OS: Ubuntu 18.04.6
Firewall type: IPtables. UFW is Disabled.
I have a Kubernetes cluster with 3 nodes that provide the controlplane and etcd services, named cp01, cp02 and cp03.
I see that etcd traffic from each of the Controlplane/etcd nodes works fine. The etcd application seems to be working, although I noticed that I cannot do some things like etcdctl elect a new leader.
I noticed that sometimes the return traffic is getting blocked. Here's an example log message showing the block:
May 23 09:34:55 cp02 kernel: [1245818.175864] DROP-INPUT: IN=eth2 OUT= MAC=00:50:AA:BB:CC:DD:00:50:AA:BB:CC:11:08:00 SRC=192.168.101.188 DST=192.168.101.189 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2380 DPT=36532 WINDOW=0 RES=0x00 RST URGP=0
I don't understand why these packets are getting dropped. IPtables has a rule to accept all RELATED,ESTABLISHED traffic. It seems like on occasion that's not happening and the packets are actually getting dropped.
Here is the relevant section of IPtables. Note the following:
- Lines 1-3 are inserted by Kubernetes.
- Lines 4-7 are standard rules (I believe they are.)
- Lines 22 & 23 will log then drop all packets that didn't match an existing rule
- Line 7 accepts all RELATED,ESTABLISHED traffic; that is, if the traffic went out through this host it can return to this host, since it is marked as related or established traffic. However, the log message above suggests this is not happening.
cp03:~ # iptables -t filter -L INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target                  prot opt in out source destination
1     2763  407K cali-INPUT              all
2     2763  407K KUBE-FIREWALL           all
3       32  6559 KUBE-EXTERNAL-SERVICES  all
4        1    84 ACCEPT                  icmp
5      773  112K ACCEPT                  all
6        0     0 REJECT                  all
7     1958  288K ACCEPT                  all
8        0     0 ACCEPT                  tcp
9        0     0 ACCEPT                  udp
10       0     0 ACCEPT                  udp
11       0     0 ACCEPT                  udp
12       0     0 ACCEPT                  tcp
13       0     0 ACCEPT                  tcp
14       0     0 ACCEPT                  tcp
15       4   220 ACCEPT                  tcp
16       4   220 ACCEPT                  tcp
17       0     0 ACCEPT                  tcp
18       0     0 ACCEPT                  tcp
19       0     0 ACCEPT                  tcp
20       0     0 ACCEPT                  tcp
21       1    40 LOG                     all
22       1    40 DROP                    all
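The dropped packet in the log line above is a bare RST with WINDOW=0, sent from the etcd peer port 2380 back to an ephemeral port. A RST for which nf_conntrack no longer holds an entry (or that is out of the tracked window) is classified as INVALID rather than ESTABLISHED, so it never matches the RELATED,ESTABLISHED ACCEPT and falls through to the catch-all LOG/DROP. The following parser and classifier is an added example, not code from the question or from any project it mentions; it turns kernel LOG lines of this format into fields and flags and tags reply-direction RSTs from the etcd ports. The etcd port set, the ephemeral port range and the two extra sample lines are constructed assumptions; the first sample line is the one quoted in the question.

```python
"""Parse netfilter LOG-target lines (the "DROP-INPUT:" entries above) and
classify why a packet missed the RELATED,ESTABLISHED rule."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Kernel log layout: "<syslog ts> <host> kernel: [<uptime>] <prefix> KEY=VAL ... FLAG ..."
_KERNEL_LINE = re.compile(r"kernel:\s*\[\s*[\d.]+\]\s*(?P<body>.*)$")

# etcd listens on 2379 (client API) and 2380 (peer traffic, as in the log line).
ETCD_PORTS = {2379, 2380}
# Linux default net.ipv4.ip_local_port_range starts here (assumption).
EPHEMERAL_LOW = 32768


@dataclass
class NetfilterEvent:
    prefix: str
    fields: dict = field(default_factory=dict)   # KEY=VALUE tokens (IN, SRC, SPT, ...)
    flags: set = field(default_factory=set)      # bare tokens: DF, SYN, ACK, RST, ...

    def port(self, key):
        return int(self.fields[key]) if key in self.fields else None


def parse_netfilter_log(line):
    """Parse one kernel LOG line; returns None for lines that are not one."""
    m = _KERNEL_LINE.search(line)
    if not m:
        return None
    tokens = m.group("body").split()
    # The --log-prefix text is everything before the first KEY=VALUE token.
    prefix_words = []
    while tokens and "=" not in tokens[0]:
        prefix_words.append(tokens.pop(0))
    ev = NetfilterEvent(prefix=" ".join(prefix_words).rstrip(":"))
    for token in tokens:
        if "=" in token:
            key, value = token.split("=", 1)
            ev.fields[key] = value
        else:
            ev.flags.add(token)
    return ev


def classify(ev):
    """Explain which kind of packet reached the catch-all DROP."""
    if ev.fields.get("PROTO") != "TCP":
        return "non-tcp"
    spt, dpt = ev.port("SPT"), ev.port("DPT")
    if "SYN" in ev.flags and "ACK" not in ev.flags:
        return "new-connection"          # never ESTABLISHED; needs its own ACCEPT
    if spt in ETCD_PORTS and dpt is not None and dpt >= EPHEMERAL_LOW:
        # Reply direction from an etcd port. A RST with no conntrack entry (or
        # out of window) is INVALID, not ESTABLISHED, so the ctstate rule skips it.
        return "reply-rst-untracked" if "RST" in ev.flags else "reply-untracked"
    return "other"


def summarize(lines):
    """Count classifications over a batch of syslog lines (non-LOG lines ignored)."""
    events = (parse_netfilter_log(l) for l in lines)
    return Counter(classify(ev) for ev in events if ev is not None)


# First line is the one from the question; the other two are constructed.
SAMPLE_LINES = [
    "May 23 09:34:55 cp02 kernel: [1245818.175864] DROP-INPUT: IN=eth2 OUT= "
    "MAC=00:50:AA:BB:CC:DD:00:50:AA:BB:CC:11:08:00 SRC=192.168.101.188 DST=192.168.101.189 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2380 DPT=36532 WINDOW=0 RES=0x00 RST URGP=0",
    "May 23 09:35:01 cp02 kernel: [1245824.001122] DROP-INPUT: IN=eth2 OUT= "
    "MAC=00:50:AA:BB:CC:DD:00:50:AA:BB:CC:11:08:00 SRC=192.168.101.190 DST=192.168.101.189 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=41000 DPT=2380 WINDOW=64240 RES=0x00 SYN URGP=0",
    "May 23 09:35:07 cp02 kernel: [1245830.445566] DROP-INPUT: IN=eth2 OUT= "
    "MAC=00:50:AA:BB:CC:DD:00:50:AA:BB:CC:11:08:00 SRC=192.168.101.190 DST=192.168.101.189 "
    "LEN=58 TOS=0x00 PREC=0x00 TTL=64 ID=777 DF PROTO=UDP SPT=53 DPT=40000 LEN=38",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_netfilter_log(line)
        print(ev.prefix, ev.fields["SRC"], "->", ev.fields["DST"],
              ev.fields["PROTO"], ev.port("SPT"), "->", ev.port("DPT"),
              sorted(ev.flags), classify(ev))
    print(summarize(SAMPLE_LINES))
```

Feeding the logged line through `classify` yields `reply-rst-untracked`. To confirm on the host itself, a rule such as `iptables -I INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID-INPUT: "` placed ahead of the catch-all LOG/DROP will tag exactly the packets that conntrack refuses to match; whether to then silently drop INVALID or accept stray RSTs from the etcd peers is a policy choice, since such a RST cannot open anything and the sender is already tearing the connection down.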