Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
c
colossal-television-75726
03/30/2023, 3:12 PMHi
I have a problem with the Flannel VXLAN interface on RKE2 and I'm not quite sure where to put this:
I can't restrict Flannel to listen on a specific address other than 0.0.0.0.
I use Canal as CNI and configured it over a HelmChartConfiguration to use a specific interface.
Although the interface itself is configured correctly, the service listens on 0.0.0.0:8472 (according to netstat -tulpn).
Does anyone know how to fix this? Or do you know on which GitHub repository I should open an Issue?
Thanks in advance!
r
rough-farmer-49135
03/30/2023, 3:55 PMIf I recall correctly, flannel sets items in the routing table for different IP ranges, so I'm not sure you can restrict the IP range it listens on. Though that's a guess, so it might be possible?
c
colossal-television-75726
03/30/2023, 4:31 PMThanks for the input.
I hope there is a way, since it's a security concern to me.
For a little bit of context:
The link shows 10.0.0.1 (not 0.0.0.0) and the interface
abcip -d link show flannel.15: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1370 qdisc noqueue state UNKNOWN mode DEFAULT group default
link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
vxlan id 1 local 10.0.0.1 dev abc srcport 0 0 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535netstat -tulpnudp 0 0 0.0.0.0:8472 0.0.0.0:* -r
rough-farmer-49135
03/30/2023, 4:56 PMLook at the output of
route -nc
colossal-television-75726
03/30/2023, 5:39 PMSince this is (currently) a single node cluster, there is no route to any other Kuberentes node.
But this is very strange:
netstat -tulpnLISTEN8472netstatr
rough-farmer-49135
03/30/2023, 5:56 PMIf you aren't getting a PID why do you conclude it's flannel?
c
colossal-television-75726
03/30/2023, 5:57 PMBecause it is the port listed on the RKE2 page as Flannel VXLAN and the link
flannel.18472c
creamy-pencil-82913
03/30/2023, 6:22 PM^^ that’s where to go ask
c
colossal-television-75726
03/30/2023, 6:48 PMGreat, thanks 🙂
I was unsure whether this is caused by RKE2 config or flannel itself.
Thanks for the help @rough-farmer-49135 and @creamy-pencil-82913
Flannel doesn't seem to cause the problem (confirmed by flannel developer).
Using Calico as CNI yields the same behavior (this time, PID and state is visible, listening on :::5473.
So it's either a misconfiguration on my side or some strange behavior of the CNIs.
After some more research I can say that this has nothing to do with RKE2 components.
Apparently, this is a common behavior for VXLAN interfaces and I can reproduce this by creating the IP link manually.