- First, find out the node that the `client` pod is running on:

  ```bash
  NODE_NAME=$(kubectl get pod -n client -o=jsonpath='{.items[0].spec.nodeName}')
  CLIENT_POD_IP=$(kubectl get pod -n client -o=jsonpath='{.items[0].status.podIP}')
  echo $CLIENT_POD_IP
  ```

- Then utilize the `privileged` pod that was deployed to get a shell into the node:

  ```bash
  PRIV_POD=$(kubectl get pods -o=jsonpath='{.items[?(@.spec.nodeName=="'"$NODE_NAME"'")].metadata.name}')
  kubectl exec -it "$PRIV_POD" -- /bin/sh
  ```

  Once in, get into the host namespace:

  ```bash
  chroot /host
  ```
- Find the `cali*` interface associated with the `client` pod IP using `ip route`. For example, if `CLIENT_POD_IP` is `10.244.24.179`, then do:

  ```bash
  ip route | grep 10.244.24.179
  ```

  This might give an output like:

  ```
  10.244.24.179 dev cali0cdd47bbdcb scope link
  ```
- Utilize the Calico `calico-bpf` tool to examine Calico Cloud's BPF maps. First, find the name of the `calico-node` pod on the host of the `client` pod:

  ```bash
  CNX_POD=$(kubectl get pods -ncalico-system -l k8s-app=calico-node -o=jsonpath='{.items[?(@.spec.nodeName=="'"$NODE_NAME"'")].metadata.name}')
  ```

- Dump the counters for the relevant `cali-` interface:

  ```bash
  kubectl exec -it -ncalico-system $CNX_POD -c calico-node -- calico-node -bpf counters dump --iface cali0cdd47bbdcb
  ```

  It should look something like this, showing no dropped packets (yet):

  ```
  +----------+--------------------------------+---------+--------+-----+
  | CATEGORY | TYPE                           | INGRESS | EGRESS | XDP |
  +----------+--------------------------------+---------+--------+-----+
  | Accepted | by Egress gateways             | 0       | 0      | N/A |
  |          | by another program             | 0       | 0      | N/A |
  |          | by failsafe                    | 0       | 0      | N/A |
  |          | by policy                      | 371     | 186    | N/A |
  | Dropped  | by policy                      | 0       | 0      | N/A |
  |          | failed decapsulation           | 0       | 0      | N/A |
  |          | failed encapsulation           | 0       | 0      | N/A |
  |          | incorrect checksum             | 0       | 0      | N/A |
  |          | malformed IP packets           | 0       | 0      | N/A |
  |          | packets hitting blackhole      | 0       | 0      | N/A |
  |          | route                          |         |        |     |
  |          | packets with unknown route     | 0       | 0      | N/A |
  |          | packets with unknown source    | 0       | 0      | N/A |
  |          | packets with unsupported IP    | 0       | 0      | N/A |
  |          | options                        |         |        |     |
  |          | too short packets              | 0       | 0      | N/A |
  | Total    | packets                        | 2044    | 683    | N/A |
  +----------+--------------------------------+---------+--------+-----+
  ```
- Try to send traffic from the `client` pod to `management-ui` again:

  ```bash
  kubectl -n client exec -it $(kubectl get po -n client -l role=client -ojsonpath='{.items[0].metadata.name}') -- /bin/bash -c 'curl -m3 -I http://management-ui.management-ui'
  ```

  and then look at the counters again:

  ```
  +----------+--------------------------------+---------+--------+-----+
  | CATEGORY | TYPE                           | INGRESS | EGRESS | XDP |
  +----------+--------------------------------+---------+--------+-----+
  | Accepted | by Egress gateways             | 0       | 0      | N/A |
  |          | by another program             | 0       | 0      | N/A |
  |          | by failsafe                    | 0       | 0      | N/A |
  |          | by policy                      | 596     | 297    | N/A |
  | Dropped  | by policy                      | 4       | 1      | N/A |
  |          | failed decapsulation           | 0       | 0      | N/A |
  |          | failed encapsulation           | 0       | 0      | N/A |
  |          | incorrect checksum             | 0       | 0      | N/A |
  |          | malformed IP packets           | 0       | 0      | N/A |
  |          | packets hitting blackhole      | 0       | 0      | N/A |
  |          | route                          |         |        |     |
  |          | packets with unknown route     | 0       | 0      | N/A |
  |          | packets with unknown source    | 0       | 0      | N/A |
  |          | packets with unsupported IP    | 0       | 0      | N/A |
  |          | options                        |         |        |     |
  |          | too short packets              | 0       | 0      | N/A |
  | Total    | packets                        | 3275    | 1098   | N/A |
  +----------+--------------------------------+---------+--------+-----+
  ```
- All of the relevant rules can be viewed as well if needed:

  ```bash
  kubectl exec -it -ncalico-system $CNX_POD -c calico-node -- calico-node -bpf policy dump cali0cdd47bbdcb all
  ```
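The before/after comparison that the two counter-dump steps above perform by eye, as an added POSIX shell example that is not part of this workshop: it parses the `calico-node -bpf counters dump` table (carrying the CATEGORY value across the rows where the table leaves it blank) and reports how much the `Dropped / by policy` row grew between two dumps. The two sample tables are constructed here from the values shown above, with most rows omitted.

```shell
#!/bin/sh
# Abbreviated `calico-node -bpf counters dump` tables, constructed from the values
# shown in the steps above (before and after the blocked curl); most rows omitted.
SAMPLE_BEFORE='+----------+----------------------------+---------+--------+-----+
| CATEGORY | TYPE                       | INGRESS | EGRESS | XDP |
+----------+----------------------------+---------+--------+-----+
| Accepted | by policy                  | 371     | 186    | N/A |
| Dropped  | by policy                  | 0       | 0      | N/A |
|          | packets with unknown route | 0       | 0      | N/A |
| Total    | packets                    | 2044    | 683    | N/A |
+----------+----------------------------+---------+--------+-----+'
SAMPLE_AFTER='+----------+----------------------------+---------+--------+-----+
| CATEGORY | TYPE                       | INGRESS | EGRESS | XDP |
+----------+----------------------------+---------+--------+-----+
| Accepted | by policy                  | 596     | 297    | N/A |
| Dropped  | by policy                  | 4       | 1      | N/A |
|          | packets with unknown route | 0       | 0      | N/A |
| Total    | packets                    | 3275    | 1098   | N/A |
+----------+----------------------------+---------+--------+-----+'

# Print "<ingress> <egress>" for one CATEGORY/TYPE row of a dump read on stdin.
# The dump leaves CATEGORY blank on continuation rows, so the last value is carried.
bpf_counter() {  # usage: bpf_counter CATEGORY TYPE < dump
    awk -F'|' -v want_cat="$1" -v want_type="$2" '
        NF < 6 { next }                                  # skip +----+ border lines
        {
            for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 != "") current = $2
            if (current == want_cat && $3 == want_type) { print $4, $5; exit }
        }'
}

# Growth of the "Dropped / by policy" row between two dumps, as "<ingress> <egress>".
# A non-zero delta right after the failed curl attributes the block to policy rather
# than to routing, checksum or encapsulation, each of which has its own row.
policy_drop_delta() {  # usage: policy_drop_delta "$before_dump" "$after_dump"
    b=$(printf '%s\n' "$1" | bpf_counter Dropped 'by policy')
    a=$(printf '%s\n' "$2" | bpf_counter Dropped 'by policy')
    echo "$b $a" | awk '{ print $3 - $1, $4 - $2 }'
}

# Against a live cluster (CNX_POD and the cali interface come from the steps above):
#   kubectl exec -n calico-system "$CNX_POD" -c calico-node -- \
#     calico-node -bpf counters dump --iface cali0cdd47bbdcb > before.txt
#   (re-run the curl, dump again to after.txt) then:
#   policy_drop_delta "$(cat before.txt)" "$(cat after.txt)"
```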