Ufw firewall blocks kubernetes (with calico)


Problem description

I'm trying to install a kubernetes cluster on my server (Debian 10). On my server I used ufw as firewall. Before creating the cluster I allowed these ports on ufw:

179/tcp, 4789/udp, 5473/tcp, 443/tcp, 6443/tcp, 2379/tcp, 4149/tcp, 10250/tcp, 10255/tcp, 10256/tcp, 9099/tcp, 6443/tcp

As calico doc suggests (https://docs.projectcalico.org/getting-started/kubernetes/requirements) and this git repo on kubernetes security too (https://github.com/freach/kubernetes-security-best-practice).

But when I want to create the cluster, the calico/node pod can't start because Felix is not live (I allowed 9099/tcp on ufw):

Liveness probe failed: calico/node is not ready: Felix is not live: Get http://localhost:9099/liveness: dial tcp [::1]:9099: connect: connection refused

If I disable ufw, the cluster is created and there is no error.

So I would like to know how I should configure ufw in order for kubernetes to work. If anyone could help me, it would be very great, thanks!

My ufw status

To                         Action      From
6443/tcp                   ALLOW       Anywhere
9099                       ALLOW       Anywhere
179/tcp                    ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
5473/tcp                   ALLOW       Anywhere
2379/tcp                   ALLOW       Anywhere
8181                       ALLOW       Anywhere
8080                       ALLOW       Anywhere
###### (v6)                LIMIT       Anywhere (v6)              # allow ssh connections in
Postfix (v6)               ALLOW       Anywhere (v6)
KUBE (v6)                  ALLOW       Anywhere (v6)
6443 (v6)                  ALLOW       Anywhere (v6)
6783/udp (v6)              ALLOW       Anywhere (v6)
6784/udp (v6)              ALLOW       Anywhere (v6)
6783/tcp (v6)              ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)
4149/tcp (v6)              ALLOW       Anywhere (v6)
10250/tcp (v6)             ALLOW       Anywhere (v6)
10255/tcp (v6)             ALLOW       Anywhere (v6)
10256/tcp (v6)             ALLOW       Anywhere (v6)
9099/tcp (v6)              ALLOW       Anywhere (v6)
6443/tcp (v6)              ALLOW       Anywhere (v6)
9099 (v6)                  ALLOW       Anywhere (v6)
179/tcp (v6)               ALLOW       Anywhere (v6)
4789/udp (v6)              ALLOW       Anywhere (v6)
5473/tcp (v6)              ALLOW       Anywhere (v6)
2379/tcp (v6)              ALLOW       Anywhere (v6)
8181 (v6)                  ALLOW       Anywhere (v6)
8080 (v6)                  ALLOW       Anywhere (v6)

53                         ALLOW OUT   Anywhere                   # allow DNS calls out
123                        ALLOW OUT   Anywhere                   # allow NTP out
80/tcp                     ALLOW OUT   Anywhere                   # allow HTTP traffic out
443/tcp                    ALLOW OUT   Anywhere                   # allow HTTPS traffic out
21/tcp                     ALLOW OUT   Anywhere                   # allow FTP traffic out
43/tcp                     ALLOW OUT   Anywhere                   # allow whois
SMTPTLS                    ALLOW OUT   Anywhere                   # open TLS port 465 for use with SMPT to send e-mails
10.32.0.0/12               ALLOW OUT   Anywhere on weave
53 (v6)                    ALLOW OUT   Anywhere (v6)              # allow DNS calls out
123 (v6)                   ALLOW OUT   Anywhere (v6)              # allow NTP out
80/tcp (v6)                ALLOW OUT   Anywhere (v6)              # allow HTTP traffic out
443/tcp (v6)               ALLOW OUT   Anywhere (v6)              # allow HTTPS traffic out
21/tcp (v6)                ALLOW OUT   Anywhere (v6)              # allow FTP traffic out
43/tcp (v6)                ALLOW OUT   Anywhere (v6)              # allow whois
SMTPTLS (v6)               ALLOW OUT   Anywhere (v6)              # open TLS port 465 for use with SMPT to send e-mails

Sorry my ufw rules are a bit messy, I tried too many things to get kubernetes working.

Accepted answer

I'm trying to install a kubernetes cluster on my server (Debian 10). On my server I used ufw as firewall. Before creating the cluster I allowed these ports on ufw: 179/tcp, 4789/udp, 5473/tcp, 443/tcp, 6443/tcp, 2379/tcp, 4149/tcp, 10250/tcp, 10255/tcp, 10256/tcp, 9099/tcp, 6443/tcp

NOTE: all executable commands begin with $

  • Following this initial instruction, I installed ufw on Debian 10 and enabled the same ports you mentioned:
$ sudo apt update && sudo apt upgrade -y
$ sudo apt install ufw -y
$ sudo ufw allow ssh
Rule added
Rule added (v6)

$ sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

$ sudo ufw allow 179/tcp
$ sudo ufw allow 4789/tcp
$ sudo ufw allow 5473/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow 6443/tcp
$ sudo ufw allow 2379/tcp
$ sudo ufw allow 4149/tcp
$ sudo ufw allow 10250/tcp
$ sudo ufw allow 10255/tcp
$ sudo ufw allow 10256/tcp
$ sudo ufw allow 9099/tcp

$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
179/tcp                    ALLOW       Anywhere                  
4789/tcp                   ALLOW       Anywhere                  
5473/tcp                   ALLOW       Anywhere                  
443/tcp                    ALLOW       Anywhere                  
6443/tcp                   ALLOW       Anywhere                  
2379/tcp                   ALLOW       Anywhere                  
4149/tcp                   ALLOW       Anywhere                  
10250/tcp                  ALLOW       Anywhere                  
10255/tcp                  ALLOW       Anywhere                  
10256/tcp                  ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
179/tcp (v6)               ALLOW       Anywhere (v6)             
4789/tcp (v6)              ALLOW       Anywhere (v6)             
5473/tcp (v6)              ALLOW       Anywhere (v6)             
443/tcp (v6)               ALLOW       Anywhere (v6)             
6443/tcp (v6)              ALLOW       Anywhere (v6)             
2379/tcp (v6)              ALLOW       Anywhere (v6)             
4149/tcp (v6)              ALLOW       Anywhere (v6)             
10250/tcp (v6)             ALLOW       Anywhere (v6)             
10255/tcp (v6)             ALLOW       Anywhere (v6)             
10256/tcp (v6)             ALLOW       Anywhere (v6)       


  • Now I will install Docker:

    $ sudo apt-get update
    $ sudo apt-get install -y apt-transport-https ca-certificates curl gnupg2 software-properties-common

  • Add the Docker repository:

    $ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
    $ sudo apt-key fingerprint 0EBFCD88
    $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian buster stable"

  • Update the source list and install Docker-ce:

    $ sudo apt-get update
    $ sudo apt-get -y install docker-ce

    NOTE: On production systems it is recommended to install a fixed version of docker:

    $ apt-cache madison docker-ce
    $ sudo apt-get install docker-ce=<VERSION>

  • Installing Kube Tools - kubeadm, kubectl, kubelet:

    $ curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -

  • Configure the Kubernetes repository (copy the 3 lines and paste them at once):

    $ cat <<EOF | sudo tee /etc/apt/sources.list.d/kubernetes.list
    deb https://apt.kubernetes.io/ kubernetes-xenial main
    EOF

  • Install the packages:

    $ sudo apt-get update
    $ sudo apt-get install -y kubelet kubeadm kubectl

  • After installation, mark these packages so they are not updated automatically:

    $ sudo apt-mark hold kubelet kubeadm kubectl

  • Initialize the cluster:

    $ sudo kubeadm init --pod-network-cidr=192.168.0.0/16

  • Enable kubectl for the non-root user:

    $ mkdir -p $HOME/.kube
    $ sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
    $ sudo chown $(id -u):$(id -g) $HOME/.kube/config

  • Install Calico:

    $ kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml
    configmap/calico-config created
    customresourcedefinition.apiextensions.k8s.io/bgpconfigurations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/bgppeers.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/blockaffinities.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/clusterinformations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/felixconfigurations.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/globalnetworkpolicies.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/globalnetworksets.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/hostendpoints.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/ipamblocks.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/ipamconfigs.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/ipamhandles.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/ippools.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/networkpolicies.crd.projectcalico.org created
    customresourcedefinition.apiextensions.k8s.io/networksets.crd.projectcalico.org created
    clusterrole.rbac.authorization.k8s.io/calico-kube-controllers created
    clusterrolebinding.rbac.authorization.k8s.io/calico-kube-controllers created
    clusterrole.rbac.authorization.k8s.io/calico-node created
    clusterrolebinding.rbac.authorization.k8s.io/calico-node created
    daemonset.apps/calico-node created
    serviceaccount/calico-node created
    deployment.apps/calico-kube-controllers created
    serviceaccount/calico-kube-controllers created

  • Check the status:

    $ kubectl get pods -n kube-system
    NAME                                           READY   STATUS    RESTARTS   AGE
    calico-kube-controllers-555fc8cc5c-wnnvq       1/1     Running   0          26m
    calico-node-sngt8                              1/1     Running   0          26m
    coredns-66bff467f8-2qqlv                       1/1     Running   0          55m
    coredns-66bff467f8-vptpr                       1/1     Running   0          55m
    etcd-kubeadm-ufw-debian10                      1/1     Running   0          55m
    kube-apiserver-kubeadm-ufw-debian10            1/1     Running   0          55m
    kube-controller-manager-kubeadm-ufw-debian10   1/1     Running   0          55m
    kube-proxy-nx8cz                               1/1     Running   0          55m
    kube-scheduler-kubeadm-ufw-debian10            1/1     Running   0          55m


Considerations:

  Sorry my ufw rules are a bit messy, I tried too many things to get kubernetes working.

  • Trying many things to get something working is normal, but sometimes it ends up becoming the problem itself.
  • I posted it step by step, deployed in the same environment as yours, so you can follow it again and reach the same result.
  • I had no error on the felix probe; the only time it got an error was when I (intentionally) deployed kubernetes without creating the rules on ufw.
  • If it still doesn't work, follow these steps:
    • Now, if after following this tutorial you still have a similar problem, update the question with the following information:
      • kubectl describe <pod_name> -n kube-system
      • kubectl get pod <pod_name> -n kube-system
      • kubectl logs <pod_name> -n kube-system
    • It's always recommended to start from a fresh Linux installation; if you are running a VM, delete it and create a new one.
    • If you are running on bare metal, consider what else is running on the server; maybe another piece of software is interfering with network communication.

                              Let me know in the comments if you find any problem following these troubleshooting steps.
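As an added example that is not part of the question or the answer, a small POSIX shell check that compares a saved `ufw status` listing against the port list quoted above and reports every port with no inbound IPv4 ALLOW rule. The sample status is constructed from the question's own IPv4 rules, in which several of the required ports appear only as (v6) rules.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: compare a saved
# `ufw status` listing against the Calico/Kubernetes port list quoted in the
# question and report the ports that have no inbound IPv4 ALLOW rule.

# Port list from the question; 9099/tcp is the Felix liveness port the probe hits.
REQUIRED_PORTS="179/tcp 4789/udp 5473/tcp 443/tcp 6443/tcp 2379/tcp 4149/tcp 10250/tcp 10255/tcp 10256/tcp 9099/tcp"

# Constructed sample modelled on the question's IPv4 rules: some ports exist only
# as "(v6)" rules, and outbound rules must not count as inbound allows.
SAMPLE_STATUS='Status: active
To                         Action      From
--                         ------      ----
6443/tcp                   ALLOW       Anywhere
9099                       ALLOW       Anywhere
179/tcp                    ALLOW       Anywhere
4789/udp                   ALLOW       Anywhere
5473/tcp                   ALLOW       Anywhere
2379/tcp                   ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)
10250/tcp (v6)             ALLOW       Anywhere (v6)
443/tcp                    ALLOW OUT   Anywhere                   # allow HTTPS traffic out'

# missing_ufw_rules STATUS_TEXT
# Prints, space separated, each required port with no inbound IPv4 ALLOW rule.
# A bare port rule (e.g. "9099") covers both tcp and udp, so it satisfies "9099/tcp".
missing_ufw_rules() {
    status="$1"
    missing=""
    for port in $REQUIRED_PORTS; do
        num="${port%/*}"
        proto="${port#*/}"
        # Drop IPv6 and outbound rules, then look for "num/proto" or bare "num"
        # in the To column followed by the ALLOW action.
        if ! printf '%s\n' "$status" | grep -Ev '\(v6\)|ALLOW OUT' \
            | grep -Eq "^(${num}/${proto}|${num})[[:space:]]+ALLOW[[:space:]]"; then
            missing="${missing}${missing:+ }${port}"
        fi
    done
    printf '%s\n' "$missing"
}

# Run against the live firewall with: missing_ufw_rules "$(sudo ufw status)"
missing_ufw_rules "$SAMPLE_STATUS"
```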
