Shulou(Shulou.com)06/01 Report--

Kubernetes node firewall problems lead to pod ip can not access what to do, I believe that many inexperienced people do not know what to do, so this paper summarizes the causes of the problem and solutions, through this article I hope you can solve this problem.

Environment:

1. On the hadoop36 machine, the pod ip of the ping hadoop38 machine is 172.30.1.4

two。 The ip of the external-ip of the service of the pod is the ip of the hadoop36

3. The ip of the following machine has already used xx.xx.xx. To replace and add layers to overwrite

Problem: you cannot access the corresponding pod service through the service EXTERNAL-IP+port. To put it bluntly, you cannot access pod ip+port or ping 172.30.1.4.

Steps:

1. Stop the service first.

[root@hadoop38 ~] # systemctl stop etcd flanneld docker kubelet kube-proxy

two。 View the current rule and clear it

[root@hadoop38] # iptables-L-n

[root@hadoop38] # iptables-F & & iptables-X & & iptables-F-t nat & & iptables-X-t nat

[root@hadoop38] # iptables-L-n

Chain INPUT (policy ACCEPT)

Target prot opt source destination

Chain FORWARD (policy ACCEPT)

Target prot opt source destination

Chain OUTPUT (policy ACCEPT)

Target prot opt source destination

[root@hadoop38 ~] #

3. Restart iptables and start the service

[root@hadoop38 ~] # systemctl restart iptables

[root@hadoop38 ~] # systemctl start etcd flanneld docker kubelet kube-proxy

4. Check the firewall policy again and clear it out

[root@hadoop38] # iptables-L-n

[root@hadoop38] # iptables-F & & iptables-X & & iptables-F-t nat & & iptables-X-t nat

5. Wait a while and finally check the firewall policy.

[root@hadoop38] # iptables-L-n

Chain INPUT (policy ACCEPT)

Target prot opt source destination

KUBE-FIREWALL all-- 0.0.0.0Universe 0 0.0.0.0Universe 0

Chain FORWARD (policy ACCEPT)

Target prot opt source destination

Chain OUTPUT (policy ACCEPT)

Target prot opt source destination

KUBE-FIREWALL all-- 0.0.0.0Universe 0 0.0.0.0Universe 0

KUBE-SERVICES all-0.0.0.0amp 0 0.0.0.0Comp0 / * kubernetes service portals *

Chain KUBE-FIREWALL (2 references)

Target prot opt source destination

DROP all-0.0.0.0amp 0 0.0.0.0Comp0 / * kubernetes firewall for dropping marked packets * / mark match 0x8000/0x8000

Chain KUBE-SERVICES (1 references)

Target prot opt source destination

[root@hadoop38 ~] # destination

6. Machine verification ping and telnet inspection in 36

[root@hadoop36 dns] # kubectl get all-n cdh-o wide

NAME READY STATUS RESTARTS AGE IP NODE

Po/mysql-master-64k8r 1/1 Running 5 1h 172.30.1.4 xx.xx.xx.38

NAME DESIRED CURRENT READY AGE CONTAINER (S) IMAGE (S) SELECTOR

Rc/mysql-master 1 1 1 1h master hadoop35.jiuye/k8sregister/jiuye/mysql5.6-master:v1.6 name=mysql-master

NAME CLUSTER-IP EXTERNAL-IP PORT (S) AGE SELECTOR

Svc/mysql-master 10.254.56.245 xx.xx.xx.36 13307/TCP 1h name=mysql-master

[root@hadoop36 dns] #

[root@hadoop36 dns] # ping 172.30.1.4

PING 172.30.1.4 (172.30.1.4) 56 (84) bytes of data.

64 bytes from 172.30.1.4: icmp_seq=1 ttl=63 time=0.388 ms

^ Z

[31] + Stopped ping 172.30.1.4

[root@hadoop36 dns] # telnet xx.xx.xx.36 13307

Trying xx.xx.xx..36...

Connected to xx.xx.xx..36.

Escape character is'^]'

Remarks:

1. This has happened twice (both because the vm machine is rebooted), so record the steps for reference.

After reading the above, do you know what to do when Kubernetes node's firewall problems make pod ip unable to access it? If you want to learn more skills or want to know more about it, you are welcome to follow the industry information channel, thank you for reading!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.