This post covers connecting a Kubernetes cluster to Redis on the same GCP (Google Cloud Platform) network.

Problem description

I'm running a Kubernetes cluster and HA redis VMs on the same VPC on Google Cloud Platform. ICMP and traffic on all TCP and UDP ports is allowed on the subnet 10.128.0.0/20. Kubernetes has its own internal network, 10.12.0.0/14, but the cluster runs on VMs inside of 10.128.0.0/20, same as redis VM.

However, even though the VMs inside of 10.128.0.0/20 see each other, I can't ping the same VM or connect to its ports while running commands from Kubernetes pod. What would I need to modify either in k8s or in GCP firewall rules to allow for this - I was under impression that this should work out of the box and pods would be able to access the same network that their nodes were running on?

kube-dns is up and running, and this is k8s 1.9.4 on GCP.

Solution

I've tried to reproduce your issue with the same configuration, but it works fine. I've created a network called "myservernetwork1" with subnet 10.128.0.0/20. I started a cluster in this subnet and created 3 firewall rules to allow icmp, tcp and udp traffic inside the network.

$ gcloud compute firewall-rules list --filter="myservernetwork1"
    myservernetwork1-icmp  myservernetwork1  INGRESS    1000      icmp
    myservernetwork1-tcp   myservernetwork1  INGRESS    1000      tcp
    myservernetwork1-udp   myservernetwork1  INGRESS    1000      udp

I allowed all TCP, UDP and ICMP traffic inside the network. I created a rule for icmp protocol for my sub-net using this command:

gcloud compute firewall-rules create myservernetwork1-icmp \
  --allow icmp \
  --network myservernetwork1 \
  --source-ranges 10.0.0.0/8

I’ve used /8 mask because I wanted to cover all addresses in my network. Check your GCP firewall settings to make sure those are correct.
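Why the /8 source range matters is easier to see with a small model of how a VPC ingress rule is evaluated. The example below is added here and is not code from the thread or from Google; the Redis, node and pod addresses are constructed for illustration, and the ruleset names are hypothetical. It assumes the ranges quoted in the question (node subnet 10.128.0.0/20, pod range 10.12.0.0/14) and the GKE default that pod traffic to RFC 1918 destinations is not masqueraded, so the Redis VM sees the pod IP, not the node IP, as the source. A rule scoped only to the node subnet therefore never matches pod-originated pings or Redis connections, while the answer's 10.0.0.0/8 rule does. The third ruleset shows the least-privilege equivalent: name the node subnet and the pod range explicitly and restrict TCP to the Redis port instead of opening every port across the whole /8.

```python
import ipaddress
from dataclasses import dataclass, field

# Ranges from the question; the host addresses below are constructed examples.
NODE_SUBNET = "10.128.0.0/20"
POD_RANGE = "10.12.0.0/14"
NODE_IP = "10.128.0.20"   # hypothetical GKE node in the node subnet
POD_IP = "10.12.3.7"      # hypothetical pod address from the cluster CIDR
REDIS_PORT = 6379


@dataclass
class FirewallRule:
    """Minimal model of a GCP VPC ingress allow rule (protocol + source ranges + ports)."""
    name: str
    protocol: str            # "icmp", "tcp" or "udp"
    source_ranges: list
    ports: list = field(default_factory=list)   # empty list means all ports

    def matches(self, src, proto, port=None):
        if proto != self.protocol:
            return False
        if self.ports and port not in self.ports:
            return False
        src_addr = ipaddress.ip_address(src)
        return any(src_addr in ipaddress.ip_network(r) for r in self.source_ranges)


def ingress_allowed(rules, src, proto, port=None):
    """VPC ingress is deny-by-default; any matching allow rule permits the flow."""
    return any(rule.matches(src, proto, port) for rule in rules)


# Ruleset 1: scoped to the node subnet only (a common first attempt).
NODE_ONLY = [
    FirewallRule("redis-icmp-nodes", "icmp", [NODE_SUBNET]),
    FirewallRule("redis-tcp-nodes", "tcp", [NODE_SUBNET], [REDIS_PORT]),
]

# Ruleset 2: the answer's approach, one broad /8 source range, all ports.
SLASH8 = [
    FirewallRule("myservernetwork1-icmp", "icmp", ["10.0.0.0/8"]),
    FirewallRule("myservernetwork1-tcp", "tcp", ["10.0.0.0/8"]),
]

# Ruleset 3: least-privilege equivalent, node subnet plus pod range, Redis port only.
EXPLICIT = [
    FirewallRule("redis-icmp", "icmp", [NODE_SUBNET, POD_RANGE]),
    FirewallRule("redis-tcp-6379", "tcp", [NODE_SUBNET, POD_RANGE], [REDIS_PORT]),
]


def evaluate(rules):
    """Return (node ping allowed, pod ping allowed, pod->Redis TCP allowed)."""
    return (
        ingress_allowed(rules, NODE_IP, "icmp"),
        ingress_allowed(rules, POD_IP, "icmp"),
        ingress_allowed(rules, POD_IP, "tcp", REDIS_PORT),
    )


if __name__ == "__main__":
    for label, rules in [("node-subnet only", NODE_ONLY), ("/8", SLASH8), ("explicit", EXPLICIT)]:
        node_ping, pod_ping, pod_redis = evaluate(rules)
        print(f"{label:17s} node ping={node_ping} pod ping={pod_ping} pod->redis={pod_redis}")
```

The model only covers source-range and protocol matching; it does not account for target tags or service accounts on the Redis VM, nor for Redis itself binding to 127.0.0.1, both of which produce the same symptom and are worth checking alongside the firewall rules.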


05-21 02:14