Kubernetes: VPN server and DNS issues
I spun up a docker-openvpn container in my (local) Kubernetes cluster to access my Services securely and debug dependent services locally.
I can connect to the cluster via the openVPN server. However I can't resolve my Services via DNS.
I managed to get to the point where, after setting routes on the VPN server:
I can ping a Pod by IP (subnet 10.2.0.0/16)
I can ping a Service by IP (subnet 10.3.0.0/16), like the DNS which is at 10.3.0.10
I can curl a Service by IP and get the data I need.
But when I nslookup kubernetes or any Service, I get:
nslookup kubernetes
;; Got recursion not available from 10.3.0.10, trying next server
;; Got SERVFAIL reply from 10.3.0.10, trying next server
I am still missing something for the data to return from the DNS server, but can't figure out what I need to do.
How do I debug this SERVFAIL issue in Kubernetes DNS?
EDIT:
Things I have noticed and am looking to understand:
nslookup works to resolve Service names in any Pod except the openvpn Pod.
While nslookup works in those other Pods, ping does not.
Similarly, traceroute in those other Pods leads to the flannel layer 10.0.2.2 and then stops there.
From this I guess ICMP must be blocked at the flannel layer, and that doesn't help me figure out where DNS is blocked.
EDIT2:
I finally figured out how to get nslookup to work: I had to push the DNS search domains to the client with
push "dhcp-option DOMAIN-SEARCH cluster.local"
push "dhcp-option DOMAIN-SEARCH svc.cluster.local"
push "dhcp-option DOMAIN-SEARCH default.svc.cluster.local"
added with the -p option of the docker-openvpn image, so I end up with:
docker run -v /etc/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig \
-u udp://192.168.10.152:1194 \
-n 10.3.0.10 \
-n 192.168.10.1 \
-n 8.8.8.8 \
-n 75.75.75.75 \
-n 75.75.75.76 \
-s 10.8.0.0/24 \
-d \
-p "route 10.2.0.0 255.255.0.0" \
-p "route 10.3.0.0 255.255.0.0" \
-p "dhcp-option DOMAIN cluster.local" \
-p "dhcp-option DOMAIN-SEARCH svc.cluster.local" \
-p "dhcp-option DOMAIN-SEARCH default.svc.cluster.local"
Now, nslookup works but curl still does not.
Finally, my config looks like this:
docker run -v /etc/openvpn:/etc/openvpn --rm kylemanna/openvpn ovpn_genconfig \
-u udp://192.168.10.152:1194 \
-n 10.3.0.10 \
-n 192.168.10.1 \
-n 8.8.8.8 \
-n 75.75.75.75 \
-n 75.75.75.76 \
-s 10.8.0.0/24 \
-N \
-p "route 10.2.0.0 255.255.0.0" \
-p "route 10.3.0.0 255.255.0.0" \
-p "dhcp-option DOMAIN-SEARCH cluster.local" \
-p "dhcp-option DOMAIN-SEARCH svc.cluster.local" \
-p "dhcp-option DOMAIN-SEARCH default.svc.cluster.local"
-u for the VPN server address and port
-n for all the DNS servers to use
-s to define the VPN subnet (as it defaults to 10.2.0.0, which is already used by Kubernetes)
-d to disable NAT
-p to push options to the client
-N to enable NAT: it seems critical for this setup on Kubernetes
The last part, pushing the search domains to the client, was the key to getting nslookup etc. to work.
Note that curl didn't work at first, but seems to start working after a few seconds. So it does work, but it takes a bit of time for curl to be able to resolve.
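As an added example (not code from the original post or from the docker-openvpn project), here are the two checks a practitioner would run before generating the config above: that the VPN subnet chosen with -s does not overlap the pod or Service subnets (the post's 10.2.0.0/16 and 10.3.0.0/16), and which query names a client resolver actually sends for a short Service name once the DOMAIN-SEARCH options are pushed, which is why `nslookup kubernetes` only succeeds after EDIT2. The subnets and the cluster.local domain are taken from the post; treating the image's 10.2.0.0 default as a /24 and emulating glibc's ndots/search-list behaviour are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post or the docker-openvpn image.
# Assumptions: pod subnet 10.2.0.0/16, Service subnet 10.3.0.0/16 and domain
# cluster.local come from the post; the resolver logic emulated below is glibc's.

# ip2int DOTTED_QUAD -> 32-bit integer (10.2.0.0 -> 167903232)
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# network_range CIDR -> "first last" as integers, truncated to the network boundary
network_range() {
    addr=${1%/*}
    bits=${1#*/}
    base=$(ip2int "$addr")
    size=$(( 1 << (32 - bits) ))
    first=$(( base / size * size ))
    echo "$first $(( first + size - 1 ))"
}

# cidr_overlap A B: exit status 0 if the two networks share any address
cidr_overlap() {
    set -- $(network_range "$1") $(network_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_vpn_subnet CIDR: "ok" if the subnet given to -s can coexist with the
# cluster, otherwise the first cluster network it collides with.  A collision
# means the pushed routes send cluster traffic into the tunnel's own subnet.
check_vpn_subnet() {
    for net in 10.2.0.0/16 10.3.0.0/16; do
        if cidr_overlap "$1" "$net"; then
            echo "overlaps $net"
            return 1
        fi
    done
    echo ok
}

# search_candidates NAME [NDOTS]: the query names a glibc resolver sends, in
# order, for NAME with the search list pushed in EDIT2.  Names with fewer than
# NDOTS dots are tried through the search list first, then as-is; others as-is first.
search_candidates() {
    name=$1
    ndots=${2:-1}
    search="cluster.local svc.cluster.local default.svc.cluster.local"
    dots=$(( $(printf '%s' "$name" | tr -cd '.' | wc -c) + 0 ))
    expanded=""
    for d in $search; do
        expanded="$expanded $name.$d"
    done
    if [ "$dots" -ge "$ndots" ]; then
        echo "$name$expanded"
    else
        echo "${expanded# } $name"
    fi
}

# Demonstration: the image default (assumed 10.2.0.0/24) collides with the pod
# network; the -s 10.8.0.0/24 used in the post does not.
echo "default 10.2.0.0/24: $(check_vpn_subnet 10.2.0.0/24)"
echo "post    10.8.0.0/24: $(check_vpn_subnet 10.8.0.0/24)"
echo "nslookup kubernetes on the VPN client tries: $(search_candidates kubernetes)"
echo "same name inside a Pod (ndots 5): $(search_candidates kubernetes.default 5)"
```

The search emulation shows why pushing DOMAIN-SEARCH is what made `nslookup kubernetes` work on the VPN client: a desktop resolver has no cluster search list, so it sends `kubernetes` as an absolute name and the cluster DNS at 10.3.0.10 never sees `kubernetes.default.svc.cluster.local`. To separate the search-domain problem from a routing or DNS-server problem, query the fully qualified name directly with `dig @10.3.0.10 kubernetes.default.svc.cluster.local`; if that answers but the short name does not, the tunnel and the server are fine and only the client's search list is missing.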
Try curl -4. Maybe it's resolving to the AAAA even if A is present.