Calico Windows - SMB mount issues

Expected Behavior

Created a sample Windows deployment and added a Windows node.
The Windows pod can mount remote SMB shares using net use or the New-PSDrive cmdlet.

Current Behavior

The Windows pod can communicate over TCP port 445 when tested using Test-NetConnection:

PS C:\> test-netconnection remote-share -p 445

ComputerName : remote-share
RemoteAddress : remote-ip
RemotePort : 445
InterfaceAlias : vEthernet (3eebfa5489b44238f94e5aecd458f8b859418f7cac936888c187ea627a401574_Calico)
SourceAddress : 10.244.109.74
TcpTestSucceeded : True

When I try to use the net use command to mount the same share, I get an error.

PS C:\> net use * "\\remote-share\dir" /persistent:no /user:domain\user pwd
System error 53 has occurred.

The network path was not found.

Note: All other network communications appear to work. Able to perform successful curl commands to external http.

Steps to Reproduce (for bugs)

The following setup was done as per the official documentation, with a few additions:

Calico setup on control plane for Windows support
kubectl patch ipamconfigurations default --type merge --patch='{"spec": {"strictAffinity": true}}'
kubectl patch installation default --type=merge -p '{"spec": {"calicoNetwork": {"bgp": "Disabled"}}}'
kubectl calico patch ippool saga-hybrid-ipv4-ippool -p '{"spec":{"ipipMode":"Never","vxlanMode":"Always"}}'
kubectl patch installation default --type='json' -p='[{"op": "replace", "path": "/spec/calicoNetwork/ipPools/0/encapsulation", "value": "VXLAN"}]'

kubectl apply -f - << EOF
kind: ConfigMap
apiVersion: v1
metadata:
  name: kubernetes-services-endpoint
  namespace: tigera-operator
data:
  KUBERNETES_SERVICE_HOST: "controlplane.host.name"
  KUBERNETES_SERVICE_PORT: "6443"
EOF

kubectl patch installation default --type merge --patch='{"spec": {"serviceCIDRs": ["10.96.0.0/12"], "calicoNetwork": {"windowsDataplane": "HNS"}}}'
kubectl patch FelixConfiguration default --type merge --patch='{"spec": {"featureDetectOverride": "ChecksumOffloadBroken=true"}}'
kubectl patch FelixConfiguration default --type merge --patch='{"spec": {"ipipEnabled": false}}'

curl -L https://raw.githubusercontent.com/kubernetes-sigs/sig-windows-tools/master/hostprocess/calico/kube-proxy/kube-proxy.yml | sed "s/KUBE_PROXY_VERSION/v1.31.2/g" | kubectl apply -f -

Set up a sample Windows deployment and ran tests from the pod.

Context

Trying to build a hybrid Kubernetes cluster with the Calico CNI.

Your Environment

  • Calico version : v3.29.0
  • Calico dataplane (iptables, windows etc.): windowsdataplane - hns
  • Orchestrator version (e.g. kubernetes, mesos, rkt): kubernetes 1.31.2
  • Operating System and version: Microsoft Windows Server 2019 Standard (10.0.17763 N/A Build 17763)
  • Containerd version: 1.7.22

To further narrow this down, I did a packet capture using pktmon on the Calico HNS interface. Surprisingly, the mount attempt doesn’t even trigger any packets on the interface, while all other network operations (like DNS, HTTP) show up in the packet capture.

If I do a Test-NetConnection via TCP port 445 (the SMB port) to the same endpoint, it then shows up in the packet capture.

Again, this works totally fine on the node directly, just not on the pod. If anyone has any pointers as to how the Workstation service functions at the Windows OS level (assuming this is the SMB client), and if there is a way to enable additional logging, that would help. At this point, I am inclined to believe that the SMB client on the Windows container is not even starting the network transaction and is returning error 53.

I am further discussing this on the Calico issues forum as well to see if anyone has any insights.
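
The checks this post reasons about (TCP 445 is reachable, yet the mount attempt produces no packets) gathered into one function to run inside the pod right after a failed `net use`; this is an added example, not part of the original post. It assumes the post's placeholder name `remote-share`, and that the SMB client cmdlets and event logs named in the code are present in the container base image.

```powershell
# Added diagnostic example (not from the original post). Run inside the Windows pod.
# 'remote-share' is the placeholder used in the post; replace it with the real server.
function Get-SmbClientDiagnostics {
    param(
        [string]$Server = 'remote-share',
        [int]$MaxEvents = 20
    )

    # 1. Transport check: the same TCP 445 test the post already ran.
    $tcp = Test-NetConnection -ComputerName $Server -Port 445 -WarningAction SilentlyContinue

    # 2. State of the Workstation service (the SMB client that 'net use' depends on).
    $svc = Get-Service -Name LanmanWorkstation -ErrorAction SilentlyContinue

    # 3. Recent SMB client events from the built-in SmbClient event logs.
    $logs = 'Microsoft-Windows-SmbClient/Connectivity',
            'Microsoft-Windows-SmbClient/Operational',
            'Microsoft-Windows-SmbClient/Security'
    $events = foreach ($log in $logs) {
        try {
            Get-WinEvent -LogName $log -MaxEvents $MaxEvents -ErrorAction Stop |
                Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
        } catch {
            # Log missing or empty in this image: record that instead of failing.
            [pscustomobject]@{
                TimeCreated      = $null
                LogName          = $log
                Id               = $null
                LevelDisplayName = 'Unavailable'
                Message          = $_.Exception.Message
            }
        }
    }

    # 4. Any SMB sessions the client currently holds to the server.
    $conns = @(Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Tcp445Reachable   = $tcp.TcpTestSucceeded
        WorkstationStatus = if ($svc) { $svc.Status } else { 'NotFound' }
        ActiveConnections = $conns
        ClientEvents      = @($events)
    }
}

Get-SmbClientDiagnostics | Format-List
```

Running the same function on the node, where the mount works, gives a baseline to compare against the pod's output.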