Sidecar Containers for Services are not accessible

[mbrancato]

What happened?

I'm using a helm chart to deploy an application, and I typically insert an specific proxy I need as a legacy sidecar (after init). However, this helm chart specifically does now allow specifying additional containers (again, legacy sidecar pattern), but it does allow specifying init containers using the newer Sidecar Containers feature.

The sidecar config might look like this with the new sidecar pattern:

      initContainers:
        - name: myproxy
          image: myproxy
          restartPolicy: Always
          ports:
            - containerPort: 8080
              name: proxy-port
              protocol: TCP

After deploying this:

• The v1/Service has endpoints that point to the target pods
• Manually, I can connect to <pod IP>:8080
• Attempting to connect to the service results in a connection refused.

What did you expect to happen?

The connection to the sidecar should work.

How can we reproduce it (as minimally and precisely as possible)?

• Create a pod with a named port in a container under initContainers with restartPolicy: Always
• Create a v1/Service that has a selector that targets the pod
• Attempt to lookup the SRV record

Anything else we need to know?

No response

Kubernetes version

Details

Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.5-gke.1443001

Cloud provider

Details

GKE

OS version

Details

# On Linux:
$ cat /etc/os-release
# paste output here
$ uname -a
# paste output here

# On Windows:
C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture
# paste output here

Install tools

Details

Container runtime (CRI) and version (if applicable)

Details

Related plugins (CNI, CSI, ...) and versions (if applicable)

Details

[HirazawaUi]

/sig network

[toVersus]

The issue did not reproduce in my local kind cluster running Kubernetes 1.30.4 and 1.30.6.
At first, I thought it might be a bug fixed in #127976, but that doesn’t seem to be the case. Are you specifying the port name (spec.ports[0].name in the following example) defined in the Service? If not specified, the SRV record will not be created. Could you share the complete reproduction steps?

❯ kind create cluster --image kindest/node:v1.30.4@sha256:976ea815844d5fa93be213437e3ff5754cd599b040946b5cca43ca45c2047114
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:v1.30.4) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Have a nice day! 👋

❯ kubectl get nodes
NAME                 STATUS   ROLES           AGE   VERSION
kind-control-plane   Ready    control-plane   65s   v1.30.4

❯ cat <<EOF | kubectl create -f -
apiVersion: v1
kind: Pod
metadata:
  name: http-server
  labels:
    app: http-server
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  initContainers:
  - name: el-sidecar1
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8090", "--udp-port=-1"]
    restartPolicy: Always
    ports:
    - containerPort: 8090
      name: http-sidecar
      protocol: TCP
  containers:
  - name: el1
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8080", "--udp-port=-1"]
    ports:
    - containerPort: 8080
      name: http
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: http-server
spec:
  ports:
  - name: http-sidecar
    protocol: TCP
    port: 8090
    targetPort: http-sidecar
  selector:
    app: http-server
  type: ClusterIP
EOF
pod/http-server created
service/http-server created

❯ kubectl exec -it http-server -c el1 -- dig SRV _http-sidecar._tcp.http-server.default.svc.cluster.local

; <<>> DiG 9.16.48 <<>> SRV _http-sidecar._tcp.http-server.default.svc.cluster.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7488
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f4bc48863118d01d (echoed)
;; QUESTION SECTION:
;_http-sidecar._tcp.http-server.default.svc.cluster.local. IN SRV

;; ANSWER SECTION:
_http-sidecar._tcp.http-server.default.svc.cluster.local. 27 IN	SRV 0 100 8090 http-server.default.svc.cluster.local.

;; ADDITIONAL SECTION:
http-server.default.svc.cluster.local. 27 IN A	10.96.98.56

;; Query time: 1 msec
;; SERVER: 10.96.0.10#53(10.96.0.10)
;; WHEN: Sat Nov 16 13:00:21 UTC 2024
;; MSG SIZE  rcvd: 263

[mbrancato]

I just want to clarify this means the v1/Service doesn't work as the ultimate result. I traced the cause back to a lack of SRV records for the port in question.

[mbrancato]

Thanks @toVersus - I've taken your example and updated it. I've also updated the issue to be a bit more broad - since it is not a problem with SRV records.

Below is a an example with two services:

• http-server - points to the initContainer port
• http-server-direct - points to the main container port

---
apiVersion: v1
kind: Pod
metadata:
  name: http-server
  labels:
    app: http-server
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  initContainers:
  - name: el-sidecar1
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8090", "--udp-port=-1"]
    restartPolicy: Always
    ports:
    - containerPort: 8090
      name: http-sidecar
      protocol: TCP
  containers:
  - name: el1
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8080", "--udp-port=-1"]
    ports:
    - containerPort: 8080
      name: http-direct
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: http-server
spec:
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: http-sidecar
  selector:
    app: http-server
  type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
  name: http-server-direct
spec:
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: http-direct
  selector:
    app: http-server
  type: ClusterIP

Here the http-server-direct service is accessible (this is from a pod in the cluster):

# curl -v http-server-direct.default.svc.cluster.local
*   Trying 10.43.119.252:80...
* Connected to http-server-direct.default.svc.cluster.local (10.43.119.252) port 80 (#0)
> GET / HTTP/1.1
> Host: http-server-direct.default.svc.cluster.local
> User-Agent: curl/7.88.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Mon, 18 Nov 2024 00:51:35 GMT
< Content-Length: 61
< Content-Type: text/plain; charset=utf-8
< 
* Connection #0 to host http-server-direct.default.svc.cluster.local left intact
NOW: 2024-11-18 00:51:35.820105082 +0000 UTC m=+492.084894194

However, the http-server service is NOT accessible:

# curl -v http-server.default.svc.cluster.local
*   Trying 10.43.62.224:80...
* connect to 10.43.62.224 port 80 failed: Connection refused
* Failed to connect to http-server.default.svc.cluster.local port 80 after 1 ms: Couldn't connect to server
* Closing connection 0
curl: (7) Failed to connect to http-server.default.svc.cluster.local port 80 after 1 ms: Couldn't connect to server

I'm testing with k3s here, but I originally experienced this on a GKE cluster:

% kubectl version
Client Version: v1.31.0
Kustomize Version: v5.4.2
Server Version: v1.30.5+k3s1

[mbrancato]

I think this may have been fixed in #127976 but its only in the 1.32 branch if GitHub's tag matching is correct for the commit.

[aojea]

It is a beta features and only happens with named ports, so it may not be backported, if you use the port number it should work, right?

[toVersus]

The fix #127976 is included in Kubernetes 1.32.0-alpha.3. I tried self-building Kubernetes 1.32.0-beta.0 to verify its behavior.

❯ kind build node-image https://dl.k8s.io/v1.32.0-beta.0/kubernetes-server-linux-arm64.tar.gz
Detected build type: "url"
Building using URL: "https://dl.k8s.io/v1.32.0-beta.0/kubernetes-server-linux-arm64.tar.gz"
Starting to build Kubernetes
Downloading "https://dl.k8s.io/v1.32.0-beta.0/kubernetes-server-linux-arm64.tar.gz"
Finished building Kubernetes
Building node image ...
Building in container: kind-build-1731983820-1912917957
Image "kindest/node:latest" build completed.

❯ kind create cluster --image kindest/node:latest
Creating cluster "kind" ...
 ✓ Ensuring node image (kindest/node:latest) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-kind"
You can now use your cluster with:

kubectl cluster-info --context kind-kind

Have a nice day! 👋

❯ kubectl get nodes
NAME                 STATUS   ROLES           AGE   VERSION
kind-control-plane   Ready    control-plane   23s   v1.32.0-beta.0

First, when specifying the port number, it worked without any issues.

❯ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: http-server
  labels:
    app: http-server
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  initContainers:
  - name: http-server
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8080", "--udp-port=-1"]
    restartPolicy: Always
    ports:
    - containerPort: 8080
      name: http-sidecar
      protocol: TCP
  containers:
  - name: sleep
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    command: ["sleep", "infinity"]
---
apiVersion: v1
kind: Service
metadata:
  name: http-server
spec:
  ports:
  - name: http-sidecar
    protocol: TCP
    port: 8080
    targetPort: 8080
  selector:
    app: http-server
  type: ClusterIP
EOF
pod/http-server created
service/http-server created

❯ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: client
  labels:
    app: client
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  containers:
  - name: client
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    command: ["sleep", "infinity"]
EOF
pod/client created

❯ kubectl exec -it client -- curl http-server:8080
NOW: 2024-11-19 02:43:27.184136614 +0000 UTC m=+9.417948284

Next, when specifying a named port, an error occurred. It seems that the issue has not been fixed by the changes in #12797.

❯ kubectl delete pod,svc http-server
pod "http-server" deleted
service "http-server" deleted

❯ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: http-server
  labels:
    app: http-server
spec:
  terminationGracePeriodSeconds: 1
  restartPolicy: Never
  initContainers:
  - name: http-server
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    args: ["netexec", "--http-port=8080", "--udp-port=-1"]
    restartPolicy: Always
    ports:
    - containerPort: 8080
      name: http-sidecar
      protocol: TCP
  containers:
  - name: sleep
    image: registry.k8s.io/e2e-test-images/agnhost:2.52
    command: ["sleep", "infinity"]
---
apiVersion: v1
kind: Service
metadata:
  name: http-server
spec:
  ports:
  - name: http-sidecar
    protocol: TCP
    port: 8080
    targetPort: http-sidecar
  selector:
    app: http-server
  type: ClusterIP
EOF
pod/http-server created
service/http-server created

❯ kubectl get pods
NAME          READY   STATUS    RESTARTS   AGE
client        1/1     Running   0          7m5s
http-server   2/2     Running   0          23s

❯ kubectl exec -it client -- curl http-server:8080
curl: (7) Failed to connect to http-server port 8080 after 1 ms: Couldn't connect to server
command terminated with exit code 7

[toVersus]

I'm not sure if it is the right place to add the E2E tests, but I’ve added the following test cases in #128850.

1. Add a test case to verify that specifying a port number as the target port for restartable init containers in Service
2. Add a failing test case to verify that specifying a named port as the target port for restartable init containers in Service

I will investigate the route cause of the issue later.

EDIT:

The conversion from the named port to the port number is done correctly, and the correct access info is embedded in the Endpoint.

❯ kubectl get ep
NAME          ENDPOINTS           AGE
http-server   10.244.0.10:8080    24m
kubernetes    192.168.97.2:6443   34m

❯ kubectl get pods -owide
NAME          READY   STATUS    RESTARTS   AGE   IP            NODE                 NOMINATED NODE   READINESS GATES
client        1/1     Running   0          32m   10.244.0.7    kind-control-plane   <none>           <none>
http-server   2/2     Running   0          26m   10.244.0.10   kind-control-plane   <none>           <none>

However, the iptables rules are evaluating as if the Endpoint does not exist, and it seems that a REJECT rule has been added.

root@kind-control-plane:/# iptables -S -t filter
(...)
-A KUBE-SERVICES -d 10.96.28.240/32 -p tcp -m comment --comment "default/http-server:http-sidecar has no endpoints" -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable

It seems that the cause is the false return in the hasEndpoints check here.

kubernetes/pkg/proxy/iptables/proxier.go

Lines 1062 to 1071 in cf480a3

	if !hasEndpoints {
	// The service has no endpoints at all; hasInternalEndpoints and
	// hasExternalEndpoints will also be false, and we will not
	// generate any chains in the "nat" table for the service; only
	// rules in the "filter" table rejecting incoming packets for
	// the service's IPs.
	internalTrafficFilterTarget = "REJECT"
	internalTrafficFilterComment = fmt.Sprintf(`"%s has no endpoints"`, svcPortNameString)
	externalTrafficFilterTarget = "REJECT"
	externalTrafficFilterComment = internalTrafficFilterComment

The hasEndpoints value is returned by CategorizeEndpoints() as hasAnyEndpoints.

kubernetes/pkg/proxy/topology.go

Lines 26 to 40 in cf480a3

	// CategorizeEndpoints returns:
	//
	// - The service's usable Cluster-traffic-policy endpoints (taking topology into account, if
	// relevant). This will be nil if the service does not ever use Cluster traffic policy.
	//
	// - The service's usable Local-traffic-policy endpoints (including terminating endpoints, if
	// relevant). This will be nil if the service does not ever use Local traffic policy.
	//
	// - The combined list of all endpoints reachable from this node (which is the union of the
	// previous two lists, but in the case where it is identical to one or the other, we avoid
	// allocating a separate list).
	//
	// - An indication of whether the service has any endpoints reachable from anywhere in the
	// cluster. (This may be true even if allReachableEndpoints is empty.)
	func CategorizeEndpoints(endpoints []Endpoint, svcInfo ServicePort, nodeLabels map[string]string) (clusterEndpoints, localEndpoints, allReachableEndpoints []Endpoint, hasAnyEndpoints bool) {

Ah, it seems that the Endpoint exists, but the port number is not correctly set in the EndpointSlices.

❯ kubectl get ep,endpointslices
NAME                    ENDPOINTS           AGE
endpoints/http-server   10.244.0.16:8080    13m
endpoints/kubernetes    192.168.97.2:6443   56m

NAME                                               ADDRESSTYPE   PORTS     ENDPOINTS      AGE
endpointslice.discovery.k8s.io/http-server-gtszt   IPv4          <unset>   10.244.0.16    13m
endpointslice.discovery.k8s.io/kubernetes          IPv4          6443      192.168.97.2   56m

The endpoints contain the correct information, but the ports are set to null.

❯ kubectl get endpointslices http-server-c9vbj -oyaml
addressType: IPv4
apiVersion: discovery.k8s.io/v1
endpoints:
- addresses:
  - 10.244.0.18
  conditions:
    ready: true
    serving: true
    terminating: false
  nodeName: kind-control-plane
  targetRef:
    kind: Pod
    name: http-server
    namespace: default
    uid: a2022d7d-7cbc-42c7-9281-62271c1e6e50
kind: EndpointSlice
metadata:
  creationTimestamp: "2024-11-19T03:38:47Z"
  generateName: http-server-
  generation: 3
  labels:
    endpointslice.kubernetes.io/managed-by: endpointslice-controller.k8s.io
    kubernetes.io/service-name: http-server
  name: http-server-c9vbj
  namespace: default
  ownerReferences:
  - apiVersion: v1
    blockOwnerDeletion: true
    controller: true
    kind: Service
    name: http-server
    uid: db792c77-bcc0-4714-bfeb-c3b06cc97be6
  resourceVersion: "5520"
  uid: 4a695da2-6d5e-4a19-87c5-ed61a3c14f3d
ports: null

Here, information about the ports exposed by the Service and Pod is being evaluated.

https://github.com/kubernetes/kubernetes/blob/cf480a3a1a9cb22f3439c0a7922822d9f67f31b5/staging/src/k8s.io/endpointslice/reconciler.go#L175C20-L175C36

There is another findPort() from Pods here.

kubernetes/staging/src/k8s.io/endpointslice/utils.go

Line 89 in cf480a3

portNum, err := findPort(pod, servicePort)

It seems that the cause is similar to the previous fix, where the initContainers case was overlooked here.

kubernetes/staging/src/k8s.io/endpointslice/utils.go

Lines 388 to 394 in cf480a3

	for _, container := range pod.Spec.Containers {
	for _, port := range container.Ports {
	if port.Name == name && port.Protocol == svcPort.Protocol {
	return int(port.ContainerPort), nil
	}
	}
	}

It seems that the impact of moving the EndpointSlice utils to staging repo and making it usable externally has caused the FindPort(), exposed as part of podutils (k8s.io/kubernetes/pkg/api/v1/pod), to become unavailable (because we don't want to depend on k/k in staging repo?). As a result, the code has been copied and is now being managed separately. It appears that the implementation of FindPort() is maintained in two places, and only one of them was updated, leading to the issue.