
No outbound networking on Kubernetes pods

I am running a one-node Kubernetes cluster in a VM for development and testing purposes. I used Rancher Kubernetes Engine (RKE, Kubernetes version 1.18) to deploy it and MetalLB to enable the LoadBalancer service type. Traefik is version 2.2, deployed via the official Helm chart ( https://github.com/containous/traefik-helm-chart ). I have a few dummy containers deployed to test the setup ( https://hub.docker.com/r/errm/cheese ).

I can access the Traefik dashboard just fine through the node's IP (-> MetalLB seems to work). It registers the services and routes for the test containers. Everything is looking fine, but when I try to access the test containers in my browser I get a 502 Bad Gateway error.

Some probing showed that there seems to be an issue with outbound traffic from the pods. When I SSH into the node I can reach all pods by their service or pod IP. DNS from node to pod works as well. However, if I start an interactive busybox pod I can't reach any other pod or host from there. When I wget to any other container (all in the default namespace) I only get wget: can't connect to remote host (10.42.0.7): No route to host. The same is true for servers on the internet.

I have not installed any network policies and there are none installed by default that I am aware of.

I have also gone through this: https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service

Everything in the guide is working fine, except that the pods don't seem to have any network connectivity whatsoever.

My RKE config is standard, except that I turned off the standard Nginx ingress and enabled etcd encryption-at-rest.

Any ideas?

Maybe just double check that your node's IP forwarding is turned on: sysctl net.ipv4.ip_forward

If for some reason it doesn't return: net.ipv4.ip_forward = 1

Then you can set it with: sudo sysctl -w net.ipv4.ip_forward=1

And to make it permanent:

  • edit /etc/sysctl.conf
  • add or uncomment net.ipv4.ip_forward = 1
  • and reload via sysctl -p /etc/sysctl.conf

Ok, so I was being stupid (or rather: a noob). I had an old iptables rule lying around on the host dropping all traffic on the FORWARD chain... removing that rule fixed the problem.

I feel a bit uneasy just removing that rule, but I have to admit that I don't fully understand the security implications of this. This might take some further research, but that's another topic. And since I'm not currently planning to run this cluster in production but rather use a hosted cluster, it's not really a problem anyway.
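Putting the two findings from this thread together (IP forwarding switched off, and a FORWARD-chain rule dropping everything), here is an added node audit script that is not from the original question or either answer. It parses the output of `sysctl net.ipv4.ip_forward` and `iptables -S FORWARD` and reports anything that would stop the node from forwarding pod traffic. The sample rule listing below is constructed, and the 10.42.0.0/16 pod CIDR is an assumption taken from the 10.42.0.7 address in the question (RKE's default cluster CIDR).

```shell
#!/bin/sh
# Added example (not from the original thread): audit a node for the two
# causes of "No route to host" from pods discussed above.

# Reads `sysctl net.ipv4.ip_forward` output on stdin (either the full
# "net.ipv4.ip_forward = 1" line or the bare value from `sysctl -n`) and
# prints 1 if forwarding is enabled, else 0 (also 0 for empty input).
ip_forward_state() {
  awk 'NF { v = $NF } END { if (v == "1") print 1; else print 0 }'
}

# Reads `iptables -S FORWARD` output on stdin and prints only the rules that
# can block forwarded pod traffic: a DROP/REJECT default policy, or any rule
# in the chain that jumps to DROP or REJECT.
forward_blocking_rules() {
  awk '/^-P FORWARD (DROP|REJECT)$/ || (/^-A FORWARD / && /-j (DROP|REJECT)($| )/)'
}

# Counts those rules; always prints a number, even for empty input.
forward_blocking_count() {
  forward_blocking_rules | awk 'END { print NR }'
}

# Constructed sample of a broken node: default policy DROP plus a catch-all
# drop rule at the end, exactly the kind of leftover the self-answer describes.
# The 10.42.0.0/16 CIDR is assumed (RKE default) from the 10.42.0.7 address.
SAMPLE_BROKEN='-P FORWARD DROP
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -s 10.42.0.0/16 -j ACCEPT
-A FORWARD -j DROP'

# Constructed sample of a node where forwarding of pod traffic is permitted.
SAMPLE_OK='-P FORWARD ACCEPT
-A FORWARD -s 10.42.0.0/16 -j ACCEPT
-A FORWARD -d 10.42.0.0/16 -j ACCEPT'

# Live audit of this node (iptables needs root). Usage: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
  printf 'ip_forward enabled (1=yes): %s\n' \
    "$(sysctl -n net.ipv4.ip_forward | ip_forward_state)"
  printf 'FORWARD rules that can drop pod traffic (%s):\n' \
    "$(iptables -S FORWARD | forward_blocking_count)"
  iptables -S FORWARD | forward_blocking_rules
fi
```

Run it with `--live` on the node as root; anything it lists is a candidate for the "No route to host" symptom. Rather than deleting a drop rule outright, which is what worried the poster, a narrower fix is to insert explicit ACCEPT rules ahead of it for the pod CIDR only (for example `iptables -I FORWARD -s 10.42.0.0/16 -j ACCEPT` and the matching `-d` rule), so the node forwards cluster traffic while the original policy still applies to everything else.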
