记一次calico网络策略denyall误伤事件

kubectl get pods
# 报 refused/handshake timeout

crictl ps -a | egrep 'etcd|kube-apiserver'
# kube-apiserver Exited / etcd 抖动

# 常见：apiserver 日志提示连不上 127.0.0.1:2379
crictl logs $(crictl ps -a | awk '/kube-apiserver/{print $1; exit}') --tail=80

CIDR=10.168.1.0/24

# 先保命：loopback
iptables -I INPUT  1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT

# 尽量抢在 Calico 前面：raw/mangle 置顶放通
for t in raw mangle; do
  iptables -t $t -I PREROUTING 1 -p tcp -s $CIDR -m multiport --dports 2379,2380,6443,10250 -j ACCEPT
  iptables -t $t -I OUTPUT     1 -p tcp -d $CIDR -m multiport --dports 2379,2380,6443,10250 -j ACCEPT
done

# filter 兜底
iptables -I INPUT  1 -p tcp -s $CIDR -m multiport --dports 2379,2380,6443,10250 -j ACCEPT
iptables -I OUTPUT 1 -p tcp -d $CIDR -m multiport --dports 2379,2380,6443,10250 -j ACCEPT

# 示例：在 10.168.1.21 上
nc -zvw2 10.168.1.174 2380; nc -zvw2 10.168.1.219 2380
nc -zvw2 10.168.1.174 2379; nc -zvw2 10.168.1.219 2379

# 同理在 10.168.1.174 / 10.168.1.219 上分别测对方

# 放通 127/8（先救活再收口）
iptables -t raw    -I OUTPUT     1 -d 127.0.0.0/8 -j ACCEPT
iptables -t raw    -I PREROUTING 1 -i lo -j ACCEPT
iptables -t raw    -I OUTPUT     1 -o lo -j ACCEPT

iptables -t mangle -I PREROUTING 1 -i lo -j ACCEPT
iptables -t mangle -I INPUT      1 -i lo -j ACCEPT
iptables -t mangle -I OUTPUT     1 -o lo -j ACCEPT
iptables -t mangle -I OUTPUT     1 -d 127.0.0.0/8 -j ACCEPT
iptables -t mangle -I INPUT      1 -s 127.0.0.0/8 -j ACCEPT

iptables -I OUTPUT 1 -d 127.0.0.0/8 -j ACCEPT
iptables -I INPUT  1 -s 127.0.0.0/8 -j ACCEPT

# 复测：必须 Connected
nc -zvw2 127.0.0.1 2379

systemctl restart kubelet
sleep 5
ss -lnpt | egrep ':(6443)\b' || true
curl -k https://127.0.0.1:6443/healthz

# 删除你下发的 deny-all GNP（按实际名字）
kubectl delete globalnetworkpolicy hep-denyall-ingress-firewalld