schmichri's questions

I have the following chain setup by kube-proxy in my iptables on all my Nodes.

Chain KUBE-POSTROUTING (1 references)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service traffic requiring SNAT */ 

All my nodes are behind a Stateless / Static Firewall from the provider. With the following rule setup.

tcp_established: &tcp_established
  name: tcp established
  ip_version: ipv4
  dst_port: '32768-65535'
  action: accept
  protocol: tcp
  tcp_flags: ack

Meaning that traffic from anywhere is allowed on the Ports 32768-65535 TCP / ACK only to ensure reverse connections from outbound traffic.

On all my nodes (Ubuntu 16.04) the following Systemsetting is set.

cat /proc/sys/net/ipv4/ip_local_port_range
32768   60999

When i try to access a remote server e.g. via curl & http I have dropping connections (TCP Spurious Retransmission), coming from Source Ports lower than 32768.

3   1.051525000 80→20092 [SYN, ACK] Seq=0 Ack=1 Win=64876 Len=0 MSS=1336 SACK_PERM=1 TSval=1259153497 TSecr=1768475026 WS=128   THETARGETIP THESOURCEIP TCP 74

4   2.079464000 [TCP Spurious Retransmission] 20092→80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM=1 TSval=1768476055 TSecr=0 WS=128 THESOURCEIP THETARGETIP TCP 74

Is there a way to "tell" iptables, kube-proxy and/or kernel to limit the range of Source Port using iptables masquarde?

Can I add AccessControlEntry (ACL/ACE) in Active Directory with LDIF Files and ldapadd? With OpenLDAP / Oracle Directory it seems to be possible.

I've tried:

## delegate Control / add ACI
dn: OU=nocluster2,OU=AWS-myaccount,OU=BigData,DC=BLA,DC=COMPANY,DC=COM
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give csmith full rights"; allow(all) userdn =  "ldap:///CN=noclusteradm2,OU=nocluster2,OU=AWS-myaccount,OU=BigData,DC=BLA,DC=COMPANY,DC=COM";)

Of course I get the error

ldap_modify: No such attribute (16)
    additional info: 00000057: LdapErr: DSID-0C090F64, comment: Error in attribute conversion operation, data 0, v3839

I've to run this commands from Linux/ansible and avoid powershell/DACL.exe/windows calls etc.

I need to setup K8S in HA Mode on hosted Baremetal. If have a vSwitch Network where I can easily assign internal IPs. Is there a Virtual Linuxbased loadbalancer (Active/Passiv) software that allows me to run in L2 network? Where the Passive LB Node assigns the LB IP if the active one is not available in the Network?

edit: is keepalived maybe the answer to my own question?