ip-masq-agent receiving "error syncing masquerade rules"

Problem

The ip-masq-agent pods keep restarting or log "error syncing masquerade rules" together with "iptables-restore failed on line X", which triggers alerts.

Environment

  • Google Kubernetes Engine
  • ip-masq-agent installed

Solution

If you are using an ip-masq-agent version prior to v2.2.0, these errors are fatal: the agent exits on the error, so the container crashes continuously. Update ip-masq-agent to a newer version, such as k8s.gcr.io/ip-masq-agent-amd64:v2.5.0, to mitigate the container restarts.

If you already have v2.2.0+, these error messages will not cause container crashes. You can ignore these messages as they are benign.

If you further want to verify that ip-masq-agent is serving its purpose, edit the ip-masq-agent ConfigMap and add an IP range to the non-masquerade section. Wait a couple of minutes, then SSH into a Google Kubernetes Engine node and run:

$ sudo iptables -t nat -L -n | grep -i masq

Even with the sync errors, you should see new rules added for the IP range you just configured.
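The manual check above can be scripted so the verification is repeatable (and can feed an alert when a rule goes missing). The following is an added example, not code from the ip-masq-agent project: it parses `iptables -t nat -S` output for a non-masquerade (RETURN) rule for a given CIDR and confirms the MASQUERADE catch-all is still last in the chain. The chain name IP-MASQ-AGENT and the rule comments are assumptions, and the rule listing is constructed sample output.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S IP-MASQ-AGENT` output on a GKE node.
# Chain name and comment strings are assumed; replace with live output (see bottom).
SAMPLE_RULES='-N IP-MASQ-AGENT
-A IP-MASQ-AGENT -d 169.254.0.0/16 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ-AGENT -d 10.0.0.0/8 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ-AGENT -d 192.168.100.0/24 -m comment --comment "ip-masq-agent: local traffic is not subject to MASQUERADE" -j RETURN
-A IP-MASQ-AGENT -m comment --comment "ip-masq-agent: outbound traffic is subject to MASQUERADE (must be last in chain)" -j MASQUERADE'

# has_nonmasq_rule CIDR [RULES]
# Returns 0 when CIDR has its own RETURN rule (traffic to it is NOT masqueraded),
# 1 otherwise. The trailing space after the CIDR keeps /8 from matching /80.
has_nonmasq_rule() {
    cidr="$1"
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | grep -F -e "-d $cidr " | grep -q -e '-j RETURN$'
}

# masquerade_is_last [RULES]
# Returns 0 when the final appended rule is the MASQUERADE catch-all. If another
# entity rewrote the chain and put a rule after it, the agent's intent is broken.
masquerade_is_last() {
    rules="${1:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | grep -e '^-A ' | tail -n 1 | grep -q -e '-j MASQUERADE$'
}

# check_cidr CIDR [RULES]
# Combined check that reports a human-readable verdict and returns 0 only when
# both conditions hold; suitable as a node-level health probe.
check_cidr() {
    if has_nonmasq_rule "$1" "${2:-$SAMPLE_RULES}" && masquerade_is_last "${2:-$SAMPLE_RULES}"; then
        echo "OK: $1 is excluded from masquerade and MASQUERADE is last"
        return 0
    fi
    echo "MISSING: no RETURN rule for $1 or chain order is wrong"
    return 1
}

# On a real node (needs root), pass the live listing instead of the sample:
#   check_cidr 192.168.100.0/24 "$(sudo iptables -t nat -S IP-MASQ-AGENT)"
```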

Cause

These messages most likely appear because another entity is performing an iptables operation on the node at the same time, for example kube-proxy or another workload with NET_ADMIN privileges.