calico: Windows Pod cannot access external network

On Windows, Pods cannot access external networks, but Nodes in the cluster are able to communicate.

Expected Behavior

From inside the Pod on Windows, it should be possible to access external networks, such as Google.com.

Current Behavior

My Service Exception: [image]

Use the docker exec command to enter the container and execute the ping command. [image]

Ping the nodes in the cluster. [image]

Possible Solution

  • None

Steps to Reproduce (for bugs)

  1. On Linux master, I disabled the IPinIP feature and ran the calicoctl ipam configure --strictaffinity=true command to prevent the Linux node from borrowing the Windows IP address.
  2. Follow the documentation for Install Calico for Windows (BGP mode).

Context

IPPool

[root@k8s-master bin]# cat ippool.yaml 
apiVersion: projectcalico.org/v3
kind: IPPool
metadata:
  creationTimestamp: "2022-03-14T03:18:58Z"
  name: default-ipv4-ippool
  resourceVersion: "540"
  uid: 044e9f56-c143-4cab-8136-90a9706d36be
spec:
  blockSize: 26
  cidr: 100.64.0.0/10
  ipipMode: Never
  natOutgoing: true
  nodeSelector: all()
  vxlanMode: Never

felixconfig

[root@k8s-master bin]# cat felixconfig.yaml 
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
  annotations:
    projectcalico.org/metadata: '{"uid":"52bf77b0-a467-4502-871e-f5840161c593","creationTimestamp":"2022-03-14T03:18:58Z"}'
  creationTimestamp: "2022-03-14T03:18:58Z"
  generation: 2
  managedFields:
  - apiVersion: crd.projectcalico.org/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:projectcalico.org/metadata: {}
      f:spec:
        .: {}
        f:bpfLogLevel: {}
        f:ipipEnabled: {}
        f:logSeverityScreen: {}
        f:reportingInterval: {}
    manager: Go-http-client
    operation: Update
    time: "2022-03-14T03:18:58Z"
  name: default
  resourceVersion: "542"
  uid: 52bf77b0-a467-4502-871e-f5840161c593
spec:
  bpfLogLevel: ""
  ipipEnabled: false
  logSeverityScreen: Info
  reportingInterval: 0s

Logs

Everything seems to be working fine and there are no error messages. [image]

Your Environment

  • Calico version: v3.22.0
  • Orchestrator version: Kubernetes 1.20.15
  • Operating System and version: Windows Server 2019 - 1809 - 17763.2686

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 28 (9 by maintainers)

Most upvoted comments

@song-jiang @lmm Thank you very much for your help, it works fine now.

@real-zony this is a limitation of Kubernetes networking on Windows. More details on this page (scroll down to the section named Outbound communication using the ICMP protocol).

What you’ll find is that the pings to external networks are going out (assuming ICMP traffic is allowed out of the Windows node), but that the replies aren’t coming back. If you need to check external connectivity, replace ping with something else like curl.
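
Added example (not part of the original issue or of Calico's tooling): a PowerShell function that checks egress from inside a Windows pod without ICMP, as the comment above suggests, testing DNS, TCP and HTTPS separately so a failure can be attributed to one layer. The function name `Test-PodEgress`, the target `example.com` and the port are assumptions, and the container image is assumed to include Windows PowerShell.

```powershell
# Added example: layered egress check for a Windows pod that avoids ICMP.
# Test-PodEgress is a hypothetical helper name; host and port are assumed defaults.
function Test-PodEgress {
    param(
        [string]$TargetHost = 'example.com',  # assumed target, replace as needed
        [int]$Port = 443,                     # assumed to speak TLS (used for the HTTPS step)
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $TargetHost; Port = $Port; Dns = $false; Tcp = $false; Http = $false; Detail = '' }

    # 1. DNS: a failure here points at cluster DNS, not at pod egress routing or NAT.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($TargetHost)
        $result.Dns = $addrs.Count -gt 0
    } catch {
        $result.Detail = "DNS resolution failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. TCP handshake: needs the return path to work, unlike the one-way ICMP case.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($TargetHost, $Port)
        if ($task.Wait($TimeoutMs) -and $client.Connected) { $result.Tcp = $true }
        else { $result.Detail = "TCP connect to port $Port timed out" }
    } catch {
        # A refused or unreachable connection surfaces here as an exception.
        $result.Detail = "TCP connect failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    if (-not $result.Tcp) { return [pscustomobject]$result }

    # 3. HTTPS request: the equivalent of replacing ping with curl.
    try {
        $uri = "https://${TargetHost}:$Port/"
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec ([int]($TimeoutMs / 1000))
        $result.Http = $true
        $result.Detail = "HTTP status $($resp.StatusCode)"
    } catch {
        $result.Detail = "TCP works but HTTPS request failed: $($_.Exception.Message)"
    }
    [pscustomobject]$result
}

Test-PodEgress -TargetHost 'example.com'
```

If `Dns` and `Tcp` are true while ping to the same host gets no replies, the pod has working outbound connectivity and only ICMP is affected.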