weave: Weave down with: '[boltDB] Unable to open /weavedb/weave-netdata.db: timeout'

What you expected to happen?

Weave to be working 🌮

What happened?

Cluster’s docker version was downgraded from 17.06 to 1.12.6 a few days ago but seemed to be working normally, and it seems weave broke over the weekend.

Logs of the weave container consist solely of: [boltDB] Unable to open /weavedb/weave-netdata.db: timeout

How to reproduce it?

no idea

Anything else we need to know?

k8s 1.8.7 on openstack, docker 1.12.6, weave 2.2.0, coreOS stable 1632.2.1

Versions:

see above ^^

Logs:

weave logs: [boltDB] Unable to open /weavedb/weave-netdata.db: timeout

kubelet logs: bash[4519]: weave-cni: unable to release IP address: Delete http://127.0.0.1:6784/ip/499c90a7945d984024acf1fbc87fde11d9b0ee496c4ffe7d98c7509a7af2c001: dial tcp 127.0.0.1:6784: i/o timeout

Network:

Taken from a k8s node:

$ ip route

default via 10.118.0.1 dev eth0 proto dhcp src 10.118.10.110 metric 1024
10.118.0.0/18 dev eth0 proto kernel scope link src 10.118.10.110
10.118.0.1 dev eth0 proto dhcp scope link src 10.118.10.110 metric 1024
172.31.0.0/17 dev weave proto kernel scope link src 172.31.0.1
172.31.255.0/24 dev docker0 proto kernel scope link src 172.31.255.1 linkdown

$ ip -4 -o addr

1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.118.10.110/18 brd 10.118.63.255 scope global dynamic eth0\       valid_lft 85496sec preferred_lft 85496sec
3: docker0    inet 172.31.255.1/24 scope global docker0\       valid_lft forever preferred_lft forever
20: weave    inet 172.31.0.1/17 brd 172.31.127.255 scope global weave\       valid_lft forever preferred_lft forever

$ sudo iptables-save

# Generated by iptables-save v1.4.21 on Mon Feb 26 10:48:08 2018
*mangle
:PREROUTING ACCEPT [102640:151203753]
:INPUT ACCEPT [58344:140882171]
:FORWARD ACCEPT [44296:10321582]
:OUTPUT ACCEPT [59065:96962763]
:POSTROUTING ACCEPT [103143:107271265]
:WEAVE-IPSEC-IN - [0:0]
:WEAVE-IPSEC-IN-MARK - [0:0]
:WEAVE-IPSEC-OUT - [0:0]
:WEAVE-IPSEC-OUT-MARK - [0:0]
-A INPUT -j WEAVE-IPSEC-IN
-A OUTPUT -j WEAVE-IPSEC-OUT
-A WEAVE-IPSEC-IN-MARK -j MARK --set-xmark 0x20000/0x20000
-A WEAVE-IPSEC-OUT-MARK -j MARK --set-xmark 0x20000/0x20000
COMMIT
# Completed on Mon Feb 26 10:48:08 2018
# Generated by iptables-save v1.4.21 on Mon Feb 26 10:48:08 2018
*nat
:PREROUTING ACCEPT [16:960]
:INPUT ACCEPT [16:960]
:OUTPUT ACCEPT [17:1138]
:POSTROUTING ACCEPT [17:1138]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-2KXSWJ3G64R65RSP - [0:0]
:KUBE-SEP-3J6NXYWQBOXIKDXB - [0:0]
:KUBE-SEP-3MOV7KWFT6UOYARV - [0:0]
:KUBE-SEP-5H7MKIBPE32CQD3K - [0:0]
:KUBE-SEP-ABDII4QYMLMHPYA5 - [0:0]
:KUBE-SEP-DV6SJO4IQHTDYRZ5 - [0:0]
:KUBE-SEP-EH66SQ2S7KAF5AVN - [0:0]
:KUBE-SEP-EM4A7OIKMC6H2HNS - [0:0]
:KUBE-SEP-GJD4Q2SPT7EL6UD2 - [0:0]
:KUBE-SEP-HEYMHQVMDGZCYJZM - [0:0]
:KUBE-SEP-HNAQAA5N5P44RFQM - [0:0]
:KUBE-SEP-I63WX7TZ7WRRCAO3 - [0:0]
:KUBE-SEP-IFO4224EIEA4JSJJ - [0:0]
:KUBE-SEP-JMFPT52EVMG2AWSX - [0:0]
:KUBE-SEP-KX23O7ZWXBQIDYQQ - [0:0]
:KUBE-SEP-LWPDFQBPELW5WK2N - [0:0]
:KUBE-SEP-N4KWIQINASDGWGIJ - [0:0]
:KUBE-SEP-QFD7WIJ65TV7YG4S - [0:0]
:KUBE-SEP-QY5RVKWGFSN5VJ6B - [0:0]
:KUBE-SEP-R2RKL262VYLJJJ6A - [0:0]
:KUBE-SEP-RF5ORNUSDLCPBDFL - [0:0]
:KUBE-SEP-SBUZYW6REI5IHNXW - [0:0]
:KUBE-SEP-U23MNYABAPTDSZ3Z - [0:0]
:KUBE-SEP-V7HFTMXQJ4MBLXA6 - [0:0]
:KUBE-SEP-WQ3TYKXP7F26PYTE - [0:0]
:KUBE-SEP-WQCEDX6RSXGUJRIH - [0:0]
:KUBE-SEP-XJLLKZMUATQQRDBE - [0:0]
:KUBE-SEP-YFMETSEPEPL5MZTR - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-2H5WWL56CE74R6US - [0:0]
:KUBE-SVC-3YSE6J6DKVCBUJMI - [0:0]
:KUBE-SVC-4KXUCK74MO3GQCXU - [0:0]
:KUBE-SVC-4L43JJRJOXWXYSYV - [0:0]
:KUBE-SVC-4M4DNSF4I6KEKCAI - [0:0]
:KUBE-SVC-6G7NRX456DTKJAZT - [0:0]
:KUBE-SVC-6HTUXGVEB5TGYK3K - [0:0]
:KUBE-SVC-6SHOD27LJ4JHFMBU - [0:0]
:KUBE-SVC-AT4GZAEQMF4HLK53 - [0:0]
:KUBE-SVC-B3QNTUNNAMROEJGW - [0:0]
:KUBE-SVC-BAGAGJF3VCWDN7J4 - [0:0]
:KUBE-SVC-BJM46V3U5RZHCFRZ - [0:0]
:KUBE-SVC-DHUDXRTLNJWBORS6 - [0:0]
:KUBE-SVC-EABB5ZD3QVIYK33K - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-F7IWZEEUI5ZAH7RS - [0:0]
:KUBE-SVC-FCXHW3UZM24LF5S3 - [0:0]
:KUBE-SVC-FPVLEE3QB77AOS4G - [0:0]
:KUBE-SVC-GJFMYARFU4V4XKG3 - [0:0]
:KUBE-SVC-HTZZPU24M3GCLVIG - [0:0]
:KUBE-SVC-I256EYRIZRR4EWBV - [0:0]
:KUBE-SVC-IB7EXPLWLWRICQP2 - [0:0]
:KUBE-SVC-IDSLTWPEKDYIGO53 - [0:0]
:KUBE-SVC-JFYOZBC5JJM6SW3E - [0:0]
:KUBE-SVC-KPEG4KXA2VRTBHTG - [0:0]
:KUBE-SVC-KV2GSBGFJ4SJNZ5U - [0:0]
:KUBE-SVC-KZ56ELFAUCIGRFV6 - [0:0]
:KUBE-SVC-KZIWI6ZSF2FW4XYS - [0:0]
:KUBE-SVC-NADYEGAMELJXYB22 - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-NVTFCNULI3Y3YUAZ - [0:0]
:KUBE-SVC-OZQJFAV7V22GSG3X - [0:0]
:KUBE-SVC-POWXKCKDC3QGLZYQ - [0:0]
:KUBE-SVC-PQQ3MNWQ6ABTL4V3 - [0:0]
:KUBE-SVC-PXI6OZZMUNBHO43Q - [0:0]
:KUBE-SVC-RFEWFH5KXN3S5IUZ - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-U3722Z4PISVTHSIP - [0:0]
:KUBE-SVC-X5DJKYMEOW7KWC7G - [0:0]
:KUBE-SVC-XHIIIAPK4PYSZYSE - [0:0]
:KUBE-SVC-XIG6MK4FMRNPQBKQ - [0:0]
:KUBE-SVC-YEKPHTHQKQIELXVJ - [0:0]
:KUBE-SVC-YN4PYMRMOF3OES5E - [0:0]
:KUBE-SVC-YNN6W32JE36JQY6C - [0:0]
:KUBE-SVC-YZZTCQRXVLATHIAK - [0:0]
:KUBE-SVC-ZI22QPPC6BY5KODT - [0:0]
:WEAVE - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.31.255.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j WEAVE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-gcr:https" -m tcp --dport 30397 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-gcr:https" -m tcp --dport 30397 -j KUBE-SVC-YNN6W32JE36JQY6C
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-oceanreleases:https" -m tcp --dport 32515 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-oceanreleases:https" -m tcp --dport 32515 -j KUBE-SVC-YZZTCQRXVLATHIAK
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs" -m tcp --dport 30000 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs" -m tcp --dport 30000 -j KUBE-SVC-OZQJFAV7V22GSG3X
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-hub:https" -m tcp --dport 30266 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-hub:https" -m tcp --dport 30266 -j KUBE-SVC-4KXUCK74MO3GQCXU
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:https" -m tcp --dport 32443 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:https" -m tcp --dport 32443 -j KUBE-SVC-BAGAGJF3VCWDN7J4
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-quay:https" -m tcp --dport 30287 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-quay:https" -m tcp --dport 30287 -j KUBE-SVC-KZIWI6ZSF2FW4XYS
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-internal:https" -m tcp --dport 30560 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-internal:https" -m tcp --dport 30560 -j KUBE-SVC-F7IWZEEUI5ZAH7RS
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-ospcfc:https" -m tcp --dport 30090 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-ospcfc:https" -m tcp --dport 30090 -j KUBE-SVC-ZI22QPPC6BY5KODT
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:http" -m tcp --dport 32080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:http" -m tcp --dport 32080 -j KUBE-SVC-6SHOD27LJ4JHFMBU
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-ocean:https" -m tcp --dport 32141 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-extra/registry-mirror-ocean:https" -m tcp --dport 32141 -j KUBE-SVC-4L43JJRJOXWXYSYV
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-2KXSWJ3G64R65RSP -s 172.31.24.16/32 -m comment --comment "kube-extra/registry-mirror-ocean:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-2KXSWJ3G64R65RSP -p tcp -m comment --comment "kube-extra/registry-mirror-ocean:https" -m tcp -j DNAT --to-destination 172.31.24.16:5000
-A KUBE-SEP-3J6NXYWQBOXIKDXB -s 172.31.56.5/32 -m comment --comment "gandalf/gandalf:" -j KUBE-MARK-MASQ
-A KUBE-SEP-3J6NXYWQBOXIKDXB -p tcp -m comment --comment "gandalf/gandalf:" -m tcp -j DNAT --to-destination 172.31.56.5:80
-A KUBE-SEP-3MOV7KWFT6UOYARV -s 172.31.16.18/32 -m comment --comment "gandalf/smtp:" -j KUBE-MARK-MASQ
-A KUBE-SEP-3MOV7KWFT6UOYARV -p tcp -m comment --comment "gandalf/smtp:" -m tcp -j DNAT --to-destination 172.31.16.18:25
-A KUBE-SEP-5H7MKIBPE32CQD3K -s 172.31.56.13/32 -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs" -j KUBE-MARK-MASQ
-A KUBE-SEP-5H7MKIBPE32CQD3K -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs" -m tcp -j DNAT --to-destination 172.31.56.13:30000
-A KUBE-SEP-ABDII4QYMLMHPYA5 -s 172.31.16.11/32 -m comment --comment "kube-system/heapster:" -j KUBE-MARK-MASQ
-A KUBE-SEP-ABDII4QYMLMHPYA5 -p tcp -m comment --comment "kube-system/heapster:" -m tcp -j DNAT --to-destination 172.31.16.11:8082
-A KUBE-SEP-DV6SJO4IQHTDYRZ5 -s 172.31.24.14/32 -m comment --comment "kufi/prometheus:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-DV6SJO4IQHTDYRZ5 -p tcp -m comment --comment "kufi/prometheus:web" -m tcp -j DNAT --to-destination 172.31.24.14:9090
-A KUBE-SEP-EH66SQ2S7KAF5AVN -s 172.31.24.1/32 -m comment --comment "kube-extra/registry-mirror-gcr:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-EH66SQ2S7KAF5AVN -p tcp -m comment --comment "kube-extra/registry-mirror-gcr:https" -m tcp -j DNAT --to-destination 172.31.24.1:5000
-A KUBE-SEP-EM4A7OIKMC6H2HNS -s 172.31.24.11/32 -m comment --comment "jetbrainslicense/prometheus:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-EM4A7OIKMC6H2HNS -p tcp -m comment --comment "jetbrainslicense/prometheus:web" -m tcp -j DNAT --to-destination 172.31.24.11:9090
-A KUBE-SEP-GJD4Q2SPT7EL6UD2 -s 172.31.28.11/32 -m comment --comment "gandalf/gandalf:" -j KUBE-MARK-MASQ
-A KUBE-SEP-GJD4Q2SPT7EL6UD2 -p tcp -m comment --comment "gandalf/gandalf:" -m tcp -j DNAT --to-destination 172.31.28.11:80
-A KUBE-SEP-HEYMHQVMDGZCYJZM -s 172.31.24.3/32 -m comment --comment "kube-extra/registry-mirror-hub:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-HEYMHQVMDGZCYJZM -p tcp -m comment --comment "kube-extra/registry-mirror-hub:https" -m tcp -j DNAT --to-destination 172.31.24.3:5000
-A KUBE-SEP-HNAQAA5N5P44RFQM -s 172.31.16.9/32 -m comment --comment "kube-e2etests-deployment-scale-service/kubee2etests:" -j KUBE-MARK-MASQ
-A KUBE-SEP-HNAQAA5N5P44RFQM -p tcp -m comment --comment "kube-e2etests-deployment-scale-service/kubee2etests:" -m tcp -j DNAT --to-destination 172.31.16.9:80
-A KUBE-SEP-I63WX7TZ7WRRCAO3 -s 172.31.16.15/32 -m comment --comment "ospcfccloudplatform/slack-proxy:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-I63WX7TZ7WRRCAO3 -p tcp -m comment --comment "ospcfccloudplatform/slack-proxy:web" -m tcp -j DNAT --to-destination 172.31.16.15:8000
-A KUBE-SEP-IFO4224EIEA4JSJJ -s 172.31.28.12/32 -m comment --comment "kube-extra/default-http-backend:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-IFO4224EIEA4JSJJ -p tcp -m comment --comment "kube-extra/default-http-backend:http" -m tcp -j DNAT --to-destination 172.31.28.12:8080
-A KUBE-SEP-JMFPT52EVMG2AWSX -s 172.31.28.9/32 -m comment --comment "kube-monitoring/kube-state-metrics:http-metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-JMFPT52EVMG2AWSX -p tcp -m comment --comment "kube-monitoring/kube-state-metrics:http-metrics" -m tcp -j DNAT --to-destination 172.31.28.9:8080
-A KUBE-SEP-KX23O7ZWXBQIDYQQ -s 172.31.24.2/32 -m comment --comment "ospcfccloudplatform/alertmanager:http-metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-KX23O7ZWXBQIDYQQ -p tcp -m comment --comment "ospcfccloudplatform/alertmanager:http-metrics" -m tcp -j DNAT --to-destination 172.31.24.2:9093
-A KUBE-SEP-LWPDFQBPELW5WK2N -s 172.31.24.19/32 -m comment --comment "kube-extra/registry-mirror-gcr:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-LWPDFQBPELW5WK2N -p tcp -m comment --comment "kube-extra/registry-mirror-gcr:https" -m tcp -j DNAT --to-destination 172.31.24.19:5000
-A KUBE-SEP-N4KWIQINASDGWGIJ -s 172.31.56.18/32 -m comment --comment "screenful/postgres:postgres" -j KUBE-MARK-MASQ
-A KUBE-SEP-N4KWIQINASDGWGIJ -p tcp -m comment --comment "screenful/postgres:postgres" -m tcp -j DNAT --to-destination 172.31.56.18:5432
-A KUBE-SEP-QFD7WIJ65TV7YG4S -s 172.31.28.14/32 -m comment --comment "ospcfccloudplatform/pagerduty-proxy:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-QFD7WIJ65TV7YG4S -p tcp -m comment --comment "ospcfccloudplatform/pagerduty-proxy:web" -m tcp -j DNAT --to-destination 172.31.28.14:8000
-A KUBE-SEP-QY5RVKWGFSN5VJ6B -s 172.31.16.12/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-QY5RVKWGFSN5VJ6B -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 172.31.16.12:53
-A KUBE-SEP-R2RKL262VYLJJJ6A -s 172.31.16.13/32 -m comment --comment "kube-extra/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-R2RKL262VYLJJJ6A -p tcp -m comment --comment "kube-extra/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 172.31.16.13:9090
-A KUBE-SEP-RF5ORNUSDLCPBDFL -s 172.31.56.8/32 -m comment --comment "cfcvisualizer/cfc1-visualizer:web" -j KUBE-MARK-MASQ
-A KUBE-SEP-RF5ORNUSDLCPBDFL -p tcp -m comment --comment "cfcvisualizer/cfc1-visualizer:web" -m tcp -j DNAT --to-destination 172.31.56.8:8080
-A KUBE-SEP-SBUZYW6REI5IHNXW -s 172.31.56.13/32 -m comment --comment "kube-extra/nginx-ingress-controller:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-SBUZYW6REI5IHNXW -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:https" -m tcp -j DNAT --to-destination 172.31.56.13:443
-A KUBE-SEP-U23MNYABAPTDSZ3Z -s 172.31.56.13/32 -m comment --comment "kube-extra/nginx-ingress-controller:http" -j KUBE-MARK-MASQ
-A KUBE-SEP-U23MNYABAPTDSZ3Z -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:http" -m tcp -j DNAT --to-destination 172.31.56.13:80
-A KUBE-SEP-V7HFTMXQJ4MBLXA6 -s 172.31.16.17/32 -m comment --comment "kube-e2etests-http-update/kubee2etests:" -j KUBE-MARK-MASQ
-A KUBE-SEP-V7HFTMXQJ4MBLXA6 -p tcp -m comment --comment "kube-e2etests-http-update/kubee2etests:" -m tcp -j DNAT --to-destination 172.31.16.17:80
-A KUBE-SEP-WQ3TYKXP7F26PYTE -s 172.31.24.17/32 -m comment --comment "kube-extra/registry-mirror-ospcfc:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-WQ3TYKXP7F26PYTE -p tcp -m comment --comment "kube-extra/registry-mirror-ospcfc:https" -m tcp -j DNAT --to-destination 172.31.24.17:5000
-A KUBE-SEP-WQCEDX6RSXGUJRIH -s 10.118.10.109/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-WQCEDX6RSXGUJRIH -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-WQCEDX6RSXGUJRIH --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.118.10.109:443
-A KUBE-SEP-XJLLKZMUATQQRDBE -s 172.31.24.7/32 -m comment --comment "kube-extra/registry-mirror-oceanreleases:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-XJLLKZMUATQQRDBE -p tcp -m comment --comment "kube-extra/registry-mirror-oceanreleases:https" -m tcp -j DNAT --to-destination 172.31.24.7:5000
-A KUBE-SEP-YFMETSEPEPL5MZTR -s 172.31.16.12/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-YFMETSEPEPL5MZTR -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 172.31.16.12:53
-A KUBE-SERVICES -d 172.31.129.114/32 -p tcp -m comment --comment "cfcoutbounddocs/template-hook:template-hook cluster IP" -m tcp --dport 80 -j KUBE-SVC-XIG6MK4FMRNPQBKQ
-A KUBE-SERVICES -d 172.31.129.209/32 -p tcp -m comment --comment "kube-monitoring/e2etests-status:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-FCXHW3UZM24LF5S3
-A KUBE-SERVICES -d 172.31.129.5/32 -p tcp -m comment --comment "kube-extra/registry-mirror-gcr:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-YNN6W32JE36JQY6C
-A KUBE-SERVICES -d 172.31.130.83/32 -p tcp -m comment --comment "kube-extra/prometheus-operator:http cluster IP" -m tcp --dport 8080 -j KUBE-SVC-JFYOZBC5JJM6SW3E
-A KUBE-SERVICES -d 172.31.129.52/32 -p tcp -m comment --comment "isup/isup: cluster IP" -m tcp --dport 80 -j KUBE-SVC-IDSLTWPEKDYIGO53
-A KUBE-SERVICES -d 172.31.129.45/32 -p tcp -m comment --comment "kube-extra/registry-mirror-oceanreleases:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-YZZTCQRXVLATHIAK
-A KUBE-SERVICES -d 172.31.128.26/32 -p tcp -m comment --comment "kube-e2etests-http/kubee2etests: cluster IP" -m tcp --dport 10 -j KUBE-SVC-DHUDXRTLNJWBORS6
-A KUBE-SERVICES -d 172.31.131.105/32 -p tcp -m comment --comment "screenful/screenful:api cluster IP" -m tcp --dport 4000 -j KUBE-SVC-4M4DNSF4I6KEKCAI
-A KUBE-SERVICES -d 172.31.129.233/32 -p tcp -m comment --comment "kube-extra/default-http-backend:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-3YSE6J6DKVCBUJMI
-A KUBE-SERVICES -d 172.31.128.150/32 -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs cluster IP" -m tcp --dport 30000 -j KUBE-SVC-OZQJFAV7V22GSG3X
-A KUBE-SERVICES -d 172.31.128.186/32 -p tcp -m comment --comment "kube-e2etests-http-update/kubee2etests: cluster IP" -m tcp --dport 10 -j KUBE-SVC-XHIIIAPK4PYSZYSE
-A KUBE-SERVICES -d 172.31.128.207/32 -p tcp -m comment --comment "jetbrainslicense/prometheus:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-B3QNTUNNAMROEJGW
-A KUBE-SERVICES -d 172.31.129.97/32 -p tcp -m comment --comment "cfcoutbounddocs/gollum:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-KPEG4KXA2VRTBHTG
-A KUBE-SERVICES -d 172.31.128.137/32 -p tcp -m comment --comment "screenful/postgres:postgres cluster IP" -m tcp --dport 5432 -j KUBE-SVC-2H5WWL56CE74R6US
-A KUBE-SERVICES -d 172.31.128.2/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 172.31.129.64/32 -p tcp -m comment --comment "kube-extra/registry-mirror-hub:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-4KXUCK74MO3GQCXU
-A KUBE-SERVICES -d 172.31.131.99/32 -p tcp -m comment --comment "kube-monitoring/kube-state-metrics:http-metrics cluster IP" -m tcp --dport 8080 -j KUBE-SVC-AT4GZAEQMF4HLK53
-A KUBE-SERVICES -d 172.31.128.124/32 -p tcp -m comment --comment "ospcfccloudplatform/pagerduty-proxy:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-RFEWFH5KXN3S5IUZ
-A KUBE-SERVICES -d 172.31.128.150/32 -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-BAGAGJF3VCWDN7J4
-A KUBE-SERVICES -d 172.31.129.121/32 -p tcp -m comment --comment "cfcvisualizer/cfc1-visualizer:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-IB7EXPLWLWRICQP2
-A KUBE-SERVICES -d 172.31.128.176/32 -p tcp -m comment --comment "kube-monitoring/e2etests-prometheus:prometheus cluster IP" -m tcp --dport 80 -j KUBE-SVC-NADYEGAMELJXYB22
-A KUBE-SERVICES -d 172.31.128.51/32 -p tcp -m comment --comment "kufi/kufi:http-metrics cluster IP" -m tcp --dport 80 -j KUBE-SVC-PQQ3MNWQ6ABTL4V3
-A KUBE-SERVICES -d 172.31.128.2/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 172.31.129.203/32 -p tcp -m comment --comment "kube-monitoring/weave-scope-app:app cluster IP" -m tcp --dport 80 -j KUBE-SVC-NVTFCNULI3Y3YUAZ
-A KUBE-SERVICES -d 172.31.128.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 172.31.129.224/32 -p tcp -m comment --comment "kube-extra/registry-mirror-quay:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-KZIWI6ZSF2FW4XYS
-A KUBE-SERVICES -d 172.31.128.233/32 -p tcp -m comment --comment "kube-extra/registry-mirror-internal:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-F7IWZEEUI5ZAH7RS
-A KUBE-SERVICES -d 172.31.128.181/32 -p tcp -m comment --comment "kube-monitoring/grafana:web cluster IP" -m tcp --dport 3000 -j KUBE-SVC-X5DJKYMEOW7KWC7G
-A KUBE-SERVICES -d 172.31.130.89/32 -p tcp -m comment --comment "gandalf/gandalf: cluster IP" -m tcp --dport 80 -j KUBE-SVC-GJFMYARFU4V4XKG3
-A KUBE-SERVICES -d 172.31.130.115/32 -p tcp -m comment --comment "kube-monitoring/prometheus:web cluster IP" -m tcp --dport 9090 -j KUBE-SVC-U3722Z4PISVTHSIP
-A KUBE-SERVICES -d 172.31.129.122/32 -p tcp -m comment --comment "jetbrainslicense/app:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-FPVLEE3QB77AOS4G
-A KUBE-SERVICES -d 172.31.128.244/32 -p tcp -m comment --comment "ospcfccloudplatform/slack-proxy:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-PXI6OZZMUNBHO43Q
-A KUBE-SERVICES -d 172.31.128.60/32 -p tcp -m comment --comment "kube-e2etests-deployment-scale-service/kubee2etests: cluster IP" -m tcp --dport 10 -j KUBE-SVC-I256EYRIZRR4EWBV
-A KUBE-SERVICES -d 172.31.128.77/32 -p tcp -m comment --comment "cfcvisualizer/cfc2-visualizer:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-6HTUXGVEB5TGYK3K
-A KUBE-SERVICES -d 172.31.128.113/32 -p tcp -m comment --comment "plantuml/plantuml:web cluster IP" -m tcp --dport 8080 -j KUBE-SVC-6G7NRX456DTKJAZT
-A KUBE-SERVICES -d 172.31.129.155/32 -p tcp -m comment --comment "cfcoutbounddocs/wiki-hook:wiki-hook cluster IP" -m tcp --dport 80 -j KUBE-SVC-EABB5ZD3QVIYK33K
-A KUBE-SERVICES -d 172.31.131.39/32 -p tcp -m comment --comment "kube-system/heapster: cluster IP" -m tcp --dport 80 -j KUBE-SVC-BJM46V3U5RZHCFRZ
-A KUBE-SERVICES -d 172.31.130.40/32 -p tcp -m comment --comment "kube-extra/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-KZ56ELFAUCIGRFV6
-A KUBE-SERVICES -d 172.31.131.105/32 -p tcp -m comment --comment "screenful/screenful:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-YN4PYMRMOF3OES5E
-A KUBE-SERVICES -d 172.31.131.239/32 -p tcp -m comment --comment "ospcfccloudplatform/alertmanager:http-metrics cluster IP" -m tcp --dport 9090 -j KUBE-SVC-KV2GSBGFJ4SJNZ5U
-A KUBE-SERVICES -d 172.31.128.188/32 -p tcp -m comment --comment "kube-extra/registry-mirror-ospcfc:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-ZI22QPPC6BY5KODT
-A KUBE-SERVICES -d 172.31.131.185/32 -p tcp -m comment --comment "kufi/prometheus:web cluster IP" -m tcp --dport 80 -j KUBE-SVC-YEKPHTHQKQIELXVJ
-A KUBE-SERVICES -d 172.31.129.48/32 -p tcp -m comment --comment "kube-e2etests-deployment-service/kubee2etests: cluster IP" -m tcp --dport 10 -j KUBE-SVC-POWXKCKDC3QGLZYQ
-A KUBE-SERVICES -d 172.31.128.150/32 -p tcp -m comment --comment "kube-extra/nginx-ingress-controller:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-6SHOD27LJ4JHFMBU
-A KUBE-SERVICES -d 172.31.128.56/32 -p tcp -m comment --comment "gandalf/smtp: cluster IP" -m tcp --dport 25 -j KUBE-SVC-HTZZPU24M3GCLVIG
-A KUBE-SERVICES -d 172.31.129.96/32 -p tcp -m comment --comment "kube-extra/registry-mirror-ocean:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-4L43JJRJOXWXYSYV
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-2H5WWL56CE74R6US -m comment --comment "screenful/postgres:postgres" -j KUBE-SEP-N4KWIQINASDGWGIJ
-A KUBE-SVC-3YSE6J6DKVCBUJMI -m comment --comment "kube-extra/default-http-backend:http" -j KUBE-SEP-IFO4224EIEA4JSJJ
-A KUBE-SVC-4KXUCK74MO3GQCXU -m comment --comment "kube-extra/registry-mirror-hub:https" -j KUBE-SEP-HEYMHQVMDGZCYJZM
-A KUBE-SVC-4L43JJRJOXWXYSYV -m comment --comment "kube-extra/registry-mirror-ocean:https" -j KUBE-SEP-2KXSWJ3G64R65RSP
-A KUBE-SVC-6SHOD27LJ4JHFMBU -m comment --comment "kube-extra/nginx-ingress-controller:http" -j KUBE-SEP-U23MNYABAPTDSZ3Z
-A KUBE-SVC-AT4GZAEQMF4HLK53 -m comment --comment "kube-monitoring/kube-state-metrics:http-metrics" -j KUBE-SEP-JMFPT52EVMG2AWSX
-A KUBE-SVC-B3QNTUNNAMROEJGW -m comment --comment "jetbrainslicense/prometheus:web" -j KUBE-SEP-EM4A7OIKMC6H2HNS
-A KUBE-SVC-BAGAGJF3VCWDN7J4 -m comment --comment "kube-extra/nginx-ingress-controller:https" -j KUBE-SEP-SBUZYW6REI5IHNXW
-A KUBE-SVC-BJM46V3U5RZHCFRZ -m comment --comment "kube-system/heapster:" -j KUBE-SEP-ABDII4QYMLMHPYA5
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-YFMETSEPEPL5MZTR
-A KUBE-SVC-GJFMYARFU4V4XKG3 -m comment --comment "gandalf/gandalf:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-GJD4Q2SPT7EL6UD2
-A KUBE-SVC-GJFMYARFU4V4XKG3 -m comment --comment "gandalf/gandalf:" -j KUBE-SEP-3J6NXYWQBOXIKDXB
-A KUBE-SVC-HTZZPU24M3GCLVIG -m comment --comment "gandalf/smtp:" -j KUBE-SEP-3MOV7KWFT6UOYARV
-A KUBE-SVC-I256EYRIZRR4EWBV -m comment --comment "kube-e2etests-deployment-scale-service/kubee2etests:" -j KUBE-SEP-HNAQAA5N5P44RFQM
-A KUBE-SVC-IB7EXPLWLWRICQP2 -m comment --comment "cfcvisualizer/cfc1-visualizer:web" -j KUBE-SEP-RF5ORNUSDLCPBDFL
-A KUBE-SVC-KV2GSBGFJ4SJNZ5U -m comment --comment "ospcfccloudplatform/alertmanager:http-metrics" -j KUBE-SEP-KX23O7ZWXBQIDYQQ
-A KUBE-SVC-KZ56ELFAUCIGRFV6 -m comment --comment "kube-extra/kubernetes-dashboard:" -j KUBE-SEP-R2RKL262VYLJJJ6A
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-WQCEDX6RSXGUJRIH --mask 255.255.255.255 --rsource -j KUBE-SEP-WQCEDX6RSXGUJRIH
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-WQCEDX6RSXGUJRIH
-A KUBE-SVC-OZQJFAV7V22GSG3X -m comment --comment "kube-extra/nginx-ingress-controller:scanningrig-freezer-wcs" -j KUBE-SEP-5H7MKIBPE32CQD3K
-A KUBE-SVC-PXI6OZZMUNBHO43Q -m comment --comment "ospcfccloudplatform/slack-proxy:web" -j KUBE-SEP-I63WX7TZ7WRRCAO3
-A KUBE-SVC-RFEWFH5KXN3S5IUZ -m comment --comment "ospcfccloudplatform/pagerduty-proxy:web" -j KUBE-SEP-QFD7WIJ65TV7YG4S
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-QY5RVKWGFSN5VJ6B
-A KUBE-SVC-XHIIIAPK4PYSZYSE -m comment --comment "kube-e2etests-http-update/kubee2etests:" -j KUBE-SEP-V7HFTMXQJ4MBLXA6
-A KUBE-SVC-YEKPHTHQKQIELXVJ -m comment --comment "kufi/prometheus:web" -j KUBE-SEP-DV6SJO4IQHTDYRZ5
-A KUBE-SVC-YNN6W32JE36JQY6C -m comment --comment "kube-extra/registry-mirror-gcr:https" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EH66SQ2S7KAF5AVN
-A KUBE-SVC-YNN6W32JE36JQY6C -m comment --comment "kube-extra/registry-mirror-gcr:https" -j KUBE-SEP-LWPDFQBPELW5WK2N
-A KUBE-SVC-YZZTCQRXVLATHIAK -m comment --comment "kube-extra/registry-mirror-oceanreleases:https" -j KUBE-SEP-XJLLKZMUATQQRDBE
-A KUBE-SVC-ZI22QPPC6BY5KODT -m comment --comment "kube-extra/registry-mirror-ospcfc:https" -j KUBE-SEP-WQ3TYKXP7F26PYTE
-A WEAVE -s 172.31.0.0/17 -d 224.0.0.0/4 -j RETURN
-A WEAVE ! -s 172.31.0.0/17 -d 172.31.0.0/17 -j MASQUERADE
-A WEAVE -s 172.31.0.0/17 ! -d 172.31.0.0/17 -j MASQUERADE
COMMIT
# Completed on Mon Feb 26 10:48:08 2018
# Generated by iptables-save v1.4.21 on Mon Feb 26 10:48:08 2018
*filter
:INPUT ACCEPT [245:420936]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [292:280248]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
:WEAVE-IPSEC-IN - [0:0]
:WEAVE-NPC - [0:0]
:WEAVE-NPC-DEFAULT - [0:0]
:WEAVE-NPC-INGRESS - [0:0]
-A INPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -j WEAVE-IPSEC-IN
-A FORWARD -o weave -m comment --comment "NOTE: this must go before \'-j KUBE-FORWARD\'" -j WEAVE-NPC
-A FORWARD -o weave -m state --state NEW -j NFLOG --nflog-group 86
-A FORWARD -o weave -j DROP
-A FORWARD -i weave ! -o weave -j ACCEPT
-A FORWARD -o weave -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m comment --comment "kubernetes forward rules" -j KUBE-FORWARD
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT ! -p esp -m policy --dir out --pol none -m mark --mark 0x20000/0x20000 -j DROP
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-SERVICES -d 172.31.129.114/32 -p tcp -m comment --comment "cfcoutbounddocs/template-hook:template-hook has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.209/32 -p tcp -m comment --comment "kube-monitoring/e2etests-status:http has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.130.83/32 -p tcp -m comment --comment "kube-extra/prometheus-operator:http has no endpoints" -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.52/32 -p tcp -m comment --comment "isup/isup: has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.26/32 -p tcp -m comment --comment "kube-e2etests-http/kubee2etests: has no endpoints" -m tcp --dport 10 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.131.105/32 -p tcp -m comment --comment "screenful/screenful:api has no endpoints" -m tcp --dport 4000 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.97/32 -p tcp -m comment --comment "cfcoutbounddocs/gollum:http has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.176/32 -p tcp -m comment --comment "kube-monitoring/e2etests-prometheus:prometheus has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.51/32 -p tcp -m comment --comment "kufi/kufi:http-metrics has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.203/32 -p tcp -m comment --comment "kube-monitoring/weave-scope-app:app has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -p tcp -m comment --comment "kube-extra/registry-mirror-quay:https has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30287 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.224/32 -p tcp -m comment --comment "kube-extra/registry-mirror-quay:https has no endpoints" -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -p tcp -m comment --comment "kube-extra/registry-mirror-internal:https has no endpoints" -m addrtype --dst-type LOCAL -m tcp --dport 30560 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.233/32 -p tcp -m comment --comment "kube-extra/registry-mirror-internal:https has no endpoints" -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.181/32 -p tcp -m comment --comment "kube-monitoring/grafana:web has no endpoints" -m tcp --dport 3000 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.130.115/32 -p tcp -m comment --comment "kube-monitoring/prometheus:web has no endpoints" -m tcp --dport 9090 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.122/32 -p tcp -m comment --comment "jetbrainslicense/app:web has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.77/32 -p tcp -m comment --comment "cfcvisualizer/cfc2-visualizer:web has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.128.113/32 -p tcp -m comment --comment "plantuml/plantuml:web has no endpoints" -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.155/32 -p tcp -m comment --comment "cfcoutbounddocs/wiki-hook:wiki-hook has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.131.105/32 -p tcp -m comment --comment "screenful/screenful:web has no endpoints" -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A KUBE-SERVICES -d 172.31.129.48/32 -p tcp -m comment --comment "kube-e2etests-deployment-service/kubee2etests: has no endpoints" -m tcp --dport 10 -j REJECT --reject-with icmp-port-unreachable
-A WEAVE-NPC -m state --state RELATED,ESTABLISHED -j ACCEPT
-A WEAVE-NPC -d 224.0.0.0/4 -j ACCEPT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-DEFAULT
-A WEAVE-NPC -m state --state NEW -j WEAVE-NPC-INGRESS
-A WEAVE-NPC -m set ! --match-set weave-local-pods dst -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-#EheO3ZItEJ.^x%PP*MH[/9E+ dst -m comment --comment "DefaultAllow isolation for namespace: gandalf" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-.fv|;78)[sGktF6)=*]jI4Tzo dst -m comment --comment "DefaultAllow isolation for namespace: gitlabrunnerocean" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-GaJTl9EvYyV)Ui{J20t!7~+(H dst -m comment --comment "DefaultAllow isolation for namespace: kube-extra" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-t9WH]%=*W+xUp]c*NGE.lh258 dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment-scale" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-;oEHxPZ|LYQq3KH=Z7.9+WiZz dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-service" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-?b%zl9GIe0AET1(QI^7NWe*fO dst -m comment --comment "DefaultAllow isolation for namespace: kube-system" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-TzHghne5mZ=1atGdjfBnT]l$t dst -m comment --comment "DefaultAllow isolation for namespace: screenful" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-zcX@UIG[?l$U%$E#%D$#coMtR dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment-pvc" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-!PXEDV0])TiN5$Ka{}?|Y=T@v dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment-scale-service" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-+lUL3KHugjNi|hV_4BE)7KB6( dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment-service" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-J|~O_zT{YJG@Wk1K*J4Xa%F~6 dst -m comment --comment "DefaultAllow isolation for namespace: plantuml" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-E.1.0W^NGSp]0_t5WwH/]gX@L dst -m comment --comment "DefaultAllow isolation for namespace: default" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-x3(I@nj+n0UeHz:1s[0Vtq$^E dst -m comment --comment "DefaultAllow isolation for namespace: jira" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-_;}sn~[IsWL91CmlA^OZ.YFNF dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-B#x0ps?1iBmscA+9EEF*O!tL] dst -m comment --comment "DefaultAllow isolation for namespace: kube-monitoring" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-0EHD/vdN#O4]V?o4Tx7kS;APH dst -m comment --comment "DefaultAllow isolation for namespace: kube-public" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-[^!sa.btx]%tLV%@B+ydb3pnv dst -m comment --comment "DefaultAllow isolation for namespace: wibble" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-m;%)4zjL=PkY4X+f:!KDJzo^t dst -m comment --comment "DefaultAllow isolation for namespace: cfcoutbounddocs" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-iwih12$kp.{h5MubUa7Sry;KH dst -m comment --comment "DefaultAllow isolation for namespace: k8sbackup" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-0n[?CWWqs9TdzQdqfi7u!sR~$ dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-deployment-update" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-gzf@2cfciqd8j{O]xX/V=.FuB dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-http-update" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-nsgme7?2w4ng/cvjqQ[Q]9kgb dst -m comment --comment "DefaultAllow isolation for namespace: referee" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-o*_v7aCg6Eoi|c??FXQ=FNfJz dst -m comment --comment "DefaultAllow isolation for namespace: cfcvisualizer" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-x_{Gk/BE.SzODFcYd~mr*{qjr dst -m comment --comment "DefaultAllow isolation for namespace: gitlab-ci-runner" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-!94c*z+5Z4_*UnD=wQYvR7VK5 dst -m comment --comment "DefaultAllow isolation for namespace: gitlabrunneratmosphere" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-Ht2!qT$(=SFvg.@H+.YIa**?7 dst -m comment --comment "DefaultAllow isolation for namespace: jetbrainslicense" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-x@!J22P{IAf[##kV$XcGDgU.P dst -m comment --comment "DefaultAllow isolation for namespace: kufi" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-o*_rB|Y:TBp_x(GZUtHh@oaoU dst -m comment --comment "DefaultAllow isolation for namespace: gitlabrunnerospcfc" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-k}p)VSR73ma+sXQn^Y)jrb2sV dst -m comment --comment "DefaultAllow isolation for namespace: isup" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-x69P=(mxyEVYqgnA8vGKCD%@S dst -m comment --comment "DefaultAllow isolation for namespace: kube-e2etests-http" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-vzOp$M]@$|DaK5T+^CH|V|%?q dst -m comment --comment "DefaultAllow isolation for namespace: ospcfccloudplatform" -j ACCEPT
-A WEAVE-NPC-DEFAULT -m set --match-set weave-j~!0[i?Vp[9oXoRhHYQe.;6uf dst -m comment --comment "DefaultAllow isolation for namespace: someappid-old" -j ACCEPT
-A WEAVE-NPC-INGRESS -p udp -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC src -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC dst -m udp --dport 6783 -m comment --comment "pods: namespace: kube-system, selector: name=weave-net -> pods: namespace: kube-system, selector: name=weave-net" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC src -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC dst -m tcp --dport 6784 -m comment --comment "pods: namespace: kube-system, selector: name=weave-net -> pods: namespace: kube-system, selector: name=weave-net" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-EILUbui)olb+;L0.jx^wcdopt src -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC dst -m tcp --dport 6782 -m comment --comment "namespaces: selector: appId=kube,component=monitoring -> pods: namespace: kube-system, selector: name=weave-net" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC src -m set --match-set weave-zEoo^_Rj?zrFYdzVmFr+/0pSC dst -m tcp --dport 6783 -m comment --comment "pods: namespace: kube-system, selector: name=weave-net -> pods: namespace: kube-system, selector: name=weave-net" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-9_PlPr(s6{H85!WoFBPVFC#9u dst -m tcp --dport 8080 -m comment --comment "anywhere -> pods: namespace: plantuml, selector: app=plantuml" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-p][tP41OWT#]xFiMbn*qOsqqk dst -m tcp --dport 80 -m comment --comment "anywhere -> pods: namespace: cfcoutbounddocs, selector: app=cfcoutbounddocs" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-p][tP41OWT#]xFiMbn*qOsqqk dst -m tcp --dport 8081 -m comment --comment "anywhere -> pods: namespace: cfcoutbounddocs, selector: app=cfcoutbounddocs" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-p][tP41OWT#]xFiMbn*qOsqqk dst -m tcp --dport 8082 -m comment --comment "anywhere -> pods: namespace: cfcoutbounddocs, selector: app=cfcoutbounddocs" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-psK~Lggl{2*BD]fxz.!{Xu){s dst -m tcp --dport 3000 -m comment --comment "anywhere -> pods: namespace: kube-monitoring, selector: app=grafana" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-f(o|hf6K([;umS[JRWSHgn/3L dst -m tcp --dport 9090 -m comment --comment "anywhere -> pods: namespace: kube-monitoring, selector: app=prometheus,prometheus=k8s" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-!c9pI_##3e58_C5?kpcLE3U:M dst -m tcp --dport 4040 -m comment --comment "anywhere -> pods: namespace: kube-monitoring, selector: app=weave-scope,weave-scope-component=app" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-EILUbui)olb+;L0.jx^wcdopt src -m set --match-set weave-Q[jhI=WQ~)k6~AgT2mcT$dg[c dst -m tcp --dport 10252 -m comment --comment "namespaces: selector: appId=kube,component=monitoring -> pods: namespace: kube-system, selector: k8s-app=kube-controller-manager" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-QYIlr%V?kjp#HJ7cHYQjMOivC dst -m tcp --dport 4000 -m comment --comment "anywhere -> pods: namespace: screenful, selector: app=screenful" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-QYIlr%V?kjp#HJ7cHYQjMOivC dst -m tcp --dport 80 -m comment --comment "anywhere -> pods: namespace: screenful, selector: app=screenful" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-ST*pe=)mU+~l#ghpA0xl5M[J} dst -m tcp --dport 8080 -m comment --comment "anywhere -> pods: namespace: cfcvisualizer, selector: app=cfcvisualizer" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-ST*pe=)mU+~l#ghpA0xl5M[J} dst -m tcp --dport 8081 -m comment --comment "anywhere -> pods: namespace: cfcvisualizer, selector: app=cfcvisualizer" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-$?1kPZe/X%44ZOmOods4]Ib}N dst -m tcp --dport 8081 -m comment --comment "anywhere -> pods: namespace: kube-monitoring, selector: app=e2etests" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-f(o|hf6K([;umS[JRWSHgn/3L src -m set --match-set weave-$?1kPZe/X%44ZOmOods4]Ib}N dst -m tcp --dport 9102 -m comment --comment "pods: namespace: kube-monitoring, selector: app=prometheus,prometheus=k8s -> pods: namespace: kube-monitoring, selector: app=e2etests" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-EILUbui)olb+;L0.jx^wcdopt src -m set --match-set weave-?%D#jARXI/G:A}z8dn=9/Eq.L dst -m tcp --dport 10251 -m comment --comment "namespaces: selector: appId=kube,component=monitoring -> pods: namespace: kube-system, selector: k8s-app=kube-scheduler" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-QYIlr%V?kjp#HJ7cHYQjMOivC src -m set --match-set weave-5*HDryZlO=b4*738kizjErDH) dst -m tcp --dport 5432 -m comment --comment "pods: namespace: screenful, selector: app=screenful -> pods: namespace: screenful, selector: app=postgres" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-vwjtOZ;zXcva[Wp=L)BmY|SI9 dst -m tcp --dport 8080 -m comment --comment "anywhere -> pods: namespace: kube-monitoring, selector: app=kube-state-metrics" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-f(o|hf6K([;umS[JRWSHgn/3L src -m set --match-set weave-!0?~=:Rt]u)YW7GBSl]BUCc^Z dst -m tcp --dport 9100 -m comment --comment "pods: namespace: kube-monitoring, selector: app=prometheus,prometheus=k8s -> pods: namespace: kube-monitoring, selector: app=node-exporter" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-AP^MH|~0Y8)_jx|h6*p%/F[vH dst -m tcp --dport 443 -m comment --comment "anywhere -> pods: namespace: kube-system, selector: k8s-app=kube-apiserver" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-EILUbui)olb+;L0.jx^wcdopt src -m set --match-set weave-g2L[E!OSd/v~?QhC7d{GUA2^[ dst -m tcp --dport 10054 -m comment --comment "namespaces: selector: appId=kube,component=monitoring -> pods: namespace: kube-system, selector: k8s-app=kube-dns" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-EILUbui)olb+;L0.jx^wcdopt src -m set --match-set weave-g2L[E!OSd/v~?QhC7d{GUA2^[ dst -m tcp --dport 10055 -m comment --comment "namespaces: selector: appId=kube,component=monitoring -> pods: namespace: kube-system, selector: k8s-app=kube-dns" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-g2L[E!OSd/v~?QhC7d{GUA2^[ dst -m tcp --dport 53 -m comment --comment "anywhere -> pods: namespace: kube-system, selector: k8s-app=kube-dns" -j ACCEPT
-A WEAVE-NPC-INGRESS -p udp -m set --match-set weave-g2L[E!OSd/v~?QhC7d{GUA2^[ dst -m udp --dport 53 -m comment --comment "anywhere -> pods: namespace: kube-system, selector: k8s-app=kube-dns" -j ACCEPT
-A WEAVE-NPC-INGRESS -p tcp -m set --match-set weave-fMg_;:uQnd6|.+W$[ZPB/K2B] dst -m tcp --dport 8082 -m comment --comment "anywhere -> pods: namespace: kube-system, selector: k8s-app=heapster" -j ACCEPT
COMMIT

About this issue

  • State: open
  • Created 6 years ago
  • Comments: 45 (19 by maintainers)

Most upvoted comments

Is this only on one node or on several?

That path should be mapped (by the DaemonSet) from /var/lib/weave - could you run lsof on the host and see if something else has the file open?
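An added example, not part of the original comment or of Weave's own code: BoltDB takes an flock on its database file and reports `timeout` when it cannot get it, so the kernel lock table answers the same question as `lsof`. The script matches the file's inode against `/proc/locks`; the sample table, its PIDs and inodes are constructed.

```shell
#!/bin/sh
# Added example: list processes holding or waiting for a lock on the boltDB file.
# DB defaults to the host side of the mapping named in the comment above.
DB="${DB:-/var/lib/weave/weave-netdata.db}"

# lock_holders INODE   (reads /proc/locks-format text on stdin)
# Prints "PID TYPE MODE STATE" for every lock entry on that inode.
lock_holders() {
    awk -v ino="$1" '
    {
        state = "held"; i = 2
        # A blocked request is listed as "N: -> TYPE ..." under its blocker.
        if ($2 == "->") { state = "waiting"; i = 3 }
        # From field i: TYPE ADVISORY|MANDATORY READ|WRITE PID MAJ:MIN:INODE START END
        if (split($(i + 4), dev, ":") == 3 && dev[3] == ino)
            print $(i + 3), $i, $(i + 2), state
    }'
}

# Constructed sample in /proc/locks format (PIDs and inodes are made up).
sample_locks() {
    cat <<'SAMPLE'
1: POSIX  ADVISORY  WRITE 812 00:14:9321 0 EOF
2: FLOCK  ADVISORY  WRITE 4519 08:09:1576210 0 EOF
2: -> FLOCK  ADVISORY  WRITE 27133 08:09:1576210 0 EOF
3: FLOCK  ADVISORY  READ 990 08:09:42 0 EOF
SAMPLE
}

if [ -e "$DB" ]; then
    # On a node: inode of the DB file, matched against the kernel lock table.
    lock_holders "$(stat -c %i "$DB")" < /proc/locks |
    while read -r pid type mode state; do
        cmd="$(cat "/proc/$pid/cmdline" 2>/dev/null | tr '\0' ' ')"
        echo "$type $mode lock $state by pid $pid: ${cmd:-<unknown>}"
    done
else
    echo "no $DB here; running on the constructed sample instead:"
    sample_locks | lock_holders 1576210
fi
```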