linkerd2: Openshift 4.5 Install Fails on IPTables

Bug Report

What is the issue?

linkerd-controller pod won't start

How can it be reproduced?

Install Openshift 4.5.

Install linkerd as follows…

> brew install linkerd
> oc login
> oc new-project linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-controller -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-prometheus -n linkerd
> oc adm policy add-scc-to-user privileged -z default -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-destination -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-grafana -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-proxy-injector -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-sp-validator -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-tap -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-web -n linkerd
> oc adm policy add-scc-to-user privileged -z linkerd-identity -n linkerd
> oc describe rolebinding.rbac -n linkerd
> linkerd install | oc apply -f -
> linkerd check

Logs, error output, etc


linkerd check output

your output here ...

Environment

  • Kubernetes Version: Openshift 4.5
  • Cluster Environment: AWS
  • Host OS:
  • Linkerd version:

[I] jkassis@Jeremys-MBP ~/c/c/live> linkerd version
Client version: stable-2.8.1
Server version: unavailable

Possible solution

Additional context

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 20 (6 by maintainers)

Most upvoted comments

Have there been any work done on this. We are attempting to install on OpenShift version 4.5.9 UPI on vsphere and are running into the same issues. Thanks!

I tried edge with the policy group SCC additions you recommended…

```yaml
lastState:
  terminated:
    exitCode: 1
    reason: Error
    message: >+
      mp-port-unreachable
      -A OUTPUT -d 169.254.169.254/32 -p udp -m udp ! --dport 53 -j REJECT --reject-with icmp-port-unreachable
      COMMIT
      # Completed on Thu Aug 13 03:00:41 2020

      configuration
      ------------------------------------------------------------
      Will ignore port [4190 4191] on chain PROXY_INIT_REDIRECT
      Will redirect all INPUT ports to proxy
      Ignoring uid 2102
      Will ignore port [443] on chain PROXY_INIT_OUTPUT
      Redirecting all OUTPUT to 4140

      adding rules
      ------------------------------------------------------------
      :; iptables -t nat -N PROXY_INIT_REDIRECT -m comment --comment proxy-init/redirect-common-chain/1597287641
      iptables: Chain already exists.

      Aborting firewall configuration
      Error: exit status 1
      Usage:
        proxy-init [flags]

      Flags:
        -h, --help                               help for proxy-init
            --inbound-ports-to-ignore strings    Inbound ports and/or port ranges (inclusive) to ignore and not redirect to proxy. This has higher precedence than any other parameters.
        -p, --incoming-proxy-port int            Port to redirect incoming traffic (default -1)
            --netns string                       Optional network namespace in which to run the iptables commands
            --outbound-ports-to-ignore strings   Outbound ports and/or port ranges (inclusive) to ignore and not redirect to proxy. This has higher precedence than any other parameters.
        -o, --outgoing-proxy-port int            Port to redirect outgoing traffic (default -1)
        -r, --ports-to-redirect ints             Port to redirect to proxy, if no port is specified then ALL ports are redirected
        -u, --proxy-uid int                      User ID that the proxy is running under. Any traffic coming from this user will be ignored to avoid infinite redirection loops. (default -1)
            --simulate                           Don't execute any command, just print what would be executed
            --timeout-close-wait-secs int        Sets nf_conntrack_tcp_timeout_close_wait
        -w, --use-wait-flag                      Appends the "-w" flag to the iptables commands
    startedAt: '2020-08-13T03:00:41Z'
    finishedAt: '2020-08-13T03:00:41Z'
    containerID: >-
      cri-o://6bc4aa7e2ad6419849bb3915a6c4f1729b0235117abe00a332ca88f3dee55df3
ready: false
restartCount: 5
image: 'gcr.io/linkerd-io/proxy-init:v1.3.4'
imageID: >-
  gcr.io/linkerd-io/proxy-init@sha256:5e9ce6c12258bd398f7961961ffeb6dcc725e192a37c2d2a07e919b9a7ce3101
containerID: 'cri-o://ff223f79b1601efa8ac81bf0ee2aa7b6eaf82ea1c94c98ef84c6c708a7e305bf'
```
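The `iptables: Chain already exists.` line in the status above is what `iptables -t nat -N PROXY_INIT_REDIRECT` returns when that chain is already present in the pod's network namespace, which is consistent with an init container at `restartCount: 5` re-running its rule setup in a netns where an earlier attempt had already created the chain. The POSIX shell script below is an added example, not linkerd's proxy-init code and not from this thread: it parses a constructed `iptables-save -t nat` dump (the chain names, ports and uid 2102 are taken from the log above; the dump itself is constructed, not captured) and shows the idempotent check that would avoid the error by skipping `-N` when the chain is already declared.

```shell
#!/bin/sh
# Added example: detect leftover proxy-init chains in an iptables-save
# dump and decide whether creating a chain would hit "Chain already exists".

# Constructed sample of `iptables-save -t nat` from a pod netns where a
# previous proxy-init run already created its chains. Not from the issue.
SAMPLE_NAT_TABLE='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PROXY_INIT_OUTPUT - [0:0]
:PROXY_INIT_REDIRECT - [0:0]
-A PREROUTING -j PROXY_INIT_REDIRECT
-A OUTPUT -j PROXY_INIT_OUTPUT
-A PROXY_INIT_OUTPUT -m owner --uid-owner 2102 -j RETURN
-A PROXY_INIT_OUTPUT -o lo -j RETURN
-A PROXY_INIT_OUTPUT -p tcp -j REDIRECT --to-ports 4140
-A PROXY_INIT_REDIRECT -p tcp -m multiport --dports 4190,4191 -j RETURN
-A PROXY_INIT_REDIRECT -p tcp -j REDIRECT --to-ports 4143
COMMIT'

# chain_exists DUMP CHAIN: succeeds when the dump declares the chain.
# iptables-save declares every chain with a ":NAME policy [pkts:bytes]" line,
# so the header is the reliable place to look (rules may be absent).
chain_exists() {
  printf '%s\n' "$1" | grep -q "^:$2 "
}

# proxy_init_chains DUMP: list the PROXY_INIT_* chains left in the table,
# one per line. A non-empty result means a previous run did not clean up.
proxy_init_chains() {
  printf '%s\n' "$1" | sed -n 's/^:\(PROXY_INIT_[A-Z_]*\) .*/\1/p'
}

# rules_for_chain DUMP CHAIN: number of -A rules attached to CHAIN.
rules_for_chain() {
  printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# plan_chain_create DUMP CHAIN: print the command an idempotent setup would
# run, or "skip" when the chain is already present. Running -N unconditionally
# is what produces "iptables: Chain already exists." and a non-zero exit.
plan_chain_create() {
  if chain_exists "$1" "$2"; then
    echo "skip"
  else
    echo "iptables -t nat -N $2"
  fi
}

# Report on the constructed dump when run directly.
report() {
  echo "leftover proxy-init chains:"
  proxy_init_chains "$1"
  for chain in PROXY_INIT_REDIRECT PROXY_INIT_OUTPUT; do
    echo "$chain: $(rules_for_chain "$1" "$chain") rules, action: $(plan_chain_create "$1" "$chain")"
  done
}

report "$SAMPLE_NAT_TABLE"
```

On a live node the dump would come from the pod's own network namespace (for example `nsenter -t <pause-pid> -n iptables-save -t nat`), not from the host table; the `--netns` flag shown in the proxy-init help above serves the same purpose for the init container itself. Note that `chain_exists` only tells you the chain is present, not that its rules are the ones this run would have written, so a stricter setup would compare the `-A` rules as well before deciding to skip.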