Something seems to be catching TCP traffic to pods

1/29/2019

I'm trying to deploy Kubernetes with Calico (IPIP) with kubeadm. After the deployment is done, I'm deploying Calico using these manifests:

kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

Before applying it, I'm editing CALICO_IPV4POOL_CIDR and setting it to 10.250.0.0/17, as well as using the command kubeadm init --pod-cidr 10.250.0.0/17.

After a few seconds the CoreDNS pods (for example one getting addr 10.250.2.2) start restarting with the error 10.250.2.2:8080 connection refused.

Now a bit of digging:

from any node in the cluster, ping 10.250.2.2 works and reaches the pod (tcpdump in the pod's net namespace shows it).

from a different pod (on a different node), curl 10.250.2.2:8080 works well

from any node, curl 10.250.2.2:8080 fails with connection refused

Because it's a CoreDNS pod it listens on 53, both UDP and TCP, so I've tried netcat from the nodes:

nc 10.250.2.2 53 - connection refused
nc -u 10.250.2.2 55 - works

Now I've tcpdumped each interface on the source node for port 8080, and the curl to the CoreDNS pod doesn't even seem to leave the node... sooo iptables?

I've also tried Weave, Canal and Flannel; all seem to have the same issue.

I've run out of ideas by now... any pointers please?

-- inc0
cni
kubernetes
project-calico

1 Answer

1/30/2019

It seems to be a problem with the Calico implementation; CoreDNS Pods are sensitive to the CNI network Pods functioning successfully. For a proper CNI network plugin implementation you have to include the --pod-network-cidr flag in the kubeadm init command and afterwards apply the same value to the CALICO_IPV4POOL_CIDR parameter inside calico.yml.

Moreover, for a successful Pod network installation you have to apply some RBAC rules in order to grant sufficient permissions in compliance with the general cluster security restrictions, as described in the official Kubernetes documentation:

For Calico to work correctly, you need to pass --pod-network-cidr=192.168.0.0/16 to kubeadm init or update the calico.yml file to match your Pod network. Note that Calico works on amd64 only.

kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/rbac-kdd.yaml
kubectl apply -f https://docs.projectcalico.org/v3.3/getting-started/kubernetes/installation/hosted/kubernetes-datastore/calico-networking/1.7/calico.yaml

In your case I would switch to the latest Calico version, at least v3.3 as given in the example.

If you've verified that the Pod network plugin installation runs properly, please update the question with your current environment setup and Kubernetes component versions along with their health statuses.

-- mk_sta
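A worked check for the two things this thread turns on, as an added example that is not part of the original question, the answer, or the Calico project: whether the CIDR handed to kubeadm matches CALICO_IPV4POOL_CIDR in the manifest, and whether the node's iptables rules carry a REJECT that covers the pod CIDR. A REJECT with --reject-with tcp-reset is what makes a TCP connect fail with "connection refused" while the SYN never shows up on the wire (a DROP would time out instead), which is the split the question observed. The two manifest fragments and the iptables-save excerpt are constructed inline; the OUTPUT REJECT rule in the excerpt is hypothetical and only there to show what the scanner flags. The script assumes the kubeadm flag is --pod-network-cidr (the one the answer names) and that on a live cluster the value can be read back from the kubeadm-config ConfigMap's podSubnet field.

```shell
#!/bin/sh
# Added example, not from the original post or the Calico project.
# 1. check that the kubeadm pod CIDR equals CALICO_IPV4POOL_CIDR in calico.yaml
# 2. scan an iptables-save dump for REJECT rules whose destination overlaps the
#    pod CIDR (REJECT --reject-with tcp-reset answers a SYN with a RST, which the
#    client reports as "connection refused"; DROP would hang instead).
# Inputs are constructed below so this runs offline. On a real node they come from:
#   kubectl -n kube-system get cm kubeadm-config -o yaml    # networking.podSubnet
#   iptables-save > /tmp/ipt.dump
set -eu

# ip4_to_int 10.250.2.2 -> 184156674 (dotted quad as an unsigned integer)
ip4_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# cidr_contains 10.250.0.0/17 10.250.2.2 -> exit 0 when the address is inside the block
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# pool_cidr_from_manifest calico.yaml -> prints the CALICO_IPV4POOL_CIDR value
pool_cidr_from_manifest() {
    awk '/name: CALICO_IPV4POOL_CIDR/ {
             if ((getline line) > 0) {
                 sub(/.*value:[ \t]*["]?/, "", line)   # strip "value:" and an opening quote
                 sub(/["]?[ \t]*$/, "", line)          # strip a closing quote and trailing space
                 print line
             }
             exit
         }' "$1"
}

# check_pod_cidrs KUBEADM_CIDR calico.yaml -> 0 when they agree, 1 otherwise
check_pod_cidrs() {
    have=$(pool_cidr_from_manifest "$2")
    if [ "$have" = "$1" ]; then
        echo "ok: CALICO_IPV4POOL_CIDR=$have matches --pod-network-cidr=$1"
        return 0
    fi
    echo "MISMATCH: --pod-network-cidr=$1 but CALICO_IPV4POOL_CIDR=${have:-<unset>}" >&2
    return 1
}

# reject_rules_for DUMP POD_CIDR -> prints every REJECT rule whose destination
# overlaps POD_CIDR (a rule with no -d matches everything); exit 0 if any found
reject_rules_for() {
    hits=0
    while IFS= read -r line; do
        case $line in
            -A*"-j REJECT"*) ;;      # only REJECT rules can produce "connection refused"
            *) continue ;;
        esac
        dst=$(printf '%s\n' "$line" | sed -n 's|.* -d \([0-9./]*\).*|\1|p')
        case $dst in
            "")  dst=0.0.0.0/0 ;;    # no -d: the rule matches every destination
            */*) ;;
            *)   dst=$dst/32 ;;
        esac
        if cidr_contains "$2" "${dst%/*}" || cidr_contains "$dst" "${2%/*}"; then
            printf '%s\n' "$line"
            hits=$((hits + 1))
        fi
    done < "$1"
    [ "$hits" -gt 0 ]
}

# --- constructed sample input, not taken from the original post ---
GOOD_MANIFEST=$(mktemp); BAD_MANIFEST=$(mktemp); IPT_DUMP=$(mktemp)
trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST" "$IPT_DUMP"' EXIT
POD_CIDR=10.250.0.0/17   # the value the question hands to kubeadm

cat > "$GOOD_MANIFEST" <<'EOF'
            - name: CALICO_IPV4POOL_CIDR
              value: "10.250.0.0/17"
EOF
cat > "$BAD_MANIFEST" <<'EOF'
            - name: CALICO_IPV4POOL_CIDR
              value: "192.168.0.0/16"
EOF
# Hypothetical iptables-save excerpt. The OUTPUT REJECT is the kind of rule that
# matches the symptom (node-originated SYN never leaves, client sees a RST); the
# KUBE-SERVICES line is kube-proxy's usual no-endpoints rule for a ClusterIP,
# which lies outside the pod CIDR and must not be flagged.
cat > "$IPT_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -d 10.250.0.0/17 -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m tcp --dport 53 -m comment --comment "kube-system/kube-dns:dns-tcp has no endpoints" -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF

check_pod_cidrs "$POD_CIDR" "$GOOD_MANIFEST" || true
check_pod_cidrs "$POD_CIDR" "$BAD_MANIFEST"  || true
reject_rules_for "$IPT_DUMP" "$POD_CIDR" || echo "no REJECT rule covers $POD_CIDR"
```

To use it against a live node, replace the heredocs with the calico.yaml you actually apply and an iptables-save dump taken on the node that fails. In the constructed dump the rule sits in OUTPUT, the chain that node-originated traffic traverses; pod-to-pod traffic arriving from another node goes through FORWARD instead, which is how a rule can refuse a node's own connection attempts while leaving pod-to-pod traffic alone, the same split the question describes. The scanner only looks at destinations, so a rule that REJECTs by source or by chain position is still something to read by hand.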
Source: StackOverflow