Scenario #11
Cluster Management
K8s v1.22, On-prem with kube-proxy in IPTables mode

kube-proxy IPTables Rules Overlap Breaking Networking

Services became unreachable due to overlapping custom IPTables rules with kube-proxy rules.

What Happened

A system admin added custom IPTables NAT rules for external routing, which inadvertently modified the same chains managed by kube-proxy.

Diagnosis Steps
  1. DNS and service access failing intermittently.
  2. Ran `iptables-save | grep KUBE-` and found modified chains.
  3. Checked kube-proxy logs: warnings about rule insert failures.
Root Cause

Manual IPTables rules conflicted with KUBE-SERVICES chains, causing rule precedence issues.

Fix/Workaround
  • Flushed custom rules and reloaded kube-proxy.

```bash
# Without -t nat this flushes only the filter table; restarting kube-proxy
# makes it re-sync the KUBE-* chains it owns.
iptables -F ; systemctl restart kube-proxy
```
Lessons Learned

Never mix manual IPTables rules with kube-proxy-managed chains.

How to Avoid
  1. Use separate IPTables chains or policy routing.
  2. Document any node-level firewall rules clearly.
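As an added example, not part of the original scenario, the following shell check scans an `iptables-save` dump for rules that touch kube-proxy's KUBE-* chains without carrying kube-proxy's comment tag, the kind of manual edit described above. It assumes kube-proxy tags every rule it owns with `-m comment --comment`, and the sample dump is constructed for illustration rather than taken from a real node.

```shell
# Heuristic audit: report rules inside KUBE-* chains, or jumps into KUBE-*
# chains from other chains, that lack the '-m comment --comment' tag
# kube-proxy puts on every rule it manages (assumption made by this check).
# Reads an iptables-save dump on stdin.
audit_kube_chains() {
  awk '
    /^-A KUBE-/ && $0 !~ /-m comment --comment/ {
      print "untagged rule in kube-proxy chain: " $0; next
    }
    /^-A / && $2 !~ /^KUBE-/ && / -j KUBE-/ && $0 !~ /-m comment --comment/ {
      print "manual jump into kube-proxy chain: " $0
    }
  '
}

# Constructed sample dump mixing genuine kube-proxy rules (tagged) with
# hand-written NAT edits (untagged) like those in this scenario.
SAMPLE_DUMP=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -d 10.0.0.0/8 -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-EXAMPLE
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp --dport 53 -j DNAT --to-destination 192.0.2.53:53
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
)

# On a live node you would pipe the real dump: iptables-save | audit_kube_chains
printf '%s\n' "$SAMPLE_DUMP" | audit_kube_chains
```

The MASQUERADE rule in POSTROUTING is not reported because it stays out of the KUBE-* chains, which is the separation the "How to Avoid" list recommends.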