How to expose kube-dns service for queries outside cluster?


Problem description


I'm trying to expose the "kube-dns" service to be available to be queried outside of the Kubernetes cluster. In order to do this I edited the "Service" definition to change "type" from "ClusterIP" to "NodePort" which seemed to work fine.

However, when I attempt to query on the node port, I'm able to get a TCP session (testing with Telnet) but can't seem to get any response from the DNS server (testing with dig).

I've had a look through the logs on each of the containers on the "kube-dns" Pod but can't see anything untoward. Additionally, querying the DNS from within the cluster (from a running container) appears to work without any issues.

Has anyone tried to expose the kube-dns service before? If so, are there any additional setup steps or do you have any debugging advice for me?

The service definition is as follows:

$ kubectl get service kube-dns -o yaml --namespace kube-system
apiVersion: v1
kind: Service
metadata:
...
spec:
  clusterIP: 10.0.0.10
  ports:
  - name: dns
    nodePort: 31257
    port: 53
    protocol: UDP
    targetPort: 53
  - name: dns-tcp
    nodePort: 31605
    port: 53
    protocol: TCP
    targetPort: 53
  selector:
    k8s-app: kube-dns
  sessionAffinity: None
  type: NodePort
status:
  loadBalancer: {}

Solution

Are you querying on the tcp port or the udp port?

I changed my kube-dns to be a NodePort service:

$ kubectl describe services kube-dns --namespace kube-system
Name:           kube-dns
Namespace:      kube-system
Labels:         k8s-app=kube-dns
            kubernetes.io/cluster-service=true
            kubernetes.io/name=KubeDNS
Selector:       k8s-app=kube-dns
Type:           NodePort
IP:         10.171.240.10
Port:           dns 53/UDP
NodePort:       dns 30100/UDP
Endpoints:      10.168.0.6:53
Port:           dns-tcp 53/TCP
NodePort:       dns-tcp 30490/TCP
Endpoints:      10.168.0.6:53
Session Affinity:   None

and then queried on the udp port from outside of the cluster and everything appeared to work:

$ dig -p 30100 @10.240.0.4 kubernetes.default.svc.cluster.local

; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -p 30100 @10.240.0.4 kubernetes.default.svc.cluster.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45472
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;kubernetes.default.svc.cluster.local. IN A

;; ANSWER SECTION:
kubernetes.default.svc.cluster.local. 30 IN A   10.171.240.1

;; Query time: 3 msec
;; SERVER: 10.240.0.4#30100(10.240.0.4)
;; WHEN: Thu May 26 18:27:32 UTC 2016
;; MSG SIZE  rcvd: 70

Right now, Kubernetes does not allow NodePort services to share the same port for tcp & udp (see Issue #20092). That makes this a little funky for something like DNS.

EDIT: The bug was fixed in Kubernetes 1.3.
