Outbound connectivity for Init Container

[adarsh-padhi]

What happened?

I am facing an issue where a pod with 2 containers (liquibase & app container) is present. The liquibase container is defined as init container which tries to connect to the database . post valid connection it starts the app container.

When we inject the sidecar container , the init container tries to connect to the database URL , but fails to connect as the sidecar container is not up & running .

getting this connection error in the logs

Error creating bean with name 'liquibase' defined in class path resource [org/springframework/boot/autoconfigure/liquibase/LiquibaseAutoConfiguration$LiquibaseConfiguration.class]: Invocation of init method failed; nested exception is liquibase.exception.DatabaseException
 
Caused by: org.postgresql.util.PSQLException: The connection attempt failed.
 
Caused by: java.net.UnknownHostException: demo-database.postgres.database.azure.com

I have used external services & few annotations prescribed in the docs like

traffic.kuma.io/exclude-outbound-tcp-ports-for-uids
traffic.kuma.io/exclude-outbound-udp-ports-for-uids
traffic.kuma.io/exclude-outbound-ports

but getting same error

we are using kuma-CNI

[michaelbeaumont]

Can you provide exactly what configuration you used when trying the workarounds in the docs?

[jakubdyszkiewicz]

Hey, what is the version of Kuma?
Can you double check with 2.5.0, because there was a bug in CNI that was fixed by #8319

[ravish-kumar-maersk]

Hi @jakubdyszkiewicz
We were using Kuma 2.4.1.

Will upgrade and check for this.

[jakubdyszkiewicz]

Triage: @ravish-kumar-maersk any luck in upgrade?

[ravish-kumar-maersk]

Hi @jakubdyszkiewicz

Will confirm in a fortnight.

[jakubdyszkiewicz]

Triage: closing due to no activity. Feel free to reopen if this is still the problem with the newest version

[adarsh-padhi]

Hii @jakubdyszkiewicz / @michaelbeaumont , we upgraded to kuma version 2.5.2 , and tested this use-case , Unfortunately this issue still persists , can you guide us here.

[github-actions]

Removing closed state labels due to the issue being reopened.

[slonka]

Can you provide exactly what configuration you used when trying the workarounds in the docs?

reposting Mike's question. Also I think it should work with:

traffic.kuma.io/exclude-outbound-ports: "53,5432"

let me know if it works with that setting

[adarsh-padhi]

Can you provide exactly what configuration you used when trying the workarounds in the docs?

reposting Mike's question. Also I think it should work with:

traffic.kuma.io/exclude-outbound-ports: "53,5432"

let me know if it works with that setting

Hii @slonka , I have tried the solution which you have suggested , its not working too.

[slonka]

Yeah, traffic.kuma.io/exclude-outbound-ports works only for tcp and DNS can be tcp/udp - so we need to use traffic.kuma.io/exclude-outbound-ports-for-uids

can you try:

traffic.kuma.io/exclude-outbound-ports-for-uids: "*:5432:CONTAINER_UID;*:53:CONTAINER_UID"

?

[adarsh-padhi]

I have already tested this
https://kuma.io/docs/2.5.x/production/dp-config/dpp-on-kubernetes/#network-calls-to-outside-of-the-mesh
which tells to use similar annotations

traffic.kuma.io/exclude-outbound-tcp-ports-for-uids: "443:1234"
traffic.kuma.io/exclude-outbound-udp-ports-for-uids: "53:1234"

Is the above annotations is different from your suggested one ?

[michaelbeaumont]

@adarsh-padhi just a note, upgrade to Kubernetes v1.29 and Kuma v2.7 if you can. The k8s native sidecar feature support sidesteps all of this.

[adarsh-padhi]

Hii @slonka , I tried the above solution , it is working with port 5432 , but what if its trying to connect to 443 port ?

facing issue with 443 port , its not able to connect

[slonka]

As @michaelbeaumont mentioned if you can upgrade k8s to have native sidecar support that would be great, otherwise you need to list all the ports the container is trying reach. So

traffic.kuma.io/exclude-outbound-ports-for-uids: "*:5432:1234;*:53:1234;*:443:1234"