为什么我无法通过其 IP 访问我的 Kubernetes 服务? [英] Why can't I access my Kubernetes service via its IP?

问题描述

我在 GKE 上有一个 Kubernetes 服务，如下所示:

I have a Kubernetes service on GKE as follows:

$ kubectl describe service staging
Name:           staging
Namespace:      default
Labels:         <none>
Selector:       app=jupiter
Type:           NodePort
IP:             10.11.246.27
Port:           <unnamed>   80/TCP
NodePort:       <unnamed>   31683/TCP
Endpoints:      10.8.0.33:1337
Session Affinity:   None
No events.

我可以通过其端点之一 (10.8.0.21:1337) 或通过节点端口 (10.240.251.174:31683 in我的情况).但是，如果我尝试访问 10.11.246.27:80，我什么也得不到.我也试过 1337 和 31683 端口.

I can access the service from a VM directly via one of its endpoints (10.8.0.21:1337) or via the node port (10.240.251.174:31683 in my case). However, if I try to access 10.11.246.27:80, I get nothing. I've also tried ports 1337 and 31683.

为什么我无法通过其 IP 访问该服务?我需要防火墙规则还是什么?

Why can't I access the service via its IP? Do I need a firewall rule or something?

推荐答案

服务 IP 是由 kube-proxy 管理的虚拟 IP.因此，为了使该 IP 有意义，客户端还必须是 kube-proxy覆盖"网络的一部分(运行 kube-proxy，指向同一个 apiserver).

Service IPs are virtual IPs managed by kube-proxy. So, in order for that IP to be meaningful, the client must also be a part of the kube-proxy "overlay" network (have kube-proxy running, pointing at the same apiserver).

GCE/GKE 上的 Pod IP 由 GCE 路由 管理a>，更像是网络中所有虚拟机的底层".

Pod IPs on GCE/GKE are managed by GCE Routes, which is more like an "underlay" of all VMs in the network.

有几种方法可以从集群外部访问非公共服务.在这里它们更详细，但简而言之:

There are a couple of ways to access non-public services from outside the cluster. Here they are in more detail, but in short:

1. 为集群的服务创建堡垒 GCE 路由.
2. 在您想要访问集群服务的任何位置安装集群的 kube-proxy.

这篇关于为什么我无法通过其 IP 访问我的 Kubernetes 服务?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！