Submariner doesn't work on Linode k8s clusters #2660
Comments
adding more info:

@sridhargaddam was this related to submariner-io/submariner-operator#2769?

I'm afraid no, this is a different issue.

Couple of observations after looking at the logs:
Instead of ipipMode, can you try VxLAN mode and see if it works?
This cluster has two nodes, Gateway node (lke126870-188081-64e8b27e9db4) and non-Gateway node (lke126870-188081-64e8b27ef7d6). The above error implies that the datapath is not working between the non-GW and the GW node.

@sridhargaddam
Cluster "lke127833"
✓ Globalnet deployment detected - checking if globalnet CIDRs overlap
✓ Checking Submariner support for the CNI network plugin
✓ Checking if services have been exported properly
Cluster "lke127834"
✓ Globalnet deployment detected - checking if globalnet CIDRs overlap
✓ Checking Submariner support for the CNI network plugin
✓ Checking if services have been exported properly
15: vx-submariner: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
bash-5.0# ping 240.0.255.254

As per the Slack discussion, it seems that Submariner doesn't support Calico as CNI with IP in IP encapsulation mode. @sridhargaddam Do you think this should be moved to enhancement request (support Calico CNI with IP in IP encapsulation)?

@Jdelachi As Sridhar mentioned, this issue is similar to #2489.
A. It would be helpful (it might give some more pointers) if you can test Submariner after changing default IPPool to VxLAN:always.
B. As per IPinIP mode, we noticed that Submariner works on some platforms with Calico (like IBM ROKS) also when IPPool encap is set to IPinIP always, but yeah, further debugging is needed here to understand where and why the packets are getting dropped.

@yboaron I have tried to set IPPool to
When I execute
E0831 20:22:48.064276 86865 memcache.go:287] couldn't get resource list for projectcalico.org/v3: the server is currently unable to handle the request
When I execute

OK, then set it back to IPinIP. Meanwhile, as a workaround, you can try changing rp_filter to 2 for eth0 (check [1]) in all non_gw nodes and see if that helps.
[1] $ sysctl -w net.ipv4.conf.eth0.rp_filter=2

@Jdelachi Any update on this issue?

Hi @yboaron, it didn't fix it, same behavior.

Thanks for the update @Jdelachi,

A) I attach the zip file with the content
B) There is no firewall, just calico CNI using IP in IP encapsulation which enables BGP among nodes.

Thanks @Jdelachi,
which suggests a datapath issue between GW_node to NON_GW node. Could you please run test B while tcpdumping all 4 nodes?
For inter-cluster traffic, ClusterA for example should handle Rx packet with srcIP = some IP from ClusterB GN range (70.1.0.0/16) and destIP = IP from ClusterA pod CIDR range. Some INFRAs only allow traffic when both srcIP and destIP are in the local Cluster pod CIDR range.

If we get more debugging info or someone with cycles to focus on Calico they can find this with the label. For now, closing due to inactivity.

I'm also stuck at the same place with RKE1 Engine. It looks like there is a bug or something. Please refer; PS: I don't use IP in IP mode, but the result is the same. (RKE 1 setup with Canal CNI)
Any update on this issue?

What happened:
I have tried to configure Submariner to establish connectivity between 2 Linode k8s clusters, but the connectivity is not successful.
What you expected to happen:
I expect to be able to establish connectivity between two Linode k8s clusters
How to reproduce it (as minimally and precisely as possible):
subctl deploy-broker --globalnet --globalnet-cidr-range=240.0.0.0/8
subctl join broker-info.subm --clusterid cluster-a --check-broker-certificate=false --clustercidr 10.2.0.0/16 --servicecidr 10.128.0.0/16
subctl join broker-info.subm --clusterid cluster-b --check-broker-certificate=false --clustercidr 10.2.0.0/16 --servicecidr 10.128.0.0/16
curl nginx.default.svc.clusterset.local:8080
Anything else we need to know?:
In Linode the k8s cluster always has the same podCIDR and servicesCIDR.
podCIDR -> 10.2.0.0/16
servicesCIDR-> 10.128.0.0/16
Environment:
subctl diagnose all:
Cluster "lke126869"
✓ Checking Submariner support for the Kubernetes version
✓ Kubernetes version "v1.26.7" is supported
✓ Globalnet deployment detected - checking if globalnet CIDRs overlap
✓ Clusters do not have overlapping globalnet CIDRs
✓ Checking DaemonSet "submariner-gateway"
✓ Checking DaemonSet "submariner-routeagent"
✓ Checking DaemonSet "submariner-globalnet"
✓ Checking DaemonSet "submariner-metrics-proxy"
✓ Checking Deployment "submariner-lighthouse-agent"
✓ Checking Deployment "submariner-lighthouse-coredns"
✓ Checking the status of all Submariner pods
✓ Checking if gateway metrics are accessible from non-gateway nodes
✓ The gateway metrics are accessible
✓ Checking if globalnet metrics are accessible from non-gateway nodes
✓ The globalnet metrics are accessible
✓ Checking Submariner support for the CNI network plugin
✓ The detected CNI network plugin ("calico") is supported
✓ Calico CNI detected, checking if the Submariner IPPool pre-requisites are configured
✓ Checking gateway connections
✓ All connections are established
✓ Checking Submariner support for the kube-proxy mode
✓ The kube-proxy mode is supported
✓ Checking the firewall configuration to determine if intra-cluster VXLAN traffic is allowed
✓ The firewall configuration allows intra-cluster VXLAN traffic
✓ Checking Globalnet configuration
✓ Globalnet is properly configured and functioning
✓ Checking if services have been exported properly
✓ All services have been exported properly
Cluster "lke126870"
✓ Checking Submariner support for the Kubernetes version
✓ Kubernetes version "v1.26.7" is supported
✓ Globalnet deployment detected - checking if globalnet CIDRs overlap
✓ Clusters do not have overlapping globalnet CIDRs
✓ Checking DaemonSet "submariner-gateway"
✓ Checking DaemonSet "submariner-routeagent"
✓ Checking DaemonSet "submariner-globalnet"
✓ Checking DaemonSet "submariner-metrics-proxy"
✓ Checking Deployment "submariner-lighthouse-agent"
✓ Checking Deployment "submariner-lighthouse-coredns"
✓ Checking the status of all Submariner pods
✓ Checking if gateway metrics are accessible from non-gateway nodes
✓ The gateway metrics are accessible
✓ Checking if globalnet metrics are accessible from non-gateway nodes
✓ The globalnet metrics are accessible
✓ Checking Submariner support for the CNI network plugin
✓ The detected CNI network plugin ("calico") is supported
✓ Calico CNI detected, checking if the Submariner IPPool pre-requisites are configured
✓ Checking gateway connections
✓ All connections are established
✓ Checking Submariner support for the kube-proxy mode
✓ The kube-proxy mode is supported
✗ Checking the firewall configuration to determine if intra-cluster VXLAN traffic is allowed
✗ The tcpdump output from the sniffer pod does not contain the expected remote endpoint IP 240.0.0.0. Please check that your firewall configuration allows UDP/4800 traffic. Actual pod output:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vx-submariner, link-type EN10MB (Ethernet), snapshot length 262144 bytes
0 packets captured
0 packets received by filter
0 packets dropped by kernel
✓ Checking Globalnet configuration
✓ Globalnet is properly configured and functioning
✓ Checking if services have been exported properly
✓ All services have been exported properly
Gather information (use subctl gather): submariner-20230825140946.zip
Cloud provider or hardware configuration:
2 Linode LKE -> shared CPU, 4GB RAM, 2 Worker Nodes
Install tools:
kubectl
Others: