How to access a pod on an external IP on Linux

Tags: linux, nginx, kubernetes

I am running a pod called kube-nginx on the control-plane machine and port-forwarding to it. I am new to Kubernetes.

[root@k8smaster ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:03:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

[root@k8smaster ~]# cat /opt/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-nginx
spec:
  containers:
  - name: nginx
    image: nginx
[root@k8smaster ~]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
kube-nginx   1/1     Running   0          38m
[root@k8smaster ~]# kubectl port-forward pod/kube-nginx 10086:80
Forwarding from 127.0.0.1:10086 -> 80
Forwarding from [::1]:10086 -> 80

I can access the pod on localhost, but not on the external IP.

[root@k8smaster opt]# ip a | awk '/^2: ens33/,/^3: docker/{print $2}' | sed -n '3P'
192.168.80.201/24
[root@k8smaster opt]# nc -vz localhost 10086
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to ::1:10086.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
From the external-IP host I can ping k8smaster, but I cannot reach the pod on it.

[root@k8snode01 opt]# ping -c 3 192.168.80.201
PING 192.168.80.201 (192.168.80.201) 56(84) bytes of data.
64 bytes from 192.168.80.201: icmp_seq=1 ttl=64 time=0.367 ms
64 bytes from 192.168.80.201: icmp_seq=2 ttl=64 time=0.215 ms
64 bytes from 192.168.80.201: icmp_seq=3 ttl=64 time=0.248 ms

--- 192.168.80.201 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.215/0.276/0.367/0.068 ms

[root@k8snode01 opt]# ip a | awk '/^2: ens33/,/^3: docker/{print $2}' | sed -n '3p'
192.168.80.202/24
[root@k8snode01 opt]# nc -nvz 192.168.80.201 10086
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: No route to host.
The routing table looks like this:

[root@k8snode01 opt]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.80.2    0.0.0.0         UG    100    0        0 ens33
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
192.168.16.128  192.168.80.201  255.255.255.192 UG    0      0        0 ens33
192.168.80.0    0.0.0.0         255.255.255.0   U     100    0        0 ens33
Firewall settings:

[root@k8smaster ~]# iptables-save | egrep -w -- INPUT
:INPUT ACCEPT [78784:15851659]
-A INPUT -j INPUT_direct
:INPUT ACCEPT [0:0]
:INPUT ACCEPT [61299:11943644]
-A INPUT -j INPUT_direct
:INPUT ACCEPT [0:0]
:cali-INPUT - [0:0]
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A cali-INPUT -p udp -m comment --comment "cali:w7ud0UgQSEi_zKuQ" -m comment --comment "Allow VXLAN packets from whitelisted hosts" -m multiport --dports 4789 -m set --match-set cali40all-vxlan-net src -m addrtype --dst-type LOCAL -j ACCEPT
-A cali-INPUT -p udp -m comment --comment "cali:4cgmbdWsLmozYhJh" -m comment --comment "Drop VXLAN packets from non-whitelisted hosts" -m multiport --dports 4789 -m addrtype --dst-type LOCAL -j DROP
-A cali-INPUT -i cali+ -m comment --comment "cali:t45BUBhpu3Wsmi1_" -g cali-wl-to-host
-A cali-INPUT -m comment --comment "cali:NOmsycyknYZaGOFf" -m mark --mark 0x10000/0x10000 -j ACCEPT
-A cali-INPUT -m comment --comment "cali:Or0B7eoenKO2p8Bf" -j MARK --set-xmark 0x0/0xf0000
-A cali-INPUT -m comment --comment "cali:AmIfvPGG2lYUK6mj" -j cali-from-host-endpoint
-A cali-INPUT -m comment --comment "cali:79fWWn1SpufdO7SE" -m comment --comment "Host endpoint policy accepted packet." -m mark --mark 0x10000/0x10000 -j ACCEPT

[root@k8smaster ~]# firewall-cmd --list-all
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

How do I troubleshoot this?

Listen on all addresses on port 10086 and forward to port 80 in the pod:

kubectl port-forward --address 0.0.0.0 pod/kube-nginx 10086:80
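Before binding the forward to every interface, a defender would first confirm on the host what the question's symptoms already suggest: the port-forward listener bound to 127.0.0.1/[::1] only, and a host firewall INPUT chain that ends in a REJECT (a REJECT with icmp-host-prohibited is exactly what the remote nc prints as "No route to host"). The script below is an added diagnostic, not part of the original answer; the ss -Hltn and iptables-save lines it parses are constructed samples that mirror the question's output.

```shell
#!/bin/sh
# Added diagnostic (not from the original question or answers). It reads the
# output of `ss -Hltn` and `iptables-save` and reports whether a TCP port is
# bound to loopback only and whether the filter INPUT chain ends in a REJECT.

# Classify listeners on port $1 from `ss -Hltn` on stdin: "any" (0.0.0.0, [::]
# or *), "loopback-only" (127.x or [::1]) or "not-listening".
listener_scope() {
  awk -v port="$1" '
    { n = split($4, a, ":"); if (a[n] != port) next
      if ($4 ~ /^127\./ || $4 ~ /^\[::1\]/) loop = 1; else any = 1 }
    END { if (any) print "any"; else if (loop) print "loopback-only";
          else print "not-listening" }'
}

# Print the last REJECT rule of the filter table's INPUT chain from
# `iptables-save` on stdin (empty if none). icmp-host-prohibited is what a
# remote nc reports as "No route to host"; a closed port gives "refused".
input_reject_rule() {
  awk '/^\*/ { table = substr($0, 2) }
       table == "filter" && /^-A INPUT / && / -j REJECT/ { rule = $0 }
       END { print rule }'
}

# Constructed samples mirroring the question: a port-forward started without
# --address, and a firewalld-style INPUT chain that ends in REJECT.
SS_SAMPLE='LISTEN 0 128 127.0.0.1:10086 0.0.0.0:*
LISTEN 0 128 [::1]:10086 [::]:*
LISTEN 0 128 *:22 *:*'

IPT_SAMPLE='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# diagnose PORT SS_OUTPUT IPTABLES_OUTPUT: succeeds only when the port is
# bound to a non-loopback address and therefore reachable from other hosts.
diagnose() {
  scope=$(printf '%s\n' "$2" | listener_scope "$1")
  reject=$(printf '%s\n' "$3" | input_reject_rule)
  echo "port $1 listener scope: $scope"
  [ -n "$reject" ] && echo "INPUT chain rejects unmatched traffic: $reject"
  [ "$scope" = "any" ]
}

diagnose 10086 "$SS_SAMPLE" "$IPT_SAMPLE" || echo "port 10086 is not reachable from other hosts"
```

On the real host the two functions are fed live output, e.g. `ss -Hltn | listener_scope 10086` and `iptables-save | input_reject_rule`. Keep in mind that --address 0.0.0.0 exposes the forwarded nginx port to every host that can reach the node, which is why the other answers point to a Service instead.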

You can attach a Service of type LoadBalancer, as shown below:

kind: Service
apiVersion: v1
metadata:
  name: kube-nginx
  namespace: <your namespace>
  labels:
    app: kube-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "your certificate"
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'
spec:
  type: LoadBalancer
  selector:
    app: kube-nginx
  ports:
  - name: http
    port: 80
    targetPort: proxy
  - name: https
    port: 443
    targetPort: http

Keep the following statements in mind:

I am new to Kubernetes.

[root@k8smaster ~]# kubectl version
Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:12:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.4", GitCommit:"e87da0bd6e03ec3fea7933c4b5263d151aafd07c", GitTreeState:"clean", BuildDate:"2021-02-18T16:03:00Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

[root@k8smaster ~]# cat /opt/pod.yaml
apiVersion: v1
kind: Pod
metadata:
  name: kube-nginx
spec:
  containers:
  - name: nginx
    image: nginx
[root@k8smaster ~]# kubectl get pod
NAME         READY   STATUS    RESTARTS   AGE
kube-nginx   1/1     Running   0          38m
[root@k8smaster ~]# kubectl port-forward pod/kube-nginx 10086:80
Forwarding from 127.0.0.1:10086 -> 80
Forwarding from [::1]:10086 -> 80

I think there are a few things to address:

  • General thoughts on the question
  • $ kubectl port-forward ...
  • Working example

General thoughts on the question

Kubernetes as a platform has specific objects for accomplishing particular things/tasks. You have created a Pod named kube-nginx, which was spawned on one of the nodes.

To expose a Pod (like your kube-nginx) to internal/external sources, you need to use a Service. You can read more about it in the official documentation:

Service: An abstract way to expose an application running on a set of Pods as a network service. With Kubernetes you don't need to modify your application to use an unfamiliar service discovery mechanism. Kubernetes gives Pods their own IP addresses and a single DNS name for a set of Pods, and can load-balance across them.


Your Pod definition is correct and will spawn a Pod with the nginx image, but because specific fields are missing from the manifest, Kubernetes will not be able to expose it to external sources (apart from $ kubectl port-forward, which I will explain later).

Minimal example of a Pod that should be exposed with a Service:

apiVersion: v1
kind: Pod
metadata:
  name: kube-nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
I also think you should use other Kubernetes objects, such as a Deployment.

Also, you have not added anything to the manifest that forces the Pod to be scheduled on k8smaster. It could just as well be scheduled on k8snode01. You can check which node your Pod is running on with:

  • $ kubectl get pod/kube-nginx -o wide

NAME READY STATUS RESTARTS AGE IP --> NODE raven-6k6m

Maybe this will help -

@Raman Sailopal The documentation uses kind Deployment to run the Pod, but I want to use kind Pod to run the Pod. Can the port be exposed on an external IP?

Hello, could you describe in more detail how you created the Kubernetes cluster? Also, could you tell me what you want to do with $ kubectl port-forward? I think you should use one, rather than port-forward, to expose your kube-nginx Pod.

Hello @PelicanCyber, welcome to StackOverflow! Please remember. That way we know whether the answer was useful, and other community members can benefit from it as well. Try to determine whether this is the final solution to your question, upvote answers that helped, and comment on those that could be improved or need extra attention. Enjoy your stay!

I have not seen the output "Forwarding from 127.0.0.1:10086 -> 80" / "Forwarding from [::1]:10086 -> 80".