netplugin
Unable access pod from k8s Nodeport
Description
I configured contiv with k8s and created a service in k8s, but I can't access the pod from the k8s nodeport. I noticed that contiv has support for k8s nodeport in the code.[1]
But there is no guide about how to set it up. Or do we need to create a contiv service like in the guide[2]?
[1] https://github.com/contiv/netplugin/pull/505/commits/5c879ca8d6a472e885cf265bfbd6fa6246d2ea0b
[2] http://contiv.github.io/documents/networking/services.html
Your Environment
- netctl version 1.1.1
- Orchestrator version (e.g. kubernetes, mesos, swarm): Kubernetes v1.6.7
- Operating System and version Centos 7.2
@hellochosen can you check IP forwarding, /proc/sys/net/ipv4/ip_forward, on the host? It should be turned on.
@rchirakk, thanks for your reply. ip_forward was already set to 1. There is no traffic in the KUBE-NODEPORTS chain.

```
Chain KUBE-NODEPORTS (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/nginx-demo: */ tcp dpt:30080
0 0 KUBE-SVC-53PNG6KROACM5MQP tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/nginx-demo: */ tcp dpt:30080
```

And in chain CONTIV-NODEPORT, there are no iptables rules.

```
Chain CONTIV-NODEPORT (1 references)
pkts bytes target prot opt in out source destination
```
You should see rules & pkt count in CONTIV-NODEPORT.
Can you check these:

```
netctl global info
netctl net ls -a
kubectl get svc
kubectl describe svc <svc-name>
```
```
[root@contiv-node1 ~]# netctl global info
Fabric mode: default
Forward mode: bridge
ARP mode: proxy
Vlan Range: 1-4094
Vxlan range: 1-10000
Private subnet: 172.19.0.0/16
[root@contiv-node1 ~]# netctl net ls -a
Tenant Network Nw Type Encap type Packet tag Subnet Gateway IPv6Subnet IPv6Gateway Cfgd Tag
developer vxlan-net1 data vxlan 0 20.9.0.0/24 20.9.0.1
default default-net data vxlan 0 10.10.10.0/24 10.10.10.1
default contiv-net-1 data vxlan 0 10.1.1.0/24 10.1.1.1
[root@contiv-node1 ~]# kubectl get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes 10.20.0.1
```
```
[root@contiv-node1 ~]# netctl global info
Fabric mode: default
>>Forward mode: bridge
```

Forward mode should be in "routing" mode: `netctl global set -b routing`
How did you install contiv/k8s? Did you assign service network 10.20.x.x?
I have created a nodeport service. But I can't visit it using hostIP:port from outside. My contiv is v1.1.1. The forward mode is routing. My k8s is v1.9.2.
Any update???
@MIBc Is there iptables in the host?
@MIBc Type: NodePort IP: 10.20.175.244
Is the IP the master's node IP? Or is there a netplugin running on the 10.20.175.244 host? Not the netmaster.
In contiv, just netplugin supports the nodeproxy!
Yes. It has iptables.
From: Jackson
Date: 2018-07-10 17:01
To: contiv/netplugin
CC: Lv Jiawei; Mention
Subject: Re: [contiv/netplugin] Unable access pod from k8s Nodeport (#939)

> @MIBc Is there iptables in the host?
You mean I should access a node IP which is not the k8s master.
From: Jackson
Date: 2018-07-10 17:11
To: contiv/netplugin
CC: Lv Jiawei; Mention
Subject: Re: [contiv/netplugin] Unable access pod from k8s Nodeport (#939)

> @MIBc Type: NodePort IP: 10.20.175.244
> Is the IP is the master's node ip? or is there netplugin run in the 10.20.175.244's host? Not the netmaster.
> In contiv, Just netplugin support the nodeproxy!
@MIBc
Yes, you can look at `iptables -t nat -nL` on the node (the one which runs netplugin, not the netmaster), not the master.
Are there any rules about the nodeport?
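
The checks suggested across this thread (ip_forward, the contiv forward mode, and the rule and packet counters in the KUBE-NODEPORTS and CONTIV-NODEPORT chains) can be run over captured output in one pass. The script below is an added example, not code from any participant or from the contiv project; the function names are hypothetical, and the sample text is constructed in the layout of `iptables -t nat -nvL` to mirror the output quoted above.

```python
import re

# Constructed sample in the layout of `iptables -t nat -nvL`, modelled on the
# output quoted in the thread (rules in KUBE-NODEPORTS, none in CONTIV-NODEPORT).
SAMPLE = """\
Chain KUBE-NODEPORTS (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 KUBE-MARK-MASQ  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/nginx-demo: */ tcp dpt:30080
    0     0 KUBE-SVC-53PNG6KROACM5MQP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/nginx-demo: */ tcp dpt:30080

Chain CONTIV-NODEPORT (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")


def parse_chains(text):
    """Map chain name -> list of (pkts, target, dport-or-None) rule tuples."""
    chains, current = {}, None
    for line in text.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            current = chains.setdefault(header.group(1), [])
            continue
        fields = line.split()
        # Skip blank lines and the "pkts bytes target ..." column header.
        if current is None or len(fields) < 3 or not fields[0][0].isdigit():
            continue
        dpt = re.search(r"dpt:(\d+)", line)
        current.append((fields[0], fields[2], int(dpt.group(1)) if dpt else None))
    return chains


def diagnose(nat_table, forward_mode, ip_forward):
    """Return the list of problems the thread's checks would surface."""
    findings = []
    if ip_forward.strip() != "1":
        findings.append("net.ipv4.ip_forward is not 1")
    if forward_mode != "routing":
        findings.append("forward mode is %r; the thread advises routing" % forward_mode)
    chains = parse_chains(nat_table)
    for name in ("KUBE-NODEPORTS", "CONTIV-NODEPORT"):
        if name not in chains:
            findings.append("%s: chain not present" % name)
        elif not chains[name]:
            findings.append("%s: no rules" % name)
        elif all(pkts == "0" for pkts, _, _ in chains[name]):
            findings.append("%s: rules present, no packets matched" % name)
    return findings


if __name__ == "__main__":
    for problem in diagnose(SAMPLE, forward_mode="bridge", ip_forward="1"):
        print(problem)
```

On a live node, pass in the text of `iptables -t nat -nvL`, the "Forward mode" value from `netctl global info`, and the contents of /proc/sys/net/ipv4/ip_forward.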