Kubernetes cluster with firewall enabled on CentOS (Calico) not working

I started a Kubernetes cluster on CentOS 7 with Calico as the CNI and the firewall enabled. I have a master node and worker nodes. I am able to start the cluster, list the nodes and the Kubernetes system pods, and all of that works fine. However, I am unable to do DNS lookups.

System configuration

Kubernetes: 1.21.1
Calico: 3.19.1
Docker: 20.10.5
CentOS 7.9
IPVS enabled
VXLAN based networking in Calico

Firewall configuration

  • The ports I enabled are:

    - 6443/tcp
    - 2379-2381/tcp
    - 10248-10260/tcp
    - 30000-32767/tcp
    - 8285/udp
    - 8472/udp
    - 7946/udp
    - 7946/tcp
    - 7472/tcp
    - 7472/udp
    - 9100/tcp
    - 443/tcp
    # cAdvisor Port
    - 4149/tcp
    # calico
    - 179/tcp
    - 4789/udp
    - 5473/tcp
    - 9099/tcp
    - 9099/udp
    
  • Enabled masquerade

  • Added the interfaces kube-ipvs0, vxlan.calico and docker0 to the trusted zone (but could not add the cali* interfaces to the trusted zone, because I am unable to add regex-based interface rules)

The problem is that DNS lookup does not work. I tried the following steps to identify the iptables rule:

  • Installed a DNS debugger pod
  • Enabled firewall debugging on the worker node where the pod was scheduled
  • Now ran nslookup. Result:

    ;; connection timed out; no servers could be reached

    command terminated with exit code 1

  • Get the rule rejecting the packet. Result:

    dmesg | grep -i reject
    [ 5556.708338] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=49835 PROTO=UDP SPT=52743 DPT=53 LEN=70
    [ 5561.707815] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52640 PROTO=UDP SPT=52743 DPT=53 LEN=70
    [ 5566.708055] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=54942 PROTO=UDP SPT=52743 DPT=53 LEN=70


Any help in resolving this issue is greatly appreciated.

Is coredns running fine?

@whites11 Yes, I don't see any errors. Note that when I stop and disable the firewall, everything starts working.
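The FINAL_REJECT lines above are the useful evidence in this thread: firewalld logged a UDP packet arriving on the pod's veth interface (IN=calib3c61c3cba9), sourced from the pod IP 10.244.212.65 and destined for the kube-dns ClusterIP 10.96.0.10 on port 53, and rejected it because the cali* veth is not one of the interfaces placed in the trusted zone. The following script is an added example, not code from the question or from Calico or firewalld: it parses firewalld/iptables LOG lines of this shape, groups the rejected flows by inbound interface, source, destination, protocol and destination port, and flags interfaces that fall outside the trusted-zone list given in the question. The sample input is the three log lines quoted above plus one constructed unrelated kernel line; the trusted interface names and the cali* glob are taken from the question (the glob is checked here with fnmatch, which is an assumption of the example, since firewalld itself does not accept glob interface rules, as the poster notes).

```python
import re
from collections import Counter
from fnmatch import fnmatch

# Sample input: the three FINAL_REJECT lines quoted in the question, plus one
# constructed line that is not a firewall LOG entry and must be ignored.
SAMPLE_DMESG = """\
[ 5556.708338] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=49835 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5561.707815] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=52640 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5566.708055] FINAL_REJECT: IN=calib3c61c3cba9 OUT= MAC=ee:ee:ee:ee:ee:ee:de:c8:d5:97:58:87:08:00 SRC=10.244.212.65 DST=10.96.0.10 LEN=90 TOS=0x00 PREC=0x00 TTL=64 ID=54942 PROTO=UDP SPT=52743 DPT=53 LEN=70
[ 5570.000000] some unrelated kernel message
"""

# Interfaces the question says were added to firewalld's trusted zone, and the
# cali* pattern the poster could not add. The glob check below is an assumption
# of this example (firewalld does not accept glob interface rules).
TRUSTED_INTERFACES = ("kube-ipvs0", "vxlan.calico", "docker0")
UNTRUSTED_PATTERNS = ("cali*",)

# "[ 5556.708338] FINAL_REJECT: KEY=VALUE KEY=VALUE ..."
LOG_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>\S+):\s+(?P<fields>.*)$")


def parse_line(line):
    """Return the key=value fields of one firewalld/iptables LOG line, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {"_ts": float(m.group("ts")), "_prefix": m.group("prefix")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if not sep:
            continue
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize_rejects(text, prefix="FINAL_REJECT"):
    """Count rejected flows keyed by (in_iface, src, dst, proto, dport)."""
    flows = Counter()
    for line in text.splitlines():
        f = parse_line(line)
        if f is None or f["_prefix"] != prefix:
            continue
        key = (f.get("IN", ""), f.get("SRC", ""), f.get("DST", ""),
               f.get("PROTO", ""), f.get("DPT", ""))
        flows[key] += 1
    return flows


def classify_interface(iface):
    """Say whether the inbound interface is covered by the trusted zone as configured in the question."""
    if iface in TRUSTED_INTERFACES:
        return "trusted"
    if any(fnmatch(iface, p) for p in UNTRUSTED_PATTERNS):
        return "pod-veth-not-in-trusted-zone"
    return "other"


def report(text):
    """One human-readable line per rejected flow, with the interface classification."""
    lines = []
    for (iface, src, dst, proto, dport), n in sorted(summarize_rejects(text).items()):
        lines.append(f"{n}x {proto} {src} -> {dst}:{dport} in={iface} ({classify_interface(iface)})")
    return lines


if __name__ == "__main__":
    for entry in report(SAMPLE_DMESG):
        print(entry)
```

Running it on the question's log lines yields a single flow, repeated three times (one per nslookup retry, five seconds apart), from the pod to the cluster DNS service on UDP/53, entering on a cali* veth that the trusted zone does not cover. Grouping the rejects this way is what tells you that opening more host ports, as the question's port list does, cannot help: the packets are being rejected on the pod-side interface before any service port rule is consulted.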