K8s pod 容器无法ping通外网, kubesphere devOps 无法使用

ShadowOvO · 2021年6月7日

kevendeng · 2021年6月7日

ShadowOvO 你的截图只能说明你的本地客户端到宿主机的30880是连通的，但整个流程还需经过Service、NAT、Flannel的overlay网络、Pod，最后再回包，而你的Flannel配置应该是有问题的。

ShadowOvO · 2021年6月7日

kevendeng 这是容器内的IP

ShadowOvO · 2021年6月7日

kevendeng 对，内网访问没有任何问题。
—————-flannel 配置————————
apiVersion: v1
kind: Pod
metadata:
creationTimestamp: “2021-06-07T07:19:24Z”
generateName: kube-flannel-ds-
labels:
app: flannel
controller-revision-hash: 7fb8b954f9
pod-template-generation: “1”
tier: node
managedFields:

apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:generateName: {}
f:labels:
.: {}
f:app: {}
f:controller-revision-hash: {}
f:pod-template-generation: {}
f:tier: {}
f:ownerReferences:
.: {}
k:{“uid”:“eeffaee4-c706-4902-943a-dc674ed5fac9”}:
.: {}
f:apiVersion: {}
f:blockOwnerDeletion: {}
f:controller: {}
f:kind: {}
f:name: {}
f:uid: {}
f:spec:
f:affinity:
.: {}
f:nodeAffinity:
.: {}
f:requiredDuringSchedulingIgnoredDuringExecution:
.: {}
f:nodeSelectorTerms: {}
f:containers:
k:{“name”:“kube-flannel”}:
.: {}
f:args: {}
f:command: {}
f:env:
.: {}
k:{“name”:“POD_NAME”}:
.: {}
f:name: {}
f:valueFrom:
.: {}
f:fieldRef:
.: {}
f:apiVersion: {}
f:fieldPath: {}
k:{“name”:“POD_NAMESPACE”}:
.: {}
f:name: {}
f:valueFrom:
.: {}
f:fieldRef:
.: {}
f:apiVersion: {}
f:fieldPath: {}
f:image: {}
f:imagePullPolicy: {}
f:name: {}
f:resources:
.: {}
f:limits:
.: {}
f:cpu: {}
f:memory: {}
f:requests:
.: {}
f:cpu: {}
f:memory: {}
f:securityContext:
.: {}
f:capabilities:
.: {}
f:add: {}
f:privileged: {}
f:terminationMessagePath: {}
f:terminationMessagePolicy: {}
f:volumeMounts:
.: {}
k:{“mountPath”:“/etc/kube-flannel/”}:
.: {}
f:mountPath: {}
f:name: {}
k:{“mountPath”:“/run/flannel”}:
.: {}
f:mountPath: {}
f:name: {}
f:dnsPolicy: {}
f:enableServiceLinks: {}
f:hostNetwork: {}
f:initContainers:
.: {}
k:{“name”:“install-cni”}:
.: {}
f:args: {}
f:command: {}
f:image: {}
f:imagePullPolicy: {}
f:name: {}
f:resources: {}
f:terminationMessagePath: {}
f:terminationMessagePolicy: {}
f:volumeMounts:
.: {}
k:{“mountPath”:“/etc/cni/net.d”}:
.: {}
f:mountPath: {}
f:name: {}
k:{“mountPath”:“/etc/kube-flannel/”}:
.: {}
f:mountPath: {}
f:name: {}
f:priorityClassName: {}
f:restartPolicy: {}
f:schedulerName: {}
f:securityContext: {}
f:serviceAccount: {}
f:serviceAccountName: {}
f:terminationGracePeriodSeconds: {}
f:tolerations: {}
f:volumes:
.: {}
k:{“name”:“cni”}:
.: {}
f:hostPath:
.: {}
f:path: {}
f:type: {}
f:name: {}
k:{“name”:“flannel-cfg”}:
.: {}
f:configMap:
.: {}
f:defaultMode: {}
f:name: {}
f:name: {}
k:{“name”:“run”}:
.: {}
f:hostPath:
.: {}
f:path: {}
f:type: {}
f:name: {}
manager: kube-controller-manager
operation: Update
time: “2021-06-07T07:19:24Z”
apiVersion: v1
fieldsType: FieldsV1
fieldsV1:
f:status:
f:conditions:
k:{“type”:“ContainersReady”}:
.: {}
f:lastProbeTime: {}
f:lastTransitionTime: {}
f:status: {}
f:type: {}
k:{“type”:“Initialized”}:
.: {}
f:lastProbeTime: {}
f:lastTransitionTime: {}
f:status: {}
f:type: {}
k:{“type”:“Ready”}:
.: {}
f:lastProbeTime: {}
f:lastTransitionTime: {}
f:status: {}
f:type: {}
f:containerStatuses: {}
f:hostIP: {}
f:initContainerStatuses: {}
f:phase: {}
f:podIP: {}
f:podIPs:
.: {}
k:{“ip”:“172.27.200.160”}:
.: {}
f:ip: {}
f:startTime: {}
manager: kubelet
operation: Update
time: “2021-06-07T07:22:58Z”
name: kube-flannel-ds-zckq2
namespace: kube-system
ownerReferences:
apiVersion: apps/v1
blockOwnerDeletion: true
controller: true
kind: DaemonSet
name: kube-flannel-ds
uid: eeffaee4-c706-4902-943a-dc674ed5fac9
resourceVersion: “45705”
selfLink: /api/v1/namespaces/kube-system/pods/kube-flannel-ds-zckq2
uid: 107e0185-230e-44ca-b6b7-25a153ed91d0
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchFields:
- key: metadata.name
operator: In
values:
- kubernetesdev
containers:
args:
- –ip-masq
- –kube-subnet-mgr
  command:
- /opt/bin/flanneld
  env:
- name: POD_NAME
  valueFrom:
  fieldRef:
  apiVersion: v1
  fieldPath: metadata.name
- name: POD_NAMESPACE
  valueFrom:
  fieldRef:
  apiVersion: v1
  fieldPath: metadata.namespace
  image: quay.io/coreos/flannel:v0.14.0
  imagePullPolicy: IfNotPresent
  name: kube-flannel
  resources:
  limits:
  cpu: 100m
  memory: 50Mi
  requests:
  cpu: 100m
  memory: 50Mi
  securityContext:
  capabilities:
  add:
  - NET_ADMIN
  - NET_RAW
    privileged: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
- mountPath: /run/flannel
  name: run
- mountPath: /etc/kube-flannel/
  name: flannel-cfg
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  name: flannel-token-6nqmq
  readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostNetwork: true
  initContainers:
args:
- -f
- /etc/kube-flannel/cni-conf.json
- /etc/cni/net.d/10-flannel.conflist
  command:
- cp
  image: quay.io/coreos/flannel:v0.14.0
  imagePullPolicy: IfNotPresent
  name: install-cni
  resources: {}
  terminationMessagePath: /dev/termination-log
  terminationMessagePolicy: File
  volumeMounts:
- mountPath: /etc/cni/net.d
  name: cni
- mountPath: /etc/kube-flannel/
  name: flannel-cfg
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
  name: flannel-token-6nqmq
  readOnly: true
  nodeName: kubernetesdev
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: flannel
  serviceAccountName: flannel
  terminationGracePeriodSeconds: 30
  tolerations:
effect: NoSchedule
operator: Exists
effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
effect: NoSchedule
key: node.kubernetes.io/disk-pressure
operator: Exists
effect: NoSchedule
key: node.kubernetes.io/memory-pressure
operator: Exists
effect: NoSchedule
key: node.kubernetes.io/pid-pressure
operator: Exists
effect: NoSchedule
key: node.kubernetes.io/unschedulable
operator: Exists
effect: NoSchedule
key: node.kubernetes.io/network-unavailable
operator: Exists
volumes:
hostPath:
path: /run/flannel
type: ""
name: run
hostPath:
path: /etc/cni/net.d
type: ""
name: cni
configMap:
defaultMode: 420
name: kube-flannel-cfg
name: flannel-cfg
name: flannel-token-6nqmq
secret:
defaultMode: 420
secretName: flannel-token-6nqmq
status:
conditions:
lastProbeTime: null
lastTransitionTime: “2021-06-07T07:19:25Z”
status: “True”
type: Initialized
lastProbeTime: null
lastTransitionTime: “2021-06-07T07:22:49Z”
status: “True”
type: Ready
lastProbeTime: null
lastTransitionTime: “2021-06-07T07:22:49Z”
status: “True”
type: ContainersReady
lastProbeTime: null
lastTransitionTime: “2021-06-07T07:19:24Z”
status: “True”
type: PodScheduled
containerStatuses:
containerID: docker://37ae778489c6ee9202dbb9e0cc376afe12555f5bb6102052c332872532a3bb43
image: quay.io/coreos/flannel:v0.14.0
imageID: docker-pullable://quay.io/coreos/flannel@sha256:4a330b2f2e74046e493b2edc30d61fdebbdddaaedcb32d62736f25be8d3c64d5
lastState:
terminated:
containerID: docker://0adbc7924866769ed23b88816c7f5cf02d397154a0eb44c5ed767427edf16b94
exitCode: 0
finishedAt: “2021-06-07T07:19:30Z”
reason: Completed
startedAt: “2021-06-07T07:19:25Z”
name: kube-flannel
ready: true
restartCount: 1
started: true
state:
running:
startedAt: “2021-06-07T07:22:47Z”
hostIP: 172.27.200.160
initContainerStatuses:
containerID: docker://7d1e1d33afcf0eed98928c71c89e5381c7af2fbd28b413ebaf0a405d641df44d
image: quay.io/coreos/flannel:v0.14.0
imageID: docker-pullable://quay.io/coreos/flannel@sha256:4a330b2f2e74046e493b2edc30d61fdebbdddaaedcb32d62736f25be8d3c64d5
lastState: {}
name: install-cni
ready: true
restartCount: 1
state:
terminated:
containerID: docker://7d1e1d33afcf0eed98928c71c89e5381c7af2fbd28b413ebaf0a405d641df44d
exitCode: 0
finishedAt: “2021-06-07T07:22:46Z”
reason: Completed
startedAt: “2021-06-07T07:22:46Z”
phase: Running
podIP: 172.27.200.160
podIPs:
ip: 172.27.200.160
qosClass: Burstable
startTime: “2021-06-07T07:19:24Z”

kevendeng · 2021年6月7日

ShadowOvO 你插入的masqurade规则的目的是什么，我理解不了，flannel已经设置了对应的规则。

ShadowOvO · 2021年6月7日

kevendeng 就是做SNAT 源地址转换。我本地虚拟机从没有设置过是正常，但测试了两台云服务都需设置

ShadowOvO · 2021年6月7日

kevendeng 另一台云服务之前是能访问控制面板，但容器内无法访问外网，加上这个规则就好了。
这个是进出都不行，加了规则也没用

kevendeng · 2021年6月7日

ShadowOvO 把这一条删掉再重新测试下是否联通吧，这个规则把flannel的masq逻辑打乱了。

ShadowOvO · 2021年6月7日

kevendeng 加上去掉都不行，宿主机可以ping通，外网还是不行

kevendeng · 2021年6月7日

ShadowOvO
你现在外网跟容器双向都不连通是吧，是只有端口不连通还是双向ping也不通？
看看iptables的filter表中的forward链是否允许转发外网与pod的数据包
iptables -nvL FORWARD
看看endpoints是否正常注册了
kubectl -n kubesphere-system get endpoints ks-console
再看看kube-proxy跟flanneld的日志是否有报错

当然，你最好也能在整个链路上每个接口：宿主机 pod上都抓包，看看数据包是在哪一步停止传输的

ShadowOvO · 2021年6月7日

kevendeng 通过在容器上，宿主机上，远端主机抓包发现。容器的数据包能到达宿主机，能到达远端主机，远端主机的数据包能回到宿主机，但宿主机上的数据包无法回到容器

ShadowOvO · 2021年6月7日

ShadowOvO

容器发往公网

宿主机有回包

但容器无法收到回包

kevendeng · 2021年6月7日

ShadowOvO 看看forward链的规则吧，正常情况下flannel会设置两条10.244.0.0的accept规则。

ShadowOvO · 2021年6月7日

kevendeng 默认有16网段，手动加了24网段也不行

kevendeng · 2021年6月7日

ShadowOvO
flannel设置的accept规则就是kubespheredev那两条，说明数据包不是在这被拦截的

ShadowOvO · 2021年6月7日

kevendeng 那就只能进到ks-console看看数据包有没有抵达了

kevendeng · 2021年6月7日

ShadowOvO forward没问题，但是可能被其它链，或者其他机制拦截了

ShadowOvO · 2021年6月7日

kevendeng
ks-console 内部监听，没问题，数据包都进来了也处理返回了，但就宿主机那块儿一直没有回包没法响应浏览器。。。我吐了。加了MASQ怎么就不行呢：）

kevendeng · 2021年6月7日

ShadowOvO 这是你在宿主机访问ks-console的数据吧？不是从远端主机发起的

ShadowOvO · 2021年6月7日

kevendeng 不是，我是用浏览器发起的请求

K8s pod 容器无法ping通外网, kubesphere devOps 无法使用

ShadowOvO

kevendengK零S

ShadowOvO

ShadowOvO

kevendengK零S

ShadowOvO

ShadowOvO

kevendengK零S

ShadowOvO

kevendengK零S

ShadowOvO

ShadowOvO

kevendengK零S

ShadowOvO

kevendengK零S

ShadowOvO

kevendengK零S

ShadowOvO

kevendengK零S

ShadowOvO