
Update base image to use debian-iptables #116

Merged
merged 1 commit into from
Jan 11, 2022

Conversation

MrHohn
Collaborator

@MrHohn MrHohn commented Jan 11, 2022

During a recent debug session, I found out that the previously added ip rules for DNS traffic (#114) don't fully work as expected.

With the current alpine base image, I saw the sport/dport field being omitted:

/ # ip rule show
0:      from all lookup local
29999:  from all lookup main
30000:  from all lookup main
30001:  from all fwmark 0x4000/0x4000 lookup main
30002:  from all iif lo lookup main
30003:  from all iif eth0 lookup 1
32766:  from all lookup main
32767:  from all lookup default

It is likely the ip rule dependency is at a lower version in the alpine image. Updating to use the debian-iptables image from k8s seems to resolve the problem. Having built a test image with the base image swapped, I saw:

# ip rule show
0:      from all lookup local 
29999:  from all dport 53 lookup main 
30000:  from all sport 53 lookup main 
30001:  from all fwmark 0x4000/0x4000 lookup main 
30002:  from all iif lo lookup main 
30003:  not from all iif eth0 lookup 1 
32766:  from all lookup main 
32767:  from all lookup default

/assign @prameshj @sypakine
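An added example, not code from the netd project or from the post above: a small POSIX shell check that verifies the DNS policy-routing rules (priorities 29999 and 30000, as in the output above) carry their dport/sport 53 selectors. It parses `ip rule show` text from stdin, so it can be exercised offline on captured output as well as on a live node. The two embedded rule tables are constructed samples modelled on the outputs in the post; the priorities and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example for this thread; it is not part of the netd project.
# Checks that the DNS policy-routing rules (priorities 29999/30000, as in the
# post above) carry their dport/sport 53 selectors. The check parses
# `ip rule show` text from stdin, so it runs on captured output offline and
# on a live node alike.

# Constructed sample 1: the table as printed by the older iproute2 in the
# alpine image, where the sport/dport selectors are not rendered.
ALPINE_RULES='0:      from all lookup local
29999:  from all lookup main
30000:  from all lookup main
30001:  from all fwmark 0x4000/0x4000 lookup main
30002:  from all iif lo lookup main
30003:  not from all iif eth0 lookup 1
32766:  from all lookup main
32767:  from all lookup default'

# Constructed sample 2: the same table as printed by a newer iproute2.
DEBIAN_RULES='0:      from all lookup local
29999:  from all dport 53 lookup main
30000:  from all sport 53 lookup main
30001:  from all fwmark 0x4000/0x4000 lookup main
30002:  from all iif lo lookup main
30003:  not from all iif eth0 lookup 1
32766:  from all lookup main
32767:  from all lookup default'

# check_dns_rules: read `ip rule show` text on stdin; exit 0 when rule 29999
# shows "dport 53" and rule 30000 shows "sport 53", exit 1 otherwise.
# Exit 1 means either that the rules really lack the selectors or that the
# iproute2 in use is too old to print them: the two cases look identical in
# this output, which is the point of the thread, so the message says so.
check_dns_rules() {
  awk '
    $1 == "29999:" && $0 ~ / dport 53 / { have_dport = 1 }
    $1 == "30000:" && $0 ~ / sport 53 / { have_sport = 1 }
    END {
      if (have_dport && have_sport) {
        print "ok: rules 29999/30000 show their dport/sport 53 selectors"
        exit 0
      }
      print "check failed: dport/sport 53 selector not shown on rule 29999/30000;"
      print "  either the rules lack the selector or this iproute2 is too old to print it"
      exit 1
    }'
}

# live_check: the same test against the running kernel's rule table.
# Returns 2 when the ip tool is not available (e.g. when run offline).
live_check() {
  if command -v ip >/dev/null 2>&1; then
    ip rule show | check_dns_rules
  else
    echo "ip command not found; nothing to check" >&2
    return 2
  fi
}

# Run the check on both captured samples when executed directly.
printf '%s\n' "$ALPINE_RULES" | check_dns_rules || true
printf '%s\n' "$DEBIAN_RULES" | check_dns_rules || true
```

Because a missing selector in the printed table can be a display limitation of the installed iproute2 rather than a missing rule, a failed check should be confirmed with a current iproute2 before concluding that the rules were not installed.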

@k8s-ci-robot
Collaborator

@MrHohn: GitHub didn't allow me to assign the following users: prameshj.

Note that only GoogleCloudPlatform members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrHohn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@MrHohn
Collaborator Author

MrHohn commented Jan 11, 2022

The debian-iptables version is taken from kubernetes/release#2373.

@prameshj

/lgtm

@k8s-ci-robot
Collaborator

@prameshj: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@MrHohn
Collaborator Author

MrHohn commented Jan 11, 2022

From the top post, the 30003 rule seems to change from

30003:  from all iif eth0 lookup 1 

to

30003:  not from all iif eth0 lookup 1 

I have double checked on my dev cluster and there seems to be something strange with the busybox base image such that the ip rule command doesn't show all the fields. Executing the same command on the node directly (rather than from the netd pod) I see:

root@gke-hostport-test-4-default-pool-ead5f8e1-mnr1:~# ip rule show
0:      from all lookup local 
29999:  from all lookup main 
30000:  from all lookup main 
30001:  from all fwmark 0x4000/0x4000 lookup main 
30002:  from all iif lo lookup main 
30003:  not from all iif eth0 lookup 1 
32766:  from all lookup main 
32767:  from all lookup default

(Thanks to @sypakine for noticing this strange bit.)

@sypakine
Collaborator

/lgtm

Thanks for confirming @MrHohn!

@k8s-ci-robot k8s-ci-robot merged commit 195dd49 into GoogleCloudPlatform:master Jan 11, 2022
@MrHohn
Collaborator Author

MrHohn commented Jan 11, 2022

Thanks to both for the reviews. Giving one more update. Upon further checking, it turned out the policy routing rules were correctly installed - I logged into one of the netd pods (with the alpine base image), updated the iproute2 package and ran the ip rule show command again, and everything showed up correctly.

So the issue I originally described might just be a red herring. Anyway, it is still good to migrate to the debian-iptables image and I will follow the general release schedule.

4 participants