Cilium endpoint list is empty and network policies doesn't work

[thoslin]

Bug reports

Title

Cilium endpoint list is empty and network policies doesn't work

General Information

• Cilium version (run cilium version)

Cilium 0.13.90 3a5da2c Thu, 16 Nov 2017 00:39:22 +0100 go version go1.9 linux/amd64

Actually I'm using this docker image https://hub.docker.com/r/cilium/cilium/builds/bkdezkwu8ga7pjtbtzhaggj/

• Kernel version (run uname -a)

Linux ip-172-20-34-175.ec2.internal 4.13.9-coreos #1 SMP Thu Oct 26 03:21:00 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

• Orchestration system version in use (e.g. kubectl version, Mesos, ...)

Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:27:35Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.2", GitCommit:"922a86cfcd65915a9b2f69f3f193b8907d741d9c", GitTreeState:"clean", BuildDate:"2017-07-21T08:08:00Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

The cluster is created using Kops with 4 worker nodes.

• Link to relevant artifacts (policies, deployments scripts, ...)
  cilium: https://github.com/cilium/cilium/blob/master/examples/kubernetes/cilium.yaml
  deployment & policy: https://github.com/cilium/cilium/blob/master/examples/minikube

How to reproduce the issue

I'm following the instructions on the Getting Start with Kubernetes page http://cilium.readthedocs.io/en/latest/gettingstarted/#getting-started-using-kubernetes.

1. Install cilium
   Since the version of etcd on my cluster is lower than v3.1.0. As a workround, I deployed a consul cluster as kv store.
   I have 4 worker nodes. Cilium on each node starts Ok. However with a few error logs as followed:

time="2017-11-16T07:41:09Z" level=error msg="bpf: Unable to update in tunnel endpoint map" error="Unable to get object /sys/fs/bpf/tc/globals/tunnel_endpoint_map: no such file or directory" ipAddr=100.96.3.0/24
time="2017-11-16T07:41:09Z" level=error msg="bpf: Unable to update in tunnel endpoint map" error="Unable to update element: invalid argument" ipAddr="f00d::6460:300:0:0/112"

time="2017-11-16T07:41:16Z" level=error msg="bpf: Unable to delete in tunnel endpoint map" error="Unable to delete element: invalid argument" ipAddr=100.96.3.0/24
time="2017-11-16T07:41:16Z" level=error msg="bpf: Unable to delete in tunnel endpoint map" error="Unable to delete element: invalid argument" ipAddr="f00d::6460:300:0:0/112"
time="2017-11-16T07:41:16Z" level=error msg="bpf: Unable to update in tunnel endpoint map" error="Unable to update element: invalid argument" ipAddr=100.96.3.0/24
time="2017-11-16T07:41:16Z" level=error msg="bpf: Unable to update in tunnel endpoint map" error="Unable to update element: invalid argument" ipAddr="f00d::6460:300:0:0/96"

The full log could be found from here: https://pastebin.com/E9Ecv6us. I'm not sure if this error is related to the issue.

Cilium status shows OK on all nodes though:

/# cilium status                                                                                                                                                 
KVStore:            Ok   Consul: 100.124.241.78:8300
ContainerRuntime:   Ok   
Kubernetes:         Ok   OK
Kubernetes APIs:    ["core/v1::Service", "core/v1::Endpoint", "extensions/v1beta1::Ingress", "core/v1::Node", "CustomResourceDefinition", "cilium/v2::CiliumNetworkPolicy", "extensions/v1beta1::NetworkPolicy", "networking.k8s.io/v1::NetworkPolicy"]
Cilium:             Ok   OK
NodeMonitor:        Listening for events on 2 CPUs with 64x4096 of shared memory

2. Deploy the demo

Deploy the demo from https://github.com/cilium/cilium/blob/master/examples/minikube/demo.yaml

3. Check endpoint list

$ kubectl -n kube-system exec cilium-xhpvt cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])   IPv6   IPv4   STATUS   
           ENFORCEMENT                                                                   

Nothing shows up in the endpoint list. And network policies doesn't work, ie, restricted apps are still accessible.

Now I'm not sure how to proceed with this issue, which part should I check? Any tools to debug? I tried cilium monitor, but no packets are captured.

Any advice would be appreciated.Thanks!

[thoslin]

FWIW, my cluster uses Calico for networking.

[tgraf]

FWIW, my cluster uses Calico for networking.

OK, that explains it then. How did you deploy Cilium then? Calico and Cilium are both CNI plugins. You most likely have two CNI configurations present in the cluster now and Calico is taking precedence. I'm assuming the pods are still being managed by Calico so Cilium has no means to enforce policy on them.

Cilium does not support policy enforcement on top of other CNI plugins yet.

[thoslin]

@tgraf Oops. I thought it is a plugin on top of other CNI providers. I deployed Cilium as daemon set.
So does this mean I have to remove Calico in order to make Cilium work? Or should I initially create the cluster with Cilium as a networking provider? Is there any documentation on this operation?

[tgraf]

So does this mean I have to remove Calico in order to make Cilium work? Or should I initially create the cluster with Cilium as a networking provider? Is there any documentation on this operation?

Yes, you can use Cilium as your networking plugin as described in the link below.
http://docs.cilium.io/en/stable/gettingstarted/#step-1-installing-cilium

The DaemonSet automatically installs itself as CNI plugin by writing a configuration file to /etc/cni/net.d. When you remove the DaemonSet, it will automatically uninstall itself as CNI plugin.

If you have multiple CNI plugins installed, CNI will pick one of them based on the name. (https://github.com/containernetworking/cni). I'm assuming that in your current cluster, Calico is installed as 10-calico.conf and Cilium is installed as 10-cilium.conf. The alphabetical order would prefer Cailco in this case. You can overwrite the name of the CNI configuration file via an environment variable like this:

        env:
          - name: CNI_CONF_NAME
            value: "09-cilium.conf"

I've uploaded the full DaemonSet file I used for testing here:
https://pastebin.com/e5bhnE9P

[thoslin]

Thanks @tgraf for the detailed explanation. I redeployed cilium per your instructions.

Now the CNI config files look like this on Calico pod:

 $ kubectl exec -it calico-node-fwwk4 -n kube-system -c install-cni -- sh
/opt/cni/bin # ls /host/etc/cni/net.d/
09-cilium.conf     10-calico.conf     calico-kubeconfig
/opt/cni/bin # ls /host/opt/cni/bin/
bridge       calico       calico-ipam  cilium-cni   flannel      host-local   loopback     ptp

Calico volumn mounts:

    Mounts:
      /host/etc/cni/net.d from cni-net-dir (rw)
      /host/opt/cni/bin from cni-bin-dir (rw)
Volumns:
  cni-bin-dir:
    Type:  HostPath (bare host directory volume)
    Path:  /opt/cni/bin
  cni-net-dir:
    Type:  HostPath (bare host directory volume)
    Path:  /etc/cni/net.d

However Cilium endpoint list is still empty:

$ kubectl exec -it cilium-lzr48 -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])   IPv6   IPv4   STATUS   
           ENFORCEMENT                        

Test of L3-L4 policy doesn't work as exepcted:

$ kubectl get networkpolicies
NAME             POD-SELECTOR   AGE
access-backend   id=app1        18h
$ APP2_POD=$(kubectl get pods -l id=app2 -o jsonpath='{.items[0].metadata.name}')
$ SVC_IP=$(kubectl get svc app1-service -o jsonpath='{.spec.clusterIP}')
$ kubectl exec $APP2_POD -- curl -s $SVC_IP
<html><body><h1>It works!</h1></body></html>
$ APP3_POD=$(kubectl get pods -l id=app3 -o jsonpath='{.items[0].metadata.name}')
$ kubectl exec $APP3_POD -- curl -s $SVC_IP
<html><body><h1>It works!</h1></body></html>

[danwent]

@thoslin were the containers you are testing with deployed AFTER you made Cilium the CNI plugin? I do not believe Cilium will "take-over" the networking of containers deployed before it was the CNI plugin.

[thoslin]

@danwent Yes. They are deployed after Cilium is made as the CNI plugin. So to reproduce this issue, I tested on a clean cluster today, I'm still getting a empty list of endpoints. The detailed steps are as followed:

Deploy consul

Per instructions: https://github.com/kelseyhightower/consul-on-kubernetes

$ kubectl get pods
NAME                    READY     STATUS    RESTARTS   AGE
consul-0                1/1       Running   0          54m
consul-1                1/1       Running   0          51m
consul-2                1/1       Running   0          51m

Use consul as cilium kv store

          - "--kvstore"
          - "consul"
          - "--kvstore-opt"
          - "consul.address=100.125.138.131:8500"

Deploy cilium

$ kubectl get pods -n kube-system
NAME                                                    READY     STATUS    RESTARTS   AGE
calico-node-2z8sb                                       2/2       Running   0          4h
calico-node-7zl1w                                       2/2       Running   0          4h
calico-node-972pg                                       2/2       Running   0          4h
calico-node-cbrcx                                       2/2       Running   0          4h
calico-policy-controller-3446986630-8ff2k               1/1       Running   0          4h
cilium-72l81                                            1/1       Running   0          4m
cilium-9j6rk                                            1/1       Running   0          4m
cilium-dbz98                                            1/1       Running   0          4m
cilium-t0nr4                                            1/1       Running   0          4m
dns-controller-2354318375-vf4zh                         1/1       Running   0          4h
etcd-server-events-ip-172-20-55-217.ec2.internal        1/1       Running   0          4h
etcd-server-ip-172-20-55-217.ec2.internal               1/1       Running   0          4h
kube-apiserver-ip-172-20-55-217.ec2.internal            1/1       Running   14         4h
kube-controller-manager-ip-172-20-55-217.ec2.internal   1/1       Running   10         4h
kube-dns-1311260920-hh4kw                               3/3       Running   0          3h
kube-dns-1311260920-tf211                               3/3       Running   0          3h
kube-dns-autoscaler-1818915203-b26kp                    1/1       Running   0          4h
kube-proxy-ip-172-20-38-83.ec2.internal                 1/1       Running   0          4h
kube-proxy-ip-172-20-48-118.ec2.internal                1/1       Running   0          4h
kube-proxy-ip-172-20-53-198.ec2.internal                1/1       Running   0          4h
kube-proxy-ip-172-20-55-217.ec2.internal                1/1       Running   0          4h
kube-scheduler-ip-172-20-55-217.ec2.internal            1/1       Running   10         4h

Deploy apps

$ kubectl create -f https://raw.githubusercontent.com/cilium/cilium/HEAD/examples/minikube/demo.yaml
service "app1-service" created
deployment "app1" created
deployment "app2" created
deployment "app3" created

$ kubectl get pods -w
NAME                    READY     STATUS    RESTARTS   AGE
app1-3720119688-0bnbm   1/1       Running   0          59s
app1-3720119688-hcw3w   1/1       Running   0          59s
app2-1798985037-3rh1b   1/1       Running   0          58s
app3-2097142386-1tcxq   1/1       Running   0          58s
consul-0                1/1       Running   0          20m
consul-1                1/1       Running   0          18m
consul-2                1/1       Running   0          17m

Check cilium endpoint list

tom@tom-HP-xw9400-Workstation ~/workspace/ck $ kubectl exec cilium-72l81 -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])   IPv6   IPv4   STATUS
           ENFORCEMENT                                                                   

Cilium log output

https://pastebin.com/ZL2sKJej

[thoslin]

A little update. After I manually deleted all app pods. They successfully came up on the endpoint list.

[tgraf]

@thoslin Based on the output above, the only explanation I have is that at the time you initially deployed the apps, Calico was still the primary CNI plugin at the time. Everything looks correct from a Cilium status perspective otherwise.

[thoslin]

@tgraf I might have deployed them in consecutive way. However Is there any way to check whether Cilium is the primary plugin? Should I just wait for it?

[tgraf]

However Is there any way to check whether Cilium is the primary plugin? Should I just wait for it?

Good question. The easiest way is to look at /etc/cni/net.d.

I also just realized that you quoted the output of the cilium endpoint list command. Are you aware that this will only ist the endpoints which are running on that particular node? We are working on reporting endpoints cluster wide via Kubernetes but have not completed it yet.

[thoslin]

@tgraf Yes. I was a little confusing at first then I found that endpoint list only output the pods managed by Cilium on that particular node. I got 4 worker nodes, and here's what I've got for the demo application:

$ kubectl exec cilium-72l81 -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])               IPv6                    IPv4           STATUS
           ENFORCEMENT                                                                                                        
14594      Disabled      257        k8s:id=app2                               f00d::6460:200:0:3902   100.96.2.120   ready
                                    k8s:io.kubernetes.pod.namespace=default                                                   
20084      Disabled      259        k8s:id=app1                               f00d::6460:200:0:4e74   100.96.2.150   ready
                                    k8s:io.kubernetes.pod.namespace=default

$ kubectl exec cilium-9j6rk -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])               IPv6                    IPv4           STATUS   
           ENFORCEMENT                                                                                                        
19080      Disabled      259        k8s:id=app1                               f00d::6460:300:0:4a88   100.96.3.188   ready    
                                    k8s:io.kubernetes.pod.namespace=default

$ kubectl exec cilium-dbz98 -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])               IPv6                    IPv4          STATUS   
           ENFORCEMENT                                                                                                       
12075      Disabled      258        k8s:id=app3                               f00d::6460:100:0:2f2b   100.96.1.79   ready    
                                    k8s:io.kubernetes.pod.namespace=default

$ kubectl exec cilium-t0nr4 -n kube-system -- cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])   IPv6   IPv4   STATUS   
           ENFORCEMENT                                                                   

[thoslin]

In order to make DNS pod managed by Cilium. I restarted kube-dns pods(by deleting the pod), the logs show they started OK, however DNS is not working since. Now Kafka is unable to locate zookeeper in the Kafka demo.

[2017-11-21 02:39:22,259] FATAL Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
org.I0Itec.zkclient.exception.ZkException: Unable to connect to zook:2181
	at org.I0Itec.zkclient.ZkConnection.connect(ZkConnection.java:72)
	at org.I0Itec.zkclient.ZkClient.connect(ZkClient.java:1228)
	at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:157)
	at org.I0Itec.zkclient.ZkClient.<init>(ZkClient.java:131)
	at kafka.utils.ZkUtils$.createZkClientAndConnection(ZkUtils.scala:115)
	at kafka.utils.ZkUtils$.withMetrics(ZkUtils.scala:92)
	at kafka.server.KafkaServer.initZk(KafkaServer.scala:350)
	at kafka.server.KafkaServer.startup(KafkaServer.scala:194)
	at kafka.server.KafkaServerStartable.startup(KafkaServerStartable.scala:38)
	at kafka.Kafka$.main(Kafka.scala:92)
	at kafka.Kafka.main(Kafka.scala)
Caused by: java.net.UnknownHostException: zook: Name or service not known
	at java.net.Inet6AddressImpl.lookupAllHostAddr(Native Method)
	at java.net.InetAddress$2.lookupAllHostAddr(InetAddress.java:928)
	at java.net.InetAddress.getAddressesFromNameService(InetAddress.java:1323)
	at java.net.InetAddress.getAllByName0(InetAddress.java:1276)
	at java.net.InetAddress.getAllByName(InetAddress.java:1192)
	at java.net.InetAddress.getAllByName(InetAddress.java:1126)
	at org.apache.zookeeper.client.StaticHostProvider.<init>(StaticHostProvider.java:61)
	at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:445)
	at org.apache.zookeeper.ZooKeeper.<init>(ZooKeeper.java:380)
	at org.I0Itec.zkclient.ZkConnection.connect(ZkConnection.java:70)
	... 10 more
[2017-11-21 02:39:22,264] INFO shutting down (kafka.server.KafkaServer)
[2017-11-21 02:39:22,285] INFO shut down completed (kafka.server.KafkaServer)
[2017-11-21 02:39:22,287] FATAL Exiting Kafka. (kafka.server.KafkaServerStartable)
[2017-11-21 02:39:22,299] INFO shutting down (kafka.server.KafkaServer)

$ kubectl get svc
NAME            TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                                                                            AGE
app1-service    ClusterIP   100.69.43.223   <none>        80/TCP                                                                             16h
consul          ClusterIP   None            <none>        8500/TCP,8443/TCP,8400/TCP,8301/TCP,8301/UDP,8302/TCP,8302/UDP,8300/TCP,8600/TCP   17h
kafka-service   ClusterIP   100.66.223.91   <none>        9092/TCP                                                                           13h
zook            ClusterIP   100.70.202.32   <none>        2181/TCP                                                                           11m

$ kubectl get pods -n kube-system|grep dns
dns-controller-2354318375-t5ctc                         1/1       Running   0          13h
kube-dns-1311260920-mf3st                               3/3       Running   0          13h
kube-dns-1311260920-sqd0l                               3/3       Running   0          36m
kube-dns-autoscaler-1818915203-b26kp                    1/1       Running   0          20h