no internet connection within pod on K3s --no-flannel #268
Comments
|
hi @segator could you share some details about the topology of your cluster? From the look of this WireGuard configuration, it seems like you have three nodes in a full mesh. Is that right? |
|
Hi, sorry to late answer, what exactly you want to know? 2 nodes behind NAT and 1 node with static public IP and ports opened. |
|
Hi @segator I was curious what the Kilo mesh topology was. Are they in a full mesh? Or are they using --mesh -granularity=location and some have the same location annotation / topology label? |
|
all of them have separate locations labels |
|
Have you also set the persistent-keepalive annotation on the two nodes behind NAT? |
|
25s of persistent keepalive, I have connection, the problem is the pods deployed does not have internet connection but if I try to ping from wg peer to peer works. |
|
ah, sorry, 🙈 I misread the issue |
|
hmm can you please share the output of |
|
this is from the k3s control plane server |
|
Regarding topology. Not sure why appear workers with an IPV6 endpoint (I replaced sensitive data) all nodes have this labels with different value as they are located in diferents "regions" only master (node with static public IP) have this set only workers have set
|
|
Thanks @segator this is really helpful. I'm a bit curious about the default DROP rule on the FORWARD chain. Would you mind trying something? |
|
Hi @squat, it seems to work only on libvirt machines, not hetzner machine (The iptables-save I shown you before is hetzner one) |
|
Ha interesting! The plot thickens! Can you describe how the nodes are different? Are the Herner node and the VMs running the same or different OS? are they configured similarly? Is there some other process managing the firewall on the Hetzner node? (Please do another iptables-save to confirm that the FORWARD chain now defaults to ALLOW) |
|
First of all, Thanks for taking the time to help on my specific case @squat , I guess you have things better to do :) The machines are deployed via terraform so the configuration is completely identical between machines, except master I run k3s as control plane instead of worker. Regarding firewall in hetzner, if I deploy k3s with flannel instead of kilo then we have internet connectivity. I notice now I have internet connection but DNS is not resolving in Hetzner machine, coreDNS is running on Hetzner machine, but workers still have connectivity and DNS resolving. |
|
Umh The issue seems the IP of DNS server |
|
Trying to force coreDNS serviceIP to 10.43.0.10 seems now I can resolve DNS but I still have rejected connections, DNS and Ping to any IP works but curl, wget.. etc not yet, domain is resolved but connection dropped |
|
Hi @segator im a bit confused. By convention, the DNS ServiceIP tends to automatically be 10.x.0.10 (10.43.0.10 in the case of K3s). That would explain why your node cannot resolve DNS. But in that case, none of the nodes should have been able to resolve DNS. Or was /etc/resolv.conf only wrong on one node? |
|
Seems the issue is when installing K3s disabling coreDNS and installing it with helm. The funny part is this issue only ocurs when having Kilo, if I do the same but with flannel for exemple then there is no problem to install coreDNS as helm instead of K3s |
|
Interesting 🤔 would you mind sharing the flannel daemonset yaml that does work? |
|
So, to summarize, Kilo works if you use the stock coreDNS but not if you disable it and later install your own? |
|
Correct |
|
Ack please share the flannel config if you can 🎉 |
|
Ping @segator :) |
|
Hey! I think you can close the issue, I tought it was perfectly working with flannel but it's not. Thanks!! |
Installed k3s on a clean environment disabling default flannel. then installing kilo-k3s.yaml.
between nodes i can ping nodes, wg is properly configured and have connectivity between all 3 nodes.
But seems there is no internet connection inside the pods deployed on workers
The text was updated successfully, but these errors were encountered: