Labels: enhancement (New feature or request)
Description
Summary
Add a new network monitor to detect when net.ipv4.ip_forward is disabled, which breaks Kubernetes overlay networking.
Problem
Kubernetes CNI plugins (Canal, Calico, Flannel, etc.) require net.ipv4.ip_forward=1 for pod-to-pod and pod-to-external networking. However, this setting can be unexpectedly disabled by:
- TuneD re-applying /etc/sysctl.d/ files after profile switches
- System updates or security hardening tools
- Manual sysctl configuration errors
- Cloud-init or other provisioning tools
When ip_forward=0, overlay networking silently breaks: pods cannot communicate across nodes and external connectivity fails.
Proposed Solution
Create a new monitor network-ip-forwarding that:
- Checks IPv4 forwarding: reads /proc/sys/net/ipv4/ip_forward
- Checks IPv6 forwarding: reads /proc/sys/net/ipv6/conf/all/forwarding
- Checks per-interface forwarding (optional): reads /proc/sys/net/ipv4/conf/*/forwarding
- Reports the condition IPForwardingDisabled when forwarding is off
- Reports events: Warning/Error with clear remediation guidance
Implementation Details
File Location
pkg/monitors/network/ip_forwarding.go
Monitor Type
network-ip-forwarding
Configuration Options
```yaml
monitors:
  - name: ip-forwarding-check
    type: network-ip-forwarding
    enabled: true
    interval: 30s
    config:
      checkIPv4: true          # Check net.ipv4.ip_forward
      checkIPv6: true          # Check net.ipv6.conf.all.forwarding
      checkPerInterface: false # Check per-interface settings
      interfaces: []           # Specific interfaces to check (empty = all)
```
Conditions to Report
| Condition | Status | When |
|---|---|---|
| IPForwardingDisabled | True | IPv4 or IPv6 forwarding is disabled |
| IPForwardingDisabled | False | All checked forwarding settings are enabled |
Events to Report
| Event | Severity | When |
|---|---|---|
| IPv4ForwardingDisabled | Error | /proc/sys/net/ipv4/ip_forward = 0 |
| IPv6ForwardingDisabled | Warning | /proc/sys/net/ipv6/conf/all/forwarding = 0 |
| IPForwardingHealthy | Info | All forwarding settings are enabled |
Remediation Suggestions
The monitor should include remediation guidance in event messages:
- "Run: sysctl -w net.ipv4.ip_forward=1"
- "Check /etc/sysctl.d/ for conflicting settings"
- "If using TuneD, consider setting reapply_sysctl=0 or using reapply_sysctl_exclude"
Acceptance Criteria
- Monitor reads /proc/sys/net/ipv4/ip_forward correctly
- Monitor reads /proc/sys/net/ipv6/conf/all/forwarding correctly
- Reports IPForwardingDisabled condition when forwarding is off
- Includes actionable remediation guidance in events
- Unit tests with mock /proc filesystem
- Documentation in docs/monitors.md
- Default configuration in deployment/configmap.yaml
Implementation Notes
The implementation should follow the existing gateway.go pattern in pkg/monitors/network/:
```go
// pkg/monitors/network/ip_forwarding.go
package network

// Imports the project's own monitors and types packages, as gateway.go does
// (import paths are not given in this issue).

func init() {
	monitors.MustRegister(monitors.MonitorInfo{
		Type:        "network-ip-forwarding",
		Factory:     NewIPForwardingMonitor,
		Validator:   ValidateIPForwardingConfig,
		Description: "Monitors IP forwarding settings required for Kubernetes networking",
		DefaultConfig: &types.MonitorConfig{
			Name:           "ip-forwarding-check",
			Type:           "network-ip-forwarding",
			Enabled:        true,
			IntervalString: "30s",
			TimeoutString:  "5s",
			Config: map[string]interface{}{
				"checkIPv4":         true,
				"checkIPv6":         true,
				"checkPerInterface": false,
			},
		},
	})
}
```
Related
- Common issue affecting Kubernetes clusters with overlay networking
- TuneD's reapply_sysctl feature can reset these settings unexpectedly
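A sketch of the check logic itself, written here as an added example rather than code from this project: the `ProcRoot` field lets the unit tests from the acceptance criteria point the monitor at a temporary directory that mimics `/proc/sys`, and the `Finding`/`ForwardingCheck` names are assumptions, not types the project defines. The optional per-interface check is left out.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one event the monitor would emit (reason, severity, message).
type Finding struct{ Reason, Severity, Message string }

// ForwardingCheck mirrors the proposed checkIPv4/checkIPv6 keys. ProcRoot is
// "/proc" in production and a temp dir mimicking /proc/sys in unit tests.
type ForwardingCheck struct {
	ProcRoot             string
	CheckIPv4, CheckIPv6 bool
}

// Run returns the events to report and whether the IPForwardingDisabled
// condition is True (IPv4 off = Error, IPv6 off = Warning, per the issue).
func (c ForwardingCheck) Run() ([]Finding, bool, error) {
	probes := []struct{ on bool; rel, reason, sev, remedy string }{
		{c.CheckIPv4, "sys/net/ipv4/ip_forward", "IPv4ForwardingDisabled", "Error", "sysctl -w net.ipv4.ip_forward=1"},
		{c.CheckIPv6, "sys/net/ipv6/conf/all/forwarding", "IPv6ForwardingDisabled", "Warning", "sysctl -w net.ipv6.conf.all.forwarding=1"},
	}
	var findings []Finding
	disabled := false
	for _, p := range probes {
		if !p.on {
			continue
		}
		raw, err := os.ReadFile(filepath.Join(c.ProcRoot, p.rel))
		if err != nil {
			return nil, false, err // unreadable sysctl: surface the error rather than guess
		}
		if strings.TrimSpace(string(raw)) != "1" { // the file holds "0\n" or "1\n"
			disabled = true
			findings = append(findings, Finding{p.reason, p.sev, p.rel + " = 0; run: " + p.remedy + "; then check /etc/sysctl.d/ and TuneD reapply_sysctl for what reset it"})
		}
	}
	if !disabled {
		findings = append(findings, Finding{"IPForwardingHealthy", "Info", "all checked forwarding settings are enabled"})
	}
	return findings, disabled, nil
}

func main() { // stand-alone run against the real /proc
	fmt.Println(ForwardingCheck{ProcRoot: "/proc", CheckIPv4: true, CheckIPv6: true}.Run())
}
```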