kevendeng 对，内网访问没有任何问题。
---------- flannel Pod 配置（`kubectl -n kube-system get pod kube-flannel-ds-zckq2 -o yaml` 的输出）----------
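# Pod object as returned by `kubectl get pod -o yaml` for the flannel DaemonSet
# pod `kube-flannel-ds-zckq2` in `kube-system`. Restored from a rendering that
# had flattened all indentation, turned `-` sequence markers into bullets and
# straight quotes into curly quotes (none of which parses as YAML).
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-06-07T07:19:24Z"
  generateName: kube-flannel-ds-
  labels:
    app: flannel
    controller-revision-hash: 7fb8b954f9
    # All-digit label value: must stay quoted so it is a string, not an int.
    pod-template-generation: "1"
    tier: node
  # managedFields is server-side-apply ownership bookkeeping maintained by the
  # API server. It does not influence how the pod runs and is irrelevant to the
  # networking problem discussed below; newer kubectl can hide it with
  # `--show-managed-fields=false`. Reproduced verbatim, only re-indented.
  managedFields:
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:generateName: {}
        f:labels:
          .: {}
          f:app: {}
          f:controller-revision-hash: {}
          f:pod-template-generation: {}
          f:tier: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"eeffaee4-c706-4902-943a-dc674ed5fac9"}:
            .: {}
            f:apiVersion: {}
            f:blockOwnerDeletion: {}
            f:controller: {}
            f:kind: {}
            f:name: {}
            f:uid: {}
      f:spec:
        f:affinity:
          .: {}
          f:nodeAffinity:
            .: {}
            f:requiredDuringSchedulingIgnoredDuringExecution:
              .: {}
              f:nodeSelectorTerms: {}
        f:containers:
          k:{"name":"kube-flannel"}:
            .: {}
            f:args: {}
            f:command: {}
            f:env:
              .: {}
              k:{"name":"POD_NAME"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
              k:{"name":"POD_NAMESPACE"}:
                .: {}
                f:name: {}
                f:valueFrom:
                  .: {}
                  f:fieldRef:
                    .: {}
                    f:apiVersion: {}
                    f:fieldPath: {}
            f:image: {}
            f:imagePullPolicy: {}
            f:name: {}
            f:resources:
              .: {}
              f:limits:
                .: {}
                f:cpu: {}
                f:memory: {}
              f:requests:
                .: {}
                f:cpu: {}
                f:memory: {}
            f:securityContext:
              .: {}
              f:capabilities:
                .: {}
                f:add: {}
              f:privileged: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/etc/kube-flannel/"}:
                .: {}
                f:mountPath: {}
                f:name: {}
              k:{"mountPath":"/run/flannel"}:
                .: {}
                f:mountPath: {}
                f:name: {}
        f:dnsPolicy: {}
        f:enableServiceLinks: {}
        f:hostNetwork: {}
        f:initContainers:
          .: {}
          k:{"name":"install-cni"}:
            .: {}
            f:args: {}
            f:command: {}
            f:image: {}
            f:imagePullPolicy: {}
            f:name: {}
            f:resources: {}
            f:terminationMessagePath: {}
            f:terminationMessagePolicy: {}
            f:volumeMounts:
              .: {}
              k:{"mountPath":"/etc/cni/net.d"}:
                .: {}
                f:mountPath: {}
                f:name: {}
              k:{"mountPath":"/etc/kube-flannel/"}:
                .: {}
                f:mountPath: {}
                f:name: {}
        f:priorityClassName: {}
        f:restartPolicy: {}
        f:schedulerName: {}
        f:securityContext: {}
        f:serviceAccount: {}
        f:serviceAccountName: {}
        f:terminationGracePeriodSeconds: {}
        f:tolerations: {}
        f:volumes:
          .: {}
          k:{"name":"cni"}:
            .: {}
            f:hostPath:
              .: {}
              f:path: {}
              f:type: {}
            f:name: {}
          k:{"name":"flannel-cfg"}:
            .: {}
            f:configMap:
              .: {}
              f:defaultMode: {}
              f:name: {}
            f:name: {}
          k:{"name":"run"}:
            .: {}
            f:hostPath:
              .: {}
              f:path: {}
              f:type: {}
            f:name: {}
    manager: kube-controller-manager
    operation: Update
    time: "2021-06-07T07:19:24Z"
  - apiVersion: v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        f:conditions:
          k:{"type":"ContainersReady"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Initialized"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
          k:{"type":"Ready"}:
            .: {}
            f:lastProbeTime: {}
            f:lastTransitionTime: {}
            f:status: {}
            f:type: {}
        f:containerStatuses: {}
        f:hostIP: {}
        f:initContainerStatuses: {}
        f:phase: {}
        f:podIP: {}
        f:podIPs:
          .: {}
          k:{"ip":"172.27.200.160"}:
            .: {}
            f:ip: {}
        f:startTime: {}
    manager: kubelet
    operation: Update
    time: "2021-06-07T07:22:58Z"
  name: kube-flannel-ds-zckq2
  namespace: kube-system
  # Owned by the kube-flannel-ds DaemonSet; deleting the pod just makes the
  # DaemonSet recreate it on the same node.
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: DaemonSet
    name: kube-flannel-ds
    uid: eeffaee4-c706-4902-943a-dc674ed5fac9
  # Opaque version token: keep quoted (all digits).
  resourceVersion: "45705"
  selfLink: /api/v1/namespaces/kube-system/pods/kube-flannel-ds-zckq2
  uid: 107e0185-230e-44ca-b6b7-25a153ed91d0
spec:
  # Pinned to one node by name (DaemonSet-style scheduling).
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchFields:
          - key: metadata.name
            operator: In
            values:
            - kubernetesdev
  containers:
  - args:
    # --ip-masq: flanneld installs and maintains its own MASQUERADE (SNAT)
    # rules for traffic leaving the pod network. A MASQUERADE rule added by
    # hand on the node competes with these (this is the rule argued about in
    # the thread below) -- check `iptables -t nat -nvL POSTROUTING` before
    # adding one.
    - --ip-masq
    # --kube-subnet-mgr: subnet leases are read from the Kubernetes API, which
    # is why the service-account token is mounted below.
    - --kube-subnet-mgr
    command:
    - /opt/bin/flanneld
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    # Pinned by tag only. The digest actually running is recorded in
    # status.containerStatuses[].imageID; for supply-chain assurance prefer
    # pinning the spec by that digest (quay.io/coreos/flannel@sha256:...).
    image: quay.io/coreos/flannel:v0.14.0
    imagePullPolicy: IfNotPresent
    name: kube-flannel
    resources:
      limits:
        cpu: 100m
        memory: 50Mi
      requests:
        cpu: 100m
        memory: 50Mi
    # Not privileged, but NET_ADMIN/NET_RAW in the *host* network namespace
    # (hostNetwork: true below) are what let flanneld program the node's
    # routes and iptables. This is the expected minimum for a CNI daemon;
    # anything that can exec into this container has the same power.
    securityContext:
      capabilities:
        add:
        - NET_ADMIN
        - NET_RAW
      privileged: false
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    # Host directory shared with the CNI plugin (hostPath, read-write).
    - mountPath: /run/flannel
      name: run
    - mountPath: /etc/kube-flannel/
      name: flannel-cfg
    # Auto-mounted token of the `flannel` service account (read-only). The
    # RBAC scope granted to that account is not visible in this object.
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: flannel-token-6nqmq
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  # Shares the node's network namespace: podIP == hostIP (172.27.200.160 in
  # status below), and every iptables rule flanneld writes is a node rule.
  hostNetwork: true
  initContainers:
  # Copies the CNI config from the ConfigMap into the node's /etc/cni/net.d
  # (a read-write hostPath). Whatever ends up in that directory defines node
  # networking, so it is only as trustworthy as the ConfigMap and the image.
  - args:
    - -f
    - /etc/kube-flannel/cni-conf.json
    - /etc/cni/net.d/10-flannel.conflist
    command:
    - cp
    image: quay.io/coreos/flannel:v0.14.0
    imagePullPolicy: IfNotPresent
    name: install-cni
    resources: {}
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /etc/cni/net.d
      name: cni
    - mountPath: /etc/kube-flannel/
      name: flannel-cfg
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: flannel-token-6nqmq
      readOnly: true
  nodeName: kubernetesdev
  preemptionPolicy: PreemptLowerPriority
  priority: 2000001000
  priorityClassName: system-node-critical
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: flannel
  serviceAccountName: flannel
  terminationGracePeriodSeconds: 30
  tolerations:
  # Key-less NoSchedule toleration: runs on every node regardless of taints
  # (including control-plane nodes), as a CNI daemon must.
  - effect: NoSchedule
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/disk-pressure
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/memory-pressure
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/pid-pressure
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/unschedulable
    operator: Exists
  - effect: NoSchedule
    key: node.kubernetes.io/network-unavailable
    operator: Exists
  volumes:
  # type: "" means the kubelet performs no existence/type check on the host
  # path before mounting it.
  - hostPath:
      path: /run/flannel
      type: ""
    name: run
  - hostPath:
      path: /etc/cni/net.d
      type: ""
    name: cni
  - configMap:
      # 420 decimal == 0644.
      defaultMode: 420
      name: kube-flannel-cfg
    name: flannel-cfg
  - name: flannel-token-6nqmq
    secret:
      defaultMode: 420
      secretName: flannel-token-6nqmq
status:
  conditions:
  # Condition status is the string "True", not a boolean: keep it quoted.
  - lastProbeTime: null
    lastTransitionTime: "2021-06-07T07:19:25Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-06-07T07:22:49Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-06-07T07:22:49Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-06-07T07:19:24Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://37ae778489c6ee9202dbb9e0cc376afe12555f5bb6102052c332872532a3bb43
    image: quay.io/coreos/flannel:v0.14.0
    # Digest of the image actually running -- this is the value to pin in spec.
    imageID: docker-pullable://quay.io/coreos/flannel@sha256:4a330b2f2e74046e493b2edc30d61fdebbdddaaedcb32d62736f25be8d3c64d5
    # flanneld exited cleanly once (exit 0) three minutes before the current
    # instance started; `kubectl logs -p` shows that earlier instance's log.
    lastState:
      terminated:
        containerID: docker://0adbc7924866769ed23b88816c7f5cf02d397154a0eb44c5ed767427edf16b94
        exitCode: 0
        finishedAt: "2021-06-07T07:19:30Z"
        reason: Completed
        startedAt: "2021-06-07T07:19:25Z"
    name: kube-flannel
    ready: true
    restartCount: 1
    started: true
    state:
      running:
        startedAt: "2021-06-07T07:22:47Z"
  hostIP: 172.27.200.160
  initContainerStatuses:
  - containerID: docker://7d1e1d33afcf0eed98928c71c89e5381c7af2fbd28b413ebaf0a405d641df44d
    image: quay.io/coreos/flannel:v0.14.0
    imageID: docker-pullable://quay.io/coreos/flannel@sha256:4a330b2f2e74046e493b2edc30d61fdebbdddaaedcb32d62736f25be8d3c64d5
    lastState: {}
    name: install-cni
    ready: true
    restartCount: 1
    state:
      terminated:
        containerID: docker://7d1e1d33afcf0eed98928c71c89e5381c7af2fbd28b413ebaf0a405d641df44d
        exitCode: 0
        finishedAt: "2021-06-07T07:22:46Z"
        reason: Completed
        startedAt: "2021-06-07T07:22:46Z"
  phase: Running
  # Same as hostIP because of hostNetwork: true.
  podIP: 172.27.200.160
  podIPs:
  - ip: 172.27.200.160
  qosClass: Burstable
  startTime: "2021-06-07T07:19:24Z"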

ShadowOvO 你插入的 MASQUERADE 规则的目的是什么？我理解不了，flannel（上面 flanneld 的启动参数里已经带了 `--ip-masq`）已经自己设置了对应的规则。

    kevendeng 就是做 SNAT（源地址转换）。我本地虚拟机从没设置过也正常，但测试的两台云服务器都需要手动加这条规则。

      kevendeng 另一台云服务器之前是能访问控制面板，但容器内无法访问外网，加上这条规则就好了。
      这一台是进出都不通，加了规则也没用。

        ShadowOvO 把这一条手动加的 MASQUERADE 规则删掉再重新测试下是否连通吧（删之前先用 `iptables -t nat -S POSTROUTING` 把当前规则存一份，便于对比和回滚），这个规则会打乱 flannel 自己的 masq 逻辑。

        ShadowOvO
        你现在外网跟容器双向都不连通是吧？是只有端口不通，还是双向 ping 也不通？
        看看 iptables filter 表的 FORWARD 链是否允许转发外网与 pod 之间的数据包（注意链的默认策略和各条规则的计数器）：
        iptables -nvL FORWARD
        顺便看看 nat 表的 POSTROUTING 链，确认手动加的 MASQUERADE 规则与 flannel 自己的规则的先后顺序：
        iptables -t nat -nvL POSTROUTING
        看看 endpoints 是否正常注册了：
        kubectl -n kubesphere-system get endpoints ks-console
        再看看 kube-proxy 跟 flanneld 的日志是否有报错（上面的 Pod 状态显示 flanneld 重启过一次，旧实例的日志用 `kubectl logs -p` 看）。

        当然，你最好也能在整条链路的每个接口上都抓包：pod 内的网卡、宿主机上的网桥/隧道接口和物理网卡，看看数据包是在哪一步停止传输的。

          kevendeng 通过在容器、宿主机、远端主机上抓包发现：容器发出的数据包能到达宿主机，也能到达远端主机；远端主机的回包能回到宿主机，但宿主机上的回包无法回到容器。

            ShadowOvO 看看 FORWARD 链的规则吧，正常情况下 flannel 会设置两条针对 10.244.0.0（pod 网段）的 ACCEPT 规则。

              ShadowOvO
              flannel 设置的 ACCEPT 规则就是 kubespheredev 那两条，说明数据包不是在 FORWARD 链被拦截的。

                kevendeng
                ks-console 容器内监听没问题，请求包都进来了，也处理并返回了，但回包到了宿主机那一段就一直没再往下走，浏览器因此得不到响应……我吐了。加了 MASQ 怎么就不行呢 :)

                  ShadowOvO 从目前的信息来看我认为各组件都工作正常，剩下的可能就是人为的错误配置，或者某个我没注意到的其他组件。既然抓包显示回包到了宿主机却回不到容器，建议再核对一遍手动加的 MASQUERADE 规则与 flannel 自带规则在 POSTROUTING 里的先后顺序，以及宿主机上到 pod 网段的路由。
                  期待你查到 root cause 后分享。