Failed access service external ip in pod

[liuxu623]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

We use cilium vxlan and don't enable nodePort/externalIPs. So we depend kube-proxy handle service external ip.
I found when access service external ip (backend is a pod in another node) in pod, source ip will change to node ip after kube-proxy masquerade.
Because cilium_host ip addr scope is link, kernel ip masquerade wouldn't choose cilium_host even destination ip is another pod, package will send to server pod through cilium_vxlan and source ip is node ip.
Server pod will send reply package to client pod's node (not through cilium_vxlan), maybe network device (like router) didn't recognize server pod ip, it will drop the package.

1. client pod ip -> service external ip
2. client pod ip -> server pod ip (DNAT)
3. client node ip -> server pod ip (Masquerade) through cilium_vxlan
4. server pod ip -> client node ip (direct route, not through cilium_vxlan)

I try to change cilium_host ip addr scope to global, it works.
So I think we should remove scope link in init.sh to fix this issue.

Cilium Version

v1.10.15

Kernel Version

5.4.119

Kubernetes Version

v1.22.5

Sysdump

KubeProxyReplacement Details:
Status: Partial
Session Affinity: Enabled
Services:

• ClusterIP: Enabled
• NodePort: Disabled
• LoadBalancer: Disabled
• externalIPs: Disabled
• HostPort: Disabled

Relevant log output

No response

Anything else?

client pod is 172.17.0.3
client node is 192.168.2.219
client cilium_host is 172.17.0.28
external ip is 119.28.229.32
server pod is 172.17.0.177

$ ip a show cilium_host
4: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether da:5d:4c:d9:e4:7e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.28/32 scope link cilium_host
       valid_lft forever preferred_lft forever
    inet6 fe80::d85d:4cff:fed9:e47e/64 scope link
       valid_lft forever preferred_lft forever

iptables

-A KUBE-SERVICES -d 119.28.229.32/32 -p tcp -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -m tcp --dport 443 -j KUBE-FW-JRLK3S5QDR5VE4WN
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-SVC-JRLK3S5QDR5VE4WN
-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-MARK-DROP

$ conntrack -E -d 119.28.229.32

[NEW] tcp      6 120 SYN_SENT src=172.17.0.3 dst=119.28.229.32 sport=42614 dport=443 [UNREPLIED] src=172.17.0.177 dst=192.168.2.219 sport=443 dport=34294

After remove scope link

$ ip a del 172.17.0.28/32 dev cilium_host
$ ip a add 172.17.0.28/32 dev cilium_host
$ ip a show cilium_host
4: cilium_host@cilium_net: <BROADCAST,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether da:5d:4c:d9:e4:7e brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.28/32 scope global cilium_host
       valid_lft forever preferred_lft forever
    inet6 fe80::d85d:4cff:fed9:e47e/64 scope link
       valid_lft forever preferred_lft forever

$ conntrack -E -d 119.28.229.32

    [NEW] tcp      6 120 SYN_SENT src=172.17.0.3 dst=119.28.229.32 sport=43612 dport=443 [UNREPLIED] src=172.17.0.177 dst=172.17.0.28 sport=443 dport=27012

1. client pod ip -> service external ip
2. client pod ip -> server pod ip (DNAT)
3. client's cilium_host ip -> server pod ip (Masquerade) through cilium_vxlan
4. server pod ip -> client's cilium_host ip through cilium_vxlan

We can see kernel ip masquerade choose cilium_host's ip 172.17.0.28 instead of node ip 192.168.2.219, and reply package also through cilium_vxlan.

Code of Conduct

• I agree to follow this project's Code of Conduct

[pchaigno]

I found when access service external ip (backend is a pod in another node) in pod, source ip will change to node ip after kube-proxy masquerade.

Why is the traffic masqueraded if it's going through the tunnel? If the client pod is managed by Cilium, it's traffic destined to a pod on another node should be sent straight to the cilium_vxlan interface without going through masquerading. Is the client pod managed by Cilium?

Because cilium_host ip addr scope is link, kernel ip masquerade wouldn't choose cilium_host even destination ip is another pod

IMO, it should never pick the CiliumInternalIP (i.e., cilium_host IP) for masquerading. That's an IP address specific to Cilium and allocated from the same CIDR as the pod IP addresses.

[liuxu623]

I found when access service external ip (backend is a pod in another node) in pod, source ip will change to node ip after kube-proxy masquerade.

Why is the traffic masqueraded if it's going through the tunnel? If the client pod is managed by Cilium, it's traffic destined to a pod on another node should be sent straight to the cilium_vxlan interface without going through masquerading. Is the client pod managed by Cilium?

$ cilium status

KubeProxyReplacement Details:
Status: Partial
Session Affinity: Enabled
Services:

ClusterIP: Enabled
NodePort: Disabled
LoadBalancer: Disabled
externalIPs: Disabled
HostPort: Disabled

Because we didn't enable NodePort and externalIPs, if we access externalIP in a pod , cilium's eBPF will not handle.
Cilium's eBPF only handle service clusterIP in our environment, kube-proxy's iptables rule handle NodePort and externalIP.

[pchaigno]

Because we didn't enable NodePort and externalIPs, if we access externalIP in a pod , cilium's eBPF will not handle.

Ah, right. So Cilium will pass the packet to the stack and kube-proxy will perform the DNAT. But why is the packet masqueraded? Once DNATed it should have a pod IP address as destination and that doesn't need masquerading since it will go through the tunnel. That's why I think there is a bug or config error w.r.t. the iptables-based masquerading.

[liuxu623]

Because we didn't enable NodePort and externalIPs, if we access externalIP in a pod , cilium's eBPF will not handle.

Ah, right. So Cilium will pass the packet to the stack and kube-proxy will perform the DNAT. But why is the packet masqueraded? Once DNATed it should have a pod IP address as destination and that doesn't need masquerading since it will go through the tunnel. That's why I think there is a bug or config error w.r.t. the iptables-based masquerading.

We must use masquerade, if we don't use masquerade, the server pod will direct reply to client pod.
But client pod access external ip, if reply packet source ip is server ip, it will drop packet.
So kube-proxy use masquerade to make reply packet source ip is external ip.

iptables

-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-MARK-MASQ
-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-SVC-JRLK3S5QDR5VE4WN
-A KUBE-FW-JRLK3S5QDR5VE4WN -m comment --comment "default/kubernetes-extranet:https loadbalancer IP" -j KUBE-MARK-DROP

[liuxu623]

There is a article tell why kube-proxy need masquerade, but it wrote by chinese.
https://morningspace.github.io/tech/k8s-net-externalip-nodeport/#%E5%9C%B0%E5%9D%80%E4%BC%AA%E8%A3%85%E7%9A%84%E4%BD%9C%E7%94%A8

[pchaigno]

We must use masquerade, if we don't use masquerade, the server pod will direct reply to client pod.

I suspect the only reason we need masquerading today is because we bypass the reverse-DNAT for the reply packet when it comes from cilium_vxlan and goes to the lxc device. cc @brb

[liuxu623]

@pchaigno This case is not related with eBPF, we don't need consider eBPF, in this case cilium vxlan is similar as flannel vxlan.
I build a flannel test environment (CNI flannel vxlan, kube-proxy use iptables mode ), I found flannel.1 ip addr scope is global.

root@ubuntu-2:~# ip a show flannel.1

3: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 6a:de:0e:bb:9c:d9 brd ff:ff:ff:ff:ff:ff
    inet 100.64.2.0/32 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::68de:eff:febb:9cd9/64 scope link
       valid_lft forever preferred_lft forever

When access service external ip in pod, iptables masquerade will choose flannel.1 ip addr, it just like cilium_host.
If change flannel.1 ip addr scope from global to link, it also can reproduce this bug.

[liuxu623]

I found we can use sysctl -w net.ipv4.conf.eth0.rp_filter=1 to reproduce this bug in any environment.

[sathieu]

I found we can use sysctl -w net.ipv4.conf.eth0.rp_filter=1 to reproduce this bug in any environment.

I confirm that sysctl -w net.ipv4.conf.eth0.rp_filter=0 fixes the problem for me.

EDIT: Actually, it's not working. Changing the scope to global is working:

$ ip a del 172.17.0.28/32 dev cilium_host
$ ip a add 172.17.0.28/32 dev cilium_host