k3s version v1.31.4+k3s1 (a562d090) selinux iptables issue #11510

Open
martinsarrionandia opened this issue Dec 31, 2024 · 2 comments
Comments

@martinsarrionandia

Environmental Info:
K3s Version:

[root@rancher ~]# k3s -v
k3s version v1.31.4+k3s1 (a562d09)
go version go1.22.9

Node(s) CPU architecture, OS, and Version:

Linux rancher.sarrionandia.co.uk 5.14.0-542.el9.aarch64 #1 SMP PREEMPT_DYNAMIC Wed Dec 11 17:26:47 UTC 2024 aarch64 aarch64 aarch64 GNU/Linux

Cluster Configuration:

Single Node

Describe the bug:

Something has changed in either k3s or the k3s-selinux policy. The latest version of k3s is not able to manipulate iptables with the current and latest version of the selinux policies. This WAS working with the previous version of k3s. Performing a setenforce 0 allows the pod to start.

[root@rancher log]# rpm -q -a|grep selinux
libselinux-3.6-2.el9.aarch64
python3-libselinux-3.6-2.el9.aarch64
libselinux-utils-3.6-2.el9.aarch64
selinux-policy-38.1.50-1.el9.noarch
selinux-policy-targeted-38.1.50-1.el9.noarch
rpm-plugin-selinux-4.16.1.3-36.el9.aarch64
container-selinux-2.233.0-1.el9.noarch
k3s-selinux-1.6-1.el9.noarch

[root@rancher ~]# kubectl logs svclb-traefik-8cd4a817-q768g -n kube-system
Defaulted container "lb-tcp-80" out of: lb-tcp-80, lb-tcp-443

+ trap exit TERM INT
+ BIN_DIR=/sbin
+ check_iptables_mode
+ set +e
[INFO] nft mode detected
++ lsmod
++ grep -qF nf_tables
+ '[' 0 '=' 0 ]
+ mode=nft
+ set -e
+ info 'nft mode detected'
+ set_nft
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables-save
+ ln -sf /sbin/xtables-nft-multi /sbin/iptables-restore
+ ln -sf /sbin/xtables-nft-multi /sbin/ip6tables
+ start_proxy
+ grep -Eq :
+ echo 0.0.0.0/0
+ iptables -t filter -I FORWARD -s 0.0.0.0/0 -p TCP --dport 31164 -j ACCEPT
Warning: Extension tcp revision 0 not supported, missing kernel module?
iptables v1.8.10 (nf_tables): RULE_INSERT failed (No such file or directory): rule in chain FORWARD

Steps To Reproduce:

Setup selinux and stuff
Install latest K3S without traefik
Install traefik via helm chart
Install rancher via helm chart

See Script.
https://github.com/martinsarrionandia/aws-rancher/blob/main/modules/rancher-instance/templates/rancher_boot.sh

Expected behavior:

All pods should start

Actual behavior:

svclb-traefik doesn't start

Additional context / logs:
See attached selinux audit.log

@martinsarrionandia
Author
audit.log
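Added example, not code from k3s, k3s-selinux or the issue reporter: a small shell triage script for the kind of audit.log excerpt attached above. It extracts the AVC denials raised by the iptables/xtables binaries, reports the requested permission, target class and source context, and says whether each denial was logged in enforcing mode (the pod actually failed) or in permissive mode (after setenforce 0, when the kernel logs what it would have blocked but lets the call through). The audit lines embedded in it are constructed for illustration and are not the denials from this issue; the container_t context and the netlink_netfilter_socket class are assumptions about what an nf_tables-backed iptables call touches, not a claim about this report.

```shell
#!/bin/sh
# Added example, not code from k3s, k3s-selinux or the issue reporter.
# Triage AVC denials from an audit.log excerpt: list the denials raised by
# the iptables/xtables binaries and whether each one was actually blocked.
#
# The audit lines below are CONSTRUCTED for illustration. They are not the
# denials attached to this issue; the container_t context and the
# netlink_netfilter_socket class are assumptions about what an nf_tables
# backed iptables call touches.
AUDIT_SAMPLE='type=AVC msg=audit(1735603200.123:9101): avc:  denied  { create } for  pid=4242 comm="iptables" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_t:s0:c123,c456 tclass=netlink_netfilter_socket permissive=0
type=SYSCALL msg=audit(1735603200.123:9101): arch=c00000b7 syscall=198 success=no exit=-13 comm="iptables" exe="/usr/sbin/xtables-nft-multi"
type=AVC msg=audit(1735603201.456:9102): avc:  denied  { read } for  pid=4243 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1735603202.789:9103): avc:  denied  { nlmsg_write } for  pid=4244 comm="xtables-nft-mul" scontext=system_u:system_r:container_t:s0:c123,c456 tcontext=system_u:system_r:container_t:s0:c123,c456 tclass=netlink_netfilter_socket permissive=1'

# avc_denials PATTERN [FILE]
# Prints one line per AVC denial whose comm matches the extended regex PATTERN:
#   comm permission tclass scontext enforcing|permissive
# Reads FILE if given, otherwise the embedded sample.
avc_denials() {
    pattern="$1"
    if [ -n "$2" ]; then
        cat "$2"
    else
        printf '%s\n' "$AUDIT_SAMPLE"
    fi | awk -v pat="$pattern" '
        /^type=AVC / && /avc: +denied/ {
            comm = ""; tclass = ""; scx = ""; perm = ""; mode = "enforcing"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "tclass")   tclass = kv[2]
                if (kv[1] == "scontext") scx = kv[2]
                if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
            }
            # the requested permission sits between the braces: "{ create }"
            if (match($0, /\{[^}]*\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            if (comm ~ pat) printf "%s %s %s %s %s\n", comm, perm, tclass, scx, mode
        }'
}

# blocked_count PATTERN [FILE]
# Number of matching denials that were really blocked (permissive=0). This is
# the enforcing-mode failure a pod sees; permissive=1 entries are what
# setenforce 0 lets through while still logging them.
blocked_count() {
    avc_denials "$1" "$2" | grep -c 'enforcing$'
}

avc_denials 'iptables|xtables'
echo "blocked: $(blocked_count 'iptables|xtables')"
```

On the real host, pipe the output of `ausearch -m AVC -ts today` (or the raw /var/log/audit/audit.log) into the same function instead of the embedded sample, and run `semodule -l | grep k3s` to confirm the k3s-selinux module is actually loaded. Collecting the permissive=1 denials after setenforce 0 gives the full set of rules the policy would need, which is more useful in a bug report than the single enforcing-mode failure that stops the pod.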

@martinsarrionandia
Author

martinsarrionandia commented Dec 31, 2024

Quick update. This only happens when EPEL is enabled.

#dnf -y config-manager --set-enabled crb
dnf -y install epel-release epel-next-release
dnf -y install amazon-ec2-utils

🤷🏻‍♂️

Close this if you want. I will just turn EPEL off. Probably it's affecting something in the k3s install script.
