
I have 3 nodes, 1 master node and 2 worker nodes; the service has 3 pods, one on each node.

The clusterIP sometimes works and sometimes doesn't; why?

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        4h36m
test-web     NodePort    10.111.242.64   <none>        80:31940/TCP   4m27s
.
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.

kubeadm version: 1.21

MetalLB

Calico

If I set replicas to 1, the pod runs only on the master node, and in that case the problem does not occur.

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP       
test-web     NodePort    10.109.169.134   <none>        80:30786/TCP
.
[ciuffoly@master-node ~]$ telnet 10.109.169.134 80
Trying 10.109.169.134...
Connected to 10.109.169.134.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[ciuffoly@master-node ~]$ telnet 10.109.169.134 80
Trying 10.109.169.134...
Connected to 10.109.169.134.
Escape character is '^]'.
^]
telnet> q
Connection closed.

I can fix the problem by disabling the firewall, so what policy should I add?

sudo iptables --flush 
sudo iptables -tnat --flush
sudo systemctl stop firewalld
sudo systemctl disable firewalld

Could it be this drop?

sudo watch "iptables-save -c | grep DROP | grep -v 0:0"
[21:840] -A cali-fw-cali89d79c513b6 -m comment --comment "cali:3xIxhDO4pTMF8Lh5" -m conntrack --ctstate INVALID -j DROP

Is it enough to add just these new policy rules to fix the problem?

iptables -N "KUBE-FORWARD-PATCH"
iptables -A "KUBE-FORWARD-PATCH" -m "conntrack" --ctstate "INVALID" -j "DROP"
iptables -I FORWARD -m comment --comment "k8s patch PR 74840" -j KUBE-FORWARD-PATCH

Maybe that's not enough, because I also have these drops:

[1:40] -A cali-fw-calia9254886eeb -m comment --comment "cali:HjnHY5RwVCZWkXY9" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP

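The `watch "iptables-save -c | grep DROP | grep -v 0:0"` loop in the question leaves the reader to spot by eye which counter moved during a failed `telnet`. The script below is an added example (it is not from the question, and not part of Calico, MetalLB or Kubernetes): it parses two `iptables-save -c` snapshots, keeps only DROP/REJECT rules, and reports the ones whose packet counter grew between the snapshots, largest delta first, together with the client-side symptom each kind of rule produces. The Calico and KUBE-FORWARD lines in the embedded snapshot are copied from the question; the `-A FORWARD ... -j REJECT --reject-with icmp-host-prohibited` line and the "after" counters are constructed for illustration (firewalld's final reject rule has that form, and an ICMP host-prohibited reply is what makes a client report "No route to host", whereas a silent DROP produces a timeout).

```python
"""Diff two `iptables-save -c` snapshots and list the DROP/REJECT rules whose
packet counters grew in between.  Added example, not code from the question."""
import re
from typing import Dict, List, Tuple

# `iptables-save -c` prefixes every rule line with "[packets:bytes]".
RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")

# Constructed snapshot "before" a failed connection attempt.  The Calico and
# KUBE-FORWARD lines are the ones quoted in the question; the FORWARD REJECT
# line is an assumed firewalld-style final rule, added only for illustration.
BEFORE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
[21:840] -A cali-fw-cali89d79c513b6 -m comment --comment "cali:3xIxhDO4pTMF8Lh5" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[500:30000] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed snapshot "after": the REJECT rule and the KUBE-FORWARD DROP
# both fired; the ACCEPT rule also moved, but it is not a terminating drop.
AFTER = (BEFORE
         .replace("[1:60] -A KUBE-FORWARD", "[3:180] -A KUBE-FORWARD")
         .replace("[0:0] -A FORWARD -j REJECT", "[7:420] -A FORWARD -j REJECT")
         .replace("[500:30000]", "[512:30720]"))


def parse_counters(dump: str) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Map (chain, rule spec) -> (packets, bytes).  Table headers, chain
    declarations and COMMIT lines do not match RULE_RE and are skipped."""
    counters: Dict[Tuple[str, str], Tuple[int, int]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            pkts, nbytes, chain, spec = m.groups()
            counters[(chain, spec)] = (int(pkts), int(nbytes))
    return counters


def is_terminal_drop(spec: str) -> bool:
    """True when the rule's target discards the packet (DROP or REJECT)."""
    return re.search(r"-j\s+(DROP|REJECT)\b", spec) is not None


def explain(spec: str) -> str:
    """Translate the rule into the symptom the connecting client observes."""
    if "--reject-with icmp-host-prohibited" in spec:
        # ICMP admin-prohibited maps to EHOSTUNREACH: telnet prints "No route to host".
        return "REJECT icmp-host-prohibited: client sees 'No route to host'"
    if "--ctstate INVALID" in spec:
        # A silent DROP gives the client no reply at all, so it times out instead.
        return "DROP conntrack INVALID: client sees a timeout"
    return "terminating rule"


def grown_drops(before: Dict[Tuple[str, str], Tuple[int, int]],
                after: Dict[Tuple[str, str], Tuple[int, int]]) -> List[dict]:
    """DROP/REJECT rules whose packet counter increased, biggest delta first.
    A rule missing from `before` (e.g. freshly inserted) counts from zero."""
    rows = []
    for (chain, spec), (p1, b1) in after.items():
        if not is_terminal_drop(spec):
            continue
        p0, b0 = before.get((chain, spec), (0, 0))
        if p1 > p0:
            rows.append({"chain": chain, "rule": spec, "packets": p1 - p0,
                         "bytes": b1 - b0, "symptom": explain(spec)})
    rows.sort(key=lambda r: r["packets"], reverse=True)
    return rows


def report(before: str = BEFORE, after: str = AFTER) -> List[dict]:
    """Convenience wrapper: parse both dumps and return the grown drop rules."""
    return grown_drops(parse_counters(before), parse_counters(after))


if __name__ == "__main__":
    for row in report():
        print(f"{row['packets']:>6} pkts  {row['chain']:<16} {row['symptom']}")
        print(f"        -A {row['chain']} {row['rule']}")
```

To use it on a real cluster, capture `sudo iptables-save -c` into one file, run the failing `telnet`, capture again, and pass the two files' contents to `report()`. Since FORWARD-chain rules are evaluated on the node that forwards the packet into the pod's veth, the snapshots have to be taken on the node hosting the pod that was selected, not only on the master where `telnet` was run.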