如何解决K8s NodePort 端口在 VMware Fusion 上的 kali 节点中不可通行
我的k8s环境是minikube部署的;
egrep -i 'vmx|svm' /proc/cpuinfo
vmx flags : vnmi invvpid ept_x_only ept_ad tsc_.......
systemctl show --property=Environment docker
Environment=HTTP_PROXY=http://172.16.1.135:3128/ HTTPS_PROXY=http://172.16.1.135:3128/ "NO_PROXY=localhost,127.0.0.1,\$(minikube ip)"
minikube version
minikube version: v1.16.0
commit: 617f26b52345843a63d1a0715c4abf6625cb8862
k get pods -n kube-system
NAME READY STATUS RESTARTS AGE
coredns-54d67798b7-k6t5x 1/1 Running 2 120m
etcd-minikube 1/1 Running 2 120m
kube-apiserver-minikube 1/1 Running 2 120m
kube-controller-manager-minikube 1/1 Running 3 120m
kube-proxy-86pv4 1/1 Running 1 96m
kube-scheduler-minikube 1/1 Running 2 120m
storage-provisioner 1/1 Running 5 120m
k logs -f kube-proxy-86pv4 -n kube-system ✔ 1325 16:55:53
I0128 08:53:34.188328 1 node.go:172] Successfully retrieved node IP: 192.168.49.2
I0128 08:53:34.188524 1 server_others.go:142] kube-proxy node IP is an IPv4 address (192.168.49.2),assume IPv4 operation
I0128 08:53:34.391356 1 server_others.go:258] Using ipvs Proxier.
I0128 08:53:34.392942 1 server.go:650] Version: v1.20.0
I0128 08:53:34.393378 1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_max' to 131072
I0128 08:53:34.393412 1 conntrack.go:52] Setting nf_conntrack_max to 131072
I0128 08:53:34.393483 1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_established' to 86400
I0128 08:53:34.393528 1 conntrack.go:100] Set sysctl 'net/netfilter/nf_conntrack_tcp_timeout_close_wait' to 3600
I0128 08:53:34.395556 1 config.go:315] Starting service config controller
I0128 08:53:34.397797 1 config.go:224] Starting endpoint slice config controller
I0128 08:53:34.397839 1 shared_informer.go:240] Waiting for caches to sync for endpoint slice config
I0128 08:53:34.397979 1 shared_informer.go:240] Waiting for caches to sync for service config
I0128 08:53:34.498555 1 shared_informer.go:247] Caches are synced for service config
I0128 08:53:34.498572 1 shared_informer.go:247] Caches are synced for endpoint slice config
当我练习 Interactive Tutorial - Exposing Your App 我发现 NodePort 在我的节点上无法访问
k get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 124m
kubernetes-bootcamp NodePort 10.98.71.49 <none> 8080:30159/TCP 3m31s
curl 10.98.71.49:8080
curl: (7) Failed to connect to 10.98.71.49 port 8080: Connection refused
telnet 10.98.71.49 8080
Trying 10.98.71.49...
telnet: Unable to connect to remote host: No route to host
nc -nvv 10.98.71.49 8080
Ncat: Version 7.91 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in /etc/ssl/certs/ca-certificates.crt.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 10.98.71.49:8080 (IOD #1) EID 8
libnsock nsock_trace_handler_callback(): Callback: CONNECT ERROR [Connection refused (111)] for EID 8 [10.98.71.49:8080]
Ncat: Connection refused.
sof -i:30159
curl 127.0.0.1:30159
curl: (7) Failed to connect to 127.0.0.1 port 30159: Connection refused
curl $(minikube ip):30159
curl: (7) Failed to connect to 192.168.49.2 port 30159: Connection refused
在“交互式教程 - 公开您的应用程序”中,它是可访问的; 我练习本教程取决于“交互式教程 - 公开您的应用程序”, kube-proxy 是 noraml,kubelet 也是正常的。
journalctl -l -u kubelet SIGINT(2) ↵ 1340 17:04:31
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm','systemd-journal' can see all messages.
Pass -q to turn off this notice.
-- Journal begins at Sat 2020-12-12 19:12:36 CST,ends at Thu 2021-01-28 16:51:26 CST. --
-- No entries --
ifconfig docker0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:01:c7:42:b8 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.49.0 0.0.0.0 255.255.255.0 U 0 0 0 br-1bb4185a80c7
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
kubernetes-bootcamp 服务配置:
1 │ # Please edit the object below. Lines beginning with a '#' will be ignored,2 │ # and an empty file will abort the edit. If an error occurs while saving this file will be
3 │ # reopened with the relevant failures.
4 │ #
5 │ apiVersion: v1
6 │ kind: Service
7 │ metadata:
8 │ creationTimestamp: "2021-01-28T09:13:52Z"
9 │ labels:
10 │ app: kubernetes-bootcamp
11 │ name: kubernetes-bootcamp
12 │ namespace: default
13 │ resourceVersion: "3495"
14 │ uid: 471eca22-d276-45e5-b68f-aa21d461ea49
15 │ spec:
16 │ clusterIP: 10.111.216.90
17 │ clusterIPs:
18 │ - 10.111.216.90
19 │ externalTrafficPolicy: Cluster
20 │ ports:
21 │ - nodePort: 32129
22 │ port: 8080
23 │ protocol: TCP
24 │ targetPort: 8080
25 │ selector:
26 │ app: kubernetes-bootcamp
27 │ sessionAffinity: None
28 │ type: NodePort
29 │ status:
30 │ loadBalancer: {}
我将 kube-proxy 模式切换为 iptable 并重新启动 kube-proxy,iptables -F, 情况仍然如此。 我不知道这个。有人可以帮我吗?
解决方法
编辑:
根据您提供的配置,您似乎在尝试卷入服务时使用了错误的 NodePort
值。应该是:
curl $(minikube ip):32129
而不是:curl $(minikube ip):30159
。
注意端口应该取自 Service
定义:
20 │ ports:
21 │ - nodePort: 32129
为了在未来调试此问题和任何其他类似问题,应采取一些建议的步骤。
为了Debug Services,您应该尝试回答以下问题:
-
Does the Service exist?:在您的情况下,我们看到确实如此。
-
Does the Service work by DNS name?:客户端使用服务的最常见方式之一是通过 DNS 名称。
-
Does the Service work by IP?:假设您已确认 DNS 有效,接下来要测试的是您的服务是否通过其 IP 地址有效。
-
Is the Service defined correctly?:您应该仔细检查您的服务是否正确并与您的 Pod 端口匹配。还有:
-
您尝试访问的服务端口是否列在
spec.ports[]
中? -
targetPort
是否适用于您的 Pod(某些 Pod 使用与服务不同的端口)? -
如果您打算使用数字端口,是数字 (9376) 还是字符串“9376”?
-
如果您打算使用命名端口,那么您的 Pod 是否公开了同名端口?
-
端口的
protocol
是否适合您的 Pod?
-
Does the Service have any Endpoints?:检查您运行的 Pod 是否确实被服务选中。
-
Are the Pods working?:再次检查 Pod 是否确实在工作。
-
Is the kube-proxy working?:确认
kube-proxy
正在您的节点上运行。
我假设您仍在学习 Kubernetes。这些步骤不仅可以帮助您缩小问题的范围,还可以教您如何处理此类问题。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。