
acceptable-soccer-28720

03/29/2023, 1:43 PM
RD 1.8.1 on Windows 10 with gvisor or networkingTunnel=true does not run svclb-traefik successfully. Environment has a company internal proxy. Situation occurs with or without (at the office) VPN.
kube-system   svclb-traefik-4hbl4                       0/2     CrashLoopBackOff   212        5d4h
kubectl describe pod -n kube-system svclb-traefik-4hbl4
Events:
  Type     Reason          Age                   From     Message
  ----     ------          ----                  ----     -------
  Warning  BackOff         4d21h (x649 over 5d)  kubelet  Back-off restarting failed container
  Warning  FailedMount     110s                  kubelet  MountVolume.SetUp failed for volume "kube-api-access-lbpcr" : [failed to fetch token: serviceaccounts "default" is forbidden: User "system:node:mynode" cannot create resource "serviceaccounts/token" in API group "" in the namespace "kube-system": no relationship found between node 'mynode' and this object, failed to sync configmap cache: timed out waiting for the condition]
  Warning  FailedMount     108s                  kubelet  MountVolume.SetUp failed for volume "kube-api-access-lbpcr" : failed to sync configmap cache: timed out waiting for the condition
  Normal   SandboxChanged  107s                  kubelet  Pod sandbox changed, it will be killed and re-created.
  Normal   Pulled          87s (x2 over 102s)    kubelet  Container image "rancher/klipper-lb:v0.3.4" already present on machine
  Normal   Created         87s (x2 over 101s)    kubelet  Created container lb-port-80
  Normal   Started         87s (x2 over 101s)    kubelet  Started container lb-port-80
  Normal   Pulled          87s (x2 over 101s)    kubelet  Container image "rancher/klipper-lb:v0.3.4" already present on machine
  Normal   Created         86s (x2 over 101s)    kubelet  Created container lb-port-443
  Normal   Started         86s (x2 over 101s)    kubelet  Started container lb-port-443
  Warning  BackOff         70s (x5 over 101s)    kubelet  Back-off restarting failed container
  Warning  BackOff         70s (x5 over 101s)    kubelet  Back-off restarting failed container
kubectl logs -n kube-system svclb-traefik-4hbl4
Defaulted container "lb-port-80" out of: lb-port-80, lb-port-443
+ trap exit TERM INT
+ echo this-ip
+ grep -Eq :
+ cat /proc/sys/net/ipv4/ip_forward
+ '[' 0 '!=' 1 ]
+ exit 1
working reference from another RD 1.8.1 on Windows 10:
kubectl logs -n kube-system svclb-traefik...

+ trap exit TERM INT
+ echo 0.0.0.0/0
+ grep -Eq :
+ iptables -t filter -I FORWARD -s 0.0.0.0/0 -p TCP --dport 80 -j ACCEPT
+ echo some-ip
+ grep -Eq :
+ cat /proc/sys/net/ipv4/ip_forward
+ '[' 1 '==' 1 ]
+ iptables -t filter -A FORWARD -d some-ip/32 -p TCP --dport 80 -j DROP
+ iptables -t nat -I PREROUTING '!' -s some-ip/32 -p TCP --dport 80 -j DNAT --to some-ip:80
+ iptables -t nat -I POSTROUTING -d some-ip/32 -p TCP -j MASQUERADE
+ '[' '!' -e /pause ]
+ mkfifo /pause

calm-sugar-3169

03/29/2023, 7:30 PM
Thanks for bringing this up, I have a few questions for you.
working reference from another RD 1.8.1 on Windows 10
does it mean it works with gvisor off? also, are you able to grab the logs and send them to me? (feel free to send them to me direct) thanks

acceptable-soccer-28720

03/30/2023, 4:34 AM
It does not work with gvisor off. With gvisor off no pod reaches the running state. Note that the second example, labeled with "working reference", is in an environment without proxy, just a regular Windows environment, thus without gvisor. I am going to collect the logs and send them to you.

calm-sugar-3169

03/30/2023, 9:47 PM
Note that the second example, labeled with “working reference” is in an environment without proxy, just a regular Windows environment, thus without gvisor
got it, that makes sense
Also, thanks for the logs