
I have three nodes, one master and two workers, and the service has three pods, one on each node.

Why does the clusterIP sometimes work and sometimes not?

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        4h36m
test-web     NodePort    10.111.242.64   <none>        80:31940/TCP   4m27s
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.

kubeadm version: 1.21

MetalLB

Calico

If I set replicas to 1, the pod runs only on the master node, and in that case the problem does not occur.

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP       
test-web     NodePort    10.109.169.134   <none>        80:30786/TCP
[ciuffoly@master-node ~]$ telnet 10.109.169.134 80
Trying 10.109.169.134...
Connected to 10.109.169.134.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[ciuffoly@master-node ~]$ telnet 10.109.169.134 80
Trying 10.109.169.134...
Connected to 10.109.169.134.
Escape character is '^]'.
^]
telnet> q
Connection closed.

I can fix the problem by disabling the firewall, so how should I add a policy instead?

sudo iptables --flush 
sudo iptables -tnat --flush
sudo systemctl stop firewalld
sudo systemctl disable firewalld

Is this the drop?

sudo watch "iptables-save -c | grep DROP | grep -v 0:0"
[21:840] -A cali-fw-cali89d79c513b6 -m comment --comment "cali:3xIxhDO4pTMF8Lh5" -m conntrack --ctstate INVALID -j DROP

Is adding new rules for these policies all that is needed to solve the problem?

iptables -N "KUBE-FORWARD-PATCH"
iptables -A "KUBE-FORWARD-PATCH" -m "conntrack" --ctstate "INVALID" -j "DROP"
iptables -I FORWARD -m comment --comment "k8s patch PR 74840" -j KUBE-FORWARD-PATCH

There are still drops, so this is probably not enough:

[1:40] -A cali-fw-calia9254886eeb -m comment --comment "cali:HjnHY5RwVCZWkXY9" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
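The `watch "iptables-save -c | grep DROP | grep -v 0:0"` check in the question shows which rules are discarding packets, but it leaves the operator to read raw counters. The script below is an added example, not code from the question or from Kubernetes or Calico: it parses `iptables-save -c` output and totals the packet and byte counters of every rule that drops `conntrack --ctstate INVALID` traffic, grouped by chain, so that drops in Calico's per-workload `cali-fw-*`/`cali-tw-*` chains can be told apart from drops in `KUBE-FORWARD`. The function names (`invalid_drops`, `invalid_drop_total`) and the sample lines (modelled on the counters quoted above, with one zero-counter rule and one non-INVALID rule added) are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: summarise conntrack INVALID drops from `iptables-save -c`.
# Run on a node as:  sudo iptables-save -c | invalid_drops

# Reads iptables-save -c text on stdin and prints "chain packets bytes" for
# every rule matching "--ctstate INVALID ... -j DROP" whose packet counter is
# non-zero, summed per chain.
invalid_drops() {
    awk '
        /--ctstate INVALID/ && /-j DROP/ {
            # First field is the counter prefix "[packets:bytes]"
            cnt = $1
            gsub(/\[|\]/, "", cnt)
            split(cnt, c, ":")
            if (c[1] + 0 > 0) {
                # The chain name is the token after "-A"
                for (i = 1; i <= NF; i++) if ($i == "-A") { chain = $(i + 1); break }
                pkts[chain] += c[1]
                bytes[chain] += c[2]
            }
        }
        END { for (ch in pkts) printf "%s %d %d\n", ch, pkts[ch], bytes[ch] }
    ' | sort
}

# Total number of packets dropped as INVALID across all chains (0 if none).
invalid_drop_total() {
    invalid_drops | awk '{ s += $2 } END { print s + 0 }'
}

# Constructed sample input (hypothetical chain names and comment hashes).
SAMPLE='[0:0] -A cali-fw-cali0000000000 -m comment --comment "cali:example0" -m conntrack --ctstate INVALID -j DROP
[1:40] -A cali-fw-calia9254886eeb -m comment --comment "cali:HjnHY5RwVCZWkXY9" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[99:9999] -A KUBE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Demonstration against the constructed sample: `./script.sh --sample`
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE" | invalid_drops
    printf 'total INVALID drops: %s\n' "$(printf '%s\n' "$SAMPLE" | invalid_drop_total)"
fi
```

Because the script only reads `iptables-save -c` output it needs no privileges beyond those of `iptables-save` itself, and it can be run repeatedly (for example under `watch`) while reproducing the intermittent `telnet` failures to see whether the counters that grow belong to the Calico workload chains or to `KUBE-FORWARD`.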
