
Can Curl out of a pod on Http but not Https - fresh install on Ubuntu 22.04 #5427

Open
4 tasks done
tomwilde opened this issue Jan 9, 2025 · 11 comments
Labels
bug Something isn't working

Comments

@tomwilde

tomwilde commented Jan 9, 2025

Before creating an issue, make sure you've checked the following:

  • You are running the latest released version of k0s
  • Make sure you've searched for existing issues, both open and closed
  • Make sure you've searched for PRs too, a fix might've been merged already
  • You're looking at docs for the released version, "main" branch docs are usually ahead of released versions.

Platform

uname -a
Linux tom-nuc 6.8.0-51-generic #52~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Dec  9 15:00:52 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Version

v1.31.3+k0s.0

Sysinfo

`k0s sysinfo`
Total memory: 15.5 GiB (pass)
File system of /var/lib/k0s: ext4 (pass)
Disk space available for /var/lib/k0s: 388.7 GiB (pass)
Relative disk space available for /var/lib/k0s: 85% (pass)
Name resolution: localhost: [127.0.0.1] (pass)
Operating system: Linux (pass)
  Linux kernel release: 6.8.0-51-generic (pass)
  Max. file descriptors per process: current: 1048576 / max: 1048576 (pass)
  AppArmor: active (pass)
  Executable in PATH: modprobe: /usr/sbin/modprobe (pass)
  Executable in PATH: mount: /usr/bin/mount (pass)
  Executable in PATH: umount: /usr/bin/umount (pass)
  /proc file system: mounted (0x9fa0) (pass)
  Control Groups: version 2 (pass)
    cgroup controller "cpu": available (is a listed root controller) (pass)
    cgroup controller "cpuacct": available (via cpu in version 2) (pass)
    cgroup controller "cpuset": available (is a listed root controller) (pass)
    cgroup controller "memory": available (is a listed root controller) (pass)
    cgroup controller "devices": available (device filters attachable) (pass)
    cgroup controller "freezer": available (cgroup.freeze exists) (pass)
    cgroup controller "pids": available (is a listed root controller) (pass)
    cgroup controller "hugetlb": available (is a listed root controller) (pass)
    cgroup controller "blkio": available (via io in version 2) (pass)
  CONFIG_CGROUPS: Control Group support: built-in (pass)
    CONFIG_CGROUP_FREEZER: Freezer cgroup subsystem: built-in (pass)
    CONFIG_CGROUP_PIDS: PIDs cgroup subsystem: built-in (pass)
    CONFIG_CGROUP_DEVICE: Device controller for cgroups: built-in (pass)
    CONFIG_CPUSETS: Cpuset support: built-in (pass)
    CONFIG_CGROUP_CPUACCT: Simple CPU accounting cgroup subsystem: built-in (pass)
    CONFIG_MEMCG: Memory Resource Controller for Control Groups: built-in (pass)
    CONFIG_CGROUP_HUGETLB: HugeTLB Resource Controller for Control Groups: built-in (pass)
    CONFIG_CGROUP_SCHED: Group CPU scheduler: built-in (pass)
      CONFIG_FAIR_GROUP_SCHED: Group scheduling for SCHED_OTHER: built-in (pass)
        CONFIG_CFS_BANDWIDTH: CPU bandwidth provisioning for FAIR_GROUP_SCHED: built-in (pass)
    CONFIG_BLK_CGROUP: Block IO controller: built-in (pass)
  CONFIG_NAMESPACES: Namespaces support: built-in (pass)
    CONFIG_UTS_NS: UTS namespace: built-in (pass)
    CONFIG_IPC_NS: IPC namespace: built-in (pass)
    CONFIG_PID_NS: PID namespace: built-in (pass)
    CONFIG_NET_NS: Network namespace: built-in (pass)
  CONFIG_NET: Networking support: built-in (pass)
    CONFIG_INET: TCP/IP networking: built-in (pass)
      CONFIG_IPV6: The IPv6 protocol: built-in (pass)
    CONFIG_NETFILTER: Network packet filtering framework (Netfilter): built-in (pass)
      CONFIG_NETFILTER_ADVANCED: Advanced netfilter configuration: built-in (pass)
      CONFIG_NF_CONNTRACK: Netfilter connection tracking support: module (pass)
      CONFIG_NETFILTER_XTABLES: Netfilter Xtables support: module (pass)
        CONFIG_NETFILTER_XT_TARGET_REDIRECT: REDIRECT target support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_COMMENT: "comment" match support: module (pass)
        CONFIG_NETFILTER_XT_MARK: nfmark target and match support: module (pass)
        CONFIG_NETFILTER_XT_SET: set target and match support: module (pass)
        CONFIG_NETFILTER_XT_TARGET_MASQUERADE: MASQUERADE target support: module (pass)
        CONFIG_NETFILTER_XT_NAT: "SNAT and DNAT" targets support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: "addrtype" address type match support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_CONNTRACK: "conntrack" connection tracking match support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_MULTIPORT: "multiport" Multiple port match support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_RECENT: "recent" match support: module (pass)
        CONFIG_NETFILTER_XT_MATCH_STATISTIC: "statistic" match support: module (pass)
      CONFIG_NETFILTER_NETLINK: module (pass)
      CONFIG_NF_NAT: module (pass)
      CONFIG_IP_SET: IP set support: module (pass)
        CONFIG_IP_SET_HASH_IP: hash:ip set support: module (pass)
        CONFIG_IP_SET_HASH_NET: hash:net set support: module (pass)
      CONFIG_IP_VS: IP virtual server support: module (pass)
        CONFIG_IP_VS_NFCT: Netfilter connection tracking: built-in (pass)
        CONFIG_IP_VS_SH: Source hashing scheduling: module (pass)
        CONFIG_IP_VS_RR: Round-robin scheduling: module (pass)
        CONFIG_IP_VS_WRR: Weighted round-robin scheduling: module (pass)
      CONFIG_NF_CONNTRACK_IPV4: IPv4 connetion tracking support (required for NAT): unknown (warning)
      CONFIG_NF_REJECT_IPV4: IPv4 packet rejection: module (pass)
      CONFIG_NF_NAT_IPV4: IPv4 NAT: unknown (warning)
      CONFIG_IP_NF_IPTABLES: IP tables support: module (pass)
        CONFIG_IP_NF_FILTER: Packet filtering: module (pass)
          CONFIG_IP_NF_TARGET_REJECT: REJECT target support: module (pass)
        CONFIG_IP_NF_NAT: iptables NAT support: module (pass)
        CONFIG_IP_NF_MANGLE: Packet mangling: module (pass)
      CONFIG_NF_DEFRAG_IPV4: module (pass)
      CONFIG_NF_CONNTRACK_IPV6: IPv6 connetion tracking support (required for NAT): unknown (warning)
      CONFIG_NF_NAT_IPV6: IPv6 NAT: unknown (warning)
      CONFIG_IP6_NF_IPTABLES: IP6 tables support: module (pass)
        CONFIG_IP6_NF_FILTER: Packet filtering: module (pass)
        CONFIG_IP6_NF_MANGLE: Packet mangling: module (pass)
        CONFIG_IP6_NF_NAT: ip6tables NAT support: module (pass)
      CONFIG_NF_DEFRAG_IPV6: module (pass)
    CONFIG_BRIDGE: 802.1d Ethernet Bridging: module (pass)
      CONFIG_LLC: module (pass)
      CONFIG_STP: module (pass)
  CONFIG_EXT4_FS: The Extended 4 (ext4) filesystem: built-in (pass)
  CONFIG_PROC_FS: /proc file system support: built-in (pass)

What happened?

Can make http calls outbound to the internet but not https. This is on a blank install running a pretty standard, up to date test container. I have seen this error elsewhere in other containers so it appears to be a generic problem.

Steps to reproduce

  1. Running this as root:
curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sh
k0s install controller --single
systemctl daemon-reload
k0s start

  2. Only the basic system pods are running - I then start up a 'debug' container to check connectivity:

kubectl run -i --tty --rm debug --image=nicolaka/netshoot --restart=Never -- bash

Within the shell that comes up I can run this ok:

curl -v http://www.google.com

but when I run it for https:

curl -v httpS://www.google.com

  3. I get the following:

curl -v https://www.google.com

* Host www.google.com:443 was resolved.
* IPv6: 2a00:1450:4009:821::2004
* IPv4: 142.250.178.4
*   Trying 142.250.178.4:443...
* Connected to www.google.com (142.250.178.4) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS alert, record overflow (534):
* OpenSSL/3.3.0: error:0A0000C6:SSL routines::packet length too long
* Closing connection
curl: (35) OpenSSL/3.3.0: error:0A0000C6:SSL routines::packet length too long

My DNS resolves ok within the container and on the host - this is a single node - my firewall (UFW) is disabled.

Expected behavior

Obviously, I expect to be able to connect to the internet using SSL. 👍
(This is messing with Lets Encrypt initialisation which is why I'm really here..)

Actual behavior

I get a random cryptographic error. The same curl command works perfectly on the host - ironically on an earlier version of curl.

Container curl info:

curl 8.7.1 (x86_64-alpine-linux-musl) libcurl/8.7.1 OpenSSL/3.3.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 c-ares/1.28.1 libidn2/2.3.7 libpsl/0.21.5 nghttp2/1.61.0
Release-Date: 2024-03-27
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe TLS-SRP UnixSockets zstd

Host curl info:

curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd 

Screenshots and logs

No response

Additional context

Happy to provide extra logs, info as required. Finding K0s to otherwise be awesome!

@tomwilde tomwilde added the bug Something isn't working label Jan 9, 2025
@jnummelin
Member

Oh wow, this is weird

Connected to www.google.com (142.250.178.4) port 443

So the connection itself can be made, so the traffic does go somewhere.

OpenSSL/3.3.0: error:0A0000C6:SSL routines::packet length too long

Sounds like something is messing up the traffic and thus the SSL handshake fails.

This is messing with Lets Encrypt initialisation which is why I'm really here..

Do you see similar SSL level errors on LE pods?

Which CNI are you using?

I'll throw a couple of things to test just to rule out stuff:

  • Could you try with hostnetwork: true pod, just to see if it's CNI layer messing things up?
  • Check if you have any proxies configured, either on system or pod level?

@jnummelin
Member

jnummelin commented Jan 10, 2025

Trying with netshoot on fresh 1.31.3 cluster on Ubuntu 22.04, I see this:

debug:~# curl -s -o /dev/null -w "%{http_code}" https://www.google.com
200

But if I force the curl command to use port 80 with https I get the exact same issue:

debug:~# curl -v https://www.google.com:80
* Host www.google.com:80 was resolved.
* IPv6: 2a00:1450:4026:803::2004
* IPv4: 216.58.210.132
*   Trying 216.58.210.132:80...
* Connected to www.google.com (216.58.210.132) port 80
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS alert, record overflow (534):
* OpenSSL/3.3.0: error:0A0000C6:SSL routines::packet length too long
* Closing connection
curl: (35) OpenSSL/3.3.0: error:0A0000C6:SSL routines::packet length too long

So I wonder what could happen in your network so that google port 443 would get translated into port 80?
And only when request originates from pod network?

What happens in your env if you force port 443 for plain HTTP? E.g. with:

debug:~# curl -v http://www.google.com:443

@tomwilde
Author

Hi, thanks for coming back! It's verrry strange... I'll try and add as much info as I can here...

Do you see similar SSL level errors on LE pods?
yep, it's across all pods afaict

$ kubectl get nodes -o wide
NAME      STATUS   ROLES           AGE   VERSION       INTERNAL-IP    EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
tom-nuc   Ready    control-plane   18h   v1.31.3+k0s   192.168.0.20   <none>        Ubuntu 22.04.5 LTS   6.8.0-51-generic   containerd://1.7.24
$ k0s config create
apiVersion: k0s.k0sproject.io/v1beta1
kind: ClusterConfig
metadata:
  name: k0s
spec:
  api:
    address: 192.168.0.20
    k0sApiPort: 9443
    port: 6443
    sans:
    - 192.168.0.20
    - 172.17.0.1
    - 10.244.0.1
    - fe80::bb28:340b:b545:b672
    - fe80::42:6cff:fe42:9948
    - fe80::9877:daff:fe27:c3fa
    - fe80::9047:57ff:fee2:ff82
    - fe80::e0fa:96ff:fea0:baac
  controllerManager: {}
  extensions:
    helm:
      concurrencyLevel: 5
  installConfig:
    users:
      etcdUser: etcd
      kineUser: kube-apiserver
      konnectivityUser: konnectivity-server
      kubeAPIserverUser: kube-apiserver
      kubeSchedulerUser: kube-scheduler
  konnectivity:
    adminPort: 8133
    agentPort: 8132
  network:
    clusterDomain: cluster.local
    dualStack:
      enabled: false
    kubeProxy:
      iptables:
        minSyncPeriod: 0s
        syncPeriod: 0s
      ipvs:
        minSyncPeriod: 0s
        syncPeriod: 0s
        tcpFinTimeout: 0s
        tcpTimeout: 0s
        udpTimeout: 0s
      metricsBindAddress: 0.0.0.0:10249
      mode: iptables
      nftables:
        minSyncPeriod: 0s
        syncPeriod: 0s
    kuberouter:
      autoMTU: true
      hairpin: Enabled
      metricsPort: 8080
    nodeLocalLoadBalancing:
      enabled: false
      envoyProxy:
        apiServerBindPort: 7443
        konnectivityServerBindPort: 7132
      type: EnvoyProxy
    podCIDR: 10.244.0.0/16
    provider: kuberouter
    serviceCIDR: 10.96.0.0/12
  scheduler: {}
  storage:
    etcd:
      peerAddress: 192.168.0.20
    type: etcd
  telemetry:
    enabled: true

CNI:

sudo cat /etc/cni/net.d/10-kuberouter.conflist
{"cniVersion":"0.3.0","name":"mynet","plugins":[{"bridge":"kube-bridge","hairpinMode":true,"ipMasq":false,"ipam":{"ranges":[[{"subnet":"10.244.0.0/24"}]],"type":"host-local"},"isDefaultGateway":true,"mtu":1500,"name":"kubernetes","type":"bridge"},{"capabilities"kubectl get pods -n kube-systemue},"type":"portmap"}]}

Explicit Port: shots fired

curl -v http://www.google.com:443
* Host www.google.com:443 was resolved.
* IPv6: 2a00:1450:4009:819::2004
* IPv4: 216.58.201.100
*   Trying 216.58.201.100:443...
* Connected to www.google.com (216.58.201.100) port 443
> GET / HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 10 Jan 2025 16:32:19 GMT
< Content-Length: 19
< 
404 page not found

IpTables dump:

sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-ROUTER-INPUT  all  --  anywhere             anywhere             /* kube-router netpol - 4IA2OSFRMVNDXBVV */
KUBE-PROXY-FIREWALL  all  --  anywhere             anywhere             ctstate NEW /* kubernetes load balancer firewall */
KUBE-NODEPORTS  all  --  anywhere             anywhere             /* kubernetes health check service ports */
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
KUBE-ROUTER-FORWARD  all  --  anywhere             anywhere             /* kube-router netpol - TEMCG2JMHZYE7H7T */
ACCEPT     all  --  anywhere             anywhere             /* allow outbound node port traffic on node interface with which node ip is associated */
ACCEPT     all  --  anywhere             anywhere             /* allow inbound traffic to pods */
ACCEPT     all  --  anywhere             anywhere             /* allow outbound traffic from pods */
KUBE-PROXY-FIREWALL  all  --  anywhere             anywhere             ctstate NEW /* kubernetes load balancer firewall */
KUBE-FORWARD  all  --  anywhere             anywhere             /* kubernetes forwarding rules */
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes externally-visible service portals */
DOCKER-USER  all  --  anywhere             anywhere            
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  10.8.0.0/24          anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
KUBE-ROUTER-OUTPUT  all  --  anywhere             anywhere             /* kube-router netpol - VEAAIY32XVBHCSCY */
KUBE-PROXY-FIREWALL  all  --  anywhere             anywhere             ctstate NEW /* kubernetes load balancer firewall */
KUBE-SERVICES  all  --  anywhere             anywhere             ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL  all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination         
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            

Chain KUBE-EXTERNAL-SERVICES (2 references)
target     prot opt source               destination         

Chain KUBE-FIREWALL (2 references)
target     prot opt source               destination         
DROP       all  -- !127.0.0.0/8          127.0.0.0/8          /* block incoming localnet connections */ ! ctstate RELATED,ESTABLISHED,DNAT

Chain KUBE-FORWARD (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID nfacct-name  ct_state_invalid_dropped_pkts
ACCEPT     all  --  anywhere             anywhere             /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT     all  --  anywhere             anywhere             /* kubernetes forwarding conntrack rule */ ctstate RELATED,ESTABLISHED

Chain KUBE-KUBELET-CANARY (0 references)
target     prot opt source               destination         

Chain KUBE-NODEPORTS (1 references)
target     prot opt source               destination         

Chain KUBE-NWPLCY-DEFAULT (4 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp echo requests */ icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp destination unreachable messages */ icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             /* allow icmp time exceeded messages */ icmp time-exceeded
MARK       all  --  anywhere             anywhere             /* rule to mark traffic matching a network policy */ MARK or 0x10000

Chain KUBE-POD-FW-PPUWBBIA4YUUFR4K (7 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             /* rule to drop invalid state for pod */ ctstate INVALID
ACCEPT     all  --  anywhere             10.244.0.131         /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
KUBE-NWPLCY-DEFAULT  all  --  10.244.0.131         anywhere             /* run through default egress network policy chain */
KUBE-NWPLCY-DEFAULT  all  --  anywhere             10.244.0.131         /* run through default ingress network policy chain */
NFLOG      all  --  anywhere             anywhere             /* rule to log dropped traffic POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
MARK       all  --  anywhere             anywhere             MARK and 0xfffeffff
MARK       all  --  anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 (7 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             /* rule for stateful firewall for pod */ ctstate RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere             /* rule to drop invalid state for pod */ ctstate INVALID
ACCEPT     all  --  anywhere             10.244.0.130         /* rule to permit the traffic traffic to pods when source is the pod's local node */ ADDRTYPE match src-type LOCAL
KUBE-NWPLCY-DEFAULT  all  --  10.244.0.130         anywhere             /* run through default egress network policy chain */
KUBE-NWPLCY-DEFAULT  all  --  anywhere             10.244.0.130         /* run through default ingress network policy chain */
NFLOG      all  --  anywhere             anywhere             /* rule to log dropped traffic POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
MARK       all  --  anywhere             anywhere             MARK and 0xfffeffff
MARK       all  --  anywhere             anywhere             /* set mark to ACCEPT traffic that comply to network policies */ MARK or 0x20000

Chain KUBE-PROXY-CANARY (0 references)
target     prot opt source               destination         

Chain KUBE-PROXY-FIREWALL (3 references)
target     prot opt source               destination         

Chain KUBE-ROUTER-FORWARD (1 references)
target     prot opt source               destination         
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  anywhere             10.244.0.131         /* rule to jump traffic destined to POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  anywhere             10.244.0.131         PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  10.244.0.131         anywhere             /* rule to jump traffic from POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  10.244.0.131         anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  anywhere             10.244.0.130         /* rule to jump traffic destined to POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  anywhere             10.244.0.130         PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  10.244.0.130         anywhere             /* rule to jump traffic from POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  10.244.0.130         anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
ACCEPT     all  --  anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-INPUT (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             10.96.0.0/12         /* allow traffic to primary/secondary cluster IP range - BVHX2PIHDXXEO43X */
RETURN     tcp  --  anywhere             anywhere             /* allow LOCAL TCP traffic to node ports - LR7XO7NXDBGQJD2M */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
RETURN     udp  --  anywhere             anywhere             /* allow LOCAL UDP traffic to node ports - 76UCBPIZNGJNWNUZ */ ADDRTYPE match dst-type LOCAL multiport dports 30000:32767
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  10.244.0.131         anywhere             /* rule to jump traffic from POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  10.244.0.130         anywhere             /* rule to jump traffic from POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
ACCEPT     all  --  anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-ROUTER-OUTPUT (1 references)
target     prot opt source               destination         
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  anywhere             10.244.0.131         /* rule to jump traffic destined to POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-PPUWBBIA4YUUFR4K  all  --  10.244.0.131         anywhere             /* rule to jump traffic from POD name:coredns-7b7b486b6c-92jg2 namespace: kube-system to chain KUBE-POD-FW-PPUWBBIA4YUUFR4K */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  anywhere             10.244.0.130         /* rule to jump traffic destined to POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
KUBE-POD-FW-YBPPYFG7GN5JTNY3  all  --  10.244.0.130         anywhere             /* rule to jump traffic from POD name:metrics-server-78c4ccbc7f-7z9xt namespace: kube-system to chain KUBE-POD-FW-YBPPYFG7GN5JTNY3 */
ACCEPT     all  --  anywhere             anywhere             /* rule to explicitly ACCEPT traffic that comply to network policies */ mark match 0x20000/0x20000

Chain KUBE-SERVICES (2 references)
target     prot opt source               destination    

So, it would appear from the curl test above that port 80 is being mapped to 443 ???

@tomwilde
Author

oh, also no proxy btw..

@twz123
Member

twz123 commented Jan 10, 2025

So, it would appear from the curl test above that port 80 is being mapped to 443 ???

Not necessarily a port map... I suspect that a whole other server is responding. The curl output says "404 page not found" which is definitely not the expected response from the Google webserver. So you're connecting to something else.

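The "packet length too long" alert and the "404 page not found" body are two views of the same event: the client reads the first five bytes of a plaintext HTTP reply as if they were a TLS record header. As an added example (not code from this issue, from curl or from k0s), this Python parser decodes a server's first bytes the way a TLS record layer would; the sample replies below are constructed, not captures from the thread, and the length limit is the RFC 5246 record maximum.

```python
"""Decode what a TLS client actually received in reply to its ClientHello.

A plaintext HTTP reply fed through a TLS record-header parser yields an
unknown content type, an unknown version and an implausible record length,
which is why curl reports "record overflow" / "packet length too long"
rather than a cleaner error.  An empty reply (peer closed the socket) is
what curl reports as "(52) Empty reply from server".
"""
import struct

TLS_RECORD_HEADER_LEN = 5
# RFC 5246, section 6.2.3: a TLSCiphertext record carries at most 2^14 + 2048 bytes.
MAX_TLS_RECORD_LEN = 2 ** 14 + 2048

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_record_header(data: bytes) -> dict:
    """Interpret the first five bytes of `data` as a TLS record header."""
    if len(data) < TLS_RECORD_HEADER_LEN:
        raise ValueError("need at least 5 bytes for a TLS record header")
    # content_type (1 byte) | protocol version (2 bytes) | length (2 bytes), big-endian
    content_type, version, length = struct.unpack("!BHH", data[:TLS_RECORD_HEADER_LEN])
    return {
        "content_type": content_type,
        "content_type_name": CONTENT_TYPES.get(content_type, "unknown"),
        "version": version,
        "version_name": RECORD_VERSIONS.get(version, "unknown"),
        "length": length,
        "overflow": length > MAX_TLS_RECORD_LEN,
    }


def classify_reply(data: bytes) -> dict:
    """Classify the bytes a server sent back after our ClientHello.

    `kind` is one of "empty", "tls", "plaintext_http" or "garbage"; `header`
    is the parsed record header when there were enough bytes to parse one.
    """
    if not data:
        # Peer closed without sending anything: curl's "(52) Empty reply from server".
        return {"kind": "empty", "header": None}
    if len(data) < TLS_RECORD_HEADER_LEN:
        return {"kind": "garbage", "header": None}
    header = parse_record_header(data)
    looks_like_tls = (
        header["content_type"] in CONTENT_TYPES
        and header["version"] in RECORD_VERSIONS
        and not header["overflow"]
    )
    if looks_like_tls:
        return {"kind": "tls", "header": header}
    if data.startswith(b"HTTP/"):
        # 'H','T','T','P','/' decode as type=0x48, version=0x5454, length=0x502f (20527),
        # which exceeds MAX_TLS_RECORD_LEN: the record layer sees an overflowing record.
        return {"kind": "plaintext_http", "header": header}
    return {"kind": "garbage", "header": header}


# Constructed samples (not captures from the issue):
# a genuine TLS 1.2 record whose payload starts a ServerHello,
SERVER_HELLO_START = bytes.fromhex("16 03 03 00 7a 02 00 00 76 03 03")
# the kind of plaintext reply a Go-style HTTP server gives on an unknown path,
HTTP_404_REPLY = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Length: 19\r\n\r\n"
    b"404 page not found"
)
# and a peer that simply closed the connection.
EMPTY_REPLY = b""

if __name__ == "__main__":
    for name, sample in [("tls", SERVER_HELLO_START), ("http", HTTP_404_REPLY), ("empty", EMPTY_REPLY)]:
        print(name, classify_reply(sample))
```

Run against a live socket, the same classifier applied to the first bytes received after sending a ClientHello tells you whether the thing answering on 443 speaks TLS at all, which is the question this thread is circling.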
@tomwilde
Author

So this is a traceroute, I also checked the ip address with a reverseip lookup and it's google!

https://mxtoolbox.com/SuperTool.aspx?action=ptr%3a172.217.16.228&run=toolpage#

traceroute www.google.com
traceroute to www.google.com (142.250.180.4), 30 hops max, 46 byte packets
 1  10.244.0.1 (10.244.0.1)  0.011 ms  0.012 ms  0.012 ms
 2  192.168.0.1 (192.168.0.1)  11.006 ms  3.546 ms  4.331 ms
 3  *  *  *
 4  80.255.196.60 (80.255.196.60)  19.812 ms  17.427 ms  15.834 ms
 5  *  *  *
 6  tcl5-ic-7-ae0-0.network.virginmedia.net (213.105.11.198)  19.964 ms  20.374 ms  33.642 ms
 7  74.125.146.42 (74.125.146.42)  32.144 ms  19.041 ms  27.598 ms
 8  *  *  *
 9  216.239.63.218 (216.239.63.218)  32.972 ms  142.251.52.148 (142.251.52.148)  32.087 ms  216.239.41.240 (216.239.41.240)  26.509 ms
10  192.178.98.6 (192.178.98.6)  26.472 ms  192.178.98.4 (192.178.98.4)  27.133 ms  192.178.97.94 (192.178.97.94)  34.186 ms
11  lhr25s32-in-f4.1e100.net (142.250.180.4)  31.089 ms  29.708 ms  28.205 ms

Also ran the curl explicitly to port 443 cmd on the host, different results but equally no problems with https there either..

curl -v http://www.google.com:443
*   Trying 142.250.178.4:443...
* Connected to www.google.com (142.250.178.4) port 443 (#0)
> GET / HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

@tomwilde
Author

The IP address 10.244.0.1 in that traceroute is odd.. I can't find what it refers to... it's a local to k0s address though.

@tomwilde
Author

The open ports on it:

sudo nmap -sT -p- 10.244.0.1
Starting Nmap 7.80 ( https://nmap.org ) at 2025-01-10 19:11 GMT
Nmap scan report for 10.244.0.1
Host is up (0.00036s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
111/tcp   open  rpcbind
2049/tcp  open  nfs
3389/tcp  open  ms-wbt-server
6443/tcp  open  sun-sr-https
8080/tcp  open  http-proxy
10249/tcp open  unknown
10250/tcp open  unknown
10256/tcp open  unknown
20244/tcp open  unknown
40725/tcp open  unknown
44317/tcp open  unknown
48427/tcp open  unknown
50885/tcp open  unknown
60749/tcp open  unknown

@jnummelin
Member

10.244.0.1 is the kube-router interface on the node

@jnummelin
Member

Could you try with tcptraceroute, e.g. something like:

tcptraceroute www.google.com <80/443>

that traces the "real" connection to the requested port.

As you see very different[1] responses from us (myself & @twz123 ), we think there's something in your network path that routes the SSL calls to some other service for some reason. Maybe because the traffic originates from the pod network with 10.244.x.y addresses.

[1] This is what I see:

# curl -v http://www.google.com:443
* Host www.google.com:443 was resolved.
* IPv6: 2a00:1450:4026:804::2004
* IPv4: 216.58.209.196
*   Trying 216.58.209.196:443...
* Connected to www.google.com (216.58.209.196) port 443
> GET / HTTP/1.1
> Host: www.google.com:443
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* Empty reply from server
* Closing connection
curl: (52) Empty reply from server

Notice that I see Empty reply from server whereas you got 404

If I connect directly to the IP on https:

# curl -k -v https://216.58.209.196
*   Trying 216.58.209.196:443...
* Connected to 216.58.209.196 (216.58.209.196) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
*  subject: OU=No SNI provided; please fix your client.; CN=invalid2.invalid
*  start date: Jan  1 00:00:00 2015 GMT
*  expire date: Jan  1 00:00:00 2030 GMT
*  issuer: OU=No SNI provided; please fix your client.; CN=invalid2.invalid
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
*   Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://216.58.209.196/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 216.58.209.196]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.7.1]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: 216.58.209.196
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 301 
< location: http://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-aYK0lmeTiBvjMSR63IYYVA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Mon, 13 Jan 2025 10:06:00 GMT
< expires: Wed, 12 Feb 2025 10:06:00 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 219
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
< 
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.com/">here</A>.
</BODY></HTML>

Notice the special server cert the server sends me 😄

@tomwilde
Author

hi, had a chance to run the traceroute...

tcptraceroute www.google.com <80/443>
debug:~# tcptraceroute www.google.com 80
Selected device eth0, address 10.244.0.139, port 58157 for outgoing packets
Tracing the path to www.google.com (142.250.187.196) on TCP port 80 (http), 30 hops max
 1  lhr25s33-in-f4.1e100.net (142.250.187.196) [open]  0.096 ms  0.084 ms  0.078 ms
debug:~# 
debug:~# 
debug:~# tcptraceroute www.google.com 443
Selected device eth0, address 10.244.0.139, port 39003 for outgoing packets
Tracing the path to www.google.com (142.250.187.196) on TCP port 443 (https), 30 hops max
 1  lhr25s33-in-f4.1e100.net (142.250.187.196) [open]  0.089 ms  0.074 ms  0.080 ms
