
Update kubelet.service #526

Merged
merged 2 commits into from
Nov 2, 2020

Conversation

rfox-godaddy
Contributor

Issue #, if available:

Description of changes:
If kubelet wins the systemd startup race against iptables, then the
`ExecStartPre=/sbin/iptables -P FORWARD ACCEPT -w 5` may be clobbered by existing rules.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@GnatorX

GnatorX commented Aug 26, 2020

To add more context: both https://github.com/awslabs/amazon-eks-ami/blob/master/files/iptables-restore.service#L5 and https://github.com/awslabs/amazon-eks-ami/blob/master/files/kubelet.service#L4 happen after docker.service. The problem we ran into is that we perform an iptables save as part of our custom AMI. This means that on node startup there is a race between kubelet and iprestore. If kubelet runs first, then FORWARD ACCEPT gets clobbered by iprestore. This proposed change will ensure iprestore happens before kubelet, so that FORWARD ACCEPT will always be applied regardless of what is saved in iptables.

@jacknagel
Contributor

We've been impacted by this as well. In fact, if you follow the official instructions for blocking access to IMDS from pods (https://docs.aws.amazon.com/eks/latest/userguide/restrict-ec2-credential-access.html), you end up in this exact situation, where iptables-restore can clobber the kubelet's FORWARD ACCEPT. Now that we understand the issue, we've worked around it, but it would be nice to see this merged.
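The ordering fix that the description, GnatorX's comment and the IMDS-blocking report above all describe can be expressed as a systemd drop-in for `kubelet.service`. The unit file below is an added example, not the diff merged in this PR and not a file from the amazon-eks-ami project; the drop-in path and the choice of a drop-in rather than an edit to the shipped unit are assumptions. It uses only the two unit names that appear on this page, `kubelet.service` and `iptables-restore.service`.

```ini
# Added example (not this PR's change): /etc/systemd/system/kubelet.service.d/10-after-iptables-restore.conf
# (path is an assumption). Orders kubelet after iptables-restore.service so that the
# restored ruleset from a saved iptables state is applied *before* kubelet's
# ExecStartPre runs "/sbin/iptables -P FORWARD ACCEPT -w 5". Without this ordering the
# two units race after docker.service, and a restore that lands second resets the
# FORWARD policy to whatever was saved in the AMI.
[Unit]
# After= is ordering only: if both units are queued in the same boot transaction,
# kubelet waits until iptables-restore.service has finished. It does not pull the
# restore unit in; that unit stays enabled or disabled on its own.
After=iptables-restore.service

# Verify after "systemctl daemon-reload": the restore unit must appear in the
# effective After= list, and the FORWARD policy must read ACCEPT once kubelet is up.
#   systemctl show -p After kubelet.service
#   iptables -S FORWARD | head -n 1        # expected: -P FORWARD ACCEPT
```

`After=` was chosen over `Wants=` deliberately: adding `Wants=iptables-restore.service` would also start the restore unit whenever kubelet starts, which changes behaviour on nodes that intentionally leave it disabled, whereas the reports here only need the relative order fixed. For a detection check independent of systemd, a DROP policy on FORWARD after boot (visible in the `iptables -S FORWARD` output above, or as pod-to-pod traffic failing only on freshly booted nodes) is the symptom this race produces.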

@heybronson heybronson merged commit a4a1402 into awslabs:master Nov 2, 2020
@rfox-godaddy rfox-godaddy deleted the patch-2 branch November 2, 2020 20:45