Hi After updating to 1 32 2 from 1 32 1 I got the following Rancher Users #k3s

Hi, After updating to 1.32.2 from 1.32.1 I got the...

salmon-dress-95863

02/28/2025, 7:15 AM

Hi, After updating to 1.32.2 from 1.32.1 I got the following errors in log:

Copy code

E0227 20:36:41.752351  411079 proxier.go:1564] "Failed to execute iptables-restore" err=<
        exit status 1: Ignoring deprecated --wait-interval option.
        Warning: Extension statistic revision 0 not supported, missing kernel module?
        iptables-restore: line 86 failed
 >
...
411079 reflector.go:166] "Unhandled Error" err="<http://k8s.io/client-go@v1.32.2-k3s1/tools/cache/reflector.go:251|k8s.io/client-go@v1.32.2-k3s1/tools/cache/reflector.go:251>: Failed to watch *v1.PartialObjectMetadata: failed to list *v1.PartialObjectMetadata: the server could not find the requested resource"
411079 reflector.go:569] <http://k8s.io/client-go@v1.32.2-k3s1/tools/cache/reflector.go:251|k8s.io/client-go@v1.32.2-k3s1/tools/cache/reflector.go:251>: failed to list *v1.PartialObjectMetadata: the server could not find the requested resource

Adding

CONFIG_NETFILTER_XT_MATCH_STATISTIC

in kernel fixes the issue. Not sure if it's required in the base k3s. Seems to happen in association with cert-manager because the helm chart was in failed state, I'm not sure. There is no mention of this kernel option in the output of

k3s check-config

. Should it be added?

✅ 1

creamy-pencil-82913

02/28/2025, 8:13 AM

its possible upstream added use of the --wait-interval flag to kube-proxy. Did you check the changelog?

salmon-dress-95863

02/28/2025, 8:14 AM

The error itself is the module is missing. --wait-interval is unrelated (though deprecated apparently)

creamy-pencil-82913

02/28/2025, 8:15 AM

think so?

creamy-pencil-82913

02/28/2025, 8:16 AM

I never know what iptables flags need what modules to work

salmon-dress-95863

02/28/2025, 8:16 AM

Added

CONFIG_NETFILTER_XT_MATCH_STATISTIC

to my kernel and all errors went away at least

creamy-pencil-82913

02/28/2025, 8:17 AM

It looks to me like that option has been required for a long time

salmon-dress-95863

02/28/2025, 8:18 AM

Hmm OK. Yeah, not sure why it started giving errors now. Just wanted to make you aware of it

creamy-pencil-82913

02/28/2025, 8:18 AM

blame on the related kube-proxy code that uses

-m statistic

shows it was added by this commit in 2021, and that was just a move from somewhere else. https://github.com/kubernetes/kubernetes/commit/8ef1255cdde2#diff-2ccafd63d57233fd0697b9852514604ab880e29aeb073035765ad7541cad1b35R1642

salmon-dress-95863

02/28/2025, 8:20 AM

OK. Don't know why it popped up now in that case. Thanks!

creamy-pencil-82913

02/28/2025, 8:21 AM

last change before that touching

-m statistic

was 10 years ago at which point it was also already there… so yeah I’d say it’s always been required.

creamy-pencil-82913

02/28/2025, 8:21 AM

Did you upgrade your kernel at the same time?

salmon-dress-95863

02/28/2025, 8:22 AM

No. Updated k3s and it started giving these errors. Updated kernel + added kernel option above after it happened

creamy-pencil-82913

02/28/2025, 8:22 AM

we haven’t changed anything around kube-proxy in this release, and I am not seeing any related changes upstream. so not sure what to suggest as the cause.

salmon-dress-95863

02/28/2025, 8:23 AM

No problem! Should it be added to the list of requirements in check-config? Otherwise I think it' all OK

creamy-pencil-82913

02/28/2025, 8:34 AM

yeah probably. I don’t know that the list we have in check-config is super up to date. that script is kinda best-effort. If you are up for opening a PR that’d be appreciated.

salmon-dress-95863

02/28/2025, 8:47 AM

https://github.com/k3s-io/k3s/pull/11860

👍 1

108 Views

Open in Slack

Previous Next