Comments (11)
ikatson
commented on May 22, 2024
1
Looks like this issue is still there if calico is used for network policy, as Calico triggers its own rules before the ones that solve the issue, see my comment here #231 (comment)
from amazon-vpc-cni-k8s.
lbernail
commented on May 22, 2024
A solution to this issue would be to mark nodeport traffic and use conntrack to force the reverse path through the primay ENI:
iptables -A PREROUTING -i eht0 -t mangle -p tcp --dport 30000:32767 -j CONNMARK --set-mark 42
iptables -t mangle -A PREROUTING -j CONNMARK -i eni+ --restore-mark
ip rule add fwmark 42 lookup main pref 1024
from amazon-vpc-cni-k8s.
liwenwu-amazon
commented on May 22, 2024
@lbernail can I reproduce this by:
- create a cluster which contains only 1 node
- create enough Pods which will exhausts all addresses on primary ENI
- create a service and its back-end pods, and back-end pods will get IP addresses from 2nd ENIs
- then Pods on primary ENIs will NOT able to communicate with the service which is backed by back-end pods on 2nd ENIs
right? thanks
from amazon-vpc-cni-k8s.
lbernail
commented on May 22, 2024
@liwenwu-amazon yes that would work but you need to access the service using nodeip:nodeport from outside the node: if I recall correctly accessing a nodeport from a pod will redirect you to the standard service endpoints and bypass the nodeport iptables rule
from amazon-vpc-cni-k8s.
liwenwu-amazon
commented on May 22, 2024
@lbernail , we seems only can reproduce this problem when we disable external SNAT. #120 . Can you confirm if this is same case for you? With external SNAT, all traffic for node-port will get sent and received on eth0, so it works. When external SNAT #120 is enabled, the incoming traffic is sent to eth0, and outing traffic is sent to eth1, so it breaks the Linux connection tracking ...
from amazon-vpc-cni-k8s.
lbernail
commented on May 22, 2024
@liwenwu-amazon if the traffic is coming from outside the VPC-CIDR it will be SNATed so yes it will solve the issue. However if the request comes from the VPC-CIDR the answer will be routed using the additional ENI (if the target pod is not on the primary ENI) and you should have the reverse-path issue
from amazon-vpc-cni-k8s.
fasaxc
commented on May 22, 2024
I think this issue impacts anyone who tries to use NodePorts from within the same VPC too, which seems fairly mainline. Since this is impacting my team, I've started working on a fix based on the above suggestion to use the connmark with a couple of changes:
- only use one connmark bit so that it doesn't clash with kube-proxy or Calico's use of the mark
- use an interface match to avoid needing to match on the port number.
Here's my current set of rules:
iptables -t mangle -A PREROUTING -i eth0 -m addrtype --dst-type LOCAL --limit-iface-in -j CONNMARK --set-mark 0x1/0x1
iptables -t mangle -A PREROUTING -i eni+ -j CONNMARK --restore-mark --mask=0x1
from amazon-vpc-cni-k8s.
lbernail
commented on May 22, 2024
@fasaxc : you do it this way to increase performances?
from amazon-vpc-cni-k8s.
fasaxc
commented on May 22, 2024
@lbernail The change to use the addrtype? That does a couple of things:
- It syncs up with kupe-proxy's rule:
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
which also has the addrtype clause; this makes sure that we don't match traffic that isn't heading to an IP assigned to the host (i.e. traffic that is going directly to a pod but happens to be going to a port in the node port range)
- It avoids needing to hard code or configure the NodePort range, which, at least in theory, is configurable. Also, I think you can create a NodePort manually outside that range.
When you combine the two rules, you get <connection seen on eth0 heading to a local IP> AND <connection seen leaving a veth>. Putting those two together, I think it implies that the packet was heading to a NodePort.
from amazon-vpc-cni-k8s.
liwenwu-amazon
commented on May 22, 2024
Today, aws-vpc-cni assigns a native VPC IP address to a Pod. So it works directly with AWS ALB and NLB without any port mapping. In another word, Pod IP can be added ALB and NLB 's target group. This improves network performance, operation, debugging and remove the need to manipulate IP tables or IPVS tables.
There is a woke-in-progress PR/Support routing directly to pods in aws-alb-ingress-controller.
We are also actively working on NLB controller, so that traffic towards a service VIP backed by NLB can directly sent to Pod IP.
from amazon-vpc-cni-k8s.
lbernail
commented on May 22, 2024
👍
This is very good news!
We were actually thinking about working on a similar PR for the ALB ingress
from amazon-vpc-cni-k8s.
Related Issues (20)
- K3S with AWS VPC CNI breaks Pod communication #9716 HOT 3
- using `amazon-vpc-cni-k8s` outside eks HOT 13
- /run/xtables.lock created as directory when installed with Helm HOT 13
- No additional ENIs are attached after prefix delegation HOT 6
- Configurable log output for the aws-eks-nodeagent in the daemonset HOT 1
- Node created in subnet with low number of IP adresses: failed to assign an IP address to container HOT 2
- Can `AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG` be generalized for multi-homed pods? HOT 5
- Pods stuck in `CrashLoopBackoff` when restarting custom EKS node. HOT 7
- WARM_ENI_TARGET is 1. But worker node ENI 2 (with coredns pods used) HOT 2
- Is it possible to route cluster-ip traffic from EC2 instances (the outside of eks, but same vpc) to EKS HOT 2
- What is the difference between `vX.X.X` and `vX.X.X-eksbuild.x` ? HOT 2
- Upgrading from v1.16.0-eksbuild.1 to v1.17 or v1.18 results in failure to assign IP address to container HOT 9
- RefreshSecurityGroups should only be called on ENIs already checked by the ENI/IP reconciler HOT 8
- Conflicts .data.enable-windows-ipam HOT 2
- Improve VPC CNI memory by reducing number of things it is caching HOT 6
- Pod stuck in `ContainerCreating` status while waiting for an IP address to get assigned HOT 12
- ip addresses leaking when there are too many ip in cooldown pool HOT 2
- Should node agent be opt-in on vpc CNI HOT 2
- Enhanced subnet discovery should use configurable tags
- make generate-limits script failed due to ENI limit mismatch HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from amazon-vpc-cni-k8s.