k3s iptables policies are being unexpectedly deleted

[garfcat]

The POD has port mapping as follows:

ports:

• containerPort: 80
  hostPort: 8440
  protocol: TCP

When started, it can add iptables policies normally.

A CNI-DN-34d12f4583f5ecbe79fd3 -s 10.42.0.0/24 -p tcp -m tcp --dport 8440 -j CNI-HOSTPORT-SETMARK

But after running for a while, I see the following:

Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.522757   32979 iptables.go:243] Adding iptables rule: ! -s 10.42.0.0/16 -d 10.42.0.0/16 -m comment --comment flanneld masq -j MASQUERADE
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.518519   32979 iptables.go:243] Adding iptables rule: ! -s 10.42.0.0/16 -d 10.42.0.0/24 -m comment --comment flanneld masq -j RETURN
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.514776   32979 iptables.go:243] Adding iptables rule: -s 10.42.0.0/16 ! -d 224.0.0.0/4 -m comment --comment flanneld masq -j MASQUERADE
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.510732   32979 iptables.go:243] Adding iptables rule: -s 10.42.0.0/16 -d 10.42.0.0/16 -m comment --comment flanneld masq -j RETURN
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.508023   32979 iptables.go:255] Deleting iptables rule: ! -s 10.42.0.0/16 -d 10.42.0.0/16 -m comment --comment flanneld masq -j MASQUERADE
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.506150   32979 iptables.go:255] Deleting iptables rule: ! -s 10.42.0.0/16 -d 10.42.0.0/24 -m comment --comment flanneld masq -j RETURN
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.504141   32979 iptables.go:255] Deleting iptables rule: -s 10.42.0.0/16 ! -d 224.0.0.0/4 -m comment --comment flanneld masq -j MASQUERADE
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.501900   32979 iptables.go:255] Deleting iptables rule: -s 10.42.0.0/16 -d 10.42.0.0/16 -m comment --comment flanneld masq -j RETURN
Sep 15 19:25:34 localhost.localdomain k3s[32979]: I0915 19:25:34.500228   32979 iptables.go:231] Some iptables rules are missing; deleting and recreating rules
Sep 15 19:25:13 localhost.localdomain k3s[32979]: I0915 19:25:13.852688   32979 iptables.go:243] Adding iptables rule: -d 10.42.0.0/16 -m comment --comment flanneld forward -j ACCEPT
Sep 15 19:25:13 localhost.localdomain k3s[32979]: I0915 19:25:13.846071   32979 iptables.go:243] Adding iptables rule: -s 10.42.0.0/16 -m comment --comment flanneld forward -j ACCEPT
Sep 15 19:25:13 localhost.localdomain k3s[32979]: I0915 19:25:13.843204   32979 iptables.go:255] Deleting iptables rule: -d 10.42.0.0/16 -m comment --comment flanneld forward -j ACCEPT
Sep 15 19:25:13 localhost.localdomain k3s[32979]: I0915 19:25:13.840049   32979 iptables.go:255] Deleting iptables rule: -s 10.42.0.0/16 -m comment --comment flanneld forward -j ACCEPT
Sep 15 19:25:13 localhost.localdomain k3s[32979]: I0915 19:25:13.837915   32979 iptables.go:231] Some iptables rules are missing; deleting and recreating rules

And then, my NAT policies are gone. How can I resolve this?

the version is:

[root@localhost ~]# k3s --version
k3s version v1.23.8+k3s1 (53f2d4e7)
go version go1.17.5

iptables version is 1.4.21

[brandond]

Is your pod trying to manage iptables rules in the host network namespace, or the pod?

The fact that you're seeing messages about rules being missing from the host network namespace suggests that something is removing rules out from underneath flannel. It's hard to say what that might be, but it could also be affecting rules that your pod is adding. What else on your host is managing iptables rules?