Why unable to access a service if setting externalTrafficPolicy to Local in a kubernetes cluster


Problem description

I'm following this guide to apply the source ip feature to my kubernetes cluster.

Firstly, I created a pod by running:

$ kubectl run source-ip-app --image=gcr.io/google_containers/echoserver:1.4

Then expose it as a NodePort service:

kubectl expose deployment source-ip-app --name=nodeport --port=80 --target-port=8080 --type=NodePort

At this point, I'm able to access the service from outside of the cluster and get correct client_address:

$ curl 10.74.68.49:16860 | grep client
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 296 0 296 0 0 43167 0 --:--:-- --:--:-- --:--:-- 49333
client_address=10.168.193.130

But if applying the source ip feature:

kubectl patch svc nodeport -p '{"spec":{"externalTrafficPolicy":"Local"}}'

I get a timeout:

$ curl 10.74.68.49:16860 | grep client
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- 0:01:14 --:--:-- 0curl: (7) Failed to connect to 10.74.68.49 port 16860: Operation timed out

I'm wondering what's the reason behind this and how to resolve it.

My environment info:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.3", GitCommit:"2c2fe6e8278a5db2d15a013987b53968c743f2a1", GitTreeState:"clean", BuildDate:"2017-08-03T07:00:21Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.3", GitCommit:"2c2fe6e8278a5db2d15a013987b53968c743f2a1", GitTreeState:"clean", BuildDate:"2017-08-03T06:43:48Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

UPDATE:

My cluster has 2 nodes, I get the timeout issue no matter which node ip is accessed.

Recommended answer

Create kube-proxy.yaml

kubectl get ds -n kube-system kube-proxy -o yaml >kube-proxy.yaml

# ...
spec:
  containers:
  - command:
    - ./hyperkube
    - proxy
    - --cluster-cidr=10.2.0.0/16
    - --hostname-override=$(HOST_IP)
    - --kubeconfig=/etc/kubernetes/kubeconfig
    - --proxy-mode=iptables
    env:
    - name: HOST_IP
      valueFrom:
          fieldRef:
              apiVersion: v1
              fieldPath: status.hostIP
    #...

Update the pods:

kubectl apply -f kube-proxy.yaml

This will apply the fix mentioned in https://github.com/kubernetes/kubernetes/issues/48437, resolving the dropped packets issue.
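
A check that an edited kube-proxy DaemonSet really carries the two pieces shown in the answer's YAML: the `--hostname-override=$(HOST_IP)` argument and a `HOST_IP` variable sourced from `status.hostIP`. This is an added example, not part of the original answer; it assumes the manifest was exported with `-o json` instead of `-o yaml`, the function name `check_hostname_override` is hypothetical, and the sample manifest is constructed.

```python
import json
import re

# Constructed sample: a trimmed `kubectl get ds -n kube-system kube-proxy -o json`
# export carrying the same command and env entries as the answer's YAML.
SAMPLE_DS = json.loads("""
{"spec": {"template": {"spec": {"containers": [{
  "name": "kube-proxy",
  "command": ["./hyperkube", "proxy", "--cluster-cidr=10.2.0.0/16",
              "--hostname-override=$(HOST_IP)",
              "--kubeconfig=/etc/kubernetes/kubeconfig", "--proxy-mode=iptables"],
  "env": [{"name": "HOST_IP",
           "valueFrom": {"fieldRef": {"apiVersion": "v1",
                                      "fieldPath": "status.hostIP"}}}]
}]}}}}
""")

def check_hostname_override(ds):
    """Return a list of problems; an empty list means the manifest matches the answer."""
    problems = []
    for c in ds["spec"]["template"]["spec"]["containers"]:
        args = c.get("command", []) + c.get("args", [])
        flags = [a for a in args if a.startswith("--hostname-override=")]
        if not flags:
            problems.append(f"{c['name']}: no --hostname-override=VALUE argument")
            continue
        value = flags[-1].partition("=")[2]
        # Kubernetes expands $(VAR) in command/args from the container's env.
        ref = re.fullmatch(r"\$\((\w+)\)", value)
        if not ref:
            problems.append(f"{c['name']}: override is the literal {value!r}, "
                            "identical on every node of the DaemonSet")
            continue
        env = {e["name"]: e for e in c.get("env", [])}
        var = env.get(ref.group(1))
        if var is None:
            problems.append(f"{c['name']}: $({ref.group(1)}) is not defined in env")
        elif var.get("valueFrom", {}).get("fieldRef", {}).get("fieldPath") != "status.hostIP":
            problems.append(f"{c['name']}: {ref.group(1)} does not come from status.hostIP")
    return problems

if __name__ == "__main__":
    print(check_hostname_override(SAMPLE_DS) or "manifest matches the answer")
```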
