Kubernetes 从另一台主机连接时Traefik入口超时,从本地主机正常工作
我正在尝试让Kubernetes集群在单个Redhat7.7服务器上运行 我以前曾在Centos 7和AWS上的Redhat 7.7 AMI上实现过 Traefik HTTP入口控制器出现并正在运行,但是Traefik入口控制器HTTP服务的节点端口上的所有HTTP请求都超时 kubectl get services的输出| grep traefik 起初,我假设入口本身有问题,但如果您尝试从服务器内部卷曲,它就可以正常工作 为了消除某种防火墙问题,我在我的一些服务中添加了一个节点端口,可以很好地访问它们 每当我在服务器内部使用curl时,traefik入口控制器pod的日志上就会出现一条调试消息:Kubernetes 从另一台主机连接时Traefik入口超时,从本地主机正常工作,kubernetes,traefik,traefik-ingress,Kubernetes,Traefik,Traefik Ingress,我正在尝试让Kubernetes集群在单个Redhat7.7服务器上运行 我以前曾在Centos 7和AWS上的Redhat 7.7 AMI上实现过 Traefik HTTP入口控制器出现并正在运行,但是Traefik入口控制器HTTP服务的节点端口上的所有HTTP请求都超时 kubectl get services的输出| grep traefik 起初,我假设入口本身有问题,但如果您尝试从服务器内部卷曲,它就可以正常工作 为了消除某种防火墙问题,我在我的一些服务中添加了一个节点端口,可以很
level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request"
对于超时的请求,没有调试消息
使用netstat-anp后,我注意到kube proxy拥有我尝试使用的端口,因此我还查看了kube proxy pod的日志,并与我成功安装的日志进行了比较,唯一的区别是这一行,它只显示在失败的服务器安装上:
node.go:135]已成功检索到节点IP:192.168.215.172
暂时我做了一个端口转发,效果很好:
nohup kubectl port-forward --address 0.0.0.0 svc/traefik-ingress-controller-http-service 30225:443 -n traefik &
我的版本是:
库伯内特斯:1.17.3
特拉菲克:1.7
Traefik配置:
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-ingress-configmap
namespace: traefik
data:
traefik.toml: |
defaultEntryPoints = ["https","http"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[[entryPoints.https.tls.certificates]]
CertFile = "/ssl/tls.crt"
KeyFile = "/ssl/tls.key"
[kubernetes]
[kubernetes.ingressEndpoint]
publishedService = "traefik/traefik-ingress-controller-http-service"
[ping]
entryPoint = "http"
服务:
---
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-controller-http-service
namespace: traefik
annotations: {}
spec:
selector:
k8s-app: traefik-ingress-controller
ports:
- protocol: TCP
port: 80
name: http
- protocol: TCP
port: 443
name: https
nodePort: 30220
type: NodePort
Traefik部署:
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-ingress-controller
namespace: traefik
labels:
k8s-app: traefik-ingress-controller
spec:
replicas: 1
selector:
matchLabels:
k8s-app: traefik-ingress-controller
template:
metadata:
labels:
k8s-app: traefik-ingress-controller
name: traefik-ingress-controller
spec:
serviceAccountName: traefik-ingress-serviceaccount
terminationGracePeriodSeconds: 35
volumes:
- name: traefik-ui-tls-cert
secret:
secretName: traefik-ui-tls-cert
- name: traefik-ingress-configmap
configMap:
name: traefik-ingress-configmap
containers:
- image: traefik:v1.7
name: traefik-ingress-controller
imagePullPolicy: Always
resources:
limits:
cpu: 200m
memory: 384Mi
requests:
cpu: 25m
memory: 128Mi
livenessProbe:
failureThreshold: 2
httpGet:
path: /ping
port: 80
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 5
readinessProbe:
failureThreshold: 2
httpGet:
path: /ping
port: 80
scheme: HTTP
periodSeconds: 5
volumeMounts:
- mountPath: "/ssl"
name: "traefik-ui-tls-cert"
- mountPath: "/config"
name: "traefik-ingress-configmap"
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: dashboard
containerPort: 8080
args:
- --logLevel=DEBUG
- --configfile=/config/traefik.toml
- --insecureskipverify
欢迎任何想法:)我开始跟踪所有相关网络接口上的tcp包,我意识到通过DNAT和IP表进行DNS查找和平衡的traefik服务的群集IP无法回复SYN初始包 在这种情况下,我必须将externalTrafficPolicy设置为Local,以允许Traefik HTTP入口控制器Pod使用实际的客户端IP来应答,而不是屏蔽的NAT IP/端口
---
kind: Service
apiVersion: v1
metadata:
name: traefik-ingress-controller-http-service
namespace: traefik
annotations: {}
spec:
selector:
k8s-app: traefik-ingress-controller
ports:
- protocol: TCP
port: 80
name: http
- protocol: TCP
port: 443
name: https
nodePort: 30220
type: NodePort
externalTrafficPolicy: Local