我的 pod 無法連接到私有子網
[英]My pod can't connect to the private subnet
問題描述
[Interface:vetha13c9067] 05:57:57.851421 IP 10.28.0.7 > 172.28.10.17: ICMP echo request, id 56, seq 1, length 64
[Interface:cbr0] 05:57:57.851421 IP 10.28.0.7 > 172.28.10.17: ICMP echo request, id 56, seq 1, length 64
[Interface:eth0] 05:57:57.851614 IP 172.18.0.25 > 172.28.10.17: ICMP echo request, id 56, seq 1, length 64
以上日志沒有任何問題10.28.0.7可以與 172.28.10.17 成功通信
[Interface:veth916b4093] 05:57:09.699334 IP 10.20.4.194 > 172.28.10.17: ICMP echo request, id 28, seq 1, length 64
[Interface:cbr0] 05:57:09.699334 IP 10.20.4.194 > 172.28.10.17: ICMP echo request, id 28, seq 1, length 64
[Interface:eth0] 05:57:09.699380 IP 10.20.4.194 > 172.28.10.17: ICMP echo request, id 28, seq 1, length 64
並且上面的日志有一些問題,因為您可以看到它的 eth0 接口請求仍然來自10.20.4.194而不是172.18.0.0/16其子網范圍。
為什么我的 pod 中的請求不是來自子網范圍 (172.18.0.0/16)?
以下是我當前的配置:
bash-5.0# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth0@if135: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc noqueue state UP group default
link/ether 76:f9:ea:bf:d7:1d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.20.4.194/24 scope global eth0
valid_lft forever preferred_lft forever
bash-5.0# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.20.4.1 0.0.0.0 UG 0 0 0 eth0
10.20.4.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
bash-5.0# ip neigh sh
10.20.4.1 dev eth0 lladdr 92:7f:08:52:f9:d4 STALE
bash-5.0# cat /etc/resolv.conf
nameserver 10.85.0.10
search default.svc.cluster.local svc.cluster.local cluster.local c.buzzdata.internal google.internal
options ndots:5
bash-5.0# nslookup kubernetes
Server: 10.85.0.10
Address: 10.85.0.10#53
Name: kubernetes.default.svc.cluster.local
Address: 10.85.0.1
╰─ k describe po netshoot-container
Name: netshoot-container
Namespace: default
Priority: 0
PriorityClassName: <none>
Node: gke-search-cluster-pool-765be39a-gkt4/172.18.0.17
Start Time: Mon, 16 Mar 2020 14:05:32 +0900
Labels: run=netshoot-container
Annotations: kubernetes.io/limit-ranger: LimitRanger plugin set: cpu request for container netshoot-container
Status: Running
IP: 10.20.4.194
Containers:
netshoot-container:
Container ID: docker://0df9d4b262f926d7d89a42f58de672284a5cb5637ab951b752e0c8b34ded676a
Image: nicolaka/netshoot
Image ID: docker-pullable://nicolaka/netshoot@sha256:99d15e34efe1e3c791b0898e05be676084638811b1403fae59120da4109368d4
Port: <none>
Host Port: <none>
Args:
/bin/bash
State: Running
Started: Mon, 16 Mar 2020 14:05:36 +0900
Ready: True
Restart Count: 0
Requests:
cpu: 100m
Environment: <none>
Mounts:
/var/run/secrets/kubernetes.io/serviceaccount from default-token-xxxx (ro)
Conditions:
Type Status
Initialized True
Ready True
ContainersReady True
PodScheduled True
Volumes:
default-token-xxxx:
Type: Secret (a volume populated by a Secret)
SecretName: default-token-xxxx
Optional: false
QoS Class: Burstable
Node-Selectors: kubernetes.io/hostname=gke-xxxx-cluster-pool-xxxx-gkt4
Tolerations: node.kubernetes.io/not-ready:NoExecute for 300s
node.kubernetes.io/unreachable:NoExecute for 300s
Events: <none>
Chain INPUT (policy DROP)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT sctp -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
KUBE-FORWARD all -- anywhere anywhere /* kubernetes forwarding rules */
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT sctp -- anywhere anywhere
Chain OUTPUT (policy DROP)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain DOCKER (1 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain KUBE-EXTERNAL-SERVICES (1 references)
target prot opt source destination
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
Chain KUBE-FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* kubernetes forwarding rules */ mark match 0x4000/0x4000
ACCEPT all -- 10.20.0.0/14 anywhere /* kubernetes forwarding conntrack pod source rule */ ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere 10.20.0.0/14 /* kubernetes forwarding conntrack pod destination rule */ ctstate RELATED,ESTABLISHED
Chain KUBE-SERVICES (3 references)
target prot opt source destination
1 個解決方案
解決方案1
1 2020-03-17 06:59:27
我找到了一個原因,那是因為啟用了 IP-MASQ。
如果您遇到了 pod 無法與 172.xxx 等私有子網通信的相同問題,請通過iptables -t nat -L檢查您節點的 iptable 規則
如果你能看到 IP-MASQ 規則並且如果有RETURN all -- anywhere 172.16.0.0/12 /* ip-masq: RFC 1918 reserved range is not subject to MASQUERADE */那么下面!
https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent
手動修改 iptable 可能是解決方案之一,但我認為最好遵循文檔。
無法使用單個 pod 將數據庫容器與服務器容器連接起來
[英]Can't connect database container with server container using a single pod
kubernetes pod無法連接(通過服務)到self,只能連接到其他pod容器
[英]kubernetes pod can't connect (through service) to self, only to other pod-containers
AWS ECS - 無法從同一子網上的 ECS 容器實例連接到 RabbitMQ EC2 實例
[英]AWS ECS - Can't connect to RabbitMQ EC2 instance from ECS container instance on the same subnet
使用 Secrets 作為密碼時無法連接到 Kubernetes 中的 mysql pod(拒絕訪問)
[英]Can't connect to mysql pod in Kubernetes when using Secrets for password (Access denied)
將在 docker (windows) 容器中運行的 webapp 連接到在 AWS 私有子網上運行的 SQL 服務器
[英]Connect webapp running in docker (windows) container to SQL Server running on AWS private subnet
無法連接到我的Elasticsearch實例:NoNodeAvailableException
[英]Can't connect to my Elasticsearch instance: NoNodeAvailableException
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.
相關問題
如何將我的 Kube.netes pod 連接到遠程 Jaeger?
無法使用單個 pod 將數據庫容器與服務器容器連接起來
kubernetes pod無法連接(通過服務)到self,只能連接到其他pod容器
AWS ECS - 無法從同一子網上的 ECS 容器實例連接到 RabbitMQ EC2 實例
使用 Secrets 作為密碼時無法連接到 Kubernetes 中的 mysql pod(拒絕訪問)
將在 docker (windows) 容器中運行的 webapp 連接到在 AWS 私有子網上運行的 SQL 服務器
無法連接到我的Elasticsearch實例:NoNodeAvailableException
如何連接到 Kubernetes Pod 網絡?
無法訪問Pod日志
Dockerfile找不到我的私有ssh密鑰
相關標簽