Why can't I access my Kubernetes service via its IP?


Question

I have a Kubernetes service on GKE as follows:

$ kubectl describe service staging
Name:           staging
Namespace:      default
Labels:         <none>
Selector:       app=jupiter
Type:           NodePort
IP:             10.11.246.27
Port:           <unnamed>   80/TCP
NodePort:       <unnamed>   31683/TCP
Endpoints:      10.8.0.33:1337
Session Affinity:   None
No events.

I can access the service from a VM directly via one of its endpoints (10.8.0.21:1337) or via the node port (10.240.251.174:31683 in my case). However, if I try to access 10.11.246.27:80, I get nothing. I've also tried ports 1337 and 31683.

Why can't I access the service via its IP? Do I need a firewall rule or something?

Recommended answer

Service IPs are virtual IPs managed by kube-proxy. So, in order for that IP to be meaningful, the client must also be a part of the kube-proxy "overlay" network (have kube-proxy running, pointing at the same apiserver).

Pod IPs on GCE/GKE are managed by GCE Routes, which is more like an "underlay" of all VMs in the network.

There are a couple of ways to access non-public services from outside the cluster. Here they are in more detail, but in short:

  1. Create a bastion GCE route for the cluster's services.
  2. Install the cluster's kube-proxy wherever you want to access the cluster's services.
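
One way option 1 can look, as an added example that is not part of the original answer: it checks that the ClusterIP falls inside the cluster's Service range and then prints a `gcloud compute routes create` command that sends that range to a cluster node, limited to tagged client VMs. The Service range `10.11.240.0/20`, the route name, `NODE_NAME`, `ZONE` and `CLIENT_TAG` are assumptions; only `10.11.246.27` comes from the question.

```shell
#!/bin/sh
# Added example, not from the original answer.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_cidr IP CIDR -> exit status 0 if IP lies inside CIDR
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# route_cmd SERVICE_IP SERVICES_CIDR NODE ZONE NETWORK CLIENT_TAG
# Prints the route command (dry run); fails if the ClusterIP is not in
# the range, since the route would then not cover the service at all.
route_cmd() {
  in_cidr "$1" "$2" || { echo "error: $1 is not in $2" >&2; return 1; }
  echo "gcloud compute routes create k8s-services-route" \
       "--network=$5 --destination-range=$2" \
       "--next-hop-instance=$3 --next-hop-instance-zone=$4" \
       "--tags=$6"   # route applies only to VMs carrying this tag
}

# Constructed inputs: everything except 10.11.246.27 is a placeholder.
route_cmd 10.11.246.27 10.11.240.0/20 NODE_NAME ZONE default CLIENT_TAG
```

Without `--tags` the route applies to every VM on the network, which makes all ClusterIP services reachable from all of them.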
