KUBE-SVC-CAVFOYOJQPPKKFSK
-A KUBE-SERVICES -d 10.111.87.193/32 -p tcp -m comment --comment "default/falkonryagent:agent-web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-QQGUGJWMO5HSN6XL
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.107.140.112/32 -p tcp -m comment --comment "default/falkonry-zookeeper:zookeeper cluster IP" -m tcp --dport 2181 -j KUBE-SVC-BYB5G3MHEBYVN43P
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:datanode cluster IP" -m tcp --dport 50010 -j KUBE-SVC-NTZIAVXWXJCS7DKZ
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:datanode-ui cluster IP" -m tcp --dport 50075 -j KUBE-SVC-BL55CP3MKKB53NTC
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.111.174.212/32 -p tcp -m comment --comment "default/falkonry-merlin:merlin-web cluster IP" -m tcp --dport 8080 -j KUBE-SVC-SZGELJVIQ5IRMA57
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:rest cluster IP" -m tcp --dport 6066 -j KUBE-SVC-DM7TKUYSW7TW345O
-A KUBE-SERVICES -d 10.103.204.121/32 -p tcp -m comment --comment "default/falkonry-spark-master:webui cluster IP" -m tcp --dport 8080 -j KUBE-SVC-QIJ4ARI55YRJ76JG
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:namenode cluster IP" -m tcp --dport 9000 -j KUBE-SVC-BV4E552EX2CNKPCU
-A KUBE-SERVICES -d 10.106.78.154/32 -p tcp -m comment --comment "default/falkonry-hadoop:namenode-ui cluster IP" -m tcp --dport 50070 -j KUBE-SVC-U6PKKNLWPXOUUWIP
-A KUBE-SERVICES -d 10.98.38.82/32 -p tcp -m comment --comment "default/falkonry-mongo:mongo-http cluster IP" -m tcp --dport 27017 -j KUBE-SVC-Y4IVC7EWPWRMUFRE
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.90.91/32 -p tcp -m comment --comment "default/falkonry-redis:redis-cli cluster IP" -m tcp --dport 6379 -j KUBE-SVC-PJO6V2NNIUDO2DKL
-A KUBE-SERVICES -d 10.99.232.10/32 -p tcp -m comment --comment "default/falkonry-kafka:kafka cluster IP" -m tcp --dport 9092 -j KUBE-SVC-XGPIXF43F4GLZBG7
-A KUBE-SERVICES -d 10.100.203.65/32 -p tcp -m comment --comment "default/falkonry-riactor:riactor-http cluster IP" -m tcp --dport 8000 -j KUBE-SVC-C64CQIO6Z225CXIH
-A KUBE-SERVICES -d 10.110.120.177/32 -p tcp -m comment --comment "default/falkonry-connector:http cluster IP" -m tcp --dport 8001 -j KUBE-SVC-RVQUD6RAXHQPQF3I
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-BL55CP3MKKB53NTC -m comment --comment "default/falkonry-hadoop:datanode-ui" -j KUBE-SEP-KNER6ASWBX763QL7
-A KUBE-SVC-BV4E552EX2CNKPCU -m comment --comment "default/falkonry-hadoop:namenode" -j KUBE-SEP-YYIR7TZA6ZBQSUSF
-A KUBE-SVC-BYB5G3MHEBYVN43P -m comment --comment "default/falkonry-zookeeper:zookeeper" -j KUBE-SEP-RBQF4CU7COIZTWDJ
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-TZPDA6OWOVPRIIUZ
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-F7NTE7AMKDKNWUUF
-A KUBE-SVC-C64CQIO6Z225CXIH -m comment --comment "default/falkonry-riactor:riactor-http" -j KUBE-SEP-IBDVBYXSRD6MIAGE
-A KUBE-SVC-CAVFOYOJQPPKKFSK -m comment --comment "default/falkonry-spark-master:akka" -j KUBE-SEP-NYKTVPUDBMHXGWAX
-A KUBE-SVC-DM7TKUYSW7TW345O -m comment --comment "default/falkonry-spark-master:rest" -j KUBE-SEP-4QD2LE2R2TODS2YV
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-UJJNLSZU6HL4F5UO
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-AR5TRSQMIM2F553H --mask 255.255.255.255 --rsource -j KUBE-SEP-AR5TRSQMIM2F553H
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-AR5TRSQMIM2F553H
-A KUBE-SVC-NTZIAVXWXJCS7DKZ -m comment --comment "default/falkonry-hadoop:datanode" -j KUBE-SEP-KDTJFZVKN4ESIN24
-A KUBE-SVC-PJO6V2NNIUDO2DKL -m comment --comment "default/falkonry-redis:redis-cli" -j KUBE-SEP-FV6ZZ4EMBZMV4DQ5
-A KUBE-SVC-QIJ4ARI55YRJ76JG -m comment --comment "default/falkonry-spark-master:webui" -j KUBE-SEP-NGQUCFCRE45KSL73
-A KUBE-SVC-RVQUD6RAXHQPQF3I -m comment --comment "default/falkonry-connector:http" -j KUBE-SEP-QLLLKZOFDP244LAS
-A KUBE-SVC-SZGELJVIQ5IRMA57 -m comment --comment "default/falkonry-merlin:merlin-web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-SX34LAYKH37CF5LT
-A KUBE-SVC-SZGELJVIQ5IRMA57 -m comment --comment "default/falkonry-merlin:merlin-web" -j KUBE-SEP-BIZOCAOAPTCX4WBC
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SZZ7MOWKTWUFXIJT
-A KUBE-SVC-U6PKKNLWPXOUUWIP -m comment --comment "default/falkonry-hadoop:namenode-ui" -j KUBE-SEP-HVHMJPRJS2UA65HH
-A KUBE-SVC-XGPIXF43F4GLZBG7 -m comment --comment "default/falkonry-kafka:kafka" -j KUBE-SEP-6K3WNWFYOAH5UDZ7
-A KUBE-SVC-Y4IVC7EWPWRMUFRE -m comment --comment "default/falkonry-mongo:mongo-http" -j KUBE-SEP-W4RNB3VXXTJ3LGHB
-A WEAVE -s 10.32.0.0/12 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 10.32.0.0/12 -d 10.32.0.0/12 -j MASQUERADE
-A WEAVE -s 10.32.0.0/12 ! -d 10.32.0.0/12 -j MASQUERADE
COMMIT
# Completed on Fri Apr  7 12:16:32 2017
# Generated by iptables-save v1.4.21 on Fri Apr  7 12:16:32 2017
*filter
:INPUT ACCEPT [741:270665]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [727:337487]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
:WEAVE-NPC - [0:0]
:WEAVE-NPC-DEFAULT - [0:0]
:WEAVE-NPC-INGRESS - [0:0]
-A INPUT -j KUBE-FIREWALL
-A INPUT -d 172.17.50.1/32 -i docker0 -p tcp -m tcp --dport 6783 -j DROP
-A INPUT -d 172.17.50.1/32 -i docker0 -p udp -m udp --dport 6783 -j DROP
-A INPUT -d 172.17.50.1/32 -i docker0 -p udp -m udp --dport 6784 -j DROP
-A INPUT -i docker0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i docker0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -i docker0 -o weave -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o weave -j WEAVE-NPC
-A FORWARD -o weave -m state --state NEW -j NFLOG --nflog-group 86
-A FORWARD -o weave -j DROP
-A FORWARD -i weave ! -o weave -j ACCEPT
-A FORWARD -o weave -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-SERVICES -d 10.111.87.193/32 -p tcp -m comment --comment "default/falkonryagent:agent-web has no endpoints" -m tcp --dport 9090 -j REJECT --reject-with icmp-port-unreachable
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
-A WEAVE-NPC-DEFAULT -m set --match-set weave-k?Z;25^M}|1s7P3|H9i;*;MhG dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-4vtqMI<kx/2]jD%_c0S%thO%V dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-iuZcey(5DeXbzgRFs8Szo]<@p dst -j ACCEPT
COMMIT
# Completed on Fri Apr  7 12:16:32 2017

Kube-proxy logs

I0406 19:42:35.453335       1 server.go:225] Using iptables Proxier.
W0406 19:42:35.559100       1 proxier.go:309] clusterCIDR not specified, unable to distinguish between internal and external traffic
I0406 19:42:35.559155       1 server.go:249] Tearing down userspace rules.
I0406 19:42:35.711702       1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_max' to 524288
I0406 19:42:35.712557       1 conntrack.go:66] Setting conntrack hashsize to 131072
I0406 19:42:35.713879       1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_established' to 86400
I0406 19:42:35.713949       1 conntrack.go:81] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_close_wait' to 3600
-- Phagun Baya
kubeadm
kubernetes

Similar Questions

Dynamic wildcard subdomain ingress for Kubernetes
Scheduling more pods than there are resources available
Apiman does not restore gateway
Kubernetes executor on Gitlab ERROR: Job failed: image pull failed

1 Answer

4/7/2017

How did you set up weave? There is a 1.6-specific configuration[1][2] that sets up an role and service account for running weave on clusters with RBAC enabled

[1] https://github.com/weaveworks/weave/blob/master/prog/weave-kube/weave-daemonset-k8s-1.6.yaml

[2] https://www.weave.works/weave-net-kubernetes-integration/

-- Jordan Liggitt
Source: StackOverflow