Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Canal on K8s v1.8 with chain append mode no longer respects networkpolicies #4037

Closed
KashifSaadat opened this issue Dec 11, 2017 · 7 comments · Fixed by #6469
Closed

Canal on K8s v1.8 with chain append mode no longer respects networkpolicies #4037

KashifSaadat opened this issue Dec 11, 2017 · 7 comments · Fixed by #6469
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@KashifSaadat
Copy link
Contributor

KashifSaadat commented Dec 11, 2017
edited
Loading

The information around this issue is documented here: projectcalico/canal#115

Depending on the outcome from the above issue, we will likely need updates to the following files:

Versions

  • Calico version: v2.6.2
  • Flannel version: v0.9.1 (the issue was introduced in this version, v0.9.0 works fine)
  • Kops version: v1.8.0
  • Operating System and version: CoreOS stable v1520.8.0

Cluster Spec (networking block)

  networking:
    canal:
      chainInsertMode: append
      defaultEndpointToHostAction: RETURN
      prometheusMetricsEnabled: true

CC @chrislovecnm
@caseydavenport
Copy link
Member

@KashifSaadat just to confirm, this is only an issue when the chainInsertMode has been set to append - the default insert continues to work as expected.

@KashifSaadat
Copy link
Contributor Author

Yes I believe so, because the flannel rules are then at the bottom of the FORWARD chain and so the Calico rules will be processed first.

@caseydavenport
Copy link
Member

See my comment here.

Essentially, Calico is behaving as expected for the given config. There's probably room for a change in flannel to play nicer in this situation, but if possible I'd recommend using the default chainInsertMode.

@KashifSaadat KashifSaadat mentioned this issue Dec 12, 2017
Merged
k8s-github-robot pushed a commit that referenced this issue Dec 13, 2017
Merge pull request #4047 from KashifSaadat/canal-flannel-downgrade
db09337 
Automatic merge from submit-queue.

Downgrade Flannel in Canal deployment to v0.9.0

Flannel v0.9.1 introduces a single change to add 2 iptables rules to the `FORWARD` chain, permitting traffic in/out of the pod network (introduced to improve compatibility with newer versions of Docker). This change is unnecessary for Canal deployments for the following reasons:
- Calico's `DefaultEndpointToHostAction` is set to `ACCEPT` in the manifest deployed by kops, allowing traffic by default once all other Calico rules are processed.
- If Calico's `ChainInsertMode` is set to `APPEND`, the flannel rules will be processed before the Calico rules, accepting traffic by default, and so Kubernetes network policies will not take effect

This change is temporary until a more permanent resolution is available with Flannel, such as providing a configurable option to disable the addition of these rules when deployed with Calico.

Related to #4037
@tomdee
Copy link
Contributor

tomdee commented Jan 30, 2018

@KashifSaadat Could you raise an issue against flannel to make this configurable

@KashifSaadat KashifSaadat mentioned this issue Feb 1, 2018
Closed
@KashifSaadat
Copy link
Contributor Author

@tomdee sure, I've raised the following issue to track this: flannel-io/flannel#938

@KashifSaadat KashifSaadat mentioned this issue Apr 10, 2018
Merged
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 2, 2018
@KashifSaadat
Copy link
Contributor Author

/remove-lifecycle stale
/lifecycle frozen

I've raised this PR to address the issue within flannel: flannel-io/flannel#978
Until it's merged, it is not recommended to update the flannel version in the canal manifest file.

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 2, 2018
@KashifSaadat KashifSaadat mentioned this issue Feb 14, 2019
Merged
@KashifSaadat KashifSaadat mentioned this issue Apr 3, 2020
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Updated Canal manifest to v3.5.0 for k8s v1.12+ appvia/kops
5 participants
@tomdee @caseydavenport @KashifSaadat @k8s-ci-robot @fejta-bot