Firewall – Can’t reach a Kubernetes service on a guest node

cloudstackfirewallkubernetesopenshift-origin

I have tried to run the guestbook example in Kubernetes Github repository but I can't reach this service from my local host.
My test enviroment consists of two virtual machines (with CentOS7) provisioned by CloudStack, with OpenShift Origin installed on it.
Here it's the services list:

    [root@openshift-master amd64]# ./oc get svc
NAME              CLUSTER-IP       EXTERNAL-IP   PORT(S)                   AGE
docker-registry   172.30.39.251    <none>        5000/TCP                  1d
guestbook         172.30.55.125    nodes         3000/TCP                  56m
kubernetes        172.30.0.1       <none>        443/TCP,53/UDP,53/TCP     1d
redis-master      172.30.24.94     <none>        6379/TCP                  1h
redis-slave       172.30.132.250   <none>        6379/TCP                  1h
router            172.30.33.117    <none>        80/TCP,443/TCP,1936/TCP   1d

The service exposed is guestbook.
Here is the service guestbook description:

[root@openshift-master amd64]# ./oc describe svc guestbook
Name:           guestbook
Namespace:      default
Labels:         app=guestbook
Selector:       app=guestbook
Type:           NodePort
IP:         172.30.55.125
Port:           <unset> 3000/TCP
NodePort:       <unset> 30642/TCP
Endpoints:      172.17.0.6:3000,172.17.0.7:3000,172.17.0.8:3000
Session Affinity:   None
No events.

If I do:

curl 172.30.55.125:3000

It works only from the node who host the guestbook pod, from others node in the cluster and my host machine (192.168.1.2) It doesn't work.

I opened all ports in CloudStack, otherwise I can't ssh the nodes and in the node I set this firewall rule:

firewall-cmd --permanent --zone=public --add-port=30642/tcp

30642 is the NodePort, that is mandatory to reach it from out of the cluster.
Have you any idea on how to resolve?
Thanks in advance.

Best Answer

curl 172.17.0.6:3000 (i.e. each of the Endpoints addresses) should be usable directly from every cluster node. If it doesn't work, then the cluster network is not set up correctly. This could include any firewall or SDN that filters packets sent from one node to another.

172.30.55.125:3000 should have an entry in the iptables list on every cluster node, maintained by the local kube-proxy daemon on each cluster node. If curling a remote endpoint works but using the service virtual ip and port fails, then it's possible that kube-proxy is not working. Check its iptables entries, its process status, and its log file.

Finally, it's possible that the guestbook app is indeed receiving the connection, but it's then aborting or blocking while it tries a doomed reverse DNS lookup.

Related Solutions

Docker – Kubernetes cluster internal routing not working (NodePort service)

Kubernetes requires more than just the nodes being able to talk to each other. It also requires a network (or routing table) so pods can talk to each other. It's essentially another network just for the pods (often called an overlay/underlay network) that allows pod on nodeA to talk to pods on nodeB.

From the looks of it you don't have pod networking set up. You can implement overlay networking a multitude of ways (which is one reason it's so confusing). Read more about the networking requirements here.

With only 2 nodes I would recommend you actually set up what I like to call "no SDN Kubernetes" and just manually add pod routes to each node. It would require you to do 2 things.

Specify the subnet for pods on each node
Manually run a command to create the route

I have details on how to do it on my blog post I wrote about the subject.

Unfortunately, setting up the pod networking is only going to get you 1/2 of the way there. In order to implement automatic NodePort services you also need to install the kube-proxy. The job of the kube-proxy is to watch for what port a service starts on and then route that port to the correct service/pod inside the cluster. It does this via IP tables and is mostly automatic.

I couldn't find a very good example of deploying kube-proxy manually (usually it's handled via your deployment tool) Here's an example of a DaemonSet the kubeadm tool should automatically create to run the kube-proxy on every node in the cluster.

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  generation: 1
  labels:
    component: kube-proxy
    k8s-app: kube-proxy
    kubernetes.io/cluster-service: "true"
    name: kube-proxy
    tier: node
  name: kube-proxy
  namespace: kube-system
spec:
  selector:
    matchLabels:
      component: kube-proxy
      k8s-app: kube-proxy
      kubernetes.io/cluster-service: "true"
      name: kube-proxy
      tier: node
  template:
    metadata:
      labels:
        component: kube-proxy
        k8s-app: kube-proxy
        kubernetes.io/cluster-service: "true"
        name: kube-proxy
        tier: node
    spec:
      containers:
      - command:
        - kube-proxy
        - --kubeconfig=/run/kubeconfig
        image: gcr.io/google_containers/kube-proxy-amd64:v1.5.2
        imagePullPolicy: IfNotPresent
        name: kube-proxy
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        volumeMounts:
        - mountPath: /var/run/dbus
          name: dbus
        - mountPath: /run/kubeconfig
          name: kubeconfig
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      volumes:
      - hostPath:
          path: /etc/kubernetes/kubelet.conf
        name: kubeconfig
      - hostPath:
          path: /var/run/dbus
        name: dbus

One other resources that might be useful to go through is Kubernetes the Hard Way. It's not directly applicable to running in VMs on proxmox (it assumes GCE or AWS) but it shows you the bare minimum steps and resources needed to run a functioning Kubernetes cluster.

Nginx ingress to support ipv4 and ipv6 for kubernetes IPv4 cluster

According to the official gcloud documentation:

VPC networks only support IPv4 unicast traffic. They do not support broadcast, multicast, or IPv6 traffic within the network: VMs in the VPC network can only send to IPv4 destinations and only receive traffic from IPv4 sources. It is possible to create an IPv6 address for a global load balancer

Please read this article about ipv6 support and dual-stack configurations

In azure:

IPv6 for Azure Virtual Network is currently in public preview. This preview is provided without a service level agreement and is not recommended for production workloads. You can find more information here

Discussion about ipv6 support on github

In addition to work the cluster with ipv support the cluster should have dual-stack implementation supporting IPv4 and IPv6 for both pods and services. As an example please take a look here and here and here kubeadm-dind-cluster

At the moment probably Amazon provide the biggest IPv6 support

Best Answer

Related Solutions

Docker – Kubernetes cluster internal routing not working (NodePort service)

Nginx ingress to support ipv4 and ipv6 for kubernetes IPv4 cluster

Related Topic