What firewall policy do I need to set for Docker to connect to a ClusterIP?


I have 3 nodes, 1 master node and 2 worker nodes; the service has 3 pods, one pod on each node.

The cluster sometimes works and sometimes doesn't. Why?

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        4h36m
test-web     NodePort    10.111.242.64   <none>        80:31940/TCP   4m27s
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
telnet: connect to address 10.111.242.64: No route to host
[ciuffoly@master-node ~]$ telnet 10.111.242.64 80
Trying 10.111.242.64...
Connected to 10.111.242.64.
Escape character is '^]'.
^]
telnet> q
Connection closed.
Could it be these drops?

sudo watch "iptables-save -c | grep DROP | grep -v 0:0"
[21:840] -A cali-fw-cali89d79c513b6 -m comment --comment "cali:3xIxhDO4pTMF8Lh5" -m conntrack --ctstate INVALID -j DROP
To fix this, do I just need these new policy rules?

iptables -N "KUBE-FORWARD-PATCH"
iptables -A "KUBE-FORWARD-PATCH" -m "conntrack" --ctstate "INVALID" -j "DROP"
iptables -I FORWARD -m comment --comment "k8s patch PR 74840" -j KUBE-FORWARD-PATCH
Maybe this is not enough, because I still have another drop:

[1:40] -A cali-fw-calia9254886eeb -m comment --comment "cali:HjnHY5RwVCZWkXY9" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP

Can nobody help me?
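An added example, not part of the original question: the post checks for active drops by hand with `iptables-save -c | grep DROP | grep -v 0:0` and then proposes a KUBE-FORWARD-PATCH chain. The Python script below does the same check from a saved dump, parses the `[pkts:bytes] -A CHAIN ...` counter lines properly (so a quoted `--comment` stays one token), totals dropped packets per `--ctstate` match, and reports whether the FORWARD chain already drops INVALID conntrack packets, directly or through a chain it jumps to. The sample dump reuses the four counted DROP lines quoted in the post; the zero-counter Calico rule, the ACCEPT rule, the missing FORWARD jumps and the "patched" variant are constructed for the example.

```python
"""Report DROP rules with non-zero counters from `iptables-save -c` output.

Example code written for this page, not from the question or from Calico/kube-proxy.
Run `sudo iptables-save -c > dump.txt` on a node and feed the text to the functions below.
"""
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Counter prefix emitted by `iptables-save -c`: "[pkts:bytes] -A CHAIN <rule options>"
_RULE_RE = re.compile(r"^\[(\d+):(\d+)\]\s+-A\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    chain: str
    packets: int
    nbytes: int
    tokens: List[str]

    def opt(self, flag: str) -> Optional[str]:
        """Value following `flag` in the rule, e.g. opt('-j') -> 'DROP'; None if absent."""
        try:
            return self.tokens[self.tokens.index(flag) + 1]
        except (ValueError, IndexError):
            return None


def parse_rules(dump: str) -> List[Rule]:
    """Parse every counted '-A' line; table headers, chain declarations and COMMIT are skipped."""
    rules = []
    for line in dump.splitlines():
        m = _RULE_RE.match(line.strip())
        if m:
            pkts, nbytes, chain, rest = m.groups()
            # shlex keeps --comment "cali:..." as a single token, unlike str.split()
            rules.append(Rule(chain, int(pkts), int(nbytes), shlex.split(rest)))
    return rules


def active_drops(dump: str) -> List[Rule]:
    """DROP rules that have matched at least one packet (the `grep -v 0:0` part of the check)."""
    return [r for r in parse_rules(dump) if r.opt("-j") == "DROP" and r.packets > 0]


def packets_by_ctstate(dump: str) -> Dict[str, int]:
    """Dropped packets summed per --ctstate match ('*' for rules without a conntrack match)."""
    totals: Dict[str, int] = defaultdict(int)
    for r in active_drops(dump):
        totals[r.opt("--ctstate") or "*"] += r.packets
    return dict(totals)


def forward_drops_invalid(dump: str) -> bool:
    """True if FORWARD drops INVALID conntrack packets itself or via a user chain it jumps to."""
    by_chain: Dict[str, List[Rule]] = defaultdict(list)
    for r in parse_rules(dump):
        by_chain[r.chain].append(r)
    seen = set()

    def chain_drops_invalid(chain: str) -> bool:
        if chain in seen:          # guard against jump loops in a hand-edited ruleset
            return False
        seen.add(chain)
        for r in by_chain.get(chain, []):
            target = r.opt("-j")
            if target == "DROP" and r.opt("--ctstate") == "INVALID":
                return True
            # Built-in targets (ACCEPT, DROP, ...) have no rules of their own and return False here
            if target and chain_drops_invalid(target):
                return True
        return False

    return chain_drops_invalid("FORWARD")


# Sample input, constructed: the four counted DROP lines from the post, plus a zero-counter
# Calico drop (cali-fw-cali000000000000 is a made-up interface) and an ACCEPT rule to be ignored.
SAMPLE_DUMP = """\
*filter
:FORWARD ACCEPT [0:0]
:KUBE-FORWARD - [0:0]
[21:840] -A cali-fw-cali89d79c513b6 -m comment --comment "cali:3xIxhDO4pTMF8Lh5" -m conntrack --ctstate INVALID -j DROP
[1:40] -A cali-fw-calia9254886eeb -m comment --comment "cali:HjnHY5RwVCZWkXY9" -m conntrack --ctstate INVALID -j DROP
[1:52] -A cali-tw-cali784c5ba97d5 -m comment --comment "cali:ysoYr4EYrhaf5Y5M" -m conntrack --ctstate INVALID -j DROP
[1:60] -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
[0:0] -A cali-fw-cali000000000000 -m conntrack --ctstate INVALID -j DROP
[9876:543210] -A KUBE-FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# The same dump after the three iptables commands proposed in the post (constructed).
PATCHED_DUMP = SAMPLE_DUMP.replace(
    "COMMIT\n",
    ":KUBE-FORWARD-PATCH - [0:0]\n"
    "[0:0] -A KUBE-FORWARD-PATCH -m conntrack --ctstate INVALID -j DROP\n"
    '[0:0] -A FORWARD -m comment --comment "k8s patch PR 74840" -j KUBE-FORWARD-PATCH\n'
    "COMMIT\n",
)

if __name__ == "__main__":
    for r in active_drops(SAMPLE_DUMP):
        print(f"{r.chain:28s} pkts={r.packets:<6d} ctstate={r.opt('--ctstate')} comment={r.opt('--comment')}")
    print("dropped packets by ctstate:", packets_by_ctstate(SAMPLE_DUMP))
    print("FORWARD drops INVALID before patch:", forward_drops_invalid(SAMPLE_DUMP))
    print("FORWARD drops INVALID after patch: ", forward_drops_invalid(PATCHED_DUMP))
```

Running it against a real dump before and after the proposed rules shows two things at once: which chains (Calico's per-interface cali-fw/cali-tw chains or kube-proxy's KUBE-FORWARD) are actually discarding packets, and whether the FORWARD chain already contains an INVALID drop, in which case adding KUBE-FORWARD-PATCH only duplicates a rule that is already there.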