Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Network policy slows down traffic with canal #7339

Closed
agvsap1 opened this issue Feb 12, 2023 · 7 comments
Closed

Network policy slows down traffic with canal #7339

agvsap1 opened this issue Feb 12, 2023 · 7 comments
Labels
kind/support

Comments

@agvsap1
Copy link

agvsap1 commented Feb 12, 2023

Hi

I have Rancher v2.5 cluster deployed in IaaS enviroment with 2 workers servers. My appls are workinf fine, but when I apply my networkpolicy to control the traffic between namespaces, the access to my application from outside my cluster is slow.

My networkpoliy slows down traffic to access my applications.

I have network pluging "Canal", is a project that combines Flannel and [Calico] for CNI Networking. It uses Flannel for networking pod traffic between hosts via VXLAN and Calico for network policy enforcement and pod to pod traffic.

This is the log from my canal pod:

I0210 13:18:46.142177 1 main.go:651] Determining IP address of default interface
I0210 13:18:46.142947 1 main.go:698] Using interface with name ens160 and address 10.53.137.37
I0210 13:18:46.142970 1 main.go:720] Defaulting external address to interface address (10.53.137.37)
I0210 13:18:46.142975 1 main.go:733] Defaulting external v6 address to interface address ()
I0210 13:18:46.143026 1 vxlan.go:137] VXLAN config: VNI=1 Port=0 GBP=false Learning=false DirectRouting=false
I0210 13:18:46.143464 1 kube.go:339] Setting NodeNetworkUnavailable
I0210 13:18:46.177745 1 main.go:408] Current network or subnet (10.42.0.0/16, 10.42.3.0/24) is not equal to previous one (0.0.0.0/0, 0.0.0.0/0), trying to recycle old iptables rules
I0210 13:18:46.206318 1 iptables.go:240] Deleting iptables rule: -s 0.0.0.0/0 -d 0.0.0.0/0 -j RETURN
I0210 13:18:46.208227 1 iptables.go:240] Deleting iptables rule: -s 0.0.0.0/0 ! -d 224.0.0.0/4 -j MASQUERADE --random-fully
@caseydavenport
Copy link
Member

How are you measuring this slow down?

@agvsap1
Copy link
Author

agvsap1 commented Feb 28, 2023

Hi, the response time of my application web (https://myappl.domain./path) is more slowly, about 120 secs in the response. Without networkpolicy activate the response in inmediate.

Regards.

@caseydavenport
Copy link
Member

Are you certain that the policy is allowing all of the necessary connections for your application to generate a response? For example, does it allow DNS access?

Would you mind sharing the network policy you've created?

@agvsap1
Copy link
Author

agvsap1 commented Apr 3, 2023

Are you certain that the policy is allowing all of the necessary connections for your application to generate a response? For example, does it allow DNS access?

Would you mind sharing the network policy you've created?

Hi

I am sure that is allowing all of the necessary connections for my application to generate a response, because the application responses well, the problem is the response time. M;y networkpolicy is it:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: siord-plataforma-networkpolicy-ingress-pro
namespace: onesait-platform
spec:
ingress:

  • from:
    • podSelector: {}
    • namespaceSelector:
      matchLabels:
      name: kube-system
      podSelector: {}
    • namespaceSelector:
      matchLabels:
      name: ingress-nginx
      podSelector: {}
    • namespaceSelector:
      matchLabels:
      name: cattle-system
      podSelector: {}
    • namespaceSelector:
      matchLabels:
      name: babel
      podSelector: {}
    • namespaceSelector:
      matchLabels:
      name: cattle-monitoring-system
      podSelector: {}
    • ipBlock:
      cidr: 10.53.137.20/32 #IP del worker-plataforma
    • ipBlock:
      cidr: 10.53.137.21/32 #IP del worker-plataforma
    • ipBlock:
      cidr: 10.53.136.10/32 #IP del rancher
    • ipBlock:
      cidr: 10.53.137.36/32 #IP del worker-babel
    • ipBlock:
      cidr: 10.53.137.37/32 #IP del worker-babel
    • ipBlock:
      cidr: 100.65.0.81/32 #IP del Balanceador
    • ipBlock:
      cidr: 100.65.0.82/32 #IP del Balanceador
    • ipBlock:
      cidr: 10.53.137.2/32 #IP Flotante Balanceador
    • ipBlock:
      cidr: 10.53.137.3/32 #IP Flotante Balanceador
    • ipBlock:
      cidr: 10.53.137.4/32 #IP Flotante Balanceador
    • ipBlock:
      cidr: 192.168.137.0/24 #IP de VPN-DCM
    • ipBlock:
      cidr: 192.168.141.0/24 #IP de VPN-DCM
    • ipBlock:
      cidr: 10.53.148.0/24 #IP de VPN-KIO
      podSelector: {}
      policyTypes:
  • Ingress

@caseydavenport
Copy link
Member

@agvsap1 I'd check whether disabling VXLAN checksum offloading improves things. There is a known kernel bug in some versions of the Linux kernel that results in very long delays in VXLAN traffic.

e.g. #3145

@agvsap1
Copy link
Author

agvsap1 commented Apr 24, 2023

Hi

Thanks a lots.

Could you said me how disable it "isabling VXLAN checksum offloading" in Rancher enviroments?

Regards.

@caseydavenport
Copy link
Member

It's in the linked issue - something like this:

ethtool --offload interface rx off tx off

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/support
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@caseydavenport @agvsap1