What is the Custom ICMP-IPv4 Rule in a Security Group in ROSA?
Environment
- Red Hat OpenShift Service on AWS
- 4.x
Issue
- You want to know what the Custom ICMP-IPv4 rule in your Security Group is.
For example, the rule details:
* Type: Custom ICMP-IPv4
* Protocol: Destination Unreachable
* Port range: fragmentation required, and DF flag set
* Source: 0.0.0.0/0
* Description: kubernetes.io/rule/nlb/mtu
- In addition, the rule allows any source (0.0.0.0/0), so you are concerned about its impact on your security policy.
Resolution
- If you added any NLB through a Service of type LoadBalancer or through the Custom Domain Operator in your cluster, the Custom ICMP-IPv4 inbound rule is added automatically to your Security Groups.
- This is expected behavior: the rule ensures that Path MTU Discovery can function correctly and prevents packet loss through the NLB.
- Refer to the following details about Path MTU Discovery:
If the maximum transmission unit (MTU) between hosts in your subnets is different, or your instances communicate with peers over the internet, you must add the following network ACL rule, both inbound and outbound. This ensures that Path MTU Discovery can function correctly and prevent packet loss. Select Custom ICMP Rule for the type and Destination Unreachable, fragmentation required, and DF flag set for the port range (type 3, code 4). If you use traceroute, also add the following rule: select Custom ICMP Rule for the type and Time Exceeded, TTL expired transit for the port range (type 11, code 0). For more information, see Network maximum transmission unit (MTU) for your EC2 instance in the Amazon EC2 User Guide for Linux Instances.
- In NLB cases, "kubernetes.io/rule/nlb/mtu" is added in the "Description" column, according to the following constant in the Kubernetes AWS cloud provider implementation:
// NLBMtuDiscoveryRuleDescription is the comment used on a security group rule
// to indicate that it is used for mtu discovery
const NLBMtuDiscoveryRuleDescription = "kubernetes.io/rule/nlb/mtu"
Root Cause
- Path MTU Discovery (PMTUD) is used to determine the path MTU between two devices. The Destination Unreachable (fragmentation required, type 3, code 4) ICMP message instructs the originating host to use the lowest MTU size along the network path and to resend the request. Without this negotiation, packets can be dropped because the request is too large for the receiving host to accept.
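To tell the expected PMTUD rule apart from broader ICMP exposure, the following added example (not part of the Red Hat article or the cloud provider code) classifies the ICMP entries of a security group as returned by the EC2 DescribeSecurityGroups API. It assumes the documented API encoding, in which ICMP rules carry the ICMP type in FromPort and the code in ToPort, with -1 meaning "all"; the sample security group and its group ID are constructed.

```python
# Added example: audit the ICMP rules of an AWS security group (IpPermissions
# shape from `aws ec2 describe-security-groups`) and flag anything broader
# than the PMTUD rule the NLB integration adds. Sample data is constructed.
PMTUD_DESCRIPTION = "kubernetes.io/rule/nlb/mtu"


def classify_icmp_rule(perm):
    """Return a verdict string for one IpPermissions entry, or None if not ICMP."""
    if perm.get("IpProtocol") != "icmp":
        return None
    icmp_type, icmp_code = perm.get("FromPort", -1), perm.get("ToPort", -1)
    ranges = perm.get("IpRanges", [])
    sources = ", ".join(r.get("CidrIp", "?") for r in ranges) or "none"
    descriptions = {r.get("Description", "") for r in ranges}
    if icmp_type == -1:  # -1 means every ICMP type, far wider than PMTUD needs
        return "BROAD: all ICMP types allowed from %s" % sources
    if (icmp_type, icmp_code) == (3, 4):  # Destination Unreachable, frag needed
        if PMTUD_DESCRIPTION in descriptions:
            return "EXPECTED: PMTUD rule (type 3, code 4) added for the NLB"
        return "REVIEW: type 3 code 4 rule without the NLB description, from %s" % sources
    if (icmp_type, icmp_code) == (11, 0):  # Time Exceeded, used by traceroute
        return "INFO: traceroute rule (type 11, code 0) from %s" % sources
    return "REVIEW: other ICMP type %d code %d from %s" % (icmp_type, icmp_code, sources)


def audit_security_group(sg):
    """Return the verdicts for every ICMP rule in one security group entry."""
    verdicts = []
    for perm in sg.get("IpPermissions", []):
        verdict = classify_icmp_rule(perm)
        if verdict:
            verdicts.append(verdict)
    return verdicts


# Constructed sample: the expected NLB rule, an overly broad all-ICMP rule, and
# a TCP rule that the audit ignores. The group ID is a placeholder.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4,
         "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": PMTUD_DESCRIPTION}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    ],
}

if __name__ == "__main__":
    for line in audit_security_group(SAMPLE_SG):
        print(line)
```

Feeding each entry of the `SecurityGroups` list from `aws ec2 describe-security-groups` into `audit_security_group` lets you confirm that only the type 3, code 4 rule (and, if you use traceroute, type 11, code 0) is open to 0.0.0.0/0.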