I have 2 EKS clusters in 2 different AWS accounts, and I assume they sit behind different firewalls (which I don't have access to). The first one (Dev) is fine, but with the same configuration the UAT cluster pods struggle to resolve DNS. The nodes can resolve and seem OK.

1) ping 8.8.8.8 works

```
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
```

2) I can ping the IPs of google (and others), but not the actual DNS names.

Our configuration:

ami-059c6874350e63ca9

for kubernetes version 1.14. I'm not sure whether the problem is a firewall somewhere, coredns, a configuration that needs updating, or a "stupid mistake". Any help would be appreciated.
Answer 0 (score: 1)
Note that this problem can show up in several forms (DNS failing to resolve is just one possible case). The terraform-aws-eks module exposes a terraform input that creates the security group rules needed to allow communication between these worker groups/node groups: worker_create_cluster_primary_security_group_rules. More information in this terraform-aws-eks issue: https://github.com/terraform-aws-modules/terraform-aws-eks/issues/1089

Once the input is enabled, terraform creates the following security group rules:
```
# module.eks.module.eks.aws_security_group_rule.cluster_primary_ingress_workers[0] will be created
+ resource "aws_security_group_rule" "cluster_primary_ingress_workers" {
    + description              = "Allow pods running on workers to send communication to cluster primary security group (e.g. Fargate pods)."
    + from_port                = 0
    + id                       = (known after apply)
    + protocol                 = "-1"
    + security_group_id        = "sg-03bb33d3318e4aa03"
    + self                     = false
    + source_security_group_id = "sg-0fffc4d49a499a1d8"
    + to_port                  = 65535
    + type                     = "ingress"
  }

# module.eks.module.eks.aws_security_group_rule.workers_ingress_cluster_primary[0] will be created
+ resource "aws_security_group_rule" "workers_ingress_cluster_primary" {
    + description              = "Allow pods running on workers to receive communication from cluster primary security group (e.g. Fargate pods)."
    + from_port                = 0
    + id                       = (known after apply)
    + protocol                 = "-1"
    + security_group_id        = "sg-0fffc4d49a499a1d8"
    + self                     = false
    + source_security_group_id = "sg-03bb33d3318e4aa03"
    + to_port                  = 65535
    + type                     = "ingress"
  }
```
Answer 1 (score: 0)
After several days of debugging, here is the problem:

I had allowed all communication between the nodes, but `all traffic` is TCP, not UDP.

Basically it is just one line in AWS: in the worker node SG, add an inbound rule to/from the worker nodes on port 53, protocol DNS (UDP).

If you use terraform, it should look like this:
```hcl
# Worker-to-worker DNS: pods on one node must reach CoreDNS pods on another node.
resource "aws_security_group_rule" "eks-node-ingress-cluster-dns" {
  description              = "Allow pods DNS"
  type                     = "ingress"
  from_port                = 53
  to_port                  = 53
  protocol                 = "udp" # IANA protocol number 17; the aws provider expects a string
  security_group_id        = aws_security_group.SG-eks-WorkerNodes.id
  source_security_group_id = aws_security_group.SG-eks-WorkerNodes.id
}
```
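An added check, not taken from either answer, that tells you from the output of `aws ec2 describe-security-groups` whether a worker node SG admits DNS on UDP/53 and TCP/53 from a given source SG; it treats protocol `-1` as matching every protocol and port (AWS semantics) and accepts both the `udp`/`tcp` names and the numeric forms. The IpPermissions list and the `sg-` IDs below are constructed sample data, not values from this question.

```python
"""Check an EC2 security group's ingress rules for DNS (port 53, UDP and TCP)
from a source security group. `ip_permissions` has the shape of the
IpPermissions list returned by `aws ec2 describe-security-groups`."""

PROTO_NAMES = {"6": "tcp", "17": "udp", "tcp": "tcp", "udp": "udp", "-1": "all"}


def _rule_matches(rule, source_sg, proto, port):
    """True if a single IpPermissions entry admits proto/port from source_sg."""
    ip_proto = PROTO_NAMES.get(str(rule.get("IpProtocol", "")).lower())
    if ip_proto not in ("all", proto):
        return False
    # Protocol "-1" carries no port range and matches every port;
    # otherwise the port must fall inside [FromPort, ToPort].
    if ip_proto != "all":
        from_port = rule.get("FromPort", 0)
        to_port = rule.get("ToPort", 65535)
        if not from_port <= port <= to_port:
            return False
    pairs = rule.get("UserIdGroupPairs", [])
    return any(p.get("GroupId") == source_sg for p in pairs)


def dns_ingress_status(ip_permissions, source_sg, port=53):
    """Return {'udp': bool, 'tcp': bool}: is DNS reachable from source_sg?"""
    return {
        proto: any(_rule_matches(r, source_sg, proto, port) for r in ip_permissions)
        for proto in ("udp", "tcp")
    }


# Constructed sample: a worker SG that allows all TCP from itself but no UDP,
# i.e. the misconfiguration described in the answer above (sample SG id).
WORKER_SG = "sg-0123456789abcdef0"
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": WORKER_SG}]},
]

if __name__ == "__main__":
    status = dns_ingress_status(SAMPLE_PERMISSIONS, WORKER_SG)
    for proto, ok in status.items():
        print(f"{proto}/53 from {WORKER_SG}: {'allowed' if ok else 'MISSING'}")
```

Feed it the real `IpPermissions` array of your worker node SG (for example via `aws ec2 describe-security-groups --group-ids <sg-id>` parsed with `json.load`) to confirm the UDP rule exists before redeploying.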