k3s server kube-system CrashLoopBackOff after installing nftables v1.1.0

[shakibamoshiri]

Environmental Info:
K3s Version:

k3s --version 
k3s version v1.30.3+k3s1 (f6466040)
go version go1.22.5

Node(s) CPU architecture, OS, and Version:

kubectl get node -o wide
NAME    STATUS   ROLES                       AGE     VERSION        INTERNAL-IP      EXTERNAL-IP      OS-IMAGE                         KERNEL-VERSION    CONTAINER-RUNTIME
100b1   Ready    agent,backup,se,xr          2d14h   v1.30.3+k3s1   172.31.100.10    ***     Debian GNU/Linux 11 (bullseye)   5.10.0-27-amd64   containerd://1.7.17-k3s1
100m1   Ready    control-plane,etcd,master   11d     v1.30.3+k3s1   172.31.100.254   ***    Debian GNU/Linux 11 (bullseye)   5.10.0-32-amd64   containerd://1.7.17-k3s1
100w1   Ready    agent,se,worker             11d     v1.30.3+k3s1   172.31.100.1     ***   Debian GNU/Linux 11 (bullseye)   5.10.0-30-amd64   containerd://1.7.17-k3s1
100w2   Ready    agent,worker,xr             2d14h   v1.30.3+k3s1   172.31.100.2     ***   Debian GNU/Linux 11 (bullseye)   5.10.0-29-amd64   containerd://1.7.17-k3s1

Cluster Configuration:

export INSTALL_K3S_VERSION=v1.30.3+k3s1
curl -sfL https://get.k3s.io | sh -s - server --cluster-init \
    --disable=traefik \
     --node-label=100m1 \
    --flannel-ipv6-masq \
    --flannel-iface=tap_k3s \
    --cluster-cidr=10.12.0.0/16,2001:cafe:12::/56 \
    --service-cidr=10.13.0.0/16,2001:cafe:13::/112  \
    --node-external-ip=95.215.59.201,2a13:c640::13

Describe the bug:
k3s is installed on Debian 11, but sometimes (randomly) when nftables 1.1.0 is also installed on that machine , then k3s server kube-system pods are failed . This tested in two ways

• first install nft 1.1.0 then k3s
• second install k3s then nft 1.1.0

If we install nft 1.1.0 and then k3s server immediately all kube-system pods fail
if we install k3s first , there is no error, but immediately after installing nft 1.1.0 all kube-system pods fail

Steps To Reproduce:

• Installed K3s
• install nfstable 1.1.0 (should be compiled from source)

Expected behavior:
No kube-system pod failure

Actual behavior:
all of them seem to fail due to liveness/readiness probe failure

Additional context / logs:

kubectl get all   -n kube-system 
NAME                                          READY   STATUS             RESTARTS         AGE
pod/coredns-576bfc4dc7-w7q9r                  0/1     Running            8 (67m ago)      11d
pod/local-path-provisioner-6795b5f9d8-8kvxb   0/1     CrashLoopBackOff   73 (4m52s ago)   11d
pod/metrics-server-557ff575fb-cqh58           0/1     CrashLoopBackOff   70 (4m58s ago)   11d

NAME                     TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)                  AGE
service/kube-dns         ClusterIP   10.13.0.10     <none>        53/UDP,53/TCP,9153/TCP   11d
service/metrics-server   ClusterIP   10.13.202.13   <none>        443/TCP                  11d

NAME                                     READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/coredns                  0/1     1            0           11d
deployment.apps/local-path-provisioner   0/1     1            0           11d
deployment.apps/metrics-server           0/1     1            0           11d

NAME                                                DESIRED   CURRENT   READY   AGE
replicaset.apps/coredns-576bfc4dc7                  1         1         0       11d
replicaset.apps/local-path-provisioner-6795b5f9d8   1         1         0       11d
replicaset.apps/metrics-server-557ff575fb           1         1         0       11d

---

checking the metrics-server

root(0)100m1(0) k3s# 
root(0)100m1(0) k3s# kubectl describe pod -n kube-system metrics-server-557ff575fb-cqh58
Name:                 metrics-server-557ff575fb-cqh58
Namespace:            kube-system
Priority:             2000001000
Priority Class Name:  system-node-critical
Service Account:      metrics-server
Node:                 100m1/172.31.100.254
Start Time:           Sun, 01 Sep 2024 12:43:24 +0330
Labels:               k8s-app=metrics-server
                      pod-template-hash=557ff575fb
Annotations:          <none>
Status:               Running
IP:                   10.12.0.33
IPs:
  IP:           10.12.0.33
  IP:           2001:cafe:12::21
Controlled By:  ReplicaSet/metrics-server-557ff575fb
Containers:
  metrics-server:
    Container ID:  containerd://cfffeb75fb79cf7327867cb885f834f10fe0bff3526f60f7ebb2a524c1273b32
    Image:         rancher/mirrored-metrics-server:v0.7.0
    Image ID:      docker.io/rancher/mirrored-metrics-server@sha256:20b8b36f8cac9e25aa2a0ff35147b13643bfec603e7e7480886632330a3bbc59
    Port:          10250/TCP
    Host Port:     0/TCP
    Args:
      --cert-dir=/tmp
      --secure-port=10250
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
      --kubelet-use-node-status-port
      --metric-resolution=15s
      --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    State:          Waiting
      Reason:       CrashLoopBackOff
    Last State:     Terminated
      Reason:       Error
      Exit Code:    2
      Started:      Thu, 12 Sep 2024 23:46:58 +0330
      Finished:     Thu, 12 Sep 2024 23:47:29 +0330
    Ready:          False
    Restart Count:  68
    Requests:
      cpu:        100m
      memory:     70Mi
    Liveness:     http-get https://:https/livez delay=60s timeout=1s period=10s #success=1 #failure=3
    Readiness:    http-get https://:https/readyz delay=0s timeout=1s period=2s #success=1 #failure=3
    Environment:  <none>
    Mounts:
      /tmp from tmp-dir (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mnk58 (ro)
Conditions:
  Type                        Status
  PodReadyToStartContainers   True 
  Initialized                 True 
  Ready                       False 
  ContainersReady             False 
  PodScheduled                True 
Volumes:
  tmp-dir:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:     
    SizeLimit:  <unset>
  kube-api-access-mnk58:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 CriticalAddonsOnly op=Exists
                             node-role.kubernetes.io/control-plane:NoSchedule op=Exists
                             node-role.kubernetes.io/master:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type     Reason     Age                  From     Message
  ----     ------     ----                 ----     -------
  Warning  Unhealthy  25m (x11 over 25m)   kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy  25m (x5 over 25m)    kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy  25m                  kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": dial tcp 10.12.0.33:10250: connect: connection refused
  Warning  BackOff    24m (x2 over 25m)    kubelet  Back-off restarting failed container metrics-server in pod metrics-server-557ff575fb-cqh58_kube-system(b8eb3707-b5a2-461a-8f36-8a256c57b18e)
  Normal   Pulled     24m (x2 over 25m)    kubelet  Container image "rancher/mirrored-metrics-server:v0.7.0" already present on machine
  Normal   Created    24m (x2 over 25m)    kubelet  Created container metrics-server
  Normal   Started    24m (x2 over 25m)    kubelet  Started container metrics-server
  Warning  Unhealthy  20m (x2 over 20m)    kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy  19m (x14 over 20m)   kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy  19m                  kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": dial tcp 10.12.0.33:10250: connect: connection refused
  Warning  BackOff    19m (x2 over 19m)    kubelet  Back-off restarting failed container metrics-server in pod metrics-server-557ff575fb-cqh58_kube-system(b8eb3707-b5a2-461a-8f36-8a256c57b18e)
  Normal   Created    19m (x2 over 20m)    kubelet  Created container metrics-server
  Normal   Pulled     19m (x2 over 20m)    kubelet  Container image "rancher/mirrored-metrics-server:v0.7.0" already present on machine
  Normal   Started    19m (x2 over 20m)    kubelet  Started container metrics-server
  Normal   Created    19m                  kubelet  Created container metrics-server
  Warning  Unhealthy  19m                  kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": dial tcp 10.12.0.33:10250: connect: connection refused
  Normal   Started    19m                  kubelet  Started container metrics-server
  Warning  Unhealthy  18m (x2 over 19m)    kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
  Warning  Unhealthy  18m (x2 over 19m)    kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": context deadline exceeded
  Warning  Unhealthy  18m (x17 over 19m)   kubelet  Readiness probe failed: Get "https://10.12.0.33:10250/readyz": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
  Normal   Pulled     14m (x5 over 19m)    kubelet  Container image "rancher/mirrored-metrics-server:v0.7.0" already present on machine
  Warning  BackOff    4m7s (x59 over 18m)  kubelet  Back-off restarting failed container metrics-server in pod metrics-server-557ff575fb-cqh58_kube-system(b8eb3707-b5a2-461a-8f36-8a256c57b18e)

here is the error for this pod

https://10.12.0.33:10250/readyz": dial tcp 10.12.0.33:10250: connect: connection refused

also nc the ip and port fail

nc -t -zv 10.12.0.33 10250 
nc: connect to 10.12.0.33 port 10250 (tcp) failed: Connection refused

but can ping it

ping -c4 10.12.0.33
PING 10.12.0.33 (10.12.0.33) 56(84) bytes of data.
64 bytes from 10.12.0.33: icmp_seq=1 ttl=64 time=0.243 ms
64 bytes from 10.12.0.33: icmp_seq=2 ttl=64 time=0.084 ms
64 bytes from 10.12.0.33: icmp_seq=3 ttl=64 time=0.223 ms
64 bytes from 10.12.0.33: icmp_seq=4 ttl=64 time=0.081 ms

and the logs of this pod

kubectl logs -n kube-system metrics-server-557ff575fb-cqh58
Error: unable to load configmap based request-header-client-ca-file: Get "https://10.13.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": dial tcp 10.13.0.1:443: i/o timeout
Usage:
   [flags]

Metrics server flags:

      --kubeconfig string            The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)
      --metric-resolution duration   The resolution at which metrics-server will retain metrics, must set value at least 10s. (default 1m0s)
      --version   
...
...
...

panic: unable to load configmap based request-header-client-ca-file: Get "https://10.13.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication": dial tcp 10.13.0.1:443: i/o timeout

goroutine 1 [running]:
main.main()
	sigs.k8s.io/metrics-server/cmd/metrics-server/metrics-server.go:37 +0x8b

within the host , the endpoint is available

root(0)100m1(0) k3s# curl -k https://10.13.0.1:443/api/v1/namespaces/kube-system/configmaps/extension-apiserver-authentication
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "Unauthorized",
  "reason": "Unauthorized",
  "code": 401
}root(0)100m1(0) k3s# 

and nc

nc -t -zv 10.13.0.1 443 
Connection to 10.13.0.1 443 port [tcp/https] succeeded!

---

Blaming the nftables for the cause of issue, I uninstalled nft 1.1.0 and its related files but did did help
Also

iptables --version 
iptables v1.8.7 (nf_tables)

has not changed and iptables-save has no error

lastly I should mention that ntables 1.1.0 just installed without applying any rule so there is no rule to have conflict with legacy iptables

iptables-save.txt

Any idea why kube-system pods fail ?

[brandond]

When you say you're installing it after building it from source, what exactly do you mean? Are you just replacing the binary on the host? Are you perhaps building and installing a package that triggers post install scripts that interfere with Kubernetes networking? It really looks like something you're doing is breaking the flannel or kube-proxy iptables rules.

[shakibamoshiri]

When you say you're installing it after building it from source, what exactly do you mean? Are you just replacing the binary on the host? Are you perhaps building and installing a package that triggers post install scripts that interfere with Kubernetes networking? It really looks like something you're doing is breaking the flannel or kube-proxy iptables rules.

Debian 11 , nft version is nftables v0.9.8 (E.D.S.) for installing 1.1.0, two libraries should be compiled + nft cli in order to have 1.1.0 . The problem is that it happens randomly . At the moment I have another k3s server with nft 1.1.0 and kube-system pods are fine but on the newer machine kube-system fails

Even if assume the cause is just nftables 1.1.0, why after uninstalling it sill pods fails ?
Also I took a snapshot before installing nft 1.1.0 and restoring it after uninstalling nft 1.1.0 but did not help

I can think if a library dependency that has been overridden by nft 1.1.0 causing the issue for kube-proxy or flannel , for testing this I uninstalled iptable, nft-libs* all of them

dpkg -l | grep nft
ii  libnftables1:amd64             0.9.8-3.1+deb11u2              amd64        Netfilter nftables high level userspace API library
ii  libnftnl-dev:amd64             1.1.9-1                        amd64        Development files for libnftnl
ii  libnftnl11:amd64               1.1.9-1                        amd64        Netfilter nftables userspace API library
ii  nftables                       0.9.8-3.1+deb11u2              amd64        Program to control packet filtering rules by Netfilter project

but did not help either

Also reinstalling the default Debian 11 nft dd not help :|

Any idea to trace more and find the root cause ?

[shakibamoshiri]

I deleted all pods in kube-system so be created again

kubectl get pods  -n kube-system 
NAME                                      READY   STATUS    RESTARTS      AGE
coredns-576bfc4dc7-hfvbx                  0/1     Running   0             42s
local-path-provisioner-6795b5f9d8-dmrz2   1/1     Running   1 (15s ago)   46s
metrics-server-557ff575fb-rrjck           1/1     Running   0             23m

now metrics-server is fine , local-path keeps restarting, and coredns does not get ready

CoreDNS error

Warning  Unhealthy  4m16s (x22 over 4m55s)  kubelet            Readiness probe failed: HTTP probe failed with statuscode: 503

Local Path error

  Warning  BackOff    5s (x9 over 3m20s)   kubelet            Back-off restarting failed container local-path-provisioner in pod local-path-provisioner-6795b5f9d8-dmrz2_kube-system(48ac961f-da91-4b20-9aa3-e6f5323725d4)

[brandond]

K3s is statically linked and does not directly call into nft itself. It does however use the host iptables commands, and if you're breaking the iptables-nft backend by replacing the nft libraries with a completely different major version that causes subtle changes in behavior, that would be a problem.

You can tell k3s to use our statically linked iptables binaries, instead of the host iptables wrappers, by starting k3s with --prefer-bundled-bin. You might see if that helps you at all.

I'm going to convert this to a discussion, because I don't see that there is anything wrong with k3s itself. You're replacing distro packages with incompatible versions and stuff is breaking.

[shakibamoshiri]

rebuild the machine with Debian 12 , which has nft 1.0.6 by default , kube-system pods are failing on a fresh Debian 12

get pods -n kube-system  
NAME                                      READY   STATUS    RESTARTS      AGE
coredns-576bfc4dc7-9p24q                  1/1     Running   0             2m3s
local-path-provisioner-6795b5f9d8-llb2d   0/1     Error     2 (55s ago)   117s
metrics-server-557ff575fb-cqhkc           0/1     Running   2 (46s ago)   110s

os

cat /etc/os-*
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm

is k3s supported on Debian 12 ?

[shakibamoshiri]

I did not find the exact root cause of the issue , but further testing showed the same error on Debian 12 as well .
Next tested on Ubuntu 22 and I saw no error , I suspect legacy iptable on Debian 11 and 12.

Now I have k3s server with nft 1.1.0 with no issue

I someone knows the exact root cause please let me know