This commit fixes an issue seen during a k8s upgrade from 1.18.1
to 1.19.13. It was noticed that after upgrading kubelet to 1.19.13,
the sw-patch-controller process would continually restart.
It was found via packet tracing and logging that traffic from the
management interface to the localhost address at port 5489 was being
blocked. This indicated a likely issue in iptables.
Comparing the iptables rules in 1.18.1 to 1.19.13 shows the reason
why:
    Chain KUBE-FIREWALL (2 references)
    target prot opt source destination
    DROP all -- !loopback/8 loopback/8 \
    ! ctstate RELATED,ESTABLISHED,DNAT
That is, drop all packets _not_ from the loopback interface _to_
the loopback interface that do not have an existing connection
state.
It was found that this rule was added in the following commit:
https://github.com/kubernetes/kubernetes/pull/91569/files
which was added to address the security concern identified here:
https://github.com/kubernetes/kubernetes/issues/90259
It appears that the PatchMessageHelloAgent periodically sends
messages to both the patch controller's agent address as well
as to the localhost address. Since the outgoing socket used
for all messages is explicitly bound to the management
address, the traffic to the localhost address will hit the
drop rule noted above.
The solution in this commit is to not explicitly bind the
outgoing socket to the management address, so as to have the
kernel choose the correct outgoing interface for both
messages.
Story: 2008972
Task: 43244
Testing:
AIO-SX (unicast traffic), AIO-DX, Standard (multicast traffic).
Ensure sw-patch-controller stays up after k8s upgrade.
Install a patch on all nodes.
Signed-off-by: Steven Webster <steven.webster@windriver.com>
Change-Id: I93912b934986dc28196c9ba50f2803bf0fe01513
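As an added illustration (not code from this commit or from the sw-patch-controller itself), the Python below models the quoted KUBE-FIREWALL rule and asks the local kernel which source address an unbound UDP socket would use towards 127.0.0.1, contrasting that with a socket pinned to the management address. The management and agent addresses are constructed assumptions; only port 5489 comes from the commit message.

```python
import ipaddress
import socket

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
PATCH_PORT = 5489  # localhost port named in the commit message

# Constructed sample addresses (assumptions, not taken from the commit):
MGMT_ADDR = "192.168.204.2"    # controller's own management address
AGENT_ADDR = "192.168.204.3"   # a patch agent on the management network


def kube_firewall_drops(src, dst, ctstate="NEW"):
    """Model of the quoted rule: DROP all -- !loopback/8 loopback/8
    ! ctstate RELATED,ESTABLISHED,DNAT (a NEW packet to loopback from
    a non-loopback source is dropped; everything else falls through)."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    return (src_ip not in LOOPBACK and dst_ip in LOOPBACK
            and ctstate not in ("RELATED", "ESTABLISHED", "DNAT"))


def kernel_source_for(dst):
    """Ask the running kernel which source address an unbound UDP socket
    would use towards dst; connect() on a datagram socket only resolves
    the route and records the default peer, no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, PATCH_PORT))
        return s.getsockname()[0]


def chosen_source(dst, bind_addr=None):
    """Source address a message to dst will carry: the bound address when
    the socket is explicitly bound (pre-fix), else the kernel's choice."""
    if bind_addr is not None:
        return bind_addr
    try:
        return kernel_source_for(dst)
    except OSError:
        # No route to the constructed management network on this host;
        # assume the kernel would have picked the management address.
        return MGMT_ADDR


def send_plan(destinations, bind_addr=None):
    """Map each destination to (source address, dropped by KUBE-FIREWALL)."""
    plan = {}
    for dst in destinations:
        src = chosen_source(dst, bind_addr)
        plan[dst] = (src, kube_firewall_drops(src, dst))
    return plan
```

With the socket bound to MGMT_ADDR the localhost message is dropped while the agent message passes; left unbound, the kernel sources the localhost message from 127.0.0.1 and both pass.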