From 6adc828b84bd6f433aa6130abd2e61c4a732dd3f Mon Sep 17 00:00:00 2001
From: Steven Webster
Date: Tue, 7 Sep 2021 10:21:44 -0400
Subject: [PATCH] sw-patch: remove explicit bind on outgoing socket.

This commit fixes an issue seen during a k8s upgrade from 1.18.1 to
1.19.13.

It was noticed that after upgrading kubelet to 1.19.13, the
sw-patch-controller process would continually restart.

It was found via packet tracing and logging that traffic from the
management interface to the localhost address at port 5489 was being
blocked. This indicated a likely issue in iptables.

Comparing the iptables rules in 1.18.1 to 1.19.13 shows the reason why:

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination
DROP       all  --  !loopback/8          loopback/8           \
    ! ctstate RELATED,ESTABLISHED,DNAT

That is, drop all packets _not_ from the loopback interface _to_ the
loopback interface that do not have an existing connection state.

It was found that this rule was added in the following commit:

https://github.com/kubernetes/kubernetes/pull/91569/files

Which was added to address the security concern identified here:

https://github.com/kubernetes/kubernetes/issues/90259

It appears that the PatchMessageHelloAgent periodically sends messages
to both the patch controller's agent address as well as to the
localhost address. Since the outgoing socket used for all messages is
explicitly bound to the management address, the traffic to the
localhost address will hit the drop rule noted above.

The solution in this commit is to not explicitly bind the outgoing
socket to the management address, so as to have the kernel choose the
correct outgoing interface for both messages.

Story: 2008972
Task: 43244

Testing:

AIO-SX (unicast traffic), AIO-DX, Standard (multicast traffic).
Ensure sw-patch-controller stays up after k8s upgrade.
Install a patch on all nodes.
Signed-off-by: Steven Webster Change-Id: I93912b934986dc28196c9ba50f2803bf0fe01513 --- cgcs-patch/cgcs-patch/cgcs_patch/base.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cgcs-patch/cgcs-patch/cgcs_patch/base.py b/cgcs-patch/cgcs-patch/cgcs_patch/base.py index cb09c095..8c743c09 100644 --- a/cgcs-patch/cgcs-patch/cgcs_patch/base.py +++ b/cgcs-patch/cgcs-patch/cgcs_patch/base.py @@ -1,5 +1,5 @@ """ -Copyright (c) 2017-2019 Wind River Systems, Inc. +Copyright (c) 2017-2021 Wind River Systems, Inc. SPDX-License-Identifier: Apache-2.0 @@ -61,7 +61,6 @@ class PatchService(object): self.sock_out.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) self.sock_in.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) - self.sock_out.bind((mgmt_ip, 0)) self.sock_in.bind(('', self.port)) if self.mcast_addr:
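Review bot: removing `self.sock_out.bind((mgmt_ip, 0))` in the second hunk changes interface selection for multicast as well as for the unicast hello, and the multicast branch that follows `if self.mcast_addr:` is cut off here, so please confirm it still pins the outgoing interface. An unbound UDP socket sends unicast with a routing-selected source address, which is what lets the 127.0.0.1 hello pass KUBE-FIREWALL, but for a multicast group address the kernel picks the output device from the route to the group (normally the default route) unless IP_MULTICAST_IF (or IPV6_MULTICAST_IF) is set; with the bind in place the source address steered that choice toward the management interface. If the multicast branch does not already set that option from mgmt_ip, the Standard configuration listed under Testing as using multicast could end up sending hellos out the wrong interface. Also check whether mgmt_ip is still referenced in this method after the removal; if the bind was its only use, the parameter is now dead. A one-line comment above `self.sock_in.bind(('', self.port))` recording why sock_out is deliberately left unbound (the KUBE-FIREWALL drop of non-loopback-sourced traffic to loopback/8) would keep a later reader from re-adding the bind as a "hardening" change.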
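The commit message above explains the failure as a source-address problem: a UDP socket bound to the management address sends its hello to 127.0.0.1 with a non-loopback source, and the quoted KUBE-FIREWALL rule drops it. The following is an added example, not code from the cgcs_patch project, that reproduces both halves of that reasoning on any Linux host: it models the quoted rule as a function, and it uses connect() on a UDP socket (which runs the route lookup without transmitting anything) to ask the kernel which source address a datagram would carry with and without the bind the patch removes. The port 5489 comes from the commit message; the management address 192.168.204.2 is a constructed sample, and the non-loopback address the main block binds to is whatever the host happens to have.

```python
"""Reproduce the source-address effect behind this patch.

Added example, not part of the cgcs_patch project. It models the
KUBE-FIREWALL rule quoted in the commit message and uses connect() on a
UDP socket (no packet is sent) to see which source address the kernel
picks for a datagram to 127.0.0.1, with and without the explicit bind.
"""
import ipaddress
import socket

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
PATCH_PORT = 5489  # port named in the commit message

# Constructed sample management address; any non-loopback address would do.
SAMPLE_MGMT_IP = "192.168.204.2"


def kube_firewall_drops(src, dst, ctstates=("NEW",)):
    """Model of: DROP all -- !loopback/8 loopback/8 ! ctstate RELATED,ESTABLISHED,DNAT

    Returns True when a packet with these addresses and conntrack states
    would be dropped by that rule. A fresh datagram carries only NEW.
    """
    src_is_lo = ipaddress.ip_address(src) in LOOPBACK_V4
    dst_is_lo = ipaddress.ip_address(dst) in LOOPBACK_V4
    exempt = {"RELATED", "ESTABLISHED", "DNAT"}
    return (not src_is_lo) and dst_is_lo and not (set(ctstates) & exempt)


def source_address_for(dst, bind_addr=None):
    """Return the source address the kernel would use for a UDP datagram to dst.

    bind_addr=None mirrors the patched code; a string mirrors the removed
    self.sock_out.bind((mgmt_ip, 0)). connect() on a UDP socket only fixes
    the peer and runs the route lookup; nothing leaves the host.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        if bind_addr is not None:
            sock.bind((bind_addr, 0))
        sock.connect((dst, PATCH_PORT))
        return sock.getsockname()[0]
    finally:
        sock.close()


def hello_would_be_dropped(dst, bind_addr=None):
    """True if a fresh hello datagram to dst from this socket setup hits the rule."""
    return kube_firewall_drops(source_address_for(dst, bind_addr), dst)


def first_non_loopback_ipv4():
    """Best-effort lookup of a local non-loopback IPv4 address, or None."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None,
                                   socket.AF_INET, socket.SOCK_DGRAM)
    except socket.gaierror:
        return None
    for info in infos:
        addr = info[4][0]
        if ipaddress.ip_address(addr) not in LOOPBACK_V4:
            return addr
    return None


if __name__ == "__main__":
    # Static check of the rule against the commit's scenario.
    print("mgmt -> lo, NEW, dropped:", kube_firewall_drops(SAMPLE_MGMT_IP, "127.0.0.1"))
    print("lo   -> lo, NEW, dropped:", kube_firewall_drops("127.0.0.1", "127.0.0.1"))

    # Live check with an unbound socket, as after the patch.
    print("unbound: src for 127.0.0.1 =", source_address_for("127.0.0.1"),
          "dropped:", hello_would_be_dropped("127.0.0.1"))

    # Live check with the bind the patch removed, if this host has a
    # non-loopback address to bind to (stands in for mgmt_ip here).
    mgmt = first_non_loopback_ipv4()
    if mgmt:
        try:
            print("bound to", mgmt, ": src for 127.0.0.1 =",
                  source_address_for("127.0.0.1", mgmt),
                  "dropped:", hello_would_be_dropped("127.0.0.1", mgmt))
        except OSError as exc:
            print("could not bind to", mgmt, ":", exc)
```

Run it on a node with a management address and the bound case prints that address as the source for a 127.0.0.1 destination, which is exactly the packet the rule drops; the unbound case prints 127.0.0.1 and passes. The same connect()-then-getsockname() check is a quick way to confirm the fix on a live controller without tcpdump.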