How can I use Flannel without disabling firewalld (Kubernetes)


Question

I'm new to flannel and K8s. I'm playing around them on my 1 master and 2 nodes cluster (created from KVM).

I initialized my cluster with flannel network addon. And then I found I can't reach the Internal. It turned out that there may be something wrong with my network or DNS process.

Following https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/create-cluster-kubeadm/, I added 8285 and 8472 to firewalld

[root@k8smaster ~]# firewall-cmd --list-port
6443/tcp 80/tcp 8285/udp 8472/udp 8472/tcp 8285/tcp

I got

[root@k8smaster ~]# kubectl exec -ti dnsutils -- nslookup kubernetes.default
;; connection timed out; no servers could be reached

command terminated with exit code 1

However, if I stop the firewalld, everything is just fine.

[root@k8smaster ~]# kubectl exec -ti dnsutils -- nslookup kubernetes.default
Server:     10.96.0.10
Address:    10.96.0.10#53

Name:   kubernetes.default.svc.cluster.local
Address: 10.96.0.1

So my question is, are there any ports I should add into firewalld? Let me know if there is any info I should add here. Thank you.

Recommended answer

The rules you applied refer only to Flannel communication; you need to allow all Kubernetes ports to make it work.

In summary, you need to apply rules for these ports:

Control-plane node(s)

Protocol  Direction  Port Range   Purpose                  Used By
TCP       Inbound    6443*        Kubernetes API server    All
TCP       Inbound    2379-2380    etcd server client API   kube-apiserver, etcd
TCP       Inbound    10250        Kubelet API              Self, Control plane
TCP       Inbound    10251        kube-scheduler           Self
TCP       Inbound    10252        kube-controller-manager  Self

Worker node(s)

Protocol  Direction  Port Range   Purpose                  Used By
TCP       Inbound    10250        Kubelet API              Self, Control plane
TCP       Inbound    30000-32767  NodePort Services†       All

† Default port range for NodePort Services.

Here you can see all the necessary ports for control-plane and worker nodes.

Then, after these rules are applied, you need to apply 2 more rules to allow the flannel network, as mentioned here.

Make sure that your firewall rules allow UDP ports 8285 and 8472 traffic for all hosts participating in the overlay network. The Firewall section of Flannel's troubleshooting guide explains this in more detail.
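The procedure the answer describes, as an added shell example that is not part of the original answer: it takes the port tables quoted above plus the two flannel UDP ports, prints the `firewall-cmd` commands for a role instead of running them, and reports which required ports are still missing from a `firewall-cmd --list-ports` listing (the sample listing is the one shown in the question). The role names and function names are my own assumptions, and the port numbers follow the version of the kubeadm docs quoted in the answer.

```shell
#!/bin/sh
# Assumed helper (not from the answer): derive firewalld rules from the
# kubeadm port tables above and check a host's current listing against them.
set -eu

# Required ports per role as "port-or-range/proto", taken from the tables above.
k8s_ports() {                      # $1 = control-plane | worker
  case "$1" in
    control-plane) echo "6443/tcp 2379-2380/tcp 10250/tcp 10251/tcp 10252/tcp" ;;
    worker)        echo "10250/tcp 30000-32767/tcp" ;;
    *) echo "unknown role: $1" >&2; return 1 ;;
  esac
}
# Flannel overlay ports from the troubleshooting guide (UDP only: 8285 for the
# udp backend, 8472 for vxlan).
flannel_ports() { echo "8285/udp 8472/udp"; }

# Print the firewall-cmd invocations for a role (permanent rules + reload)
# rather than executing them, so they can be reviewed before touching the host.
firewalld_commands() {             # $1 = role
  for p in $(k8s_ports "$1") $(flannel_ports); do
    echo "firewall-cmd --permanent --add-port=$p"
  done
  echo "firewall-cmd --reload"
}

# Compare the space-separated output of `firewall-cmd --list-ports` ($2) with
# the required set for a role ($1) and print the ports that are still missing.
missing_ports() {
  have=" $2 "
  out=""
  for p in $(k8s_ports "$1") $(flannel_ports); do
    case "$have" in
      *" $p "*) ;;               # already open
      *) out="$out $p" ;;
    esac
  done
  echo "${out# }"
}

main() {
  role="$1"
  # Constructed sample: the listing the question shows after adding only the
  # flannel ports; on a real host use: listed="$(firewall-cmd --list-ports)"
  listed="6443/tcp 80/tcp 8285/udp 8472/udp 8472/tcp 8285/tcp"
  echo "missing on $role: $(missing_ports "$role" "$listed")"
  firewalld_commands "$role"
}
main "${1:-control-plane}"
```

Run it as `sh check-ports.sh worker` on a worker node; the printed `firewall-cmd` lines need root to apply.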
