
duplicate Hubble DNS flows and ingress/egress labeling bug when DNS request lands on another Node #584

Open
huntergregory opened this issue Aug 7, 2024 · 1 comment


huntergregory commented Aug 7, 2024

For a Retina cluster with Hubble enabled, when a Pod makes a DNS request (to the kube-dns service), if the request lands on a coredns Pod on another Node, then running hubble observe flows will produce double the necessary number of flows. Additionally, there seems to be a small bug in labeling the traffic as ingress versus egress.

In the DNS experiment below, there exist identical copies of DNS flows (looking at JSON format), resulting in 48 DNS flows between toolbox-pod and coredns-5fc6484dd7-bnzlf, while there are 24 UDP packets when adding packets leaving Node 1 (src=toolbox, dst=coredns), entering Node 2 (src=toolbox, dst=coredns), leaving Node 2 (dst=toolbox, src=coredns), then entering Node 1 (dst=toolbox, src=coredns).

Also in this experiment, there seems to be a bug as exemplified below. A single packet travels from toolbox to coredns-5fc6484dd7-bnzlf, and a single packet is sent back. Yet there is this discrepancy in egress vs. ingress counts. Presumably, the first and second flows are traced on one Node, and the third and fourth flows are traced on the other Node.

toolbox -> bnzlf

  1. EGRESS, TO_NETWORK
  2. EGRESS, TO_NETWORK
  3. EGRESS, TO_NETWORK
  4. INGRESS, FROM_NETWORK

toolbox <- bnzlf

  1. EGRESS, TO_NETWORK
  2. EGRESS, TO_NETWORK
  3. INGRESS, FROM_NETWORK
  4. INGRESS, FROM_NETWORK

Setup

  • Two-node AKS cluster.
  • Agent image: mcr.microsoft.com/containernetworking/retina-agent-enterprise:v0.0.8
  • Relay image: mcr.microsoft.com/oss/cilium/hubble-relay:v1.15.0
  • Below toolbox-pod:
apiVersion: v1
kind: Pod
metadata:
  name: toolbox-pod
spec:
  containers:
  - name: toolbox-container
    image: acnpublic.azurecr.io/toolbox
    ports:
    - containerPort: 80

DNS Experiment

Pods, Nodes, and IPs

We will focus on coredns-5fc6484dd7-bnzlf, which is on a different Node than toolbox-pod.

$ k get po -owide
NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE                                
toolbox-pod                      1/1     Running   0          24h   10.224.0.106   aks-nodepool1-32351195-vmss000000
$ k get po -n kube-system -owide
NAME                                 READY   STATUS    RESTARTS   AGE   IP             NODE
coredns-5fc6484dd7-bnzlf             1/1     Running   0          27h   10.224.1.85    aks-nodepool1-32351195-vmss000001
coredns-5fc6484dd7-k8vl4             1/1     Running   0          27h   10.224.0.189   aks-nodepool1-32351195-vmss000000

Experiment

Apply these iptables rules to each node to count UDP packets between the two Pods:

iptables -I FORWARD -d 10.224.0.106 -s 10.224.1.85 --protocol udp --sport 53
iptables -I FORWARD -s 10.224.0.106 -d 10.224.1.85 --protocol udp --dport 53

Curl bing.com

$ k exec toolbox-pod -- curl bing.com

Before curling, start observing flows (focus only on the flows to/from coredns-5fc6484dd7-bnzlf):

$ hubble observe flows -f --protocol dns | grep bing.com | grep -v "kube-system/kube-dns"
Aug  6 23:50:54.601: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. A)
Aug  6 23:50:54.601: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. A)
Aug  6 23:50:54.601: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. AAAA)
Aug  6 23:50:54.601: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. AAAA)
Aug  6 23:50:54.604: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. A)
Aug  6 23:50:54.604: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. AAAA)
Aug  6 23:50:54.604: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. A)
Aug  6 23:50:54.604: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.default.svc.cluster.local. AAAA)
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. AAAA))
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. AAAA))
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. AAAA))
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. A))
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. A))
Aug  6 23:50:54.605: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. A))
Aug  6 23:50:54.613: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. AAAA))
Aug  6 23:50:54.613: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.default.svc.cluster.local. A))
Aug  6 23:50:54.614: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. A)
Aug  6 23:50:54.614: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. A)
Aug  6 23:50:54.614: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. AAAA)
Aug  6 23:50:54.614: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. AAAA)
Aug  6 23:50:54.616: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. AAAA))
Aug  6 23:50:54.616: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. A))
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. A)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. AAAA)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. A)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. A)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. A)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. AAAA)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.svc.cluster.local. AAAA)
Aug  6 23:50:54.617: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. AAAA)
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. AAAA))
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. AAAA))
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. AAAA))
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. A))
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. A))
Aug  6 23:50:54.618: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.svc.cluster.local. A))
Aug  6 23:50:54.619: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. A))
Aug  6 23:50:54.619: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. AAAA))
Aug  6 23:50:54.619: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-k8vl4 (ID:4330) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A)
Aug  6 23:50:54.619: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-k8vl4 (ID:4330) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. AAAA)
Aug  6 23:50:54.619: coredns-5fc6484dd7-k8vl4 (ID:4330) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A)
Aug  6 23:50:54.619: 10.224.0.4 (host) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A)
Aug  6 23:50:54.619: 10.224.0.4 (host) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A)
Aug  6 23:50:54.620: coredns-5fc6484dd7-k8vl4 (ID:4330) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. AAAA)
Aug  6 23:50:54.620: 10.224.0.4 (host) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. AAAA)
Aug  6 23:50:54.620: 10.224.0.4 (host) -> 168.63.129.16 (world) dns-request  FORWARDED (DNS Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. AAAA)
Aug  6 23:50:54.620: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. A)
Aug  6 23:50:54.620: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. AAAA)
Aug  6 23:50:54.620: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. A)
Aug  6 23:50:54.620: toolbox-pod (ID:1679) -> coredns-5fc6484dd7-bnzlf (ID:4330) dns-request  FORWARDED (DNS Query bing.com.cluster.local. AAAA)
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. A))
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. A))
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. A))
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. AAAA))
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. AAAA))
Aug  6 23:50:54.621: toolbox-pod (ID:1679) <- coredns-5fc6484dd7-bnzlf (ID:4330) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.cluster.local. AAAA))
Aug  6 23:50:54.622: 10.224.0.4 (host) <- 168.63.129.16 (world) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A))
Aug  6 23:50:54.622: coredns-5fc6484dd7-k8vl4 (ID:4330) <- 168.63.129.16 (world) dns-response  FORWARDED (DNS Answer RCode: Non-Existent Domain (Query bing.com.lxgomovm4wuubbz0evyk1mkg3b.xx.internal.cloudapp.net. A))

The packets sent/received were:

Node 0:

root@aks-nodepool1-32351195-vmss000000:/# iptables -vnL FORWARD | grep 10.224.0.106
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    0     0            udp  --  *      *       10.224.1.85          10.224.0.106         udp spt:53
    0     0            udp  --  *      *       10.224.0.106         10.224.1.85          udp dpt:53
root@aks-nodepool1-32351195-vmss000000:/#
root@aks-nodepool1-32351195-vmss000000:/# iptables -vnL FORWARD | grep 10.224.0.106
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    6   998            udp  --  *      *       10.224.1.85          10.224.0.106         udp spt:53
    6   440            udp  --  *      *       10.224.0.106         10.224.1.85          udp dpt:53

Node 1:

root@aks-nodepool1-32351195-vmss000001:/# iptables -vnL FORWARD | grep 10.224.0.106
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    0     0            udp  --  *      *       10.224.0.106         10.224.1.85          udp dpt:53
    0     0            udp  --  *      *       10.224.1.85          10.224.0.106         udp spt:53
root@aks-nodepool1-32351195-vmss000001:/#
root@aks-nodepool1-32351195-vmss000001:/# iptables -vnL FORWARD | grep 10.224.0.106
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    6   440            udp  --  *      *       10.224.0.106         10.224.1.85          udp dpt:53
    6   998            udp  --  *      *       10.224.1.85          10.224.0.106         udp spt:53

When inspecting JSON output of the flows (hubble observe -ojson), we see the flows are duplicated and there exists the ingress/egress labeling bug described at the top. Here is an example looking at the tester.default.svc.cluster.local query:

====TOOLBOX -> BNZLF====
{"flow":{"time":"2024-08-06T20:09:10.316833065Z","verdict":"FORWARDED","IP":{"source":"10.224.0.106","destination":"10.224.1.85","ipVersion":"IPv4"},"source":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"destination":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"Type":"L7","l7":{"type":"REQUEST","dns":{"query":"tester.default.svc.cluster.local.","rcode":24,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"EGRESS","trace_observation_point":"TO_NETWORK","is_reply":false,"Summary":"DNS Query tester.default.svc.cluster.local. A"},"time":"2024-08-06T20:09:10.316833065Z"}
{"flow":{"time":"2024-08-06T20:09:10.316848165Z","verdict":"FORWARDED","IP":{"source":"10.224.0.106","destination":"10.224.1.85","ipVersion":"IPv4"},"source":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"destination":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"Type":"L7","l7":{"type":"REQUEST","dns":{"query":"tester.default.svc.cluster.local.","rcode":24,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"EGRESS","trace_observation_point":"TO_NETWORK","is_reply":false,"Summary":"DNS Query tester.default.svc.cluster.local. A"},"time":"2024-08-06T20:09:10.316848165Z"}
{"flow":{"time":"2024-08-06T20:09:10.320490428Z","verdict":"FORWARDED","IP":{"source":"10.224.0.106","destination":"10.224.1.85","ipVersion":"IPv4"},"source":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"destination":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"Type":"L7","l7":{"type":"REQUEST","dns":{"query":"tester.default.svc.cluster.local.","rcode":24,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"EGRESS","trace_observation_point":"TO_NETWORK","is_reply":false,"Summary":"DNS Query tester.default.svc.cluster.local. A"},"time":"2024-08-06T20:09:10.320490428Z"}
{"flow":{"time":"2024-08-06T20:09:10.320385227Z","verdict":"FORWARDED","IP":{"source":"10.224.0.106","destination":"10.224.1.85","ipVersion":"IPv4"},"source":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"destination":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"Type":"L7","l7":{"type":"REQUEST","dns":{"query":"tester.default.svc.cluster.local.","rcode":24,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"INGRESS","trace_observation_point":"FROM_NETWORK","is_reply":false,"Summary":"DNS Query tester.default.svc.cluster.local. A"},"time":"2024-08-06T20:09:10.320385227Z"}

====TOOLBOX <- BNZLF====
{"flow":{"time":"2024-08-06T20:09:10.320865029Z","verdict":"FORWARDED","IP":{"source":"10.224.1.85","destination":"10.224.0.106","ipVersion":"IPv4"},"source":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"destination":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"Type":"L7","l7":{"type":"RESPONSE","dns":{"query":"tester.default.svc.cluster.local.","rcode":3,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"EGRESS","trace_observation_point":"TO_NETWORK","is_reply":true,"Summary":"DNS Answer RCode: Non-Existent Domain (Query tester.default.svc.cluster.local. A)"},"time":"2024-08-06T20:09:10.320865029Z"}
{"flow":{"time":"2024-08-06T20:09:10.320871330Z","verdict":"FORWARDED","IP":{"source":"10.224.1.85","destination":"10.224.0.106","ipVersion":"IPv4"},"source":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"destination":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"Type":"L7","l7":{"type":"RESPONSE","dns":{"query":"tester.default.svc.cluster.local.","rcode":3,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"EGRESS","trace_observation_point":"TO_NETWORK","is_reply":true,"Summary":"DNS Answer RCode: Non-Existent Domain (Query tester.default.svc.cluster.local. A)"},"time":"2024-08-06T20:09:10.320871330Z"}
{"flow":{"time":"2024-08-06T20:09:10.318756683Z","verdict":"FORWARDED","IP":{"source":"10.224.1.85","destination":"10.224.0.106","ipVersion":"IPv4"},"source":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"destination":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"Type":"L7","l7":{"type":"RESPONSE","dns":{"query":"tester.default.svc.cluster.local.","rcode":3,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"INGRESS","trace_observation_point":"FROM_NETWORK","is_reply":true,"Summary":"DNS Answer RCode: Non-Existent Domain (Query tester.default.svc.cluster.local. A)"},"time":"2024-08-06T20:09:10.318756683Z"}
{"flow":{"time":"2024-08-06T20:09:10.320806929Z","verdict":"FORWARDED","IP":{"source":"10.224.1.85","destination":"10.224.0.106","ipVersion":"IPv4"},"source":{"ID":4330,"identity":4330,"namespace":"kube-system","labels":[],"pod_name":"coredns-5fc6484dd7-bnzlf"},"destination":{"ID":1679,"identity":1679,"namespace":"default","labels":[],"pod_name":"toolbox-pod"},"Type":"L7","l7":{"type":"RESPONSE","dns":{"query":"tester.default.svc.cluster.local.","rcode":3,"qtypes":["A"]}},"event_type":{"type":129},"source_service":{},"destination_service":{},"traffic_direction":"INGRESS","trace_observation_point":"FROM_NETWORK","is_reply":true,"Summary":"DNS Answer RCode: Non-Existent Domain (Query tester.default.svc.cluster.local. A)"},"time":"2024-08-06T20:09:10.320806929Z"}
@huntergregory huntergregory changed the title double the expected Hubble DNS flows when DNS request lands on another Node double the expected Hubble flows for inter-Node traffic Aug 7, 2024
@huntergregory huntergregory changed the title double the expected Hubble flows for inter-Node traffic duplicated info in Hubble DNS flows when DNS request lands on another Node Aug 7, 2024
@huntergregory huntergregory changed the title duplicated info in Hubble DNS flows when DNS request lands on another Node duplicate Hubble DNS flows and ingress/egress labeling bug when DNS request lands on another Node Aug 7, 2024
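Added example (editor's code, not from the issue author, Retina or Hubble): a small analyzer for `hubble observe -o json` output that groups flows by the packet they describe, tallies how many copies carry each (traffic_direction, trace_observation_point) pair, flags the EGRESS/INGRESS imbalance the issue reports for the request, and collapses the same-node duplicates with a tight time window. The sample flows are constructed from the eight JSON records shown in the issue (timestamps, IPs, directions and observation points kept, other fields trimmed); field names beyond those are assumptions about the Hubble schema.

```python
"""Group Hubble JSON flows per packet and flag ingress/egress label skew.

Added example for this issue; it is not Retina or Hubble project code.
Input is the line-delimited output of `hubble observe -o json`. Only the
fields used below (time, IP, l7.dns, traffic_direction,
trace_observation_point) are assumed to be present.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timezone

TOOLBOX, COREDNS = "10.224.0.106", "10.224.1.85"


def _mk(t, src, dst, l7type, direction, obs):
    """Build one trimmed flow in the shape `hubble observe -o json` emits."""
    return {"flow": {
        "time": t, "verdict": "FORWARDED",
        "IP": {"source": src, "destination": dst, "ipVersion": "IPv4"},
        "l7": {"type": l7type,
               "dns": {"query": "tester.default.svc.cluster.local.", "qtypes": ["A"]}},
        "traffic_direction": direction, "trace_observation_point": obs,
        "is_reply": l7type == "RESPONSE"}}


# Constructed sample: the eight flows for one A query, with the timestamps,
# directions and observation points reported in the issue; other fields trimmed.
SAMPLE_JSON_LINES = [json.dumps(f) for f in (
    _mk("2024-08-06T20:09:10.316833065Z", TOOLBOX, COREDNS, "REQUEST", "EGRESS", "TO_NETWORK"),
    _mk("2024-08-06T20:09:10.316848165Z", TOOLBOX, COREDNS, "REQUEST", "EGRESS", "TO_NETWORK"),
    _mk("2024-08-06T20:09:10.320490428Z", TOOLBOX, COREDNS, "REQUEST", "EGRESS", "TO_NETWORK"),
    _mk("2024-08-06T20:09:10.320385227Z", TOOLBOX, COREDNS, "REQUEST", "INGRESS", "FROM_NETWORK"),
    _mk("2024-08-06T20:09:10.320865029Z", COREDNS, TOOLBOX, "RESPONSE", "EGRESS", "TO_NETWORK"),
    _mk("2024-08-06T20:09:10.320871330Z", COREDNS, TOOLBOX, "RESPONSE", "EGRESS", "TO_NETWORK"),
    _mk("2024-08-06T20:09:10.318756683Z", COREDNS, TOOLBOX, "RESPONSE", "INGRESS", "FROM_NETWORK"),
    _mk("2024-08-06T20:09:10.320806929Z", COREDNS, TOOLBOX, "RESPONSE", "INGRESS", "FROM_NETWORK"),
)]


def to_ns(ts):
    """Hubble timestamps carry nanoseconds, which datetime cannot hold; keep an int."""
    base, _, frac = ts.rstrip("Z").partition(".")
    secs = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    return int(secs) * 1_000_000_000 + int((frac + "000000000")[:9])


def parse_flows(lines):
    return [json.loads(line)["flow"] for line in lines if line.strip()]


def packet_key(flow):
    """Identity of the packet a flow describes, ignoring where it was observed."""
    l7 = flow.get("l7", {})
    dns = l7.get("dns", {})
    return (flow["IP"]["source"], flow["IP"]["destination"],
            l7.get("type"), dns.get("query"), tuple(dns.get("qtypes", ())))


def label_histogram(flows):
    """Per packet: how many copies carry each (traffic_direction, observation point)."""
    hist = defaultdict(Counter)
    for f in flows:
        hist[packet_key(f)][(f["traffic_direction"], f["trace_observation_point"])] += 1
    return hist


def label_skew(hist):
    """Packets whose EGRESS and INGRESS copies are unbalanced. A packet crossing
    nodes should be EGRESS on the sender and INGRESS on the receiver, so with
    the same number of copies per node the two counts match."""
    skewed = []
    for key, counts in hist.items():
        per_dir = Counter()
        for (direction, _), n in counts.items():
            per_dir[direction] += n
        if per_dir["EGRESS"] != per_dir["INGRESS"]:
            skewed.append(key)
    return skewed


def dedupe(flows, window_ns=1_000_000):
    """Drop flows identical to one already kept within window_ns (default 1 ms).
    The two copies one node emits for a packet are tens of microseconds apart,
    while the other node's copies are milliseconds away (cross-node clock skew
    adds more), so a tight window collapses only same-node duplicates."""
    kept, last_seen = [], {}
    for f in sorted(flows, key=lambda f: to_ns(f["time"])):
        k = packet_key(f) + (f["traffic_direction"], f["trace_observation_point"])
        t = to_ns(f["time"])
        if k in last_seen and t - last_seen[k] <= window_ns:
            continue
        last_seen[k] = t
        kept.append(f)
    return kept


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_JSON_LINES)
    hist = label_histogram(flows)
    for key, counts in hist.items():
        print(key[0], "->", key[1], key[2], dict(counts))
    print("label skew:", label_skew(hist))
    print(len(flows), "flows,", len(dedupe(flows)), "after same-node dedupe")
```

On the issue's own data this reports the request as 3x EGRESS/TO_NETWORK plus 1x INGRESS/FROM_NETWORK (flagged as skewed) and the response as 2/2 (balanced), and the 1 ms window brings the eight flows down to six; widening the window to 10 ms merges the cross-node copies too and leaves four, which shows why a time-based dedupe cannot substitute for correct per-node labeling.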

huntergregory commented Aug 7, 2024

This HTTP experiment shows that for TCP, we similarly have double the number of flows as there are packets, yet we specify different trace_observation_point for the otherwise duplicate flow. We also do not have the ingress/egress labeling bug. That is, we have:

toolbox -> dep-http

  1. EGRESS, TO_STACK
  2. EGRESS, TO_NETWORK
  3. INGRESS, FROM_NETWORK
  4. INGRESS, TO_ENDPOINT

toolbox <- dep-http

  1. EGRESS, TO_STACK
  2. EGRESS, TO_NETWORK
  3. INGRESS, FROM_NETWORK
  4. INGRESS, TO_ENDPOINT

Additional Setup

  • Below dep-http:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dep-http
spec:
  replicas: 1
  selector:
    matchLabels:
      pod: http
  template:
    metadata:
      labels:
        pod: http
    spec:
      containers:
      - command:
        - /agnhost
        - serve-hostname
        - --http=true
        - --port
        - "80"
        image: k8s.gcr.io/e2e-test-images/agnhost:2.33
        imagePullPolicy: IfNotPresent
        name: cont-80-tcp
        ports:
        - containerPort: 80
          name: serve-80-tcp
          protocol: TCP
      nodeSelector:
        kubernetes.io/os: linux
        vm: "1"
  • Label the node which does NOT have toolbox-pod on it with kubectl label node <name> vm=1.

HTTP Experiment

Pods, Nodes, and IPs

NAME                             READY   STATUS    RESTARTS   AGE   IP             NODE
dep-http-84f64997bd-j622q        1/1     Running   0          16m   10.224.1.166   aks-nodepool1-32351195-vmss000001
toolbox-pod                      1/1     Running   0          44h   10.224.0.106   aks-nodepool1-32351195-vmss000000

Experiment

Apply these iptables rules to each node to count TCP packets between the two Pods:

iptables-nft -I FORWARD -s 10.224.0.106 -d 10.224.1.166 --protocol tcp --dport 80
iptables-nft -I FORWARD -d 10.224.0.106 -s 10.224.1.166 --protocol tcp --sport 80

Curl the http server:

k exec toolbox-pod -- curl 10.224.1.166:80

Before curling, start observing flows:

 $ hubble observe flows --protocol tcp -f | grep "toolbox-pod\|dep-http"
Aug  7 19:39:39.821: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.821: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.823: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.823: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.824: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.824: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.831: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.831: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.832: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.832: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.832: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.832: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.832: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.832: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.844: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.844: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.845: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.845: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.845: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.845: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.826: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.826: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.833: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.834: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.834: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.834: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.834: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.834: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.846: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.846: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.846: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.846: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.847: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.847: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.834: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: PSH:true  ACK:true)
Aug  7 19:39:39.834: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: PSH:true  ACK:true)

The packets sent/received were:

Node 0:

root@aks-nodepool1-32351195-vmss000000:/# iptables -vnL FORWARD | grep 10.224.1.166
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    0     0            tcp  --  *      *       10.224.1.166         10.224.0.106         tcp spt:80
    0     0            tcp  --  *      *       10.224.0.106         10.224.1.166         tcp dpt:80
root@aks-nodepool1-32351195-vmss000000:/#
root@aks-nodepool1-32351195-vmss000000:/# iptables -vnL FORWARD | grep 10.224.1.166
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    4   358            tcp  --  *      *       10.224.1.166         10.224.0.106         tcp spt:80
    6   396            tcp  --  *      *       10.224.0.106         10.224.1.166         tcp dpt:80

Node 1:

root@aks-nodepool1-32351195-vmss000001:/# iptables -vnL FORWARD | grep 10.224.1.166
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    0     0            tcp  --  *      *       10.224.1.166         10.224.0.106         tcp spt:80
    0     0            tcp  --  *      *       10.224.0.106         10.224.1.166         tcp dpt:80
root@aks-nodepool1-32351195-vmss000001:/#
root@aks-nodepool1-32351195-vmss000001:/# iptables -vnL FORWARD | grep 10.224.1.166
# Warning: iptables-legacy tables present, use iptables-legacy to see them
    4   358            tcp  --  *      *       10.224.1.166         10.224.0.106         tcp spt:80
    6   396            tcp  --  *      *       10.224.0.106         10.224.1.166         tcp dpt:80
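Added example (editor's code, not from the issue author, Retina or Hubble): a parser for the text form of `hubble observe` shown in this comment that normalises the `<-` lines so the source is the real sender, lists which observation points each packet was seen at, and recovers per-direction packet counts by keeping one observation point per packet, which can then be checked against the iptables FORWARD counters. The embedded sample is a 16-line excerpt of the output above (SYN, SYN/ACK, ACK and the client's FIN/ACK); the iptables numbers used for the comparison are constructed for that excerpt (3 and 1), not the 6 and 4 of the full capture.

```python
"""Turn Hubble's text flow output back into per-packet counts.

Added example for this issue, not Retina or Hubble project code. It parses
`hubble observe` text lines for TCP, counts one flow per packet by keeping a
single trace observation point, and compares with iptables FORWARD counters.
"""
import re
from collections import Counter, defaultdict

# Excerpt of the hubble output in the comment: each packet appears twice on the
# sending node (to-stack, to-network) and twice on the receiver (from-network,
# to-endpoint). The second block arrives via hubble-relay from the other node.
SAMPLE_TEXT = """
Aug  7 19:39:39.821: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.821: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.823: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.823: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.824: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.824: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.844: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-stack FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.844: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) from-network FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) -> dep-http-84f64997bd-j622q:80 (ID:23273) to-endpoint FORWARDED (TCP Flags: SYN:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-stack FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.825: toolbox-pod:36600 (ID:1679) <- dep-http-84f64997bd-j622q:80 (ID:23273) to-network FORWARDED (TCP Flags: SYN:true  ACK:true)
Aug  7 19:39:39.826: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.826: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: ACK:true)
Aug  7 19:39:39.846: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) from-network FORWARDED (TCP Flags: FIN:true  ACK:true)
Aug  7 19:39:39.846: dep-http-84f64997bd-j622q:80 (ID:23273) <- toolbox-pod:36600 (ID:1679) to-endpoint FORWARDED (TCP Flags: FIN:true  ACK:true)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:.]+): "
    r"(?P<left>\S+?):(?P<lport>\d+) \(ID:\d+\) (?P<arrow>->|<-) "
    r"(?P<right>\S+?):(?P<rport>\d+) \(ID:\d+\) "
    r"(?P<obs>\S+) (?P<verdict>\S+) \(TCP Flags: (?P<flags>.*)\)$"
)


def parse_line(line):
    """One text flow -> dict; '<-' lines are normalised so src is the real sender."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = (m["left"], m["right"]) if m["arrow"] == "->" else (m["right"], m["left"])
    flags = tuple(f.split(":")[0] for f in m["flags"].split())
    return {"ts": m["ts"], "src": src, "dst": dst, "obs": m["obs"],
            "verdict": m["verdict"], "flags": flags}


def parse_text(text):
    return [r for r in (parse_line(l) for l in text.strip().splitlines()) if r]


def observation_point_histogram(records):
    return Counter(r["obs"] for r in records)


def observation_points_per_packet(records):
    """(src, dst, flags) -> sorted observation points that reported it."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["src"], r["dst"], r["flags"])].add(r["obs"])
    return {k: tuple(sorted(v)) for k, v in seen.items()}


def packets_by_direction(records, observation_point="to-network"):
    """Packet count per (src, dst). Each inter-node packet is reported exactly
    once at `to-network` on the sender and once at `from-network` on the
    receiver, so keeping one point turns 4 flows per packet into 1."""
    return Counter((r["src"], r["dst"]) for r in records if r["obs"] == observation_point)


def compare_with_iptables(hubble_counts, iptables_counts):
    """Directions where the Hubble-derived packet count disagrees with iptables."""
    return {k: (hubble_counts.get(k, 0), n) for k, n in iptables_counts.items()
            if hubble_counts.get(k, 0) != n}


TOOLBOX, HTTP = "toolbox-pod", "dep-http-84f64997bd-j622q"
# Constructed FORWARD packet counters for the excerpt (the full capture shows 6 and 4).
IPTABLES_EXCERPT = {(TOOLBOX, HTTP): 3, (HTTP, TOOLBOX): 1}

if __name__ == "__main__":
    recs = parse_text(SAMPLE_TEXT)
    print(len(recs), "flows by observation point:", dict(observation_point_histogram(recs)))
    print("packets by direction:", dict(packets_by_direction(recs)))
    print("mismatch vs iptables:", compare_with_iptables(packets_by_direction(recs), IPTABLES_EXCERPT))
```

Keeping one observation point works for the TCP case because the four copies of a packet carry four distinct points, two per node; it would not repair the DNS case above, where three of the four copies of a request share EGRESS/TO_NETWORK, so there the count comes out wrong whichever single point is kept.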
