Kubernetes pods can't access the internet while host can
I am using a Microk8s setup with the following configuration -
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  labels:
    app: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      serviceAccountName: jenkins
      containers:
      - name: jenkins
        image: jenkins/jenkins:2.235.1-lts-alpine
        imagePullPolicy: IfNotPresent
        env:
        - name: JAVA_OPTS
          value: -Xmx2048m -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 50000
          protocol: TCP
        volumeMounts:
        - mountPath: /var/jenkins_home
          name: jenkins
      restartPolicy: Always
      securityContext:
        runAsUser: 0   # the Jenkins container runs as root
      terminationGracePeriodSeconds: 30
      volumes:
      - name: jenkins
        persistentVolumeClaim:
          claimName: jenkins-claim
pv.yaml
apiVersion: v1
kind: PersistentVolume
metadata:
  name: jenkins
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 4Gi
  accessModes:
  - ReadWriteOnce
  hostPath:
    path: "/mnt/data"
pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-claim
spec:
  storageClassName: manual
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi
rbac.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: ["networking.k8s.io"]   # ingresses live in networking.k8s.io, not the core ("") group
  resources: ["ingresses"]
  verbs: ["create","delete","get","list","patch","update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins   # the ServiceAccount above must be created in this namespace
service.yaml
apiVersion: v1
kind: Service
metadata:
  name: jenkins
  labels:
    app: jenkins
spec:
  type: NodePort
  ports:
  - name: ui
    port: 8080
    targetPort: 8080
    protocol: TCP
  - name: slave
    port: 50000
    protocol: TCP
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: jenkins
I can access the internet from my node (host), but not from my pods.
My node is an ubuntu 18.04.2 LTS machine running on vSphere, inside a VPN.
In the official docs (https://microk8s.io/docs/troubleshooting) it says
sudo iptables -P FORWARD ACCEPT
sudo apt-get install iptables-persistent
or
sudo ufw default allow routed
Neither of them solves my problem.
Also tried the suggestions in https://github.com/ubuntu/microk8s/issues/1484, without success.
To fix this problem on Microk8s, enable the dns addon before deploying, using the command microk8s enable dns
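The question tries the FORWARD-policy fix from the docs while the answer points at the dns addon; the two failures look identical from inside a pod ("no internet") unless a raw IP and a hostname are probed separately. The script below is an added diagnostic, not part of the question or answer: the pure helpers take command output as arguments so they can be checked offline, and probe_live() (assumes microk8s and a pullable busybox image; ping needs the probe pod to run as root) gathers that output from a throwaway pod.

```shell
#!/usr/bin/env bash
# Added diagnostic for the MicroK8s pod-egress problem above (not from the original post).

# classify_egress <ping_rc> <nslookup_rc>  ->  ok | dns | routing
# "dns":     a raw IP is reachable but names do not resolve (fix: microk8s enable dns)
# "routing": even a raw IP is unreachable (host FORWARD policy / NAT, per the MicroK8s docs)
classify_egress() {
  if [ "$1" -ne 0 ]; then echo routing
  elif [ "$2" -ne 0 ]; then echo dns
  else echo ok; fi
}

# resolv_uses_loopback <contents of /etc/resolv.conf as seen inside the pod>
# Returns 0 when the nameserver is 127.x: without a cluster DNS the pod inherits the
# host's systemd-resolved stub (127.0.0.53), which does not exist in the pod's network
# namespace, so every lookup fails even though routing is fine.
resolv_uses_loopback() {
  printf '%s\n' "$1" | awk '$1=="nameserver" && $2 ~ /^127\./ {found=1} END{exit !found}'
}

# forward_policy_ok <output of: sudo iptables -S FORWARD>
forward_policy_ok() {
  printf '%s\n' "$1" | grep -q '^-P FORWARD ACCEPT$'
}

# Runs the probes in a throwaway busybox pod and prints a verdict (assumed environment).
probe_live() {
  local out ping_rc dns_rc
  out=$(microk8s kubectl run egress-probe --rm -i --restart=Never \
        --image=busybox:1.36 -- sh -c '
          ping -c1 -W3 1.1.1.1 >/dev/null 2>&1; echo "ping_rc=$?"
          nslookup example.com >/dev/null 2>&1; echo "dns_rc=$?"
          grep "^nameserver" /etc/resolv.conf')
  ping_rc=$(printf '%s\n' "$out" | sed -n 's/^ping_rc=//p')
  dns_rc=$(printf '%s\n' "$out" | sed -n 's/^dns_rc=//p')
  echo "verdict: $(classify_egress "${ping_rc:-1}" "${dns_rc:-1}")"
  if resolv_uses_loopback "$out"; then
    echo "pod resolv.conf points at a loopback nameserver: enable the dns addon"
  fi
  forward_policy_ok "$(sudo iptables -S FORWARD)" || echo "host FORWARD policy is not ACCEPT"
}

# Live run only when asked for, so the helpers can be sourced and checked offline.
if [ "${1:-}" = "--live" ]; then probe_live; fi
```

Run it with --live on the MicroK8s node; a "dns" verdict together with the loopback-nameserver message is the situation the accepted answer fixes, while "routing" means the iptables/ufw steps from the docs still apply.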