Pods in EKS: can't resolve DNS (but can ping IP)


Problem description

I have 2 EKS clusters, in 2 different AWS accounts and with, I might assume, different firewalls (which I don't have access to). The first one (Dev) is all right; however, with the same configuration, the UAT cluster pods are struggling to resolve DNS. The nodes can resolve and seem to be all right.

1) ping 8.8.8.8 works

--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms

2) I can ping the IP of google (and others), but not the actual DNS names.

Our configuration:

  1. Configured with Terraform.
  2. The worker nodes and control plane SGs are the same as the dev ones. I believe those are fine.
  3. Added 53 TCP and 53 UDP on inbound + outbound NACL (just to be sure 53 was really open...). Added 53 TCP and 53 UDP outbound from the worker nodes.
  4. We are using ami-059c6874350e63ca9 with Kubernetes version 1.14.

I am unsure if the problem is a firewall somewhere, CoreDNS, my configuration that needs to be updated, or a "stupid mistake". Any help would be appreciated.

Accepted answer

After days of debugging, here is what the problem was: I had allowed all traffic between the nodes, but that "all traffic" is TCP, not UDP.

It was basically one line in AWS: in the worker nodes SG, add an inbound rule from/to the worker nodes, port 53, protocol DNS (UDP).

If you use Terraform, it should look like this:

# CoreDNS pods run on the worker nodes, so the worker-node SG must accept
# UDP/53 from itself. A rule that allows only TCP (even on all ports) does
# not cover this; pods can still reach TCP services and ping IPs.
resource "aws_security_group_rule" "eks-node-ingress-cluster-dns" {
  description              = "Allow pod DNS (UDP/53) between worker nodes"
  type                     = "ingress"
  from_port                = 53
  to_port                  = 53
  protocol                 = "udp"   # IANA protocol number 17; the name is clearer
  # Terraform 0.12+ reference syntax; "${...}" still works but is deprecated.
  security_group_id        = aws_security_group.SG-eks-WorkerNodes.id
  source_security_group_id = aws_security_group.SG-eks-WorkerNodes.id
}
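The check that would have shortened the debugging above is to read what the node security group actually permits, protocol by protocol, rather than trusting the rule's description. The following is an added example for this thread, not code from the original post or from AWS: it evaluates a list of inbound rules in the IpPermissions shape returned by `aws ec2 describe-security-groups` and reports whether DNS over UDP and over TCP is admitted from a given source. It applies the AWS semantics a practitioner relies on here: IpProtocol "-1" means every protocol and port (the port fields are then absent), protocols may be given by name or IANA number, and an "All TCP" rule (tcp, ports 0-65535) does not cover UDP at all. Every group ID, CIDR and rule below is constructed sample data.

```python
"""Report which DNS paths (UDP/53, TCP/53) a security group's inbound rules allow.

Added example for this thread, not code from the original post. Rule
dictionaries follow the IpPermissions shape returned by
`aws ec2 describe-security-groups`; all IDs and rules here are constructed.
"""
import ipaddress

DNS_PORT = 53

# AWS accepts protocols by name or IANA number; "-1" means all protocols.
PROTO_ALIASES = {"udp": {"udp", "17"}, "tcp": {"tcp", "6"}}


def rule_allows(rule, proto, port, source_sg, source_ip=None):
    """Return True if one IpPermissions entry admits `proto`/`port` from the source.

    The source matches if `source_sg` appears in UserIdGroupPairs or, when
    `source_ip` is given, if it falls inside one of the rule's IpRanges CIDRs.
    """
    ip_proto = str(rule.get("IpProtocol", "")).lower()
    if ip_proto != "-1":
        if ip_proto not in PROTO_ALIASES[proto]:
            return False  # e.g. an "All TCP" rule never covers UDP
        lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
        # (-1, -1) is "all ports" of that protocol; otherwise an inclusive range
        if (lo, hi) != (-1, -1) and not lo <= port <= hi:
            return False
    if any(p.get("GroupId") == source_sg for p in rule.get("UserIdGroupPairs", [])):
        return True
    if source_ip is not None:
        addr = ipaddress.ip_address(source_ip)
        for cidr in rule.get("IpRanges", []):
            if addr in ipaddress.ip_network(cidr["CidrIp"], strict=False):
                return True
    return False


def dns_report(rules, source_sg, source_ip=None):
    """Map each DNS transport to whether any rule admits it from the source."""
    return {
        proto: any(rule_allows(r, proto, DNS_PORT, source_sg, source_ip) for r in rules)
        for proto in ("udp", "tcp")
    }


# --- constructed sample data (hypothetical IDs, not a real account) ----------
NODE_SG = "sg-0123456789abcdef0"           # worker-node security group
CONTROL_PLANE_SG = "sg-0fedcba987654321f"  # cluster (control plane) security group

# Looks permissive ("all ports" from the nodes) but is TCP-only, so CoreDNS
# queries over UDP are dropped while TCP connections and ping still work.
RULES_TCP_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": NODE_SG}], "IpRanges": []},
    {"IpProtocol": "tcp", "FromPort": 1025, "ToPort": 65535,
     "UserIdGroupPairs": [{"GroupId": CONTROL_PLANE_SG}], "IpRanges": []},
]

# Same set plus the rule the accepted answer adds (protocol given numerically).
RULES_WITH_UDP_53 = RULES_TCP_ONLY + [
    {"IpProtocol": "17", "FromPort": 53, "ToPort": 53,
     "UserIdGroupPairs": [{"GroupId": NODE_SG}], "IpRanges": []},
]

# A genuine "all traffic" rule: IpProtocol -1 carries no port fields at all.
RULES_ALL_TRAFFIC = [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": NODE_SG}], "IpRanges": []},
]

# DNS permitted by a (hypothetical) VPC CIDR rather than by source SG.
RULES_BY_CIDR = [
    {"IpProtocol": "udp", "FromPort": 53, "ToPort": 53,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    for name, rules in [("tcp-only", RULES_TCP_ONLY),
                        ("with-udp-53", RULES_WITH_UDP_53),
                        ("all-traffic", RULES_ALL_TRAFFIC)]:
        print(f"{name:12s} {dns_report(rules, NODE_SG)}")
```

Against a live cluster the same input comes from `aws ec2 describe-security-groups --group-ids <node-sg> --query 'SecurityGroups[0].IpPermissions'`. The symptom itself can be confirmed from inside a pod by comparing `dig +tcp example.com` with a plain (UDP) `dig example.com`: if only the TCP query gets an answer, the UDP path to CoreDNS is what is blocked.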
