kivikakk.ee

The tool of the day is nftrace. I couldn't work out why some pods weren't able to communicate with each other across the Tailscale mesh. Suspected ACLs, suspected routes weren't getting installed correctly (p.s. ip route show table 52 (!?)), suspected local firewalls, suspected so much. tcpdump only gets you so far.

Finally, on the target node:

$ doas -s
# nix shell nixpkgs#nftrace nixpkgs#nftables
# nftrace add ip daddr 10.59.1.213
# nftrace monitor

Try the request that isn’t making it through a bunch of times until you can isolate the exact sequence. ^C, nftrace remove, and read carefully:

trace id daac839a inet nftrace-table nftrace-chain packet: iif "tailscale0" ip saddr 100.67.157.26 ip daddr 10.59.1.213 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 32261 ip protocol tcp ip length 60 tcp sport 33233 tcp dport 9090 tcp flags == syn tcp window 64480
trace id daac839a inet nftrace-table nftrace-chain rule ip daddr 10.59.1.213 meta nftrace set 1 (verdict continue)
trace id daac839a inet nftrace-table nftrace-chain policy accept
trace id daac839a ip filter FORWARD packet: iif "tailscale0" oif "cni0" ip saddr 100.67.157.26 ip daddr 10.59.1.213 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32261 ip length 60 tcp sport 33233 tcp dport 9090 tcp flags == syn tcp window 64480
trace id daac839a ip filter FORWARD rule counter packets 44827 bytes 28768164 jump KUBE-ROUTER-FORWARD (verdict jump KUBE-ROUTER-FORWARD)
trace id daac839a ip filter KUBE-ROUTER-FORWARD rule ip daddr 10.59.1.213 counter packets 5001 bytes 6279235 jump KUBE-POD-FW-FIAOHC4WHRKERAQ6 (verdict jump KUBE-POD-FW-FIAOHC4WHRKERAQ6)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule counter packets 5 bytes 300 jump KUBE-NWPLCY-ZYSQVVSY5LQY7Q46 (verdict jump KUBE-NWPLCY-ZYSQVVSY5LQY7Q46)
trace id daac839a ip filter KUBE-NWPLCY-ZYSQVVSY5LQY7Q46 rule limit rate 10/minute burst 10 packets meta mark & 0x00010000 != 0x00010000 counter packets 5 bytes 300 log prefix "DROP by policy monitoring/prometheus-k8s" group 100 (verdict continue)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule meta mark & 0x00010000 != 0x00010000 limit rate 10/minute burst 10 packets counter packets 5 bytes 300 log group 100 (verdict continue)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule meta mark & 0x00010000 != 0x00010000 counter packets 5 bytes 300 reject (verdict drop)

What's that? log prefix "DROP by policy monitoring/prometheus-k8s"?? Guuaaaaauuuuu. So the packet was reaching the node and being forwarded from tailscale0 towards cni0 just fine; neither Tailscale ACLs nor routing were in the way. What killed it was kube-router's NetworkPolicy enforcement: the KUBE-NWPLCY-ZYSQVVSY5LQY7Q46 chain for monitoring/prometheus-k8s logged it, and the pod firewall chain then rejected it because the policy chain had not set the "allowed" mark (meta mark & 0x00010000).
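Reading one of these by eye is fine for a single SYN, but meta nftrace set 1 tags every packet that matches, so a busy flow gives you dozens of interleaved trace ids. The Python below is an example added to this write-up, not part of the post or of the nftrace tool: it groups nft monitor trace records by trace id, re-joins records that were wrapped onto several lines when pasted (the sample input is the trace from this post, in pasted form), and reports the chain path, any log prefix the packet hit, and the rule that settled its verdict. The assumption that accept, drop, queue and stolen end the walk at a hook, and that the last such verdict across hooks is the outcome, is mine.

```python
"""Summarise `nft monitor trace`: per trace id, the flow, chains walked, log prefixes, verdict."""
import re

# Sample input: the trace from this post, as it wraps when pasted from a narrow
# terminal. nft itself emits one record per line; join_wrapped() undoes the wrap.
SAMPLE = """\
trace id daac839a inet nftrace-table nftrace-chain packet: iif "tailscale0" ip saddr
100.67.157.26 ip daddr 10.59.1.213 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 32261
ip protocol tcp ip length 60 tcp sport 33233 tcp dport 9090 tcp flags == syn tcp
window 64480
trace id daac839a inet nftrace-table nftrace-chain rule ip daddr 10.59.1.213 meta nftrace
set 1 (verdict continue)
trace id daac839a inet nftrace-table nftrace-chain policy accept
trace id daac839a ip filter FORWARD packet: iif "tailscale0" oif "cni0" ip saddr 100.67.157.26
ip daddr 10.59.1.213 ip dscp cs0 ip ecn not-ect ip ttl 63 ip id 32261 ip length 60 tcp
sport 33233 tcp dport 9090 tcp flags == syn tcp window 64480
trace id daac839a ip filter FORWARD rule counter packets 44827 bytes 28768164 jump
KUBE-ROUTER-FORWARD (verdict jump KUBE-ROUTER-FORWARD)
trace id daac839a ip filter KUBE-ROUTER-FORWARD rule ip daddr 10.59.1.213 counter packets
5001 bytes 6279235 jump KUBE-POD-FW-FIAOHC4WHRKERAQ6 (verdict jump
KUBE-POD-FW-FIAOHC4WHRKERAQ6)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule counter packets 5 bytes 300
jump KUBE-NWPLCY-ZYSQVVSY5LQY7Q46 (verdict jump KUBE-NWPLCY-ZYSQVVSY5LQY7Q46)
trace id daac839a ip filter KUBE-NWPLCY-ZYSQVVSY5LQY7Q46 rule limit rate 10/minute burst 10
packets meta mark & 0x00010000 != 0x00010000 counter packets 5 bytes 300 log prefix
"DROP by policy monitoring/prometheus-k8s" group 100 (verdict continue)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule meta mark & 0x00010000 !=
0x00010000 limit rate 10/minute burst 10 packets counter packets 5 bytes 300 log group
100 (verdict continue)
trace id daac839a ip filter KUBE-POD-FW-FIAOHC4WHRKERAQ6 rule meta mark & 0x00010000 !=
0x00010000 counter packets 5 bytes 300 reject (verdict drop)
"""

RECORD_RE = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) (?P<chain>\S+) "
    r"(?P<kind>packet:|rule|policy) ?(?P<rest>.*)$"
)
VERDICT_RE = re.compile(r"\(verdict (?P<verdict>\w+)(?: (?P<target>\S+))?\)$")
LOG_PREFIX_RE = re.compile(r'log prefix "(?P<prefix>[^"]*)"')
FIELD_RES = {  # packet-line fields worth keeping for a one-line flow summary
    "iif": re.compile(r'iif "([^"]+)"'),
    "oif": re.compile(r'oif "([^"]+)"'),
    "saddr": re.compile(r"ip6? saddr (\S+)"),
    "daddr": re.compile(r"ip6? daddr (\S+)"),
    "dport": re.compile(r"(?:tcp|udp) dport (\d+)"),
}
# Assumption: these verdicts end the walk at one hook, and a later hook's drop
# overrides an earlier hook's accept, so the LAST terminal verdict is the outcome.
TERMINAL = {"accept", "drop", "queue", "stolen"}


def join_wrapped(text):
    """Every record starts with 'trace id'; any other non-empty line is a wrapped
    continuation of the previous record. Junk before the first record is dropped."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("trace id "):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records


def parse(text):
    """Group records by trace id in emission order. Each event is a dict with chain
    ("family table chain"), kind (packet/rule/policy), text, verdict and jump target."""
    traces = {}
    for rec in join_wrapped(text):
        m = RECORD_RE.match(rec)
        if not m:
            continue  # nft monitor also prints ruleset change events; skip those
        kind, rest, verdict, target = m["kind"].rstrip(":"), m["rest"], None, None
        if kind == "policy":
            verdict = rest.strip()
        elif v := VERDICT_RE.search(rest):
            verdict, target = v["verdict"], v["target"]
            rest = rest[: v.start()].rstrip()  # keep only the rule expression
        traces.setdefault(m["id"], []).append({
            "chain": f"{m['family']} {m['table']} {m['chain']}",
            "kind": kind, "text": rest, "verdict": verdict, "target": target,
        })
    return traces


def summarize(events):
    """Reduce one trace id's events to flow, chain path, log prefixes and verdict."""
    s = {"flow": {}, "path": [], "log_prefixes": [], "verdict": None,
         "verdict_chain": None, "verdict_rule": None}
    for e in events:
        if e["kind"] == "packet":  # later hooks add fields such as oif
            s["flow"].update({k: f.group(1) for k, rx in FIELD_RES.items()
                              if (f := rx.search(e["text"]))})
        if not s["path"] or s["path"][-1] != e["chain"]:
            s["path"].append(e["chain"])
        if e["kind"] == "rule" and (lp := LOG_PREFIX_RE.search(e["text"])):
            s["log_prefixes"].append(lp["prefix"])
        if e["verdict"] in TERMINAL:
            s["verdict"], s["verdict_chain"] = e["verdict"], e["chain"]
            s["verdict_rule"] = e["text"] if e["kind"] == "rule" else f"policy {e['verdict']}"
    return s


if __name__ == "__main__":
    for tid, events in parse(SAMPLE).items():
        s = summarize(events)
        f = s["flow"]
        print(f"{tid}: {f.get('saddr')} -> {f.get('daddr')}:{f.get('dport')} "
              f"({f.get('iif')} -> {f.get('oif')})")
        print("  path:    " + " -> ".join(s["path"]))
        print("  logged:  " + "; ".join(s["log_prefixes"]))
        print(f"  verdict: {s['verdict']} in {s['verdict_chain']} by: {s['verdict_rule']}")
```

Run it as-is to summarise the embedded sample, or feed it saved nft monitor trace output with parse(open(path).read()). A trace whose last terminal verdict is accept is being delivered; a drop preceded by a log prefix in the same trace usually names the policy responsible, as it does here.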