KATA updater/KSN connection errors if using proxy server on TCP ports (8080, 8090, 8091) [KATA/KEDRE]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact

It is not possible to use a proxy server for KATA 5.0 and/or KATA 5.1 CN on TCP ports 8080, 8090 or 8091. If you will configure in KATA 5.0/5.1 proxy server connection settings using one of those ports, then such configuration will result in KATA update task failure and KSN connection errors right after those settings will be applied.

This happens due to the fact, that KATA uses ports 8080, 8090 and 8091 for it's internal services and there are preconfigured default iptable rules that prevent incoming and outgoing connection on those ports for external hosts outside of the KATA cluster, which in turn results in connection errors if those ports are also used by the product for outgoing connections to a proxy server.

Diagnostics

It can be easily confirmed if a KATA server will be facing those updater and KSN issues, by either checking the current proxy server configuration in the product's web interface:

if either of the listed ports 8080, 8090 or 8091 is used, then the KATA server is probably facing the issue.

Or alternatively you can run the iptables -nvL DOCKER-USER command and check if the number of the rejected packages in the corresponding rules for ports 8080, 8090 and 8091 steadily increases upon running update task in KATA:

 

Workaround & Solution

To avoid this issue use one of the following 2 options:

1. Do not use proxy server for KATA connections, configure direct internet connection for KATA CN nodes.
2. Use a proxy server on a different port, for example port 3128 is quite standard option in such cases.