
colossal-television-75726

03/30/2023, 3:12 PM
Hi I have a problem with the Flannel VXLAN interface on RKE2 and I'm not quite sure where to put this: I can't restrict Flannel to listen on a specific address other than 0.0.0.0. I use Canal as CNI and configured it over a HelmChartConfiguration to use a specific interface. Although the interface itself is configured correctly, the service listens on 0.0.0.0:8472 (according to netstat -tulpn). Does anyone know how to fix this? Or do you know on which GitHub repository I should open an Issue? Thanks in advance!

rough-farmer-49135

03/30/2023, 3:55 PM
If I recall correctly, flannel sets items in the routing table for different IP ranges, so I'm not sure you can restrict the IP range it listens on. Though that's a guess, so it might be possible?

colossal-television-75726

03/30/2023, 4:31 PM
Thanks for the input. I hope there is a way, since it's a security concern to me. For a little bit of context: the link shows 10.0.0.1 (not 0.0.0.0) and the interface abc:
ip -d link show flannel.1
5: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1370 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/ether aa:bb:cc:dd:ee:ff brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535
    vxlan id 1 local 10.0.0.1 dev abc srcport 0 0 dstport 8472 nolearning ttl auto ageing 300 udpcsum noudp6zerocsumtx noudp6zerocsumrx addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
But flannel listens on 0.0.0.0:
netstat -tulpn
udp 0  0 0.0.0.0:8472   0.0.0.0:*    -
Maybe I'm missing something

rough-farmer-49135

03/30/2023, 4:56 PM
Look at the output of
route -n
and you'll notice a route to each kubernetes node with the flannel interface. Why it shows up as all in netstat, I'm not sure.

colossal-television-75726

03/30/2023, 5:39 PM
Since this is (currently) a single node cluster, there is no route to any other Kubernetes node. But this is very strange: netstat -tulpn isn't showing me the PID and the state, so there is no state LISTEN on 8472, but netstat lists it. I run wireguard on the machine, and the wireguard port is listed the same way (no state, no PID) and is open. This is why I'm concerned.

rough-farmer-49135

03/30/2023, 5:56 PM
If you aren't getting a PID why do you conclude it's flannel?

colossal-television-75726

03/30/2023, 5:57 PM
Because it is the port listed on the RKE2 page as Flannel VXLAN, and the link flannel.1 shows me 8472. Tearing down the RKE2 cluster results in the port getting closed.

creamy-pencil-82913

03/30/2023, 6:22 PM
^^ that’s where to go ask

colossal-television-75726

03/30/2023, 6:48 PM
Great, thanks 🙂 I was unsure whether this is caused by RKE2 config or flannel itself. Thanks for the help @rough-farmer-49135 and @creamy-pencil-82913
Flannel doesn't seem to cause the problem (confirmed by a flannel developer). Using Calico as CNI yields the same behavior (this time, PID and state are visible, listening on :::5473). So it's either a misconfiguration on my side or some strange behavior of the CNIs.
After some more research I can say that this has nothing to do with RKE2 components. Apparently, this is a common behavior for VXLAN interfaces and I can reproduce this by creating the IP link manually.