Kube-proxy can't talk to localhost in cluster

bjartekub · May 27, 2025, 1:14pm

We have installed 5 servers , 3 server and 2 agent with uipath suite package.
cluster is up and running, seems to be working BUT we get some error in the logs for kube-proxy and if we enable firewall ( nftables) , trafic stops working.
Kube-config is pointing to localhost but we also added tls-san and advertise-address pointing to the servers IP

We get following error
Failed to retrieve node info" err=“Get "https://127.0.0.1:6443/api/v1/nodes/sr004379.*.*\”: dial tcp 127.0.0.1:6443: connect: connection refused"

Cluster information:

Kubernetes version:
Client Version: v1.31.4+rke2r1
Kustomize Version: v5.4.2
Server Version: v1.31.4+rke2r1

Cloud being used: no
Installation method: Uipath+kubernetes
Host OS: RHE 9.5
CNI and version: Cilium - not sure of version
CRI and version: containerd with version 1.7.23-k3s2

s_z · May 27, 2025, 6:30pm

Hii, can we deep dive?

bjartekub · May 27, 2025, 8:11pm

Hi

of course

what do you need to see ?

We have 3 servers with kube-proxy on each node and 2 agent node with kube-proxy.
The agent don’t have same behavior but the servers do.

s_z · May 27, 2025, 8:27pm

kube-proxy manages Service routing via iptables or IPVS. It doesn’t touch localhost behavior directly.

So if behavior involving localhost differs, it usually means:

The software running inside the Pod or node is referencing localhost in a way that only works when certain assumptions are true (e.g. that a service is running on the same machine).
There’s a difference in Pod placement, container config, or host networking setup across your nodes

bjartekub · May 28, 2025, 5:38am

Well i try to change the iptables from iptables-nft to iptables-legacy but after that the kube don’t add all the firewall rules automaticly.

Should the service be on same namespace as the kube-proxy ?

I have kube-proxy and assume it talks to the kube-api ?

bjartekub · May 28, 2025, 7:54am

Becuase we have proxy-mode = iptables

Should we use ipables-legacy as firewall rules ?
Iptables-nft was set first - but we try to use iptables-legacy instead and then kube-proxy don’t create the rules again and we think becuase it try to talk to localhost and failed

spec:
containers:

args:
- –cluster-cidr=10.42.0.0/16
- –conntrack-max-per-core=0
- –conntrack-tcp-timeout-close-wait=0s
- –conntrack-tcp-timeout-established=0s
- –healthz-bind-address=127.0.0.1
- –hostname-override=x
- –kubeconfig=/var/lib/rancher/rke2/agent/kubeproxy.kubeconfig
- –proxy-mode=iptables

Topic		Replies	Views
[Security Advisory] CVE-2020-8558: Kubernetes: Node setting allows for neighboring hosts to bypass localhost boundary Announcements	0	2470	July 8, 2020
Kube proxy to API Server connection refused in RKE2 HA General Discussions network	0	235	January 23, 2025
I keep having issues with my cluster General Discussions	0	628	May 30, 2024
The connection to the server 192.168.0.127:6443 was refused - did you specify the right host or port? General Discussions	1	1756	September 28, 2023
Stuck setting up a multi node K8s cluster. Any advice would be great General Discussions development	1	539	March 12, 2024

Kube-proxy can't talk to localhost in cluster

Cluster information:

Related topics