Kubernetes Nodes and clusterIP

Time: 2016-01-06 17:33:50

Tags: iptables kubernetes flannel

I am evaluating Kubernetes and installed it following this tutorial on CentOS 7.2 boxes running as VMware VMs. My environment has a Docker Registry, an Etcd server, a Kube Master and two Kube Nodes. Thanks to flannel and the excellent Kubernetes documentation and papers, every piece of communication works like a charm. One exception: communication between a node and a service's clusterIP.

Some information about my environment:

$ kubectl get pods -o wide
NAME          READY     STATUS    RESTARTS   AGE       NODE
nginx-a2klb   1/1       Running   2          1d        10.200.81.54

$ kubectl get pods/nginx-a2klb -o yaml | grep podIP
  podIP: 10.252.54.2

$ kubectl get svc/nginx -o yaml | grep clusterIP
  clusterIP: 10.254.0.7

Trying communication from 10.200.81.54 (the pod's node):

$ curl http://10.254.0.7
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...

From 10.200.81.53 (the other node):

$ curl http://10.252.54.2 # podIP
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
...

$ curl http://10.254.0.7 # clusterIP
curl: (7) Failed connect to 10.254.0.7:80; Connection timed out

Long story short: inter-container communication always works, from the same node or from other nodes. Using the podIP, communication also always works. ExternalIP or NodePort always works, even from outside the cluster. Using the clusterIP, communication only works from within the same VM that runs the single pod, not from other nodes or from the Kube Master. Is this behaviour expected? What can I do to analyse and fix this problem?

UPDATE1

  • Master and Nodes run only kubelet, via systemd
  • The other services (proxy, apiserver, scheduler, etc.) run via hyperkube inside privileged containers
  • Link to details about how I configured the Master and each Node

UPDATE2

Relevant parts of iptables (note that the pod and service IPs have changed since the first post):

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 10.252.36.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4d415351 -j MASQUERADE
-A KUBE-SEP-722QG7UQNTPWDFBY -s 10.200.81.52/32 -m comment --comment "default/kubernetes:" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-722QG7UQNTPWDFBY -p tcp -m comment --comment "default/kubernetes:" -m tcp -j DNAT --to-destination 10.200.81.52:443
-A KUBE-SEP-7F6QLYX4EVXMHVGW -s 10.252.45.6/32 -m comment --comment "default/ng:" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-7F6QLYX4EVXMHVGW -p tcp -m comment --comment "default/ng:" -m tcp -j DNAT --to-destination 10.252.45.6:80
-A KUBE-SEP-SFIQGU7OZTZRBGQ6 -s 10.252.45.2/32 -m comment --comment "kube-system/kube-dns:dns" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-SFIQGU7OZTZRBGQ6 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.252.45.2:53
-A KUBE-SEP-WT6RQUWXRXGAUOJF -s 10.252.45.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-WT6RQUWXRXGAUOJF -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.252.45.2:53
-A KUBE-SERVICES -d 10.254.0.114/32 -p tcp -m comment --comment "default/ng: cluster IP" -m tcp --dport 80 -j KUBE-SVC-LYRG26ZZO4GOQOI3
-A KUBE-SERVICES -d 10.254.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.254.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.254.0.1/32 -p tcp -m comment --comment "default/kubernetes: cluster IP" -m tcp --dport 443 -j KUBE-SVC-6N4SJQIF3IX3FORG
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-6N4SJQIF3IX3FORG -m comment --comment "default/kubernetes:" -j KUBE-SEP-722QG7UQNTPWDFBY
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-WT6RQUWXRXGAUOJF
-A KUBE-SVC-LYRG26ZZO4GOQOI3 -m comment --comment "default/ng:" -j KUBE-SEP-7F6QLYX4EVXMHVGW
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SFIQGU7OZTZRBGQ6

I have fixed this by adding a route:

ip route add 10.254.0.0/24 dev flannel.1

10.254.0.0/24 is my --service-cluster-ip-range. This works, but to me it sounds more like luck than a real fix. Is there anything else I can check, test or improve in the cluster?

0 answers:

No answers
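The following is an added example, not code from the question or from Kubernetes, written to make the UPDATE2 rule set checkable rather than read by eye. It parses `iptables-save -t nat` style `-A` lines (the sample input is a verbatim subset of the rules posted above) and follows a locally generated packet from OUTPUT through KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* to the DNAT endpoint, reporting whether kube-proxy's hairpin mark (the one POSTROUTING masquerades on) would be set. Run against the posted rules it shows the NAT outcome is identical whichever node originates the request: the packet is DNATed to the pod IP and SNAT is applied only when the source is the endpoint pod itself. The iptables rules therefore do not by themselves explain a timeout that occurs only from the other node; the part that differs between nodes is the source address the node picks and hence the return path of the pod's reply, which is why `ip route get 10.254.0.114` (look at the `src` field) before and after the `ip route add ... dev flannel.1` fix is the natural next check. Matches the tracer does not evaluate (`-m addrtype`, `-o`) are skipped; the assumption is a single nat table as dumped by iptables-save.

```python
"""Trace a clusterIP:port through kube-proxy's iptables NAT chains (added example)."""
import ipaddress
import shlex
from collections import defaultdict

# Constructed sample input: a subset of the nat rules posted in UPDATE2, copied verbatim.
NAT_RULES = r'''
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -s 10.252.36.0/24 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4d415351 -j MASQUERADE
-A KUBE-SEP-7F6QLYX4EVXMHVGW -s 10.252.45.6/32 -m comment --comment "default/ng:" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-7F6QLYX4EVXMHVGW -p tcp -m comment --comment "default/ng:" -m tcp -j DNAT --to-destination 10.252.45.6:80
-A KUBE-SEP-SFIQGU7OZTZRBGQ6 -s 10.252.45.2/32 -m comment --comment "kube-system/kube-dns:dns" -j MARK --set-xmark 0x4d415351/0xffffffff
-A KUBE-SEP-SFIQGU7OZTZRBGQ6 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.252.45.2:53
-A KUBE-SERVICES -d 10.254.0.114/32 -p tcp -m comment --comment "default/ng: cluster IP" -m tcp --dport 80 -j KUBE-SVC-LYRG26ZZO4GOQOI3
-A KUBE-SERVICES -d 10.254.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-LYRG26ZZO4GOQOI3 -m comment --comment "default/ng:" -j KUBE-SEP-7F6QLYX4EVXMHVGW
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-SFIQGU7OZTZRBGQ6
'''

# Options that consume one argument. Matches we do not evaluate (-m, -o, addrtype) are skipped.
ONE_ARG = {"-s", "-d", "-p", "-m", "-i", "-o", "-j", "--dport", "--comment",
           "--to-destination", "--set-xmark", "--mark", "--dst-type"}
SIMPLE = {"-p": "proto", "-j": "target", "--to-destination": "to", "--mark": "match_mark"}


def parse_rules(text):
    """Return {chain: [rule, ...]} in file order from the '-A' lines of an iptables-save dump."""
    chains = defaultdict(list)
    for line in text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        rule = dict.fromkeys(("src", "dst", "proto", "dport", "target", "to", "set_mark", "match_mark"))
        i, neg = 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":                                   # negates the following match
                neg, i = True, i + 1
                continue
            arg = toks[i + 1] if t in ONE_ARG and i + 1 < len(toks) else None
            if t in ("-s", "-d"):
                rule["src" if t == "-s" else "dst"] = ("!" if neg else "") + arg
            elif t == "--dport":
                rule["dport"] = int(arg)
            elif t == "--set-xmark":                       # keep the value, drop the /mask
                rule["set_mark"] = arg.split("/")[0]
            elif t in SIMPLE:
                rule[SIMPLE[t]] = arg
            neg, i = False, i + (2 if arg is not None else 1)
        chains[toks[1]].append(rule)
    return chains


def cidr_match(spec, ip):
    """None matches anything; a leading '!' inverts the CIDR test."""
    if spec is None:
        return True
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return not inside if spec.startswith("!") else inside


def trace(chains, dst_ip, proto, dport, src_ip):
    """Follow a locally generated packet from OUTPUT; return [(dnat_target, snat_applied), ...]."""
    snat_mark = next((r["match_mark"] for r in chains.get("POSTROUTING", [])
                      if r["target"] == "MASQUERADE" and r["match_mark"]), None)
    hits = []

    def walk(chain, mark):
        for r in chains.get(chain, []):
            if not (cidr_match(r["src"], src_ip) and cidr_match(r["dst"], dst_ip)):
                continue
            if (r["proto"] and r["proto"] != proto) or (r["dport"] is not None and r["dport"] != dport):
                continue
            t = r["target"]
            if t == "MARK":                                # non-terminating: keep walking this chain
                mark = r["set_mark"]
            elif t == "DNAT":                              # terminating in the nat table
                hits.append((r["to"], mark is not None and mark == snat_mark))
                return
            elif t in chains:
                walk(t, mark)
                if not t.startswith("KUBE-SEP-"):          # enumerate every endpoint of a KUBE-SVC chain
                    return
            else:                                          # ACCEPT/RETURN/MASQUERADE or an empty chain
                return

    walk("OUTPUT", None)
    return hits


if __name__ == "__main__":
    rules = parse_rules(NAT_RULES)
    for dst, proto, port, src in [("10.254.0.114", "tcp", 80, "10.200.81.53"),   # from the other node
                                  ("10.254.0.114", "tcp", 80, "10.252.45.6"),    # hairpin from the pod itself
                                  ("10.254.0.10", "udp", 53, "10.200.81.53")]:
        print(f"{src} -> {dst}:{port}/{proto} => {trace(rules, dst, proto, port, src)}")
```

Swap the embedded sample for the output of `iptables-save -t nat` on a node to trace a live cluster; an empty result for a clusterIP means kube-proxy has not programmed that service on that node, while a result with `snat_applied` False tells you the pod will see the node's own chosen source address and must be able to route its reply back to it.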