netkit mode with networkpolicy drops k3s kubelet Liveness/Readiness probe packets but veth mode did not

[networkhermit]

Is there an existing issue for this?

• I have searched the existing issues

Version

higher than v1.16.0 and lower than v1.17.0

What happened?

Recently I upgrade my homelab k3s cluster from cilium 1.15.7 to 1.16.0 and experiment with the netkit datapath mode, but I found that all the pods in the flux-system namespace fail to start, the remaining pods in the cluster are working as expected. I tried reboot the node but the issue persists.

In the hubble UI, I found that in netkit mode the k3s kubelet healthcheck packets are dropped by cilium. The flux-system namespace uses some k8s networkpolicies to deny all ingress traffic by default, but it is working fine if I switched to veth mode.

How can we reproduce the issue?

1. install a single node k3s cluster without default cni or networkpolicy addons
   • It's maybe worth mentioning that I have two network interfaces in my setup - eth0 (default route) and wg0, and my k3s node-ip is the wg0 ip, might also reproduced with eth0 and eth1 setup or just single main interface.
2. install cilium 1.16.0, enable netkit datapath mode and use default networkpolicy behavior
3. create a test k8s namespace and some k8s ingress/egress networkpolicies, e.g. flux-system
4. create a demo k8s deployment with Liveness/Readiness probe
5. all the pod in the test namespace are in CrashLoopBackOff state due to failed healthcheck probe
6. check the verdicts in hubble ui showing flow dropped due to Policy denied
   • One of the top source IP of ingress dropped is from the main network interface - eth0.

Cilium Version

1.16.0

Kernel Version

6.10.1

Kubernetes Version

v1.30.2+k3s1

Regression

No response

Sysdump

cilium-sysdump-20240727-212749.zip

Relevant log output

No response

Anything else?

No response

Cilium Users Document

• Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

• I agree to follow this project's Code of Conduct

[jrife]

Do you have a minimally reproducible example with an exact Deployment and NetworkPolicy? I just tried the following in my environment and could not reproduce this issue. Note that there are some environment differences between what you describe and what I tested, but before tweaking anything there I want to make sure I'm deploying exactly what fails in your environment.

My Environment Details

• Kernel Version: 6.10.6
• Kubernetes Version: v1.31.0
• Kind Cluster
• Cilium Version: 2387d597752132e1f2fc351f11bc04c2d76ea6e9 (current main - between 1.16 and 1.17)
• Cilium Configuration: Basic kind configuration with the following tweaks:

  bpf:
    monitorAggregation: none
    datapathMode: netkit
    masquerade: true
  routingMode: native
  ipv4NativeRoutingCIDR: 10.244.0.0/16
  autoDirectNodeRoutes: true
  kubeProxyReplacement: true

Steps

1. Created a Deployment running an nginx container with a tcpSocket readiness and liveness probe

   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: server
     labels:
       app: server
   spec:
     replicas: 2
     selector:
       matchLabels:
         app: server
     template:
       metadata:
         labels:
           app: server
        spec:
         affinity:
           podAntiAffinity:
             requiredDuringSchedulingIgnoredDuringExecution:
             - labelSelector:
                 matchLabels:
                   app: client
               topologyKey: kubernetes.io/hostname
         containers:
         - name: server
           image: nginx
           ports:
           - containerPort: 80
           livenessProbe:
             tcpSocket:
               port: 80
             initialDelaySeconds: 15
             periodSeconds: 10
           readinessProbe:
             tcpSocket:
               port: 80
             initialDelaySeconds: 15
             periodSeconds: 10

Result

All pods start up fine.

jrife@ubuntu-2204:~/contexts$ kubectl get pods
NAME                      READY   STATUS    RESTARTS   AGE
server-6dd59b76d9-bp2ck   1/1     Running   0          13m
server-6dd59b76d9-g488m   1/1     Running   0          13m

[jfroy]

I don't have a minimal repro case yet, but I can repo on my home cluster.

Environment

Kernel: 6.10.3-talos
Kubernetes: v1.30.2
Distribution: Talos 1.7.6
Cilium: 1.16.1

My cluster is dual stack. The full cilium configuration is in the sysdumps.

My cluster is managed by flux and the repo is public.

Sysdumps

sysdump in veth mode:
cilium-sysdump-20240820-174545.zip

sysdump in netkit mode:
cilium-sysdump-20240820-175948.zip

Steps

Starting in veth mode, run cilium config set datapath-mode netkit on a client. After the cilium agent pod comes back up, run kubectl -n kube-system exec ds/cilium -- cilium-health status.

Results

Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
Probe time:   2024-08-21T01:01:48Z
Nodes:
  kantai/kantai1 (localhost):
    Host connectivity to 192.168.1.13:
      ICMP to stack:   OK, RTT=267.34µs
      HTTP to agent:   OK, RTT=338.28µs
    Endpoint connectivity to 10.11.0.144:
      ICMP to stack:   Connection timed out
      HTTP to agent:   Get "http://10.11.0.144:4240/hello": dial tcp 10.11.0.144:4240: connect: connection timed out

The built-in health check immediately switches to netkit (no other pod is restarted in this procedure) and immediately starts failing.

Network policies

I have a cluster network policy that allows ingress from entity "cluster". Per the documentation, this should allow connections from the host for health checks.

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  creationTimestamp: "2024-08-20T03:44:57Z"
  generation: 1
  labels:
    app.kubernetes.io/name: cilium-config
    kustomize.toolkit.fluxcd.io/name: cilium-config
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: cluster-ingress-allow
  resourceVersion: "29583520"
  uid: 8031d421-9a8b-458f-aeac-4d6ebf4cd383
spec:
  endpointSelector: {}
  ingress:
  - fromEntities:
    - cluster
status:
  conditions:
  - lastTransitionTime: "2024-08-20T03:44:57Z"
    message: Policy validation succeeded
    status: "True"
    type: Valid

Additional data

Running kubectl exec -ti -n kube-system ds/cilium -- cilium monitor --type drop shows that cilium is dropping health checks:

xx drop (Policy denied) flow 0xc2eaff1c to endpoint 1082, ifindex 2746, file bpf_lxc.c:2133, , identity world-ipv4->health: 192.168.1.13:44848 -> 10.11.0.144:4240 tcp SYN

It seems that the flow is categorized as "world" instead of "host" and is therefore getting blocked by the policy? Both the Node and the CiliumNode objects report that 192.168.1.13 is the node InternalIP v4.

[networkhermit]

Do you have a minimally reproducible example with an exact Deployment and NetworkPolicy?

For NetworkPolicy you can use https://github.com/fluxcd/flux2/tree/main/manifests/policies, as that's where my flux deployments fails with.

I can make a minimally reproducible example when I got time if it is needed.

BTW, I don't know if this issue is k3s only.

[arsiesys]

Hi,

I was able to reproduce this behaviour on a lab cluster deployed using CAPI (w/ metal3) + kubeadm.
I will share the test setup hoping it could help.

Host: ubuntu 22.04 6.8.0-40-generic with Mellanox 5 Nics
Kubernetes version: 1.30.4 (Pod net: 10.100.0.0/16, Service net: 10.101.0.0/16, Node net: 192.168.90.0/24)
Cilium version: 1.16.1
Cilium setup:

helm template cilium cilium/cilium --version 1.16.1 --namespace kube-system 
--set kubeProxyReplacement=true \
--set k8sServiceHost=192.168.90.2  \
--set k8sServicePort=6443  \
--set loadBalancer.acceleration=native \
--set loadBalancer.mode=hybrid  \
--set=ipam.mode=kubernetes  \
--set=l2announcements.enabled=true  \
--set=bgpControlPlane.enabled=true  \
--set=routingMode=native  \
--set=autoDirectNodeRoutes=true  \
--set=ipv4NativeRoutingCIDR=10.100.0.0/15  \
--set bpf.datapathMode=netkit  \
--set endpointRoutes.enabled=true` 

I used the following test deployment:

---
# nginx-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        environment: test
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
        readinessProbe:
          tcpSocket:
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 10
---
# nginx-service.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
---
# nginx-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: nginx-network-policy
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - protocol: TCP
      port: 80
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: nginx
    ports:
    - protocol: TCP
      port: 80

In that case, the readyness probe will fail:

Warning  Unhealthy         38s (x33 over 5m28s)  kubelet            Readiness probe failed: dial tcp 10.100.7.48:80: i/o timeout

xx drop (Unsupported L3 protocol) flow 0x0 to endpoint 480, ifindex 395, file bpf_lxc.c:2388, , identity worxx drop (Policy denied) flow 0x1082fe0a to endpoint 480, ifindex 395, file bpf_lxc.c:2133, , identity world->21419: 192.168.90.195:35224 -> 10.100.1.203:80 tcp SYN

If I disable netkit and use veth, there is no issue.

Note that the traffic between the PODs themselves (allowed by the network policy) are working as expected in either veth or netkit, only the probes seems to be impacted (aka, from kubelet).

[jrife]

Just wanted to confirm that I was also able to reproduce this locally inside a QEMU VM using the example provided by @arsiesys. I'll keep poking around at it and see what I can find out.

[jrife]

Upon further investigation here is what I found.

TL;DR

It's possible that I'm missing something obvious here, but it looks like the netkit driver clears the packet mark before running the BPF programs that enforce policy. This mark is used to indicate whether the packet was sent from a host namespace process. In netkit mode the packet looks like it is coming from world so it is denied while in veth mode it looks like it is coming from host. I don't know if clearing skb->mark in netkit_xmit() is intentional or not, but preserving its value makes this use case work again and allows cil_to_container() to correctly identify the packet's source as host.

My Environment

I created an Ubuntu 22.04 VM in QEMU via virt manager. I used k3s to create a one node cluster inside that VM then installed Cilium 1.16.1 enabling endpoint routes, native routing, BPF masquerade, and kube-proxy replacement. I applied the YAML provided by @arsiesys.

Observations: datapath-mode=veth vs datapath-mode=netkit

First, switching between datapath-mode=veth and datapath-mode=netkit I noticed some differences in the output of cilium monitor.

veth

cilium@cilium-test:~$ kubectl exec -it -n kube-system cilium-x67f4 -- cilium monitor | grep 10.42.0.198
Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
Policy verdict log: flow 0x99d0103e local EP ID 112, remote ID host, proto 6, ingress, action allow, auth: disabled, match L3-Only, 192.168.122.202:39618 -> 10.42.0.198:80 tcp SYN
-> endpoint 112 flow 0x99d0103e , identity host->4808 state new ifindex lxc98dd402d76cd orig-ip 192.168.122.202: 192.168.122.202:39618 -> 10.42.0.198:80 tcp SYN
-> stack flow 0xde82a2f7 , identity 4808->host state reply ifindex 0 orig-ip 0.0.0.0: 10.42.0.198:80 -> 192.168.122.202:39618 tcp SYN, ACK
-> endpoint 112 flow 0x99d0103e , identity host->4808 state established ifindex lxc98dd402d76cd orig-ip 192.168.122.202: 192.168.122.202:39618 -> 10.42.0.198:80 tcp ACK
-> endpoint 112 flow 0x99d0103e , identity host->4808 state established ifindex lxc98dd402d76cd orig-ip 192.168.122.202: 192.168.122.202:39618 -> 10.42.0.198:80 tcp ACK, FIN
-> stack flow 0xde82a2f7 , identity 4808->host state reply ifindex 0 orig-ip 0.0.0.0: 10.42.0.198:80 -> 192.168.122.202:39618 tcp ACK, FIN
-> endpoint 112 flow 0x99d0103e , identity host->4808 state established ifindex lxc98dd402d76cd orig-ip 192.168.122.202: 192.168.122.202:39618 -> 10.42.0.198:80 tcp ACK

netkit

cilium@cilium-test:~$ kubectl exec -it -n kube-system cilium-59bl7 -- cilium monitor | grep 10.42.0.176
Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
Policy verdict log: flow 0x32e1b137 local EP ID 3045, remote ID world, proto 6, ingress, action deny, auth: disabled, match none, 192.168.122.202:59620 -> 10.42.0.176:80 tcp SYN
xx drop (Policy denied) flow 0x32e1b137 to endpoint 3045, ifindex 25, file bpf_lxc.c:2133, , identity world->4808: 192.168.122.202:59620 -> 10.42.0.176:80 tcp SYN

We can see that in netkit mode the incoming packet takes on the world identity while in veth mode it is correctly marked as host. It makes sense that the policy would deny the incoming packet if it sees the source asworld. So then the question is why in netkit mode is this marked as world? From my read of the code Cilium installs some iptables/nftables rules to set a packet mark from any packets coming from host namespace processes.

	chain CILIUM_OUTPUT {
		meta mark & 0x00000e00 == 0x00000a00  counter packets 0 bytes 0 accept
		meta mark & 0x00000e00 == 0x00000800  counter packets 0 bytes 0 accept
		meta mark & 0x00000f00 != 0x00000e00 meta mark & 0x00000f00 != 0x00000d00 meta mark & 0x00000f00 != 0x00000400 meta mark & 0x00000e00 != 0x00000a00 meta mark & 0x00000e00 != 0x00000800 meta mark & 0x00000f00 != 0x00000f00  counter packets 67151 bytes 15007423 meta mark set mark and 0xfffff0ff xor 0xc00 
	}

Later, once the packet gets routed to the Pod's lxc interface (directly since we're using endpoint routes) it gets processed by cil_to_container which calls inherit_identity_from_host() in an attempt to read this packet mark and determine if it was sent from the host in which case identity is set to HOST_ID. WORLD_ID is the fall through here if magic does not match any known values.

netkit code

As far as I could tell the datapath is basically identical whether the lxc device is veth or netkit but the packet mark seemed to be different in the latter case. This led me to wondering if the Netkit driver itself was clearing skb->mark before it hit cil_to_container(). The netkit driver executes BPF hooks inside netkit_xmit(), the function that gets called every time a packet gets sent through a Netkit device:

static netdev_tx_t netkit_xmit(struct sk_buff *skb, struct net_device *dev)
{
	struct netkit *nk = netkit_priv(dev);
	enum netkit_action ret = READ_ONCE(nk->policy);
	netdev_tx_t ret_dev = NET_XMIT_SUCCESS;
	const struct bpf_mprog_entry *entry;
	struct net_device *peer;
	int len = skb->len;

	rcu_read_lock();
	peer = rcu_dereference(nk->peer);
	if (unlikely(!peer || !(peer->flags & IFF_UP) ||
		     !pskb_may_pull(skb, ETH_HLEN) ||
		     skb_orphan_frags(skb, GFP_ATOMIC)))
		goto drop;
	netkit_prep_forward(skb, !net_eq(dev_net(dev), dev_net(peer)));
	eth_skb_pkt_type(skb, peer);
	skb->dev = peer;
	entry = rcu_dereference(nk->active);
	if (entry)
		ret = netkit_run(entry, skb, ret);

Here, netkit_run() is what runs any attached programs. Before it executes these programs (which would be cil_to_container in this case) it runs netkit_prep_forward().

static void netkit_prep_forward(struct sk_buff *skb, bool xnet)
{
	skb_scrub_packet(skb, xnet);
	skb->priority = 0;
	nf_skip_egress(skb, true);
	skb_reset_mac_header(skb);
}

It turns out that skb_scrub_packet() clears skb->mark in cases where you are forwarding the packet to a different networking namespace.

void skb_scrub_packet(struct sk_buff *skb, bool xnet)
{
	skb->pkt_type = PACKET_HOST;
	skb->skb_iif = 0;
	skb->ignore_df = 0;
	skb_dst_drop(skb);
	skb_ext_reset(skb);
	nf_reset_ct(skb);The
	nf_reset_trace(skb);

#ifdef CONFIG_NET_SWITCHDEV
	skb->offload_fwd_mark = 0;
	skb->offload_l3_fwd_mark = 0;
#endif

	if (!xnet)
		return;

	ipvs_reset(skb);
	skb->mark = 0;
	skb_clear_tstamp(skb);
}
EXPORT_SYMBOL_GPL(skb_scrub_packet);

Patching the netkit code

To test the theory that the packet mark was getting cleared inside netkit_xmit() before cil_to_container() was executed I patched the code in netkit_prep_forward() to preserve the mark.

 static void netkit_prep_forward(struct sk_buff *skb, bool xnet)
 {
+       u32 save_mark = skb->mark;
        skb_scrub_packet(skb, xnet);
+       skb->mark = save_mark;
        skb->priority = 0;
        nf_skip_egress(skb, true);
        skb_reset_mac_header(skb);

After applying this patch to the latest net-next tree and installing this modified kernel the packet is identified as coming from the host.

cilium@cilium-test:~$ kubectl get pods -o wide
NAME                                READY   STATUS    RESTARTS   AGE   IP            NODE          NOMINATED NODE   READINESS GATES
nginx-deployment-866bf5cff6-kj66z   1/1     Running   0          31s   10.42.0.55    cilium-test   <none>           <none>
...
cilium@cilium-test:~$ kubectl exec -it -n kube-system cilium-m7ww4 -- cilium monitor | grep 10.42.0.55
Defaulted container "cilium-agent" out of: cilium-agent, config (init), mount-cgroup (init), apply-sysctl-overwrites (init), mount-bpf-fs (init), clean-cilium-state (init), install-cni-binaries (init)
Policy verdict log: flow 0xa7aa82af local EP ID 3722, remote ID host, proto 6, ingress, action allow, auth: disabled, match L3-Only, 192.168.122.202:34842 -> 10.42.0.55:80 tcp SYN
-> endpoint 3722 flow 0xa7aa82af , identity host->4808 state new ifindex lxcabe8634cfe2a orig-ip 192.168.122.202: 192.168.122.202:34842 -> 10.42.0.55:80 tcp SYN
-> stack flow 0xc8f37666 , identity 4808->host state reply ifindex 0 orig-ip 0.0.0.0: 10.42.0.55:80 -> 192.168.122.202:34842 tcp SYN, ACK
-> endpoint 3722 flow 0xa7aa82af , identity host->4808 state established ifindex lxcabe8634cfe2a orig-ip 192.168.122.202: 192.168.122.202:34842 -> 10.42.0.55:80 tcp ACK
-> endpoint 3722 flow 0xa7aa82af , identity host->4808 state established ifindex lxcabe8634cfe2a orig-ip 192.168.122.202: 192.168.122.202:34842 -> 10.42.0.55:80 tcp ACK, FIN
-> stack flow 0xc8f37666 , identity 4808->host state reply ifindex 0 orig-ip 0.0.0.0: 10.42.0.55:80 -> 192.168.122.202:34842 tcp ACK, FIN
-> endpoint 3722 flow 0xa7aa82af , identity host->4808 state established ifindex lxcabe8634cfe2a orig-ip 192.168.122.202: 192.168.122.202:34842 -> 10.42.0.55:80 tcp ACK
cilium@cilium-test:~$ ip route
...
10.42.0.55 dev lxcabe8634cfe2a proto kernel scope link 
... 
cilium@cilium-test:~$ sudo ethtool -i lxcabe8634cfe2a
[sudo] password for cilium: 
driver: netkit
version: 6.11.0-rc7+
firmware-version: 
expansion-rom-version: 
bus-info: 
supports-statistics: no
supports-test: no
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: no

Still, there may be something I'm missing. I'm not sure of the reasons behind wanting to clear skb->mark or if maybe there's a different way that identity is supposed to be forwarded here without skb->mark. CC @borkmann who wrote the netkit driver and knows a lot more than me here.