Port-forward drops connection to pod after first connection #1169
@mkfdoherty: This issue is currently awaiting triage. SIG CLI takes a lead on issue triage for this repo, but any Kubernetes member can accept issues by applying the triage/accepted label. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Possibly related to kubernetes/kubernetes#103526. Though that should have only had an effect when the pod dies anyways. We just stopped hiding the broken behavior. We want to rewrite the port forward for this release as well. |
@eddiezane Yes, I think this is probably related to the "fix" in kubernetes/kubernetes#103526. I put "fix" in quotes because the fix was to allow port-forward to fail when there is an error instead of getting stuck in an unrecoverable non-failed state that can never process connections again. @mkfdoherty You mentioned that this is expected behavior:
But I'm guessing that you continue to get connection refused even though the pod has failed and restarted. It says it is handling the connection, but it fails every time, so it's not really forwarding them. In this case port-forward is still technically running (from a process standpoint on your local machine), but is never able to forward connections again until you stop and restart it. This was the behavior of kubectl prior to 1.23.0.

@mkfdoherty Can you double-check the kubectl version you were using in both cases? I don't think this problem should depend on the cluster version, which is why I'm asking. It would surprise me if port-forward behaved differently with the same kubectl version depending on the cluster version. Also, can you check whether your pod restarted while port-forward was running? If that happens, the behavior from kubectl 1.23.0 and later is for the port-forward to exit.

For reference, I tried reproducing using kubectl 1.23.1 with a 1.24.0-alpha cluster and also with a 1.21 cluster (this one an EKS cluster). I was starting a tcp echo server, like this:
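Something along these lines (a sketch; the exact image and port used in the original test are not shown here, so these are assumptions):

```sh
# Run a TCP echo server in the cluster; alpine/socat echoes input back (EXEC:cat)
kubectl run tcp-echo --image=alpine/socat --port=9000 -- \
  TCP-LISTEN:9000,fork,reuseaddr EXEC:cat
```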
Then connecting like this:
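Again as a sketch, matching the assumed pod and port above:

```sh
kubectl port-forward pod/tcp-echo 9000:9000
# in another terminal, open and cleanly close a connection:
nc -v localhost 9000
```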
Are you able to reproduce the problem using the tcp echo server I mentioned above? |
@eddiezane and @brianpursley I do agree that it does sound like the "fix" in kubernetes/kubernetes#103526, which in general is a fix. But I found it unexpected in this specific scenario, which could be generalised to other cases of opening and closing connections to a service that a pod is running:
We expected the port-forward to remain open for subsequent psql connections (that we close after each use). This was the case before v1.23.x. I have tested using kubectl
I would not consider this scenario to be an example of a port-forward error occurring that requires the port-forward connection to be closed. Opening a psql connection and then closing it cleanly should not be treated as such an error.

I have run the echo server, and it does not cause the port-forward to break when using netcat to connect to it. This does indeed work as you have said. I would hope that this same behaviour would be the case when opening up connections using psql.

To clarify an error in my reproduction from the original post: |
Hmm, so maybe there are different types of errors: some unrecoverable, where it makes sense to stop forwarding, but others which are recoverable, like the example you mentioned. I'll have to test with psql, see if I can reproduce that way, and see what the difference is. It sounds like you are indeed hitting an issue with the change that was made in kubectl 1.23.0. If that's the case, using kubectl <1.23 should be a workaround for now until we can figure out what is going on here and fix it. |
I'm still trying to reproduce this using kubectl 1.23.3 (and other versions), and still am not able to. There must be something else different about our clusters. First, just so we're on the same page, here is my latest attempt to reproduce: I create a pod running PostgreSQL, forward port 5432, then connect using psql.

Terminal 1:
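A sketch of what that looks like (pod name, image tag, and password are illustrative assumptions):

```sh
kubectl run postgres --image=postgres:14 --env=POSTGRES_PASSWORD=test --port=5432
kubectl port-forward pod/postgres 5432:5432
```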
Terminal 2:
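(Connection parameters here mirror the assumed pod above.)

```sh
# Connect, run a query, and quit; repeat several times
PGPASSWORD=test psql -h localhost -p 5432 -U postgres -c 'select 1;'
```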
After several psql sessions, port forwarding remains running. Even when I issued a command that failed, the port forwarding connection itself remained intact. @mkfdoherty Are my above commands similar to what you are doing when the problem happens?

Next, I'd like to find out if there is some difference in the clusters which is making this behave differently for you than it is for me. @mkfdoherty Can you post the relevant version output from your cluster? I'm wondering if there is a difference in the container runtime or CNI provider.

Thanks for any additional info you can provide. I'm hoping we can get to the bottom of this, as I'm sure if you're having this problem, some others will too. |
I also tried using a Minikube cluster...
And EKS as well. |
Thank you so much for your replication attempt. I appreciate you taking the time. I decided to try and replicate this again using a popular PostgreSQL helm chart. To my surprise, the behavior is different to that of the PostgreSQL instance I have running with the Patroni replication manager. This likely explains why your replication procedure does not match mine.

This appeared quite odd to me, given that my PostgreSQL logs and pod appeared completely healthy when closing psql connections, yet the port-forward failed, leading me to believe that this issue would be standard behavior across psql clients interacting with PostgreSQL servers over kubectl >1.23 port-forwards. So my original assumption that this was a common recoverable error that could affect psql and other common clients communicating with servers over port-forwards seems to be incorrect.

I am investigating this less typical issue further, but at this point the kubernetes/kubernetes#103526 fix seems to work mostly as intended in the common cases I have tested. I would consider this closed unless I find reason to suspect otherwise. |
Also started happening for us after upgrading to 1.23 from 1.22 - also postgres - only impacting port-forwarding. I'm a little confused, what's the fix for this? |
I experienced a similar issue while port-forwarding to a PGO-managed database:
At some point the connection gets lost. Interestingly, the connection is also lost when I exit the local psql session. |
I had the same problem. I found that the reason is that the Postgres server sends an RST packet when a client (like psql) disconnects from the server in TLS mode, because it shuts down the sub-process handling the connection without reading the SSL shutdown packet sent by the client. And the new logic introduced in kubernetes/kubernetes#103526 causes the port forward itself to be shut down when an RST packet is read from the server side of a connection established via the port forward. If you are okay with using the plaintext protocol, you can use sslmode=disable to avoid this.
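For example, a sketch of that plaintext workaround (host, port, and user are assumptions about the local forward):

```sh
# Force a non-TLS connection so the server never sends the TLS-teardown RST
psql "host=localhost port=5432 user=postgres sslmode=disable"
```
|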
@nic-6443 So is there a fix for this other than falling back to disabling SSL on PostgreSQL? I too am experiencing this problem. |
FWIW, I'm not sure what I upgraded, but I'm no longer having this issue with DataGrip on the same cluster (so it was an upgrade to DataGrip, or to kubectl, or to the cluster backplane). |
I see. I will see if upgrading the cluster works. (My DataGrip and kubectl are up to date.) |
@Silvenga Which versions have you upgraded the cluster, kubectl and DataGrip to? |
@PKizzle I'm just assuming something changed, since I noticed it stopped happening (disabling SSL for my login is a chore to get done, so I never tried). I recently went through and upgraded all my local software, e.g. Windows, Datagrip, etc. Postgres in the cluster wasn't upgraded. I do distinctly remember upgrading the Datagrip Postgres driver. This was also when I migrated to use kubelogin after getting a bit too annoyed with the CLI warnings. 😆 But I doubt kubelogin would have impacted anything. I'm on PTO, I'll check on the cluster's current version when I get back next week. Feel free to poke me if I forget. |
@Silvenga Just a gentle ping on this issue :D Also, can you confirm that your PostgreSQL is using SSL? |
K8s:

```
# kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.8", GitCommit:"bd30c9fbc8dc9668d7ab4b0bd4fdab5c929c1ad7", GitTreeState:"clean", BuildDate:"2022-06-21T17:15:16Z", GoVersion:"go1.17.11", Compiler:"gc", Platform:"linux/amd64"}

# kubelogin --version
kubelogin version
git hash: v0.0.14/f345047a580aaaf133b009041963d50b98d8d2e2
Go version: go1.17.11
Build time: 2022-07-07T17:00:54Z
```

I'm apparently still using the old kubectl client; this cluster is on v1.23.8.

Datagrip: all defaults except:

When executing queries through the port-forward now, the connection stays up, where previously the port-forward dropped after the first connection.

Let me know @panteparak if I missed anything. I would really suspect that the driver was the real fix for me. Of course, I can't discount networking changes in Azure by Microsoft (there have been several since Jun 17, my first comment here). |
Hey, found this issue since I have the same problem but with argocd while trying to access the web UI:
The version is:
(The cluster is a local kubeadm setup on 2 Intel NUCs with Debian). EDIT: |
Same - experiencing this with DBeaver. I am unsure why this issue has been closed. Surely just disabling HTTPS is not a long-term solution to this problem? |
@panteparak I don't have any good ideas yet. There is also a hack approach (which we currently use in our test environment): create iptables rules in an init container to drop the TCP RST packets sent by Postgres.
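A sketch of such a rule (assumes the init container runs with the NET_ADMIN capability and that Postgres listens on 5432):

```sh
# Drop outbound TCP RST packets originating from the Postgres port, so the
# client side of the port-forward never sees the reset
iptables -A OUTPUT -p tcp --sport 5432 --tcp-flags RST RST -j DROP
```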
|
This isn't really helpful if the Postgres server enforces SSL. |
Just to add: that is, in many environments, just not possible given the security implications.

I have to say, I just don't understand the reasoning behind the original change that caused this - it's very definitely what I would class as "breaking", and all of the use cases we've seen in here are hardly what I would call edge cases. We're talking about proxying to arguably the world's most popular SQL server.

Right now we're stuck on an old version; this workaround doesn't work for us.
|
I agree. It is just a workaround and does not address the original problem. |
This issue needs reopening |
seeing the same, on several pods.
|
I am facing the same issue on an M1 Mac; this issue needs reopening. |
same problem here. latest k8s, latest kubectl |
Same issue here. kubectl with kind. Port forwarding for port 443 works only once, after which the connection is lost and all further requests are left hanging. |
Same issue with an M1 MBP, trying to port-forward a Redis pod to local port 6379 without success. |
I have the same issue here, port-forwarding 9090 on my load balancer; I create the cluster using kind. I solved it by adding extra port mappings to my kind config:

```yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
  - containerPort: 9090
    hostPort: 9090
    protocol: TCP
  - containerPort: 1833
    hostPort: 1833
    protocol: TCP
  - containerPort: 4222
    hostPort: 4222
    protocol: TCP
- role: worker
- role: worker
- role: worker
```
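The config is applied when the cluster is created (the file name here is an assumption):

```sh
kind create cluster --config kind-config.yaml
```
|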
For those watching, it's possible that this issue is the same as kubernetes/kubernetes#74551, which people believe is actually an issue with the container runtime. There is a proposed PR to fix it. Also, here is another related issue, for reference: #1368 |
Since I'm seeing the same problem with port-forward closing after the first connection, I resorted to downloading a much older version of kubectl to use for the port-forward: https://cdn.dl.k8s.io/release/v1.22.14/bin/linux/amd64/kubectl
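A sketch of that approach (the URL is the one above; the file name and pod are illustrative):

```sh
curl -Lo kubectl-1.22 https://cdn.dl.k8s.io/release/v1.22.14/bin/linux/amd64/kubectl
chmod +x kubectl-1.22
./kubectl-1.22 port-forward pod/mypod 5432:5432
```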
Newer version of kubectl port-forward:

The 1.22 version of kubectl port-forward, with me connecting and exiting with psql twice; the port-forward remains running.
|
Trouble exists on
|
Same for MariaDB and a simple port-forward. No SSL, using default options with JDBC.

```
E0130 14:27:35.925386 25068 portforward.go:406] an error occurred forwarding 3307 -> 3307: error forwarding port 3307 to pod cbe8b3812e0dd7e8c793f4395d80bc3a42679829b7ab8f2c3831eaf7f4003e2b, uid : failed to execute portforward in network namespace "/var/run/netns/cni-0e9c2674-0ed6-b133-3453-140c73d6899b": failed to connect to localhost:3307 inside namespace "cbe8b3812e0dd7e8c793f4395d80bc3a42679829b7ab8f2c3831eaf7f4003e2b", IPv4: dial tcp4 127.0.0.1:3307: connect: connection refused IPv6 dial tcp6: address localhost: no suitable address found
```
|
Just ran into this issue running Kubernetes locally. The issue was fixed by increasing the memory available to the node. |
Better-than-nothing workaround: wrap it in a while true loop:

```sh
while true; do kubectl port-forward ...; echo .; done
```
|
Same issue, with both server and client on the same version. |
I am also seeing the same issue with a simple nginx pod exposed on port 8080 |
same issue here:

```
# kubectl version
Client Version: v1.29.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.18.4-tke.25
```

==== update ====

Just realized that only ports listening on localhost inside the target pod can be port-forwarded. It'd be good if we could have an option to make all ports forwardable.
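This matches how the forward reaches the pod: kubectl port-forward dials localhost inside the pod's network namespace (visible in the MariaDB error above), so a process bound only to the pod IP is refused. A sketch of the working case (image and ports are illustrative):

```sh
# nginx binds 0.0.0.0:80, so it is reachable via localhost inside the pod
kubectl run web --image=nginx --port=80
kubectl port-forward pod/web 8080:80
curl localhost:8080
```
|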
The related issues are:
It also looks like @sxllwx has a PR which might fix it: kubernetes/kubernetes#117493 |
Same here, had to disable SSL mode in PyCharm Pro to fix the connection being dropped after the first attempt. |
What happened:

When running Kubernetes v1.23.1 on Minikube with kubectl v1.23.2, I experienced the following unexpected behaviour when trying to create a port-forward to a pod running an arbitrary service.

`kubectl version`:

What we see is that after the first netcat connection successfully closes, we get a lost connection to the pod and the port-forward closes.

`kubectl port-forward` to pod output:

We would expect the connection to stay open, as is the case with Kubernetes before v1.23.0.

What you expected to happen:
When running the test against EKS running Kubernetes version v1.21.5-eks-bc4871b, we get the port-forward behavior we are used to: the port-forward remains open after the first successful netcat connection.

`kubectl version`:

Notice how the kubectl version is v1.23.2 and the server version is v1.21.5-eks-bc4871b. EKS seems to manage version skew on its own somehow.

The output we get after opening multiple connections is what we expect. The connection is not closed after subsequent nc commands (don't be alarmed by the connection refusal from PostgreSQL; we are not using the right protocol or credentials. We are just trying to test the port-forward behavior, and this is a simple approach to express the issue).

`kubectl port-forward` to pod output:

As we can see, the port-forward connection lasts for many netcat connections. This is the behavior we expect.
For completeness, this was tested using Minikube running Kubernetes v1.21.5. The problem still exists if we don't take version skew into account, but if we match the kubectl and Minikube Kubernetes versions to v1.21.5, we again get the expected behavior of port-forwards remaining open past the first connection.

How to reproduce it (as minimally and precisely as possible):
My test is as follows:

1. Port-forward to a pod with a service listening on it (`kubectl port-forward $POD_WITH_SERVICE 5432:5432`)
2. Open and then close a connection to the forwarded port (`nc -v localhost 5432`)

Tests were conducted against Kubernetes versions (v1.21.5, v1.22.1 and v1.23.1) on Minikube using `minikube start --kubernetes-version=v1.21.5`. Using `minikube kubectl --` we can match the kubectl version to the Kubernetes version Minikube is using, to avoid version skew. The problem I describe only appears when running Kubernetes above v1.23.0.
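Put end to end, a minimal version of this test could look like the following (the pod name and PostgreSQL image are assumptions):

```sh
# Something listening on 5432 inside the cluster
kubectl run pg --image=postgres:14 --env=POSTGRES_PASSWORD=test --port=5432

# Terminal 1: forward the port
kubectl port-forward pod/pg 5432:5432

# Terminal 2: open and cleanly close a TCP connection, twice
nc -v localhost 5432 </dev/null
nc -v localhost 5432 </dev/null  # on kubectl >= v1.23 the forward has already exited
```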
Anything else we need to know?:

Based on the above testing, it would seem that there is a bug introduced in kubectl > v1.23.0 which causes port-forwards to close immediately after a successful connection. This is a problem, given that the above test expects the old behavior of long-lasting kubectl port-forwards. My assumption is that this is a bug, based on there being no explicit mention of this behavior in CHANGELOG-1.23, so it may be a regression. Could someone please shed light on whether this is a regression, or expected behavior now for reasons unbeknown to me?

Environment:
- Kubernetes client and server versions (`kubectl version`): listed above; also tested against v1.21.5-eks-bc4871b to verify behavior.
- OS (e.g. `cat /etc/os-release`): tested locally on a Docker node.