plain-dress-30909 12/27/2022, 7:31 AM
late-needle-80860 12/27/2022, 10:31 AM
plain-dress-30909 12/27/2022, 12:07 PM
backend. There's no external CNI, and k3s flannel should provide the network policy engine out-of-the-box and also not need to disable kube-proxy (please correct me if it's wrong). iptables: iptables v1.8.7 (nf_tables), Ubuntu 22.04. There is no additional info in journalctl -u k3s-agent. When I run
date; while ! echo</dev/tcp/redis/6379; do date; sleep 10; done ; date; echo "succeess"
the container's log is this:
(strip) Tue Dec 27 12:02:28 UTC 2022 bash: connect: Connection refused bash: /dev/tcp/redis/6379: Connection refused Tue Dec 27 12:02:39 UTC 2022 Tue Dec 27 12:02:49 UTC 2022 succeess
The log is only
level=debug msg="cgroupv2 io stats: skipping over unmappable dbytes=0 entry"
level=debug msg="cgroupv2 io stats: skipping over unmappable dios=0 entry"
even though I enabled
level=debug msg="Wrote ping"
late-needle-80860 12/27/2022, 12:28 PM
plain-dress-30909 12/27/2022, 1:04 PM
> So you have a default rule of deny all... that's why there's a connection refused to redis in the container logs? And then up until 10 minutes later the connection goes through because you have a rule that opens up the connection to redis?
That's right, redis has an ingress NetworkPolicy that only allows connections from app.
> What about just general journalctl - any useful info?
There is no useful info…
> I can read that flannel does actually not robustly support network policies. You would need to combine flannel with calico to bring you > https://projectcalico.docs.tigera.io/getting-started/kubernetes/flannel/flannel - canal
I considered using other CNIs, but it means I need to install calico separately, and I want to keep it simple (k3s only needs curl | sh with some env vars to install; that's one of the reasons to use k3s), so I prefer to resolve this with the k3s-included flannel/network policy provider if possible… but I will take a look again, thanks.
late-needle-80860 12/27/2022, 4:07 PM