Kubernetes communication between pods and external machines is sometimes blocked by UFW

Andrzej · September 13, 2021, 3:06pm

Cluster information:

Kubernetes version: 1.21.3
Cloud being used: bare-metal
Installation method: apt && kube init
Host OS: Ubuntu 20.04
CNI and version: Calico 3.20.0
CRI and version: Docker 10.10.8

I installed kubernetes on bare metal with configuration as below:

k8s-master - virtual machine attached to private network - 10.35.2.36
k8s-node1 - virtual machine attached to private network - 10.35.2.37
db - virtual machine attached to private network - 10.35.2.34
networking - calico
container runtime: docker

db is outside kubernetes cluster (not attached as worker), k8s cluster is:

STATUS   ROLES                  AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
Ready    control-plane,master   72m   v1.21.3   10.35.2.36    <none>        Ubuntu 20.04.3 LTS   5.4.0-84-generic   docker://20.10.8
Ready    <none>                 49m   v1.21.3   10.35.2.37    <none>        Ubuntu 20.04.3 LTS   5.4.0-84-generic   docker://20.10.8

UWF is set to allow all communication on private network:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    10.35.2.32/27/tcp

Kubernetes was initialized with:

--cluster-cidr=192.168.0.0/16

Calico with config:

 name: CALICO_IPV4POOL_CIDR
              value: "192.168.133.0/24"

My applications deployed to cluster generally workes fine - app can connect from docker (from k8s pod) to db host, pods sees each other.

The problem is: in k8s-node1 machine I see a lot of errors logged from UFW.
Mainly those are errors targeting coredns containers port 53 (DNS):

[UFW BLOCK] IN=calib678d9f2863 OUT=enp1s0 MAC=ee:ee:ee:ee:ee:ee:ce:09:88:b5:fa:70:08:00 SRC=192.168.193.68 DST=10.35.2.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41444 DF PROTO=TCP SPT=35646 DPT=1433 WINDOW=64800 RES=0x00 SYN URGP=0 MARK=0x10000

But there are also entries telling me that communication to my db server is blocked.

[UFW BLOCK] IN=cali39580615a9a OUT=enp1s0 MAC=ee:ee:ee:ee:ee:ee:0a:0c:af:04:cc:e5:08:00 SRC=192.168.133.131 DST=10.35.2.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=40304 DF PROTO=TCP SPT=34274 DPT=1433 WINDOW=64800 RES=0x00 SYN URGP=0 MARK=0x10000

Those ufw block are not permanent - as I said my app generally works, only some of connections are dropped and I can’t find the reason.

Yermek-DevOps · September 14, 2021, 12:37pm

Hi, @Andrzej
Seeing the details provided, I understand that you are having those issues not always.
Those are intermittent ones if I understand you correctly.

I would agree that it could be not k8s related, but some general UFW or DNS-related issues.
By any chance, have you already tried to explicitly allow port 53 traffic in UFW & increase log level?

Indeed, seems quite strange that those issues happening only time to time.

thanks, regards, Yermek

willk8s · September 5, 2023, 3:03pm

github.com/projectcalico/calico

UFW blocks certain packets from Calico

opened 10:41PM - 31 May 23 UTC

ausias-armesto

kind/support

While looking at the `ufw` logs I can see that there are certain requests that a…re being blocked and they belong to Calico. I've tried many ufw rules but cannot manage to get the right one that enables that traffic so it is not shown anymore in the logs. ## Expected Behavior I would expect not having any blocker in logs. I've tried with many `ufw` rules but I suppose that there is some conflict between Calico rules and the firewall. ## Current Behavior At the application level I don't appreciate any problem, the apps in Kubernetes are working fine and they don't show any message error, but I don't feel confident seeing some packets being blocked in `ufw` ## Possible Solution I've been able to configure `ufw` rules step by step until I don't see any other packets blocked, but those packets which come from virtual interfaces starting with `cali` and having and attribute `MARK` cannot be unblocked. ## Your Environment This is my current setup - Kubernetes cluster 1.24.6 on metal servers with Debian 10 - Kubernetes distribution is Kubespray with Calico configured to use Iptables - Calico image version `quay.io/calico/node:v3.23.3` - Only 1 worker node (`server-01`) has public IP and acts as a NAT gateway while the other worker nodes only have private IPv4 - There are some iptables rules that forward traffic from worker nodes to the `server-01` allowing those worker nodes to have access to internet. - The worker nodes private IP have the range `10.0.0.0/16` - The Kubernetes pod subnet range is `10.2.0.0/16` - The Kubernetes service subnet range is `10.1.0.0/16` - The ufw firewall configuration is the following ``` root@server-01 /home/debian # ufw status numbered Status: active To Action From -- ------ ---- [ 1] 22/tcp ALLOW IN 10.0.0.0/16 (log) # Allow ssh connections from within the subnet [ 2] 80/tcp ALLOW IN Anywhere (log) # Allow external HTTP connections [ 3] 443/tcp ALLOW IN Anywhere (log) # Allow external HTTPS connections [ 6] Anywhere ALLOW FWD 10.0.0.0/16 (log) # Allow forward subnet NATed traffic [ 7] Anywhere ALLOW IN 10.0.0.0/16 (log) # Allow server subnet internal communication [ 8] Anywhere ALLOW IN 10.2.0.0/16/udp (log) # Allow Kubernetes pods communication through UDP [ 9] Anywhere ALLOW IN 10.2.0.0/16/tcp (log) # Allow Kubernetes pods communication through TCP [10] Anywhere ALLOW FWD 10.2.0.0/16 (log) # Allow Kubernetes pods forward traffic between subnets [11] Anywhere on any ALLOW FWD 10.2.0.0/16 on any (log) # Allow Kubernetes pods forward traffic between subnets ``` - The ufw logs are these: ``` Jun 1 00:19:40 server-01 kernel: [4939271.395479] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45126 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:40 server-01 kernel: [4939271.395910] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.78.204 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37816 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:40 server-01 kernel: [4939271.397560] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45138 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:41 server-01 kernel: [4939271.813207] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45202 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:41 server-01 kernel: [4939271.813539] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45202 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:41 server-01 kernel: [4939271.813804] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.78.204 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=37900 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 Jun 1 00:19:41 server-01 kernel: [4939272.533437] [UFW BLOCK] IN=calidca318939f1 OUT= MAC=ee:ee:ee:ee:ee:ee:72:24:e2:58:04:64:08:00 SRC=10.2.173.226 DST=10.1.7.90 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45412 DPT=3300 WINDOW=0 RES=0x00 RST URGP=0 MARK=0x32240000 ```

Topic		Replies	Views
Communication between pods on pods from different remote networks General Discussions	0	601	December 16, 2019
Network isolation requirement General Discussions	4	616	August 13, 2020
Calico Network not connecting Outside application General Discussions security , network	0	228	February 23, 2024
Issue with pod communication with each other General Discussions	1	48	September 17, 2024
Containers on slave nodes can't communicate with apiserver General Discussions network	0	1994	May 14, 2019

Kubernetes communication between pods and external machines is sometimes blocked by UFW

Cluster information:

Related topics