Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Iptables rules in kubelet.service #332

Closed
SMR39 opened this issue Sep 11, 2019 · 7 comments
Closed

Iptables rules in kubelet.service #332

SMR39 opened this issue Sep 11, 2019 · 7 comments
Labels
question Further information is requested

Comments

@SMR39
Copy link

SMR39 commented Sep 11, 2019

Hello,

I was trying to understand the need for having this iptables rule here. https://github.com/awslabs/amazon-eks-ami/blob/master/files/kubelet.service#L8

If this was introduced to fix docker trying to change rule from ACCEPT to DROP then I think this was indeed fixed in kubernetes/kubernetes#59656 and that line can be removed to avoid further confusions.
@mogren mogren mentioned this issue Sep 27, 2019
Closed
@mogren
Copy link

mogren commented Apr 27, 2020

I do think we should verify this. The change seems to be

https://github.com/kubernetes/kubernetes/pull/62007/files#diff-97649d13432b01b4e7669d728a2e2e82R1324-R1329

@mogren mogren mentioned this issue Jul 15, 2020
Closed
@GnatorX
Copy link

GnatorX commented Aug 22, 2020
edited
Loading

We are noticing that kubelet runs pretty close to when iptables restore runs. Due to the close proximity, we notice there are nodes with FORWARD DROP that came back from the restore (we think) since it may happen after kubelet's FORWARD ACCEPT. Given that kubelet and ipstable-restore both are only depending on docker service to finish
https://github.com/awslabs/amazon-eks-ami/blob/master/files/kubelet.service#L4
https://github.com/awslabs/amazon-eks-ami/blob/master/files/iptables-restore.service#L5

Not sure if anyone is running into this or if this is the cause of the issue

@GnatorX
Copy link

GnatorX commented Aug 26, 2020

An update on the issue I raise. It seems like, for us, an iptable save was performed prior to startup of the node which meant we saved FORWARD DROP. On startup, since kubelet and iptable restore happens around the same time, we run into a race condition where FORWARD DROP may be applied over FORWARD ACCEPT if iptable restore after kubelet start.

@yongzhang
Copy link

I have another question, in https://github.com/awslabs/amazon-eks-ami/blob/v20210830/scripts/install-worker.sh#L99, I'm curious why only a copy there without starting the service? How the service been started?

@yongzhang
Copy link

I have another question, in https://github.com/awslabs/amazon-eks-ami/blob/v20210830/scripts/install-worker.sh#L99, I'm curious why only a copy there without starting the service? How the service been started?

Sorry, found it in bootstrap.sh.

@hovo972
Copy link

hovo972 commented Dec 17, 2021

Is it a really good idea to have a move here https://github.com/awslabs/amazon-eks-ami/blob/v20210830/scripts/install-worker.sh#L99 (as opposed to having a copy)?

It cost me a day to figure out why re-running bootstrap.sh was failing to start my cluster :/

@cartermckinnon
Copy link
Member

I don't know why this was added in #90, I think the reviewers overlooked it. It's not clear to me why this would be necessary, as components like kube-proxy that rely on iptables rules should be managing those themselves.

@nithu0115 was the author, who might be able to provide more info. Otherwise, I'll try removing it when I have some time.

@cartermckinnon cartermckinnon added the question Further information is requested label Dec 8, 2022
@varun-armis varun-armis mentioned this issue May 1, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@mogren @GnatorX @cartermckinnon @SMR39 @yongzhang @hovo972