Sheogorath authored
Currently there is an issue that the kube-apiserver can't reach the
metallb admission webhook, which results in the inability to sync any
metallb objects.

The reason why this doesn't work is not completely understood yet. It
uses an IP address from the Pod CIDR (10.1.0.0/16) which is blocked by
the network policies. No single pod has this IP address according to
`kubectl get pods --all-namespaces -o wide`, which displays the Pods
along with their IP addresses.

This makes sense, given that the kube-apiserver is a host/node Pod,
which is directly defined in the kubelet configuration of the
control-plane node, which also runs in the host network. As a result,
the pod has no regular Pod IP from the Pod IP address space.

For debugging, I used a calico log rule, which is based on the calico
network policies.

Reference:
https://projectcalico.docs.tigera.io/archive/v3.23/security/calico-network-policy#generate-logs-for-specific-traffic
03cb6f84
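The kind of Calico log rule the commit message refers to, written here as an added example (not the commit's own manifest): it logs, without blocking, every TCP packet from the Pod CIDR 10.1.0.0/16 that arrives at the metallb webhook pods, so the source address the kube-apiserver actually uses shows up in the node's kernel log. The namespace `metallb-system`, the webhook label `app.kubernetes.io/component: webhook` and container port 9443 are assumptions and must be adjusted to the real deployment.

```yaml
# Added example: Calico NetworkPolicy whose only rule is Log.
# A Log rule records the packet and then falls through to the next policy,
# so it diagnoses the drop without changing what is allowed.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: debug-log-webhook-ingress
  namespace: metallb-system          # assumed namespace of the metallb webhook
spec:
  # Low order value so this policy is evaluated before the restrictive ones.
  order: 10
  # Assumed label of the metallb webhook pods; check with
  # `kubectl get pods -n metallb-system --show-labels`.
  selector: app.kubernetes.io/component == 'webhook'
  types:
    - Ingress
  ingress:
    - action: Log
      protocol: TCP
      source:
        # Pod CIDR from the commit message; the unexplained source IP is in here.
        nets:
          - 10.1.0.0/16
      destination:
        ports:
          - 9443                     # assumed webhook container port
```

Logged packets appear in the kernel log of the node hosting the webhook pod (for example via `journalctl -k`), prefixed with `calico-packet:`, and the recorded source address can be compared against `kubectl get pods --all-namespaces -o wide`. Remove the policy once the source is identified, since every matching packet produces a log line.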