Kubelet - failed to "CreatePodSandbox" for coredns; failed to set bridge addr: could not add ip addr to "cni0": permission denied

Edit 1

In response to the comments, here is some more information.

$ kubectl get pods --namespace kube-system
NAME                                                  READY   STATUS              RESTARTS   AGE
coredns-66bff467f8-lkwfn                              0/1     ContainerCreating   0          7m8s
coredns-66bff467f8-pcn6b                              0/1     ContainerCreating   0          7m8s
etcd-masternode                                       1/1     Running             0          7m16s
kube-apiserver-masternode                             1/1     Running             0          7m16s
kube-controller-manager-masternode                    1/1     Running             0          7m16s
kube-proxy-7zrjn                                      1/1     Running             0          7m8s
kube-scheduler-masternode                             1/1     Running             0          7m16s

More syslogs

...
Jun 16 16:18:59 masternode kubelet[6842]: E0616 16:18:59.313433    6842 remote_runtime.go:105] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-pcn6b_kube-system_d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08_0(cc72c59e22145274e47ca417c274af99591d0008baf2bf13364538b7debb57d3): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:18:59 masternode kubelet[6842]: E0616 16:18:59.313512    6842 kuberuntime_sandbox.go:68] CreatePodSandbox for pod "coredns-66bff467f8-pcn6b_kube-system(d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08)" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-pcn6b_kube-system_d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08_0(cc72c59e22145274e47ca417c274af99591d0008baf2bf13364538b7debb57d3): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:18:59 masternode kubelet[6842]: E0616 16:18:59.313532    6842 kuberuntime_manager.go:727] createPodSandbox for pod "coredns-66bff467f8-pcn6b_kube-system(d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08)" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-pcn6b_kube-system_d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08_0(cc72c59e22145274e47ca417c274af99591d0008baf2bf13364538b7debb57d3): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:18:59 masternode kubelet[6842]: E0616 16:18:59.313603    6842 pod_workers.go:191] Error syncing pod d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08 ("coredns-66bff467f8-pcn6b_kube-system(d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08)"), skipping: failed to "CreatePodSandbox" for "coredns-66bff467f8-pcn6b_kube-system(d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08)" with CreatePodSandboxError: "CreatePodSandbox for pod \"coredns-66bff467f8-pcn6b_kube-system(d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08)\" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-pcn6b_kube-system_d5fe7a46-c32d-4fa3-b1b3-fe5a28983e08_0(cc72c59e22145274e47ca417c274af99591d0008baf2bf13364538b7debb57d3): failed to set bridge addr: could not add IP address to \"cni0\": permission denied"
Jun 16 16:19:09 masternode kubelet[6842]: E0616 16:19:09.256408    6842 remote_runtime.go:105] RunPodSandbox from runtime service failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-lkwfn_kube-system_f0187bfd-89a2-474c-b843-b00875183c77_0(1aba005509e85f3ea7da3fc48ab789ae3a10ba0ffefc152d1c4edf65693befe2): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:19:09 masternode kubelet[6842]: E0616 16:19:09.256498    6842 kuberuntime_sandbox.go:68] CreatePodSandbox for pod "coredns-66bff467f8-lkwfn_kube-system(f0187bfd-89a2-474c-b843-b00875183c77)" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-lkwfn_kube-system_f0187bfd-89a2-474c-b843-b00875183c77_0(1aba005509e85f3ea7da3fc48ab789ae3a10ba0ffefc152d1c4edf65693befe2): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:19:09 masternode kubelet[6842]: E0616 16:19:09.256525    6842 kuberuntime_manager.go:727] createPodSandbox for pod "coredns-66bff467f8-lkwfn_kube-system(f0187bfd-89a2-474c-b843-b00875183c77)" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-lkwfn_kube-system_f0187bfd-89a2-474c-b843-b00875183c77_0(1aba005509e85f3ea7da3fc48ab789ae3a10ba0ffefc152d1c4edf65693befe2): failed to set bridge addr: could not add IP address to "cni0": permission denied
Jun 16 16:19:09 masternode kubelet[6842]: E0616 16:19:09.256634    6842 pod_workers.go:191] Error syncing pod f0187bfd-89a2-474c-b843-b00875183c77 ("coredns-66bff467f8-lkwfn_kube-system(f0187bfd-89a2-474c-b843-b00875183c77)"), skipping: failed to "CreatePodSandbox" for "coredns-66bff467f8-lkwfn_kube-system(f0187bfd-89a2-474c-b843-b00875183c77)" with CreatePodSandboxError: "CreatePodSandbox for pod \"coredns-66bff467f8-lkwfn_kube-system(f0187bfd-89a2-474c-b843-b00875183c77)\" failed: rpc error: code = Unknown desc = failed to create pod network sandbox k8s_coredns-66bff467f8-lkwfn_kube-system_f0187bfd-89a2-474c-b843-b00875183c77_0(1aba005509e85f3ea7da3fc48ab789ae3a10ba0ffefc152d1c4edf65693befe2): failed to set bridge addr: could not add IP address to \"cni0\": permission denied"
... (repeats over and over again)

I have successfully installed Kubernetes 1.18 with CRI-O 1.18 and set up a cluster using kubeadm init --pod-network-cidr=192.168.0.0/16. However, the "coredns" pods are stuck in "ContainerCreating". I followed the official Kubernetes install instructions.

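What I have tried

I tried installing Calico, but that did not fix it. I also tried manually setting the cni0 interface to UP, which did not help either. The problem apparently lies somewhere in the bridged traffic, but I followed the Kubernetes tutorial and enabled it.

While researching the problem I came across promising solutions and tutorials, but none of them solved it. (Rancher GitHub Issue, CRI-O GitHub Page, Projectcalico, Kubernetes tutorial)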

firewall-cmd

$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --version
0.7.0

Systemd logs

Image of the log, because pasting the whole log would be ugly.

uname -r

4.18.0-147.8.1.el8_1.x86_64 (Centos 8)

CRI-O

crio --version
crio version
Version:       1.18.1
GitCommit:     5cbf694c34f8d1af19eb873e39057663a4830635
GitTreeState:  clean
BuildDate:     2020-05-25T19:01:44Z
GoVersion:     go1.13.4
Compiler:      gc
Platform:      linux/amd64
Linkmode:      dynamic

runc

$ runc --version
runc version spec: 1.0.1-dev

Kubernetes

1.18

Podman version

1.6.4

iptables/nft

I am using nft with the iptables compatibility layer.

$ iptables --version
iptables v1.8.2 (nf_tables)

Hosting provider:

Contabo VPS

sysctl

$ sysctl net.bridge
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-filter-pppoe-tagged = 0
net.bridge.bridge-nf-filter-vlan-tagged = 0
net.bridge.bridge-nf-pass-vlan-input-dev = 0
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

SELinux is disabled

$ cat /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

ip addr list

$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether REDACTED brd ff:ff:ff:ff:ff:ff
    inet REDACTED scope global noprefixroute eth0
       valid_lft forever preferred_lft forever
3: cni0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether c6:00:41:85:da:ad brd ff:ff:ff:ff:ff:ff
    inet 10.85.0.1/16 brd 10.85.255.255 scope global noprefixroute cni0
       valid_lft forever preferred_lft forever
7: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 192.168.249.128/32 brd 192.168.249.128 scope global tunl0
       valid_lft forever preferred_lft forever

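Holy hand grenade of Antioch! I finally fixed it! It only took me, what, about a few billion years and one restless night. Sweet victory! Well... ahem. On to the solution.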

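I finally understand the comments from @Arghya Sadhu and @Piotr Malec, and they were right. I had not configured my CNI plugin correctly. I am using Flannel as the network provider, and it requires the 10.244.0.0/16 subnet. In the crio-bridge.conf found in my /etc/cni/net.d/, the default subnet was different (10.85.0.0/16 or something like that). I thought specifying the CIDR on the kubeadm init command would be enough, but I was wrong. You need to set the correct CIDR in crio-bridge.conf and podman.conflist (or similar files in that directory). I also assumed that the files installed with CRI-O came with reasonable defaults and, to be honest, I did not fully understand what they were for.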
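
A rough way to spot this kind of mismatch is to read the subnets out of a CNI config and compare them with the pod CIDR. The sketch below is only an illustration: the sample JSON is modeled on a bridge config with host-local IPAM and is not copied from the actual crio-bridge.conf on my host, and the function names are made up.

```python
import ipaddress
import json

# Illustrative sample only: modeled on a bridge/host-local CNI config,
# NOT copied from the real file on the affected host.
SAMPLE_CONF = """
{
  "cniVersion": "0.3.1",
  "name": "crio",
  "type": "bridge",
  "bridge": "cni0",
  "isGateway": true,
  "ipam": {
    "type": "host-local",
    "ranges": [[{"subnet": "10.85.0.0/16"}]]
  }
}
"""


def conf_subnets(conf_text):
    """Return every IPAM subnet declared in a CNI bridge config."""
    ipam = json.loads(conf_text).get("ipam", {})
    subnets = []
    if "subnet" in ipam:  # single-subnet form
        subnets.append(ipam["subnet"])
    for range_set in ipam.get("ranges", []):  # list-of-ranges form
        subnets.extend(r["subnet"] for r in range_set if "subnet" in r)
    return [ipaddress.ip_network(s) for s in subnets]


def mismatched(conf_text, pod_cidr):
    """List same-family config subnets that lie outside the pod CIDR."""
    pod_net = ipaddress.ip_network(pod_cidr)
    return [
        s for s in conf_subnets(conf_text)
        if s.version == pod_net.version and not s.subnet_of(pod_net)
    ]


# Compare the sample config against the subnet Flannel expects.
print(mismatched(SAMPLE_CONF, "10.244.0.0/16"))
```

To check a real file, read its contents and pass them in place of SAMPLE_CONF; an empty list means every IPv4 subnet in that file sits inside the pod CIDR.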

Something strange also happened: according to Flannel, the subnet for CRI-O should be a /16, but when I checked the logs with journalctl -u kubelet, they mentioned a /24 subnet.

failed to set bridge addr: \"cni0\" already has an IP address different from 10.244.0.1/24"

So I had to change the subnet in crio.conf to a /24, and it worked. I probably have to change the subnet in podman.conflist too, but I am not sure.
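
One possible explanation for the /24, sketched below, is that the 10.244.0.0/16 pod network gets split into one /24 per node. That split is my assumption, not something the logs state outright. Under it, the first node's bridge would be expected to carry 10.244.0.1/24, which is exactly the address in the error message and not the 10.85.0.1/16 that cni0 had in the question.

```python
import ipaddress

cluster_cidr = ipaddress.ip_network("10.244.0.0/16")  # Flannel subnet from this answer
cni0_addr = ipaddress.ip_interface("10.85.0.1/16")    # cni0 address from `ip a` in the question

# Assumption: the pod network is carved into one /24 per node.
first_node = next(cluster_cidr.subnets(new_prefix=24))

# The bridge normally takes the first usable address of the node subnet.
gateway = ipaddress.ip_interface(
    f"{first_node.network_address + 1}/{first_node.prefixlen}"
)

print(first_node)                    # 10.244.0.0/24
print(gateway)                       # 10.244.0.1/24
print(cni0_addr == gateway)          # False: cni0 has a different address
print(cni0_addr.ip in cluster_cidr)  # False: it is not even in the pod network
```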

Anyway, thanks to Arghya and Piotr for their help!

To set up a cluster with the Calico network plugin and the cri-o container runtime, I had to:

Add to /etc/crio/crio.conf

[crio.network]
network_dir = "/etc/cni/net.d/"
plugin_dirs = [
    "/opt/cni/bin/",
    "/usr/libexec/cni/",
]

Add --cgroup-driver=systemd to /var/lib/kubelet/kubeadm-flags.env

KUBELET_KUBEADM_ARGS="--cgroup-driver=systemd --container-runtime=remote --container-runtime-endpoint=/var/run/crio/crio.sock --pod-infra-container-image=k8s.gcr.io/pause:3.5"

Restart kubelet and crio

systemctl daemon-reload && systemctl restart kubelet crio

Initialize the cluster

kubeadm init --pod-network-cidr='10.85.0.0/16'

Install the calico network plugin

kubectl create -f https://docs.projectcalico.org/manifests/calico.yaml
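
If you want to double-check the kubeadm-flags.env edit before restarting the services, a small parser like the one below might help. It is only a sketch: ENV_LINE is the line from the step above pasted in as a string, and kubelet_flags is a hypothetical helper name, not part of any Kubernetes tooling.

```python
# The KUBELET_KUBEADM_ARGS line from the step above, pasted in as a string.
# To check a real host, read it from /var/lib/kubelet/kubeadm-flags.env instead.
ENV_LINE = (
    'KUBELET_KUBEADM_ARGS="--cgroup-driver=systemd --container-runtime=remote '
    '--container-runtime-endpoint=/var/run/crio/crio.sock '
    '--pod-infra-container-image=k8s.gcr.io/pause:3.5"'
)


def kubelet_flags(env_line):
    """Split a KEY="--a=b --c=d" line into a {flag: value} dictionary."""
    _, _, value = env_line.partition("=")
    flags = {}
    for token in value.strip().strip('"').split():
        name, _, flag_value = token.lstrip("-").partition("=")
        flags[name] = flag_value
    return flags


flags = kubelet_flags(ENV_LINE)
print(flags.get("cgroup-driver"))               # systemd
print(flags.get("container-runtime-endpoint"))  # /var/run/crio/crio.sock
```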