
I am running Kubernetes 1.11.6 and having a connection reset issue. For this fix, the blog below recommends adding an iptables rule. When I try to add the rule, it is flushed automatically. I assume this is done by kube-proxy.

https://medium.com/swlh/fix-a-random-network-connection-reset-issue-in-docker-kubernetes-5c57a11de170

iptables -I KUBE-FORWARD 1 -m conntrack --ctstate INVALID -j DROP
iptables -t filter -L KUBE-FORWARD --line-numbers -n

Chain KUBE-FORWARD (1 references)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */ mark match 0x4000/0x4000
3    ACCEPT     all  --  10.42.0.0/16         0.0.0.0/0            /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
4    ACCEPT     all  --  0.0.0.0/0            10.42.0.0/16         /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

After some time, I see it is gone.

iptables -t filter -L KUBE-FORWARD --line-numbers -n
Chain KUBE-FORWARD (1 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes forwarding rules */ mark match 0x4000/0x4000
2    ACCEPT     all  --  10.42.0.0/16         0.0.0.0/0            /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            10.42.0.0/16         /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED

I am trying to persist above rule.

  • IP tables are not persistent by default and will be gone after rebooting. Is that the case here? Do you want them to stay even after rebooting? – Wytrzymały Wiktor Jun 18 '20 at 09:36
  • All KUBE-* iptables chains are replaced by kube-proxy each time cluster objects like Pods/Services/Endpoints have changed. You have to put the rule into the FORWARD chain of the filter table. To keep it in place you have to find a way to insert your rule before the -j KUBE-FORWARD rule after each node reboot. – VAS Jul 09 '20 at 12:15
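VAS's comment above suggests keeping the rule in the FORWARD chain of the filter table, ahead of the jump into KUBE-FORWARD, since kube-proxy only rewrites the KUBE-* chains. The following is an added example, not code from the question or the answer: a small POSIX sh script that inserts the rule idempotently at that position. It assumes iptables is on PATH and the script runs as root (for example from a boot-time systemd unit or a cron @reboot entry); the chain listing embedded at the end is constructed for offline use.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Keeps the
# "drop INVALID conntrack packets" rule ahead of the -j KUBE-FORWARD jump in
# the FORWARD chain of the filter table, which kube-proxy does not rewrite
# (it only replaces the KUBE-* chains). Assumes iptables on PATH and root;
# run it with --apply from a boot-time unit or cron @reboot.

RULE_SPEC='-m conntrack --ctstate INVALID -j DROP'   # word-split on purpose

# Reads `iptables -S FORWARD` output on stdin and prints the 1-based position
# of the first rule that jumps to KUBE-FORWARD, or 0 when no such rule exists.
kube_forward_position() {
    awk '/^-A FORWARD / {
             n++
             if ($0 ~ /-j KUBE-FORWARD($| )/) { print n; found = 1; exit }
         }
         END { if (!found) print 0 }'
}

# Insert the DROP rule unless an identical one is already present (-C checks
# for an exact match), placing it at the position currently held by the
# KUBE-FORWARD jump so it is evaluated before kube-proxy's chain.
ensure_invalid_drop() {
    if iptables -C FORWARD $RULE_SPEC 2>/dev/null; then
        return 0
    fi
    pos=$(iptables -S FORWARD | kube_forward_position)
    if [ "$pos" -eq 0 ]; then
        pos=1   # kube-proxy has not installed its jump yet; prepend anyway
    fi
    iptables -I FORWARD "$pos" $RULE_SPEC
}

# Constructed sample of `iptables -S FORWARD` on a node where kube-proxy has
# put its jump second; used only to exercise kube_forward_position offline.
SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-USER'

if [ "${1-}" = "--apply" ]; then
    ensure_invalid_drop
fi
```

Because `-C` is checked first, the script can run repeatedly (every boot, or periodically) without stacking duplicate rules.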

1 Answer


You can try to use iptables-persistent.

Install it by executing: apt-get install iptables-persistent and any currently erected iptables rules will be saved to the corresponding IPv4 and IPv6 files:

/etc/iptables/rules.v4

/etc/iptables/rules.v6

To update persistent iptables with new rules, simply use the iptables command to include new rules into your system. To make changes permanent after reboot, run the iptables-save command:

iptables-save > /etc/iptables/rules.v4

OR

ip6tables-save > /etc/iptables/rules.v6

Here is another guide regarding that topic.

Also, the version of Kubernetes that you are running is quite old. Consider upgrading to the more current one.

Please let me know if that helped.

Wytrzymały Wiktor