Kubernetes服务无法按预期工作

时间:2019-01-07 21:09:16

标签: postgresql kubernetes

我无法在kubernetes上部署postgres(单节点,官方映像),并且不允许服务通过ClusterIP服务访问postgres。

配置非常简单-命名空间,部署,服务:

---
apiVersion: v1
kind: Namespace
metadata:
  name: database
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: database
  name: postgres
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: postgres
    spec:
      containers:
        - name: postgres
          image: postgres:11.1
          imagePullPolicy: "IfNotPresent"
          ports:
            - containerPort: 5432
---
apiVersion: v1
kind: Service
metadata:
  name: pg
  namespace: database
  labels:
    app: postgres
spec:
  selector:
    app: postgres
  ports:
  - protocol: TCP
    name: postgres
    port: 5432
    targetPort: 5432

要进行测试,将“ / bin / bash”执行到pod中,并运行一个简单的psql命令来测试连接。在本地一切正常:

kubectl --kubeconfig $k8sconf -n database exec -it $(kubectl --kubeconfig $k8sconf -n database get pods -o jsonpath='{.items[*].metadata.name}') -- psql -U admin postgresdb -c "\t"
Tuples only is on.

但是,一旦我尝试通过服务访问postgres,命令就会失败:

kubectl --kubeconfig $k8sconf -n database exec -it $(kubectl --kubeconfig $k8sconf -n database get pods -o jsonpath='{.items[*].metadata.name}') -- psql -h pg -U admin postgresdb -c "\t"
psql: could not connect to server: Connection timed out
    Is the server running on host "pg" (10.245.102.15) and accepting
    TCP/IP connections on port 5432?

这是在DigitalOcean单节点群集(1.12.3)上进行的测试。

Postgres在正确的端口上通过*进行了监听,pg_hba.conf的默认外观如下:

...
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
host all all all md5

要复制,请参见this gist

执行通过(请使用新的集群并直通):

export k8sconf=/path/to/your/k8s/confic/file
kubectl --kubeconfig $k8sconf apply -f https://gist.githubusercontent.com/sontags/c364751e7f0d8ba1a02a9805efc68db6/raw/01b1808348541d743d6a861402cfba224bee8971/database.yaml
kubectl --kubeconfig $k8sconf -n database exec -it $(kubectl --kubeconfig $k8sconf -n database get pods -o jsonpath='{.items[*].metadata.name}') -- /bin/bash /reproducer/runtest.sh

任何提示为何该服务不允许连接或执行其他测试?

1 个答案:

答案 0 :(得分:2)

很难告知您是否无法访问您的集群。在我的AWS集群上可以正常工作。一些要看的东西:

  • kube-proxy是否在所有节点上运行?
  • 您的网络覆盖/ CNI是否在所有节点上运行?
  • 这仅发生在pg pod上吗?那其他豆荚呢?
  • 由于pg已解析为10.245.102.15,因此DNS似乎很好
  • 您的节点是否允许Linux端的IP forwarding
  • 您的Digital Ocean防火墙规则是否允许端口5432上的任何来源的流量?请注意,PodCidr和K8s服务IP范围与(您的Droplet的)hostCidr不同。