6adc828b84
This commit fixes an issue seen during a k8s upgrade from 1.18.1 to 1.19.13. It was noticed that after upgrading kubelet to 1.19.13, the sw-patch-controller process would continually restart.

It was found via packet tracing and logging that traffic from the management interface to the localhost address at port 5489 was being blocked. This indicated a likely issue in iptables. Comparing the iptables rules in 1.18.1 to 1.19.13 shows the reason why:

```
Chain KUBE-FIREWALL (2 references)
target     prot opt source       destination
DROP       all  --  !loopback/8  loopback/8   \
           ! ctstate RELATED,ESTABLISHED,DNAT
```

That is, drop all packets _not_ from the loopback interface _to_ the loopback interface that do not have an existing connection state.

It was found that this rule was added in the following commit:

https://github.com/kubernetes/kubernetes/pull/91569/files

which was added to address the security concern identified here:

https://github.com/kubernetes/kubernetes/issues/90259

It appears that the PatchMessageHelloAgent periodically sends messages to both the patch controller's agent address as well as to the localhost address. Since the outgoing socket used for all messages is explicitly bound to the management address, the traffic to the localhost address will hit the drop rule noted above.

The solution in this commit is to not explicitly bind the outgoing socket to the management address, so as to have the kernel choose the correct outgoing interface for both messages.

Story: 2008972
Task: 43244

Testing:
AIO-SX (unicast traffic), AIO-DX, Standard (multicast traffic).
Ensure sw-patch-controller stays up after k8s upgrade.
Install a patch on all nodes.

Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I93912b934986dc28196c9ba50f2803bf0fe01513
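The following Python is an added illustration, not code from the stx-update repository or from this commit. It emulates the KUBE-FIREWALL rule quoted in the commit message and shows the source address a datagram carries when the sending socket is pinned to the management address versus left for the kernel to choose. The management address 192.168.204.2, the use of UDP, and the helper names are assumptions made for the demo; nothing about the real PatchMessageHelloAgent internals is taken from the page.

```python
import ipaddress
import socket

# Constructed placeholder for a StarlingX management address (assumption,
# not a value from the commit). Any non-loopback address shows the effect.
MGMT_ADDR = "192.168.204.2"
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")
PATCH_PORT = 5489  # port named in the commit message

# ctstate values that the quoted rule exempts from the DROP.
EXEMPT_STATES = ("RELATED", "ESTABLISHED", "DNAT")


def kube_firewall_verdict(src, dst, ctstate="NEW"):
    """Emulate the quoted rule:
       DROP all -- !127.0.0.0/8 127.0.0.0/8 ! ctstate RELATED,ESTABLISHED,DNAT
    Return "DROP" when the rule matches, otherwise "PASS" (falls through
    to whatever rule comes next in the chain)."""
    src_loopback = ipaddress.ip_address(src) in LOOPBACK_NET
    dst_loopback = ipaddress.ip_address(dst) in LOOPBACK_NET
    if (not src_loopback) and dst_loopback and ctstate not in EXEMPT_STATES:
        return "DROP"
    return "PASS"


def kernel_source_for(dest, port=PATCH_PORT):
    """Ask the kernel which source address it would use for a UDP datagram
    to `dest` when the socket is NOT bound to a specific address.
    UDP connect() sends nothing; it only fixes the route and local address,
    so this is safe to run offline (loopback only needs to be up)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((dest, port))
        return s.getsockname()[0]
    finally:
        s.close()


def hello_verdict(dest, bind_addr=None):
    """Model one hello message (UDP is an assumption) and return the
    (source address, firewall verdict) it would get on the destination host.

    bind_addr set   -> the "before" behaviour: the socket is pinned, so every
                       datagram, including one to 127.0.0.1, is sourced from
                       bind_addr and hits the DROP rule.
    bind_addr None  -> the "after" behaviour: the kernel picks the source per
                       destination, so a datagram to 127.0.0.1 is sourced
                       from 127.0.0.1 and is not matched by the rule."""
    src = bind_addr if bind_addr is not None else kernel_source_for(dest)
    return src, kube_firewall_verdict(src, dest, ctstate="NEW")


if __name__ == "__main__":
    for label, dest, bind in (
        ("bound, to localhost", "127.0.0.1", MGMT_ADDR),
        ("bound, to peer", MGMT_ADDR, MGMT_ADDR),
        ("unbound, to localhost", "127.0.0.1", None),
    ):
        src, verdict = hello_verdict(dest, bind)
        print(f"{label:24s} src={src:16s} dst={dest:16s} -> {verdict}")
```

Note that the pinned case is modelled rather than executed: binding to an address the host does not own fails with EADDRNOTAVAIL, whereas the kernel-selected case really queries the local routing table. Reply traffic in the other direction is unaffected by the rule because it arrives with ctstate ESTABLISHED.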
Repository tree at this commit:

- api-ref/source
- cgcs-patch
- devstack
- doc
- enable-dev-patch
- extras/scripts
- patch-alarm
- patch-boot-args
- patch-scripts
- releasenotes
- .gitignore
- .gitreview
- .zuul.yaml
- CONTRIBUTORS.wrs
- LICENSE
- README.rst
- centos_build_layer.cfg
- centos_dev_wheels.inc
- centos_iso_image.inc
- centos_pkg_dirs
- centos_stable_wheels.inc
- pylint.rc
- requirements.txt
- test-requirements.txt
- tox.ini
README.rst
stx-update
StarlingX Software Management