What does "--to-destination :0" mean in iptables rules generated by kube-proxy

bluven · July 13, 2023, 3:22am

Cluster information:

Kubernetes version: 1.22.5
Cloud being used: bare-metal
Installation method: kubeadm
Host OS: centos7 (Linux shanghai 6.2.10-1.el7.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Apr 4 13:58:32 EDT 2023 x86_64 x86_64 x86_64 GNU/Linux)

CNI and version: flannel v0.19.2
CRI and version: docker 18.06

I happened to find that kube-proxy in my cluster output KUBE-SEP rules like this:

iptables -t nat -S | grep to-destination
-A KUBE-SEP-3N5FIJS2DHSEENTB -p tcp -m comment --comment "openelb-system/layer2-svc:http" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random --persistent
-A KUBE-SEP-4U5LVJUBLXSJ5MTI -p tcp -m comment --comment "fabedge/service-hub" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --persistent
-A KUBE-SEP-7XYRAQHCDMWOB56C -p tcp -m comment --comment "fabedge/fabedge-operator" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --persistent
-A KUBE-SEP-ADM7IEO333MANCKX -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-AICPCLO2RM743DP7 -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub-quic" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random
-A KUBE-SEP-B4EZC3GTFACZCIHF -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-BY2PGPM3WYHNPOOJ -p tcp -m comment --comment "kubeedge/cloudcore:tunnelport" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random
-A KUBE-SEP-GFU26SYT7KV3U67A -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0
-A KUBE-SEP-HM343LOZLYWXUGFZ -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0 --persistent
-A KUBE-SEP-HQEZVK3DRSQIM56O -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-HWLPML2HRDEHBAFK -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-I5JKKND3RXBIZWK7 -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub-https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random
-A KUBE-SEP-JJ2LDLIAIZGYJX77 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-O52MRVHRAQJS3OJY -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 
-A KUBE-SEP-P7EKVAR4RJO622DO -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random
-A KUBE-SEP-QBB7I64OUWAJZV3L -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0
-A KUBE-SEP-QNLFKXKINW5DMADC -p tcp -m comment --comment "kubeedge/cloudcore:cloudstream" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0 --random
-A KUBE-SEP-YI3PTOL7SCBZQ23K -p tcp -m comment --comment "openelb-system/openelb-admission:https-webhook" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0
-A KUBE-SEP-YXWM7XVI4J4II4AY -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0:0
-A KUBE-SEP-ZLW6P3TMQ6G24ULY -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0

As above displayed, the “–to-desination” parameter of DNAT target is “:0” or “0.0.0.0”, and appeared multiple times on each KUBE-SEP rule,

What does “:0” mean here? How did rules like those can forward traffic to a endpoint?

I read the source code of kube-proxy 1.22.5 and found this:

args = append(args, "-m", protocol, "-p", protocol, "-j", "DNAT", "--to-destination", epInfo.Endpoint)

It seems there is no chance to generate rules like above.

I also checked another cluster which deployed in similar enviroment except kernel is “3.10.0-1160.el7.x86_64”, it’s KUBE-SEP rules are what I expected:

 iptables -t nat -S | grep "to-destination"
-A KUBE-SEP-2BSL7AUA5YFD4HRD -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:https" -m tcp -j DNAT --to-destination 10.233.102.152:30443
-A KUBE-SEP-45XJUG3YHUJ7V7XK -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub-https" -m tcp -j DNAT --to-destination 10.22.46.11:10002
-A KUBE-SEP-4IR55IEMV6ID5FDL -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.233.102.138:53
-A KUBE-SEP-4IVK6V6RGNDRYL6Q -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver" -m tcp -j DNAT --to-destination 10.233.75.18:5443
-A KUBE-SEP-4VUKK2VECAAMVKDP -p tcp -m comment --comment "fabedge/fabedge-operator" -m tcp -j DNAT --to-destination 10.233.116.88:3030
-A KUBE-SEP-4YXNTTQG3OUFS55S -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:https" -m tcp -j DNAT --to-destination 10.233.75.31:30443
-A KUBE-SEP-6CJPTSKABJ5EOYJX -p tcp -m comment --comment "fabedge-e2e-test/edge-nginx-908:http" -m tcp -j DNAT --to-destination 10.237.195.16:30080
-A KUBE-SEP-6ELEAKTABD6HG7AY -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:https" -m tcp -j DNAT --to-destination 10.22.46.11:30443
-A KUBE-SEP-6KVJ2LFJLWIPSUZI -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:http" -m tcp -j DNAT --to-destination 10.22.46.25:30080
-A KUBE-SEP-6UWXO4ZXY463KUOG -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:http" -m tcp -j DNAT --to-destination 10.233.116.103:30080
-A KUBE-SEP-6YYGNU4B54RRUVJI -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination 10.233.68.22:443
-A KUBE-SEP-AG6A2TE2TFTV5GA6 -p tcp -m comment --comment "fabedge-e2e-test/host-edge-nginx-367:https" -m tcp -j DNAT --to-destination 10.22.46.6:30443
-A KUBE-SEP-B7NMJGBOPUM2N7HH -p tcp -m comment --comment "calico-apiserver/calico-api:apiserver" -m tcp -j DNAT --to-destination 10.233.75.13:5443
-A KUBE-SEP-BAG5WD64LLF72XDL -p tcp -m comment --comment "kubeedge/cloudcore:tunnelport" -m tcp -j DNAT --to-destination 10.22.46.11:10004
-A KUBE-SEP-CGKQ7TMHICEMSUQX -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.233.75.19:80
-A KUBE-SEP-CWUEIU3QRBVKEQ4Z -p tcp -m comment --comment "calico-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 10.22.46.25:5473
-A KUBE-SEP-F3ITHY2UIMF5RYSY -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub-quic" -m tcp -j DNAT --to-destination 10.22.46.11:10001
-A KUBE-SEP-FCK6UPK4D6AGZY2M -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:https" -m tcp -j DNAT --to-destination 10.22.46.23:30443
-A KUBE-SEP-FYIT4BIQTU737E4Q -p tcp -m comment --comment "fabedge/fabdns:dns-tcp" -m tcp -j DNAT --to-destination 10.233.75.12:53
-A KUBE-SEP-JJNORG74KR6U55N7 -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.233.75.20:80
-A KUBE-SEP-KBZ4O3HWKUHEXIEV -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:http" -m tcp -j DNAT --to-destination 10.22.46.23:30080
-A KUBE-SEP-LQT22CWUGFFHSVXG -p tcp -m comment --comment "kubeedge/cloudcore:cloudstream" -m tcp -j DNAT --to-destination 10.22.46.11:10003
-A KUBE-SEP-NIIHHGFNJZ5CJEYD -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:http" -m tcp -j DNAT --to-destination 10.233.102.152:30080
-A KUBE-SEP-O4QQ7PYHCSAD3DDV -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.233.102.138:53
-A KUBE-SEP-OBHFBUFD3JD5LGNZ -p tcp -m comment --comment "fabedge-e2e-test/edge-nginx-908:https" -m tcp -j DNAT --to-destination 10.237.195.16:30443
-A KUBE-SEP-OHELGRNTYNMFQ4ME -p tcp -m comment --comment "kubeedge/cloudcore:cloudhub" -m tcp -j DNAT --to-destination 10.22.46.11:10000
-A KUBE-SEP-OMPSVYWSYL6OGUAQ -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.233.68.22:80
-A KUBE-SEP-P6P54WOUT5D5KIPA -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.233.102.136:53
-A KUBE-SEP-QJN4UMBCZOSUHAMX -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.233.102.136:9153
-A KUBE-SEP-S3LJCMSJURSPV66C -p tcp -m comment --comment "calico-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 10.22.46.23:5473
-A KUBE-SEP-SPOEOSRKJ7CERS52 -p tcp -m comment --comment "calico-system/calico-typha:calico-typha" -m tcp -j DNAT --to-destination 10.22.46.11:5473
-A KUBE-SEP-TEY5JZWZXB3GZVR5 -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:https" -m tcp -j DNAT --to-destination 10.22.46.25:30443
-A KUBE-SEP-UAGVYUCFFQBWFXPN -p tcp -m comment --comment "default/nginx:http" -m tcp -j DNAT --to-destination 10.233.116.87:80
-A KUBE-SEP-UFPK3ZHRPQM35HRS -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination 10.233.75.20:443
-A KUBE-SEP-UOBSJAPI7DZLBTPR -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination 10.233.75.19:443
-A KUBE-SEP-USW67C33ZIYU4F5G -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.22.46.11:6443
-A KUBE-SEP-UUY5KIIT7PRZECUW -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.233.102.136:53
-A KUBE-SEP-UYGPVTDY5P4T7CVN -p tcp -m comment --comment "fabedge-e2e-test/host-cloud-nginx-143:http" -m tcp -j DNAT --to-destination 10.22.46.11:30080
-A KUBE-SEP-XC6LYREWBA6L2MK2 -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.233.102.138:9153
-A KUBE-SEP-XEZU3EBQ2WW4MLUB -p tcp -m comment --comment "default/nginx:https" -m tcp -j DNAT --to-destination 10.233.116.87:443
-A KUBE-SEP-XPEYKKEBDZSIJHW5 -p udp -m comment --comment "fabedge/fabdns:dns-udp" -m udp -j DNAT --to-destination 10.233.75.12:53
-A KUBE-SEP-XT27XZITR6CMTMQB -p tcp -m comment --comment "fabedge/service-hub" -m tcp -j DNAT --to-destination 10.233.116.86:3000
-A KUBE-SEP-Y3O5BDI3CQOEDQOD -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:https" -m tcp -j DNAT --to-destination 10.233.116.103:30443
-A KUBE-SEP-YKTS33H3MUEAGOO7 -p tcp -m comment --comment "fabedge-e2e-test/cloud-nginx-617:http" -m tcp -j DNAT --to-destination 10.233.75.31:30080
-A KUBE-SEP-YN6VQZ2MOGFBD53Y -p tcp -m comment --comment "calico-system/calico-kube-controllers-metrics:metrics-port" -m tcp -j DNAT --to-destination 10.233.75.16:9094
-A KUBE-SEP-ZKAWUXOV35PNOVEC -p tcp -m comment --comment "fabedge-e2e-test/host-edge-nginx-367:http" -m tcp -j DNAT --to-destination 10.22.46.6:30080

Can anyone help me figure out what happened in first cluster?

It seems wierd compatiblity problem, after I executed iptables command in kube-proxy container, the output is normal. I upgraded the kernel of all nodes of the first cluster, this might cause some problem.

Jianying_Luo · July 19, 2023, 8:46am

I got the same output. That confused me a few days to understand how the K8S service sends traffic to backend pods. Finally I found the iptables version difference between kube-proxy container (which is 1.8) and the K8S node(which is 1.4). If running the kube-proxy iptables binary on K8S node, it will give the expected results.
e.g. # /run/containerd/io.containerd.runtime.v2.task/k8s.io/3d5b95000c749a6a91cbe7fdbcad0c97d3c7e83aa15076629fa2dd35dcc2b711/rootfs/usr/sbin/iptables -t nat -L -n

Cheers!

lyyao09 · September 14, 2023, 3:05am

github.com/kubernetes/kubernetes

kube-proxy generates the wrong iptables dnat rule

opened 11:38AM - 16 Dec 22 UTC

closed 06:54AM - 16 Jan 23 UTC

cyclinder

kind/bug sig/network needs-triage

### What happened? kube-proxy generates the wrong iptables dnat rule, as show…n following: ``` [root@controller-node-1 ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.233.0.1 <none> 443/TCP 3h18m my-dep ClusterIP 10.233.60.220 <none> 80/TCP 26m my-svc ClusterIP 10.233.48.3 <none> 80/TCP 26m [root@worker1 ~]# iptables-save -t nat | grep '10.233.0.1' -A KUBE-SERVICES -d 10.233.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y -A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.233.64.0/18 -d 10.233.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ [root@worker1 ~]# iptables-save -t nat | grep KUBE-SVC-NPX46M4PTMTKRN6Y :KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0] -A KUBE-SERVICES -d 10.233.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y -A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.233.64.0/18 -d 10.233.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https -> 10.6.214.21:6443" -j KUBE-SEP-CC3HXZSKU6BR4DDB [root@worker1 ~]# iptables-save -t nat | grep KUBE-SEP-CC3HXZSKU6BR4DDB :KUBE-SEP-CC3HXZSKU6BR4DDB - [0:0] -A KUBE-SEP-CC3HXZSKU6BR4DDB -s 10.6.214.21/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ -A KUBE-SEP-CC3HXZSKU6BR4DDB -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0 --persistent -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https -> 10.6.214.21:6443" -j KUBE-SEP-CC3HXZSKU6BR4DDB ``` This causes the worker node to be unable to access the apiserver because of this incorrect iptables rule. ### What did you expect to happen? kube-proxy should be generates correct iptables rule ### How can we reproduce it (as minimally and precisely as possible)? - Create a cluster via kubespray, All are works. ``` [root@controller-node-1 ~]# kubectl get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME controller-node-1 Ready control-plane 129m v1.25.3 10.6.214.12 <none> CentOS Linux 7 (Core) 5.19.10-1.el7.elrepo.x86_64 containerd://1.6.8 ``` - Join a node ``` [root@controller-node-1 ~]# kubectl get nodes -o wide NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME controller-node-1 Ready control-plane 129m v1.25.3 10.6.214.12 <none> CentOS Linux 7 (Core) 5.19.10-1.el7.elrepo.x86_64 containerd://1.6.8 worker1 NotReady <none> 85m v1.25.3 10.6.214.13 <none> CentOS Linux 7 (Core) 5.4.197-1.el7.elrepo.x86_64 containerd://1.6.8 ``` And I found some hostNetwork Pod on work1 failed to start. Since these pods failed to visit apiServer， I check that the firewall has been disable. I found kube-proxy generates incorrect iptables rule： ``` [root@worker1 ~]# iptables-save -t nat | grep KUBE-SEP-CC3HXZSKU6BR4DDB :KUBE-SEP-CC3HXZSKU6BR4DDB - [0:0] -A KUBE-SEP-CC3HXZSKU6BR4DDB -s 10.6.214.21/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ -A KUBE-SEP-CC3HXZSKU6BR4DDB -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0 --persistent -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https -> 10.6.214.21:6443" -j KUBE-SEP-CC3HXZSKU6BR4DDB ``` `--to-destination :0 --persistent --to-destination :0 --persistent --to-destination 0.0.0.0 --persistent` ? In controller-node-1, it works fine. ``` [root@controller-node-1 ~]# iptables-save -t nat | grep KUBE-SEP-CC3HXZSKU6BR4DDB :KUBE-SEP-CC3HXZSKU6BR4DDB - [0:0] -A KUBE-SEP-CC3HXZSKU6BR4DDB -s 10.6.214.21/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ -A KUBE-SEP-CC3HXZSKU6BR4DDB -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 10.6.214.21:6443 -A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https -> 10.6.214.21:6443" -j KUBE-SEP-CC3HXZSKU6BR4DDB ``` I tried to create a new service, but the iptables rules generated by kube-proxy have the same problem. ``` [root@controller-node-1 ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE kubernetes ClusterIP 10.233.0.1 <none> 443/TCP 3h18m my-dep ClusterIP 10.233.60.220 <none> 80/TCP 26m my-svc ClusterIP 10.233.48.3 <none> 80/TCP 26m ``` ``` [root@worker1 ~]# iptables-save -t nat | grep 10.233.60.220 -A KUBE-SERVICES -d 10.233.60.220/32 -p tcp -m comment --comment "default/my-dep cluster IP" -m tcp --dport 80 -j KUBE-SVC-YIDRKHK4K7YFNT5I -A KUBE-SVC-YIDRKHK4K7YFNT5I ! -s 10.233.64.0/18 -d 10.233.60.220/32 -p tcp -m comment --comment "default/my-dep cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ [root@worker1 ~]# iptables-save -t nat | grep KUBE-SVC-YIDRKHK4K7YFNT5I :KUBE-SVC-YIDRKHK4K7YFNT5I - [0:0] -A KUBE-SERVICES -d 10.233.60.220/32 -p tcp -m comment --comment "default/my-dep cluster IP" -m tcp --dport 80 -j KUBE-SVC-YIDRKHK4K7YFNT5I -A KUBE-SVC-YIDRKHK4K7YFNT5I ! -s 10.233.64.0/18 -d 10.233.60.220/32 -p tcp -m comment --comment "default/my-dep cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ -A KUBE-SVC-YIDRKHK4K7YFNT5I -m comment --comment "default/my-dep -> 10.233.74.77:80" -j KUBE-SEP-CKROCXU3WMRQYCUN [root@worker1 ~]# iptables-save -t nat | grep KUBE-SEP-CKROCXU3WMRQYCUN :KUBE-SEP-CKROCXU3WMRQYCUN - [0:0] -A KUBE-SEP-CKROCXU3WMRQYCUN -s 10.233.74.77/32 -m comment --comment "default/my-dep" -j KUBE-MARK-MASQ -A KUBE-SEP-CKROCXU3WMRQYCUN -p tcp -m comment --comment "default/my-dep" -m tcp -j DNAT --to-destination :0 --persistent --to-destination :0 --persistent --to-destination -A KUBE-SVC-YIDRKHK4K7YFNT5I -m comment --comment "default/my-dep -> 10.233.74.77:80" -j KUBE-SEP-CKROCXU3WMRQYCUN [root@worker1 ~]# curl 10.233.60.220 ``` ### Anything else we need to know? _No response_ ### Kubernetes version <details> ```console $ kubectl version # paste output here [root@controller-node-1 ~]# kubectl version WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version. Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:57:26Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"} Kustomize Version: v4.5.7 Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.3", GitCommit:"434bfd82814af038ad94d62ebe59b133fcb50506", GitTreeState:"clean", BuildDate:"2022-10-12T10:49:09Z", GoVersion:"go1.19.2", Compiler:"gc", Platform:"linux/amd64"} ``` </details> ### Cloud provider <details> </details> ### OS version <details> ```console # On Linux: $ cat /etc/os-release [root@worker1 ~]# cat /etc/os-release NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/" CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos" REDHAT_SUPPORT_PRODUCT_VERSION="7" $ uname -a [root@controller-node-1 ~]# uname -a Linux controller-node-1 5.19.10-1.el7.elrepo.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Sep 17 11:34:40 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux [root@worker1 ~]# uname -a Linux worker1 5.4.197-1.el7.elrepo.x86_64 #1 SMP Sat Jun 4 08:43:19 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux # On Windows: C:\> wmic os get Caption, Version, BuildNumber, OSArchitecture # paste output here ``` </details> ### Install tools <details> kubespray </details> ### Container runtime (CRI) and version (if applicable) <details> </details> ### Related plugins (CNI, CSI, ...) and versions (if applicable) <details> </details>

Topic		Replies	Views
Kube-apiserver container is down General Discussions	6	3444	September 20, 2022
About the iptables settings that kube-proxy sets at startup microk8s	0	785	January 22, 2022
Kube-proxy really wants to use my ISP's nameservers General Discussions	4	708	April 1, 2022
Kubernetes.io Blog: Introducing kube-iptables-tailer: Better Networking Visibility in Kubernetes Clusters General Discussions k8s-blog	0	842	April 19, 2019
Exporting kubever General Discussions	0	766	June 10, 2022

What does "--to-destination :0" mean in iptables rules generated by kube-proxy

Cluster information:

Related Topics