GuestAgent is ignoring iptable portMappings in CNI-DN #7722

Closed
Nino-K opened this issue Nov 5, 2024 · 0 comments · Fixed by #7723
Comments

Nino-K (Member) commented Nov 5, 2024

Previously, the guestAgent in Rancher Desktop was picking up port mappings from iptables using the GetPorts function from Lima, as seen here. However, since the iptables scanning package was removed from the guestAgent, it no longer retrieves these port mappings.

An example of such a rule in iptables is as follows:

CNI-HOSTPORT-SETMARK  tcp  --  10.42.0.0/24         anywhere             tcp dpt:12345
CNI-HOSTPORT-SETMARK  tcp  --  localhost            anywhere             tcp dpt:12345
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12345 to:10.42.0.100:80
CNI-DN-6ef6bede9244615191a81  tcp  --  anywhere             anywhere             /* dnat name: "cbr0" id: "0344293f74a8790f54a73bdd10f97bfaf98b3fb80b8e88c610f2da8ddf1c241a" */ multiport dports 12345

These rules are generated by the CNI (Container Network Interface) plugin for pod-to-pod communication. They are part of Kubernetes' networking and ensure that traffic on specific host ports (e.g., port 12345) is correctly routed to the appropriate pod, with the CNI plugin managing the handling of that traffic.

Given their role in routing traffic correctly within Kubernetes, it is important that these rules are not overlooked by the guestAgent.

TCP Repro Steps

  1. Download echo-server.yaml from https://gist.github.com/mikeseese/cca62f2dba7a453ebe172031a9490760
  2. Using Rancher Desktop v1.16.0, K8s v1.30.5, CE: moby, start up the cluster
  3. kubectl apply -f echo-server.yaml
  4. curl <hostIP>:12345/param?query=demo
  5. See that curl can't reach the host
    • It should have returned a JSON object, i.e.:
    {"host":{"hostname":"127.0.0.1","ip":"::ffff:127.0.0.1","ips":[]},"http":{"method":"GET","baseUrl":"","originalUrl":"/param?query=demo","protocol":"http"},"request":{"params":{"0":"/param"},"query":{"query":"demo"},"cookies":{},"body":{},"headers":{"host":"127.0.0.1:12345","user-agent":"curl/8.1.2","accept":"*/*"}},"environment":{"PATH":"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","HOSTNAME":"echo-server","INGRESS_NGINX_CONTROLLER_ADMISSION_SERVICE_PORT_HTTPS_WEBHOOK":"443","INGRESS_NGINX_CONTROLLER_ADMISSION_PORT_443_TCP_ADDR":"10.43.14.22","INGRESS_NGINX_CONTROLLER_SERVICE_PORT_HTTP":"80","INGRESS_NGINX_CONTROLLER_PORT_443_TCP_PORT":"443","KUBERNETES_PORT_443_TCP_ADDR":"10.43.0.1","INGRESS_NGINX_CONTROLLER_ADMISSION_SERVICE_PORT":"443","INGRESS_NGINX_CONTROLLER_PORT_443_TCP":"tcp://10.43.38.178:443","KUBERNETES_SERVICE_PORT":"443","KUBERNETES_SERVICE_PORT_HTTPS":"443","INGRESS_NGINX_CONTROLLER_SERVICE_HOST":"10.43.38.178","INGRESS_NGINX_CONTROLLER_SERVICE_PORT":"80","INGRESS_NGINX_CONTROLLER_PORT_80_TCP_ADDR":"10.43.38.178","INGRESS_NGINX_CONTROLLER_PORT_443_TCP_PROTO":"tcp","INGRESS_NGINX_CONTROLLER_ADMISSION_PORT_443_TCP_PORT":"443","INGRESS_NGINX_CONTROLLER_PORT_80_TCP":"tcp://10.43.38.178:80","INGRESS_NGINX_CONTROLLER_PORT_80_TCP_PROTO":"tcp","KUBERNETES_SERVICE_HOST":"10.43.0.1","KUBERNETES_PORT_443_TCP":"tcp://10.43.0.1:443","KUBERNETES_PORT_443_TCP_PORT":"443","INGRESS_NGINX_CONTROLLER_ADMISSION_SERVICE_HOST":"10.43.14.22","INGRESS_NGINX_CONTROLLER_ADMISSION_PORT":"tcp://10.43.14.22:443","INGRESS_NGINX_CONTROLLER_ADMISSION_PORT_443_TCP":"tcp://10.43.14.22:443","INGRESS_NGINX_CONTROLLER_SERVICE_PORT_HTTPS":"443","INGRESS_NGINX_CONTROLLER_PORT_80_TCP_PORT":"80","KUBERNETES_PORT_443_TCP_PROTO":"tcp","INGRESS_NGINX_CONTROLLER_ADMISSION_PORT_443_TCP_PROTO":"tcp","INGRESS_NGINX_CONTROLLER_PORT":"tcp://10.43.38.178:80","INGRESS_NGINX_CONTROLLER_PORT_443_TCP_ADDR":"10.43.38.178","KUBERNETES_PORT":"tcp://10.43.0.1:443","NODE_VERSION":"16.16.0","YARN_VERSION":"1.22.19","HOME":"/root"}}
    
  6. To see what you should have seen, you can forward the port manually: kubectl port-forward pods/echo-server 12345:80 -n default and change the curl command to use the localhost IP curl 127.0.0.1:12345/param?query=demo

I created this issue to discuss the importance of these portMappings that are now ignored in guestAgent.

Nino-K added the area/networking and area/wsl (WSL integration) labels Nov 5, 2024
Nino-K added this to the 1.17 milestone Nov 5, 2024
Nino-K self-assigned this Nov 5, 2024
Nino-K changed the title from "GuestAgent is ignoring iptable ports" to "GuestAgent is ignoring iptable portMappings in CNI-DN" Nov 5, 2024
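The following is an added example, not code from Rancher Desktop, Lima or the guestAgent, showing one way to recover the CNI portmap mappings that the issue says are now being dropped. It walks `iptables -t nat -L` style output (the same format as the rules quoted in the issue), tracks which chain each rule belongs to, and only returns DNAT rules that live in a `CNI-DN-*` chain, tagging each with the container ID from the `/* dnat name: ... id: ... */` comment on the jump rule in `CNI-HOSTPORT-DNAT`. The `SampleListing` is constructed for this example and modelled on the rules in the issue; an unrelated DNAT rule in a `DOCKER` chain is included to show that it is filtered out. The type and function names are this example's own, not an API of any of those projects.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// PortMapping is one host-port -> pod-port DNAT rule recovered from the nat
// table, plus the container ID the CNI portmap plugin recorded in its comment.
type PortMapping struct {
	Proto       string
	HostPort    int
	DestIP      string
	DestPort    int
	ContainerID string
}

var (
	// "Chain CNI-DN-6ef6... (1 references)" header printed by iptables -L
	chainHeader = regexp.MustCompile(`^Chain (\S+)`)
	// jump from CNI-HOSTPORT-DNAT into a per-container CNI-DN-* chain; the
	// portmap plugin leaves the container id in the rule comment
	jumpRule = regexp.MustCompile(`^(CNI-DN-\S+)\s+(tcp|udp)\s+.*id: "([0-9a-f]+)"`)
	// the DNAT rule inside a CNI-DN-* chain (IPv4 targets only in this example)
	dnatRule = regexp.MustCompile(`^DNAT\s+(tcp|udp)\s+.*\bdpt:(\d+)\s+to:(\d+\.\d+\.\d+\.\d+):(\d+)\s*$`)
)

// ParseCNIPortMappings scans `iptables -t nat -L` (or -L -n) output and returns
// the port mappings installed by the CNI portmap plugin. DNAT rules outside a
// CNI-DN-* chain (e.g. Docker's) are ignored.
func ParseCNIPortMappings(listing string) ([]PortMapping, error) {
	containerOf := map[string]string{} // CNI-DN chain name -> container id
	type rule struct {
		chain string
		pm    PortMapping
	}
	var found []rule
	chain := ""
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := chainHeader.FindStringSubmatch(line); m != nil {
			chain = m[1] // every following rule belongs to this chain
			continue
		}
		if m := jumpRule.FindStringSubmatch(line); m != nil && chain == "CNI-HOSTPORT-DNAT" {
			containerOf[m[1]] = m[3]
			continue
		}
		m := dnatRule.FindStringSubmatch(line)
		if m == nil || !strings.HasPrefix(chain, "CNI-DN-") {
			continue
		}
		hostPort, err := strconv.Atoi(m[2])
		if err != nil {
			return nil, err
		}
		destPort, err := strconv.Atoi(m[4])
		if err != nil {
			return nil, err
		}
		found = append(found, rule{chain, PortMapping{Proto: m[1], HostPort: hostPort, DestIP: m[3], DestPort: destPort}})
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	// attach container ids now that the whole listing has been seen, since the
	// CNI-DN-* chains may be printed before or after CNI-HOSTPORT-DNAT
	out := make([]PortMapping, 0, len(found))
	for _, r := range found {
		r.pm.ContainerID = containerOf[r.chain]
		out = append(out, r.pm)
	}
	return out, nil
}

// SampleListing is constructed for this example, modelled on the rules in the issue.
const SampleListing = `Chain DOCKER (2 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8080 to:172.17.0.2:80

Chain CNI-HOSTPORT-DNAT (2 references)
target     prot opt source               destination
CNI-DN-6ef6bede9244615191a81  tcp  --  anywhere             anywhere             /* dnat name: "cbr0" id: "0344293f74a8790f54a73bdd10f97bfaf98b3fb80b8e88c610f2da8ddf1c241a" */ multiport dports 12345

Chain CNI-DN-6ef6bede9244615191a81 (1 references)
target     prot opt source               destination
CNI-HOSTPORT-SETMARK  tcp  --  10.42.0.0/24         anywhere             tcp dpt:12345
CNI-HOSTPORT-SETMARK  tcp  --  localhost            anywhere             tcp dpt:12345
DNAT       tcp  --  anywhere             anywhere             tcp dpt:12345 to:10.42.0.100:80
`

func main() {
	pms, err := ParseCNIPortMappings(SampleListing)
	if err != nil {
		panic(err)
	}
	for _, pm := range pms {
		fmt.Printf("%s host:%d -> %s:%d (container %s)\n", pm.Proto, pm.HostPort, pm.DestIP, pm.DestPort, pm.ContainerID)
	}
}
```

Run against real output with `iptables -t nat -L -n` piped in; `-n` only changes `anywhere`/`localhost` to numeric addresses, which the patterns above do not depend on. Parsing `iptables -t nat -S` output would be more robust than the `-L` table, but the issue quotes `-L` format, so that is what the example parses.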