Resolving Kubernetes SNAT Port Exhaustion and Masquerade Collisions
What's the problem?
Fix intermittent packet drops and latency in Kubernetes networking caused by SNAT port collisions. Learn how to implement --random-fully for robust traffic routing.
Why does this happen?
Under high concurrency, the Linux kernel's default MASQUERADE target often selects the same source port for different flows, leading to collisions. These collisions cause the kernel to drop packets, resulting in connection resets and degraded network performance.
Code Example
iptables -t nat -A POSTROUTING -m comment --comment "k8s-masquerade" -j MASQUERADE --random-fullyHow to fix it
To resolve this, ensure your node's iptables version is at least 1.6.2 and implement the '--random-fully' flag. This forces the kernel to randomize source ports for all SNAT traffic, eliminating deterministic port reuse. You must update your cluster's proxy configuration to dynamically detect this capability and append the flag to masquerade rules, ensuring high-traffic stability across your services.