
Pods unable to access each other, pod CIDR in cali-cidr-block #8675

Open
rf152 opened this issue Mar 29, 2024 · 3 comments

Comments

@rf152

rf152 commented Mar 29, 2024

The ingress-nginx pod is not able to access the other pods in order to allow ingress to the applications running on the cluster. On closer inspection, all inter-pod traffic is not working.

Putting a manual rule at the top of the forward chain to allow inter-pod traffic works, but Calico quickly places its cali-FORWARD rule before it.

The iptables rule it is hitting is in the cali-cidr-block chain:

Chain cali-cidr-block (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       0.0.0.0/0            10.1.128.0/18        /* cali:MBFnMC9HO-P01G4D */
   18  1080 DROP       0    --  *      *       0.0.0.0/0            10.1.64.0/18         /* cali:9vWkRqRgEwhV2A-K */

10.1.64.0/18 is the pod network

Expected Behavior

ingress-nginx should be able to reach pods in order to serve applications

Current Behavior

ingress-nginx is not able to reach the pods to serve the applications. No pods are able to communicate with each other.

Steps to Reproduce (for bugs)

  1. Install with kubespray enabling BGP, disabling nat_outgoing, and peering with a BGP router
  2. Deploy ingress-nginx
  3. Deploy a web application and create an ingress resource for it
  4. Browse to the newly created ingress

Your Environment

  • Calico version: v3.26.4
  • ClusterType: kubespray,bgp,kubeadm,kdd,k8s
  • Orchestrator version: kubernetes
  • Operating System and version: debian 12
  • Link to your project (optional):
@fasaxc
Member

fasaxc commented Apr 3, 2024

IIUC, the cali-cidr-block chain drops traffic to advertised cluster IPs that didn't get resolved to Pod IPs by kube-proxy. Perhaps you have misconfigured the service CIDR to overlap with your Pod CIDR range?
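The check fasaxc suggests can be done mechanically. What follows is an added example, not code from the issue or from the Calico project: it parses the cali-cidr-block listing rf152 pasted above (embedded here as a constructed sample) and flags any DROP destination that overlaps a pod IP pool, then runs the same overlap check over the serviceClusterIPs, serviceExternalIPs and serviceLoadBalancerIPs lists of a BGPConfiguration spec (a constructed dict here), which is where the service CIDRs Calico advertises over BGP are declared. It assumes, following fasaxc's reading of the chain, that each DROP destination in cali-cidr-block is a CIDR Calico was configured to advertise as service IPs; the pod pool list and the sample BGPConfiguration are taken from the CIDRs rf152 lists, not read from a cluster.

```python
# Added diagnostic for the cali-cidr-block drops discussed in this issue.
# Not Calico project code and not posted by the issue participants.
# Assumption (per fasaxc's comment): every DROP destination in the chain is a
# CIDR that Calico was told to advertise as a service CIDR via BGPConfiguration.
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the chain as pasted in the issue (`iptables -nvL cali-cidr-block`).
SAMPLE_CHAIN = """\
Chain cali-cidr-block (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       0.0.0.0/0            10.1.128.0/18        /* cali:MBFnMC9HO-P01G4D */
   18  1080 DROP       0    --  *      *       0.0.0.0/0            10.1.64.0/18         /* cali:9vWkRqRgEwhV2A-K */
"""

# Pod IP pool(s) as stated in the issue; on a live cluster read them from
# `calicoctl get ippool -o wide`.
POD_POOLS = ["10.1.64.0/18"]


@dataclass
class DropRule:
    destination: ipaddress.IPv4Network
    packets: int      # hit counter: a non-zero value means traffic is being black-holed now
    rule_id: str      # the cali:... comment, usable with `iptables-save | grep`


_COMMENT = re.compile(r"cali:(\S+)")


def parse_cidr_block(chain_text):
    """Extract DROP rules from an `iptables -nvL` listing of cali-cidr-block.

    Column layout of -nvL output: pkts bytes target prot opt in out source destination [...]
    The header lines are skipped because their third column is not "DROP".
    """
    rules = []
    for line in chain_text.splitlines():
        cols = line.split()
        if len(cols) < 9 or cols[2] != "DROP":
            continue
        m = _COMMENT.search(line)
        rules.append(DropRule(
            destination=ipaddress.ip_network(cols[8], strict=False),
            packets=int(cols[0]),
            rule_id=m.group(1) if m else "",
        ))
    return rules


def overlapping(cidrs, pools):
    """Return the networks in `cidrs` that overlap any pod pool."""
    nets = [ipaddress.ip_network(p, strict=False) for p in pools]
    return [c for c in cidrs if any(c.overlaps(n) for n in nets)]


def find_pod_cidr_drops(chain_text, pools):
    """DROP rules in cali-cidr-block whose destination is (part of) a pod pool.

    Any such rule black-holes pod-to-pod traffic that reaches the FORWARD chain.
    """
    rules = parse_cidr_block(chain_text)
    bad = overlapping([r.destination for r in rules], pools)
    return [r for r in rules if r.destination in bad]


def check_service_advertisement(bgp_spec, pools):
    """Check a BGPConfiguration spec's advertised service CIDRs against the pod pools.

    `bgp_spec` is the spec as a dict: serviceClusterIPs / serviceExternalIPs /
    serviceLoadBalancerIPs are lists of {"cidr": "..."}. Returns the advertised
    CIDRs that overlap a pod pool; a correctly configured cluster returns [].
    """
    advertised = []
    for key in ("serviceClusterIPs", "serviceExternalIPs", "serviceLoadBalancerIPs"):
        advertised += [ipaddress.ip_network(e["cidr"], strict=False) for e in bgp_spec.get(key, [])]
    return [str(c) for c in overlapping(advertised, pools)]


if __name__ == "__main__":
    for r in find_pod_cidr_drops(SAMPLE_CHAIN, POD_POOLS):
        print(f"cali-cidr-block drops traffic to pod CIDR {r.destination}: "
              f"{r.packets} pkts so far (rule cali:{r.rule_id})")
    # Constructed BGPConfiguration spec using the CIDRs rf152 lists, with the pod
    # CIDR wrongly included among the advertised service CIDRs for illustration.
    spec = {
        "serviceClusterIPs": [{"cidr": "10.1.0.0/18"}, {"cidr": "10.1.64.0/18"}],
        "serviceLoadBalancerIPs": [{"cidr": "10.1.128.0/18"}],
    }
    print("advertised CIDRs overlapping a pod pool:", check_service_advertisement(spec, POD_POOLS))
```

On a live node, feed parse_cidr_block the output of `iptables -nvL cali-cidr-block` and check_service_advertisement the spec from `calicoctl get bgpconfiguration default -o yaml`: a rule with a non-zero pkts counter whose destination is a pod pool is the one dropping pod-to-pod traffic, and its cali: comment locates it in `iptables-save`. Because the chain is referenced from cali-FORWARD, a rule inserted manually above it in FORWARD is undone when Felix resyncs, which matches what rf152 reports; the fix has to be in the configuration that generates the chain, not in iptables.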

@rf152
Author

rf152 commented Apr 13, 2024

Definitely don't have overlapping subnets - I have 10.1.0.0/18 for service, 10.1.128.0/18 for load balancers, and 10.1.64.0/18 for pods. It was stood up with kubespray, if that makes any difference?

@rf152
Author

rf152 commented May 2, 2024

I've got the same issue on a brand new cluster that I have set up. No pod is able to browse to any service. Browsing directly to the pod IP is fine.

3 participants