Network problems caused by networkpolicy #5371

lanzhiwang · 2021-07-29T11:35:29Z

lanzhiwang
Jul 29, 2021

If k8s uses plugins such as calico and kube-ovn, the networkpolicy created by operators will cause the pods to be unable to ping each other. If you delete the networkpolicy, there will be no such problem.

lanzhiwang · 2021-07-29T11:37:35Z

lanzhiwang
Jul 29, 2021
Author

I think there are two problems we need to figure out. One is why the networkpolicy causes this problem, which is related to the implementation of the network plug-in; the other is that we need to evaluate whether we need to use operators to create a networkpolicy.

2 replies

scholzj Jul 29, 2021
Maintainer

Sorry, but what is the actual problem? I use Strimzi daily with Calico and never had any problems.

lanzhiwang Jul 29, 2021
Author

When networkpolicy exists, they cannot ping each other, and when networkpolicy does not exist, they can ping each other.

lanzhiwang · 2021-07-29T11:49:51Z

lanzhiwang
Jul 29, 2021
Author

[root@master-cce03 strimzi]# kubectl -n kafka get pod -o wide
NAME                                           READY   STATUS    RESTARTS   AGE   IP               NODE             NOMINATED NODE   READINESS GATES
my-kafka241-entity-operator-85dc5f8bbb-pmt9r   3/3     Running   2          47m   172.16.193.95    192.168.25.244   <none>           <none>
my-kafka241-kafka-0                            2/2     Running   1          47m   172.16.193.99    192.168.25.244   <none>           <none>
my-kafka241-kafka-1                            2/2     Running   2          47m   172.16.193.97    192.168.25.244   <none>           <none>
my-kafka241-kafka-2                            2/2     Running   0          47m   172.16.193.102   192.168.25.244   <none>           <none>
my-kafka241-zookeeper-0                        1/1     Running   0          47m   172.16.193.100   192.168.25.244   <none>           <none>
my-kafka241-zookeeper-1                        1/1     Running   2          47m   172.16.193.98    192.168.25.244   <none>           <none>
my-kafka241-zookeeper-2                        1/1     Running   0          47m   172.16.193.101   192.168.25.244   <none>           <none>
strimzi-cluster-operator-659b46ccdc-8gdxl      1/1     Running   0          47m   172.16.193.96    192.168.25.244   <none>           <none>
[root@master-cce03 strimzi]#
[root@master-cce03 strimzi]# kubectl -n kafka exec -ti my-kafka241-zookeeper-0 bash
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.99
PING 172.16.193.99 (172.16.193.99) 56(84) bytes of data.

--- 172.16.193.99 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.97
PING 172.16.193.97 (172.16.193.97) 56(84) bytes of data.

--- 172.16.193.97 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.102
PING 172.16.193.102 (172.16.193.102) 56(84) bytes of data.

--- 172.16.193.102 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.101
PING 172.16.193.101 (172.16.193.101) 56(84) bytes of data.

--- 172.16.193.101 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.96
PING 172.16.193.96 (172.16.193.96) 56(84) bytes of data.
64 bytes from 172.16.193.96: icmp_seq=1 ttl=63 time=0.161 ms
64 bytes from 172.16.193.96: icmp_seq=2 ttl=63 time=0.140 ms
64 bytes from 172.16.193.96: icmp_seq=3 ttl=63 time=0.062 ms
64 bytes from 172.16.193.96: icmp_seq=4 ttl=63 time=0.116 ms
64 bytes from 172.16.193.96: icmp_seq=5 ttl=63 time=0.091 ms

--- 172.16.193.96 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.062/0.114/0.161/0.035 ms
[kafka@my-kafka241-zookeeper-0 kafka]$

If i delete networkpolicy

[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.99
PING 172.16.193.99 (172.16.193.99) 56(84) bytes of data.
64 bytes from 172.16.193.99: icmp_seq=1 ttl=63 time=0.128 ms
64 bytes from 172.16.193.99: icmp_seq=2 ttl=63 time=0.084 ms
64 bytes from 172.16.193.99: icmp_seq=3 ttl=63 time=0.059 ms
64 bytes from 172.16.193.99: icmp_seq=4 ttl=63 time=0.082 ms
64 bytes from 172.16.193.99: icmp_seq=5 ttl=63 time=0.093 ms

--- 172.16.193.99 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.059/0.089/0.128/0.023 ms
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.97
PING 172.16.193.97 (172.16.193.97) 56(84) bytes of data.
64 bytes from 172.16.193.97: icmp_seq=1 ttl=63 time=0.231 ms
64 bytes from 172.16.193.97: icmp_seq=2 ttl=63 time=0.104 ms
64 bytes from 172.16.193.97: icmp_seq=3 ttl=63 time=0.126 ms
64 bytes from 172.16.193.97: icmp_seq=4 ttl=63 time=0.131 ms
64 bytes from 172.16.193.97: icmp_seq=5 ttl=63 time=0.144 ms

--- 172.16.193.97 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4001ms
rtt min/avg/max/mdev = 0.104/0.147/0.231/0.044 ms
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$
[kafka@my-kafka241-zookeeper-0 kafka]$ ping -c 5 172.16.193.101
PING 172.16.193.101 (172.16.193.101) 56(84) bytes of data.
64 bytes from 172.16.193.101: icmp_seq=1 ttl=63 time=0.209 ms
64 bytes from 172.16.193.101: icmp_seq=2 ttl=63 time=0.066 ms
64 bytes from 172.16.193.101: icmp_seq=3 ttl=63 time=0.062 ms
64 bytes from 172.16.193.101: icmp_seq=4 ttl=63 time=0.074 ms
64 bytes from 172.16.193.101: icmp_seq=5 ttl=63 time=0.078 ms

--- 172.16.193.101 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4000ms
rtt min/avg/max/mdev = 0.062/0.097/0.209/0.057 ms
[kafka@my-kafka241-zookeeper-0 kafka]$

4 replies

scholzj Jul 29, 2021
Maintainer

But why does it matter? What is the point of this?

scholzj Jul 29, 2021
Maintainer

PS: You will be able to disable the network policy creation in 0.25.

lanzhiwang Jul 29, 2021
Author

#3591
#3692
Are these issues related to networkpolicy?

scholzj Jul 29, 2021
Maintainer

Not as far as I know.

lanzhiwang · 2021-07-29T11:53:40Z

lanzhiwang
Jul 29, 2021
Author

calico 3.16.5

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Strimzi

Network problems caused by networkpolicy #5371

{{title}}

Replies: 3 comments 6 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Strimzi

Network problems caused by networkpolicy #5371

lanzhiwang Jul 29, 2021

Replies: 3 comments · 6 replies

lanzhiwang Jul 29, 2021 Author

scholzj Jul 29, 2021 Maintainer

lanzhiwang Jul 29, 2021 Author

lanzhiwang Jul 29, 2021 Author

scholzj Jul 29, 2021 Maintainer

scholzj Jul 29, 2021 Maintainer

lanzhiwang Jul 29, 2021 Author

scholzj Jul 29, 2021 Maintainer

lanzhiwang Jul 29, 2021 Author

lanzhiwang
Jul 29, 2021

Replies: 3 comments 6 replies

lanzhiwang
Jul 29, 2021
Author

scholzj Jul 29, 2021
Maintainer

lanzhiwang Jul 29, 2021
Author

lanzhiwang
Jul 29, 2021
Author

scholzj Jul 29, 2021
Maintainer

scholzj Jul 29, 2021
Maintainer

lanzhiwang Jul 29, 2021
Author

scholzj Jul 29, 2021
Maintainer

lanzhiwang
Jul 29, 2021
Author