CentOS(印花布)上启用防火墙的Kubernetes群集不工作
我在CentOS 7上启动了Kubernetes集群,其中calico作为CNI,启用了防火墙。我有主节点和工作节点。我能够启动集群,能够列出节点和Kubernetes系统吊舱,所有这些都工作正常。但是,我无法执行dns查找 系统配置 库伯内特斯:1.21.1CentOS(印花布)上启用防火墙的Kubernetes群集不工作,kubernetes,calico,Kubernetes,Calico,我在CentOS 7上启动了Kubernetes集群,其中calico作为CNI,启用了防火墙。我有主节点和工作节点。我能够启动集群,能够列出节点和Kubernetes系统吊舱,所有这些都工作正常。但是,我无法执行dns查找 系统配置 库伯内特斯:1.21.1 印花布:3.19.1 码头工人:20.10.5 CentOS 7.9 已启用IPV 基于VXLAN的网络在印花布生产中的应用 防火墙配置 我启用的端口是 - 6443/tcp - 2379-2381/tcp - 10248-10260/
印花布:3.19.1
码头工人:20.10.5
CentOS 7.9
已启用IPV
基于VXLAN的网络在印花布生产中的应用 防火墙配置
- 我启用的端口是
- 6443/tcp - 2379-2381/tcp - 10248-10260/tcp - 30000-32767/tcp - 8285/udp - 8472/udp - 7946/udp - 7946/tcp - 7472/tcp - 7472/udp - 9100/tcp - 443/tcp # cAdvisor Port - 4149/tcp # calico - 179/tcp - 4789/udp - 5473/tcp - 9099/tcp - 9099/udp
- 启用的
伪装
- 将接口
、kube-ipvs0
和vxlan.calico
添加到受信任区域(但无法将cali*接口添加到受信任区域,因为我无法添加基于正则表达式的接口规则)docker0
DNS
查找不起作用。尝试了以下步骤来识别iptables
查找
- 已安装DNS调试器吊舱
- 在调度pod的工作节点上启用防火墙调试
- 现在运行
nslookup
;; connection timed out; no servers could be reached
command terminated with exit code 1
[ 5556.708338] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=49835 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5561.707815] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52640 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5566.708055] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=54942 PROTO=UDP SPT=52743 DPT=53 LEN=70
- 获取拒绝数据包的规则
;; connection timed out; no servers could be reached
command terminated with exit code 1
[ 5556.708338] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=49835 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5561.707815] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52640 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5566.708055] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=54942 PROTO=UDP SPT=52743 DPT=53 LEN=70
非常感谢您为解决此问题提供的任何帮助。coredns运行正常吗?@whites11是的,我没有看到任何错误。注意,当我停止并禁用防火墙时,一切都开始工作
dmesg | grep -i reject
[ 5556.708338] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=49835 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5561.707815] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52640 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5566.708055] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=54942 PROTO=UDP SPT=52743 DPT=53 LEN=70