在 RPI 上运行的 K8 集群中无法访问 NGINX 节点端口服务
[英]Unable to access NGINX nodePort service in K8 cluster running on RPI
问题描述
I have set-up a small Kubernetes Cluster on Raspberry Pi currently consisting of 1 Master and 1 Worker.
我在 Raspberry Pi 上设置了一个小型 Kubernetes 集群,目前由 1 个 Master 和 1 个 Worker 组成。 I have created a simple deployment of NGINX and created a NodePort service for this.我创建了 NGINX 的简单部署,并为此创建了 NodePort 服务。 My YAML looks like this:我的 YAML 看起来像这样:
apiVersion: v1
kind: Service
metadata:
name: nginx-service
labels:
app: nginx
spec:
selector:
app: nginx
type: NodePort
ports:
- nodePort: 30333
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
labels:
app: nginx
spec:
replicas: 2
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx:1.16.1
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
protocol: TCP
restartPolicy: Always
The PODS are up and running and so is the service PODS 已启动并正在运行,服务也是如此
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-5d66cc795f-bgqdp 1/1 Running 0 65m
nginx-5d66cc795f-mb8qw 1/1 Running 0 65m
$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d
nginx-service NodePort 10.104.133.199 <none> 80:30333/TCP 66m
But I am unable to access the NGINX from the master node.但我无法从主节点访问 NGINX。
curl http://192.168.178.101:30333
curl: (7) Failed to connect to 192.168.178.101 port 30333: Connection timed out
If I try from the Worker node it works fine, and NGINX responds.如果我从 Worker 节点尝试它可以正常工作,并且 NGINX 会响应。 From the worker node I can use the IP address:30333 or the hostname:30333, although localhost:30333 does not work!从工作节点我可以使用 IP 地址:30333 或主机名:30333,尽管 localhost:30333 不起作用!
Connectivity from my Master to Worker seems fine.从我的主人到工人的连接似乎很好。 I can ping, SSH from there etc. either on IP address or hostname.我可以在 IP 地址或主机名上从那里 ping SSH 等。
Any ideas what I have done wrong?任何想法我做错了什么?
Output from get nodes -o wide: Output 从获取节点 -o 宽:
$ kubectl get nodes -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
k8-master Ready master 13d v1.17.4 192.168.178.100 <none> Raspbian GNU/Linux 10 (buster) 4.19.97-v7+ docker://19.3.8
k8-w1 Ready worker 13d v1.17.4 192.168.178.101 <none> Raspbian GNU/Linux 10 (buster) 4.19.97-v7+ docker://19.3.8
Output from describe service: Output 来自描述服务:
$ kubectl describe service nginx-service
Name: nginx-service
Namespace: default
Labels: app=nginx
Annotations: kubectl.kubernetes.io/last-applied-configuration:
{"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app":"nginx"},"name":"nginx-service","namespace":"default"},"s...
Selector: app=nginx
Type: NodePort
IP: 10.104.133.199
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 30333/TCP
Endpoints: 10.44.0.1:80,10.44.0.2:80
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
Update: I tried a simple Telnet command to the Worker on the NodePort 30333. But I get a connection timed out error.更新:我尝试对 NodePort 30333 上的 Worker 执行简单的 Telnet 命令。但我收到连接超时错误。
So then, I removed the NodePort service and tried a simple Port forward command然后,我删除了 NodePort 服务并尝试了一个简单的端口转发命令
kubectl port-forward pod/nginx-545b8fdd47-brg7r 8080:80
This worked OK, and I could connect from Master -> Worker via this port.这工作正常,我可以通过这个端口从 Master -> Worker 连接。
But NodePort service still doesn't work!但是NodePort服务还是不行!
1 个解决方案
解决方案1
2 已采纳 2020-04-09 07:36:50
So after many hours and days I think I have found the source of the problem.因此,经过数小时和数天后,我想我找到了问题的根源。
I found this blog: https://limpygnome.com/2019/09/21/raspberry-pi-kubernetes-cluster/我找到了这个博客: https://limpygnome.com/2019/09/21/raspberry-pi-kubernetes-cluster/
Which led me to this bug report: https://github.com/kubernetes-sigs/kubespray/issues/4674这导致我收到这个错误报告: https://github.com/kubernetes-sigs/kubespray/issues/4674
So executing the following would allow the connection:因此执行以下命令将允许连接:
sudo iptables -P FORWARD ACCEPT
But I could not get this to stick after a reboot (even using iptables-persistent), I assume as the rules are updated by Docker/K8s dynamically during startup and after changes.但是我无法在重新启动后坚持这一点(即使使用 iptables-persistent),我认为规则是由 Docker/K8s 在启动期间和更改后动态更新的。
This led me to investigate further and I found information in the Weave network documentation about issues regarding K8s network with hosts that use iptables v 1.8 and higher.这促使我进一步调查,并在 Weave 网络文档中找到了有关使用 iptables v 1.8 及更高版本的主机的 K8s 网络问题的信息。 (This seems to have also applied to other K8s networking providers although some of these might have been resolved). (这似乎也适用于其他 K8s 网络提供商,尽管其中一些可能已经解决)。 I then saw in my Weave log files that it was indeed rejecting requests.然后我在我的 Weave 日志文件中看到它确实拒绝了请求。
So by executing the following on my nodes I was able to get this working permanently.因此,通过在我的节点上执行以下操作,我能够使其永久工作。
sudo update-alternatives --set iptables /usr/sbin/iptables-legacy
I can now access via my NodePort between all nodes, and externally from the cluster onto all nodes.我现在可以通过我的 NodePort 在所有节点之间访问,也可以从集群外部访问所有节点。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.