
Fix UCP Calico config for RP filter

Article ID: KB000945

Issue

The default value of the Linux kernel setting net.ipv4.conf.all.rp_filter is 1 (strict reverse-path filtering). If it has been changed to a non-default value such as 2 (loose mode), some of your Calico pods will crash. To confirm this, source an admin client bundle and run:

$ kubectl get pods -n kube-system
NAME                                      READY     STATUS             RESTARTS   AGE
calico-kube-controllers-c97f976d4-6qhjq   1/1       Running            0          16h
calico-node-f8kj6                         2/2       Running            277        16h
calico-node-wxns9                         1/2       CrashLoopBackOff   281        16h
calico-node-xvp84                         1/2       CrashLoopBackOff   283        16h
compose-9d997b755-lz2jn                   1/1       Running            0          16h
kube-dns-5f96fd8fbd-6wgtp                 3/3       Running            0          16h


$ kubectl logs --tail=3 calico-node-wxns9 -n kube-system calico-node
2018-03-18 16:18:03.742 [INFO][358] ipsets.go 116: Queueing IP set for creation family="inet" setID="masq-ipam-pools" setType="hash:net"
2018-03-18 16:18:03.742 [INFO][358] int_dataplane.go 382: Registering to report health.
2018-03-18 16:18:03.742 [FATAL][358] int_dataplane.go 768: Kernel's RPF check is set to 'loose'.  This would allow endpoints to spoof their IP address.  Calico requires net.ipv4.conf.all.rp_filter to be set to 0 or 1. If you require loose RPF and you are not concerned about spoofing, this check can be disabled by setting the IgnoreLooseRPF configuration parameter to 'true'.
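The FATAL line above is the outcome of a check Felix runs at startup: it reads net.ipv4.conf.all.rp_filter and refuses to start unless the value is 0 or 1. The following POSIX shell script, added here as an example and not part of the KB article or of the Calico project, reproduces that decision against a sysctl-style listing so a node can be tested before calico-node enters CrashLoopBackOff. The sample listing is constructed; on a real node you would pipe in the live sysctl output as shown in the trailing comment. Note what the log message itself points out: loose mode lets endpoints spoof their source IP, so the resolution below (ignoreLooseRPF) trades that protection for uptime, and resetting rp_filter to 1 is the alternative when loose RPF is not actually required.

```shell
#!/bin/sh
# Added example, not from the KB article: reproduce Felix's startup check on
# net.ipv4.conf.all.rp_filter against a sysctl-style listing, so a node can be
# tested before calico-node hits the FATAL shown in the logs.

# Kernel meaning of an rp_filter value (0, 1 or 2).
rpf_mode() {
  case "$1" in
    0) echo "disabled" ;;
    1) echo "strict" ;;
    2) echo "loose" ;;
    *) echo "unknown" ;;
  esac
}

# Felix accepts 0 or 1 for net.ipv4.conf.all.rp_filter; anything else trips
# the RPF check unless ignoreLooseRPF is set in the FelixConfiguration.
felix_rpf_accepts() {
  case "$1" in
    0|1) return 0 ;;
    *)   return 1 ;;
  esac
}

# Read "key = value" lines (the format of `sysctl -a | grep rp_filter`) from
# stdin, print every rp_filter setting, and return 1 if the "all" value is one
# Felix rejects. Only net.ipv4.conf.all.rp_filter is decisive for Felix; the
# per-interface lines are printed for context because the kernel applies the
# higher of "all" and the interface's own value.
check_rpf_listing() {
  all_val=""
  while IFS= read -r line; do
    key=${line%% =*}
    val=${line##*= }
    iface=${key#net.ipv4.conf.}
    iface=${iface%.rp_filter}
    printf '%-8s rp_filter=%s (%s)\n' "$iface" "$val" "$(rpf_mode "$val")"
    if [ "$iface" = "all" ]; then
      all_val=$val
    fi
  done
  if [ -z "$all_val" ]; then
    echo "no net.ipv4.conf.all.rp_filter line found"
    return 2
  fi
  if felix_rpf_accepts "$all_val"; then
    echo "OK: Felix RPF check passes (all.rp_filter=$all_val)"
    return 0
  fi
  echo "FATAL: Felix RPF check fails (all.rp_filter=$all_val, $(rpf_mode "$all_val")); set it to 1 or enable ignoreLooseRPF"
  return 1
}

# Constructed sample listing from a node where "all" was changed to 2.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0'

# Run against the sample; on a live node pipe in the real listing instead:
#   sysctl -a 2>/dev/null | grep rp_filter | check_rpf_listing
printf '%s\n' "$SAMPLE_SYSCTL" | check_rpf_listing || true
```

Running the script on each node before and after a change to rp_filter tells you whether calico-node will come up without touching the Felix configuration at all; the sysctl value is the root cause, ignoreLooseRPF only suppresses the check.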

Resolution

To fix this, use the following steps:

  1. Follow the 'Configure calicoctl' step in the UCP documentation to set up the calicoctl tool on a manager node in the cluster.

  2. Test out your calicoctl connectivity and check the default Felix configuration:

    $ calicoctl get felixconfiguration -o yaml
    apiVersion: projectcalico.org/v3
    items:
    - apiVersion: projectcalico.org/v3
      kind: FelixConfiguration
      metadata:
        creationTimestamp: 2018-04-04T16:44:57Z
        name: default
        resourceVersion: "90"
        uid: 828a1779-3827-11e8-9543-021ee5fdf754
      spec:
        ipipEnabled: true
        logSeverityScreen: Info
        reportingInterval: 0s
    - apiVersion: projectcalico.org/v3
      kind: FelixConfiguration
      metadata:
        creationTimestamp: 2018-04-04T16:44:57Z
        name: node.ip-172-31-35-236
        resourceVersion: "91"
        uid: 828c4ca0-3827-11e8-9543-021ee5fdf754
      spec:
        defaultEndpointToHostAction: Return
    - apiVersion: projectcalico.org/v3
      kind: FelixConfiguration
      metadata:
        creationTimestamp: 2018-04-04T16:52:24Z
        name: node.ip-172-31-37-148
        resourceVersion: "778"
        uid: 8cf2b1c6-3828-11e8-a008-023fa2163550
      spec:
        defaultEndpointToHostAction: Return
    - apiVersion: projectcalico.org/v3
      kind: FelixConfiguration
      metadata:
        creationTimestamp: 2018-04-04T16:52:27Z
        name: node.ip-172-31-39-4
        resourceVersion: "803"
        uid: 8e46b395-3828-11e8-8bb4-02f00e690bce
      spec:
        defaultEndpointToHostAction: Return
    kind: FelixConfigurationList
    metadata:
      resourceVersion: "81643"
    
  3. Create a new Felix configuration with ignoreLooseRPF enabled, keeping the existing default spec fields, and save it to a file called felix.yaml (see https://docs.projectcalico.org/v3.0/reference/calicoctl/resources/felixconfig):

    $ cat felix.yaml
    apiVersion: projectcalico.org/v3
    kind: FelixConfiguration
    metadata:
      name: default
    spec:
      ipipEnabled: true
      logSeverityScreen: Info
      reportingInterval: 0s
      ignoreLooseRPF: true
    
  4. Apply the new Felix configuration file:

    $ calicoctl apply -f - < felix.yaml
    
  5. Within a few minutes, you should see the calico-node pods come back up with kubectl:

    $ kubectl get pods -n kube-system
    NAME                                      READY     STATUS    RESTARTS   AGE
    calico-kube-controllers-c97f976d4-6qhjq   1/1       Running   0          17h
    calico-node-f8kj6                         2/2       Running   277        17h
    calico-node-wxns9                         2/2       Running   282        17h
    calico-node-xvp84                         2/2       Running   286        17h
    compose-9d997b755-lz2jn                   1/1       Running   0          17h
    kube-dns-5f96fd8fbd-6wgtp                 3/3       Running   0          17h