Problem description
I'm running a Kubernetes cluster and HA redis VMs on the same VPC on Google Cloud Platform. ICMP and traffic on all TCP and UDP ports is allowed on the subnet 10.128.0.0/20. Kubernetes has its own internal network, 10.12.0.0/14, but the cluster runs on VMs inside of 10.128.0.0/20, the same as the redis VMs.
However, even though the VMs inside of 10.128.0.0/20 see each other, I can't ping the same VM or connect to its ports while running commands from a Kubernetes pod. What would I need to modify, either in k8s or in GCP firewall rules, to allow for this? I was under the impression that this should work out of the box and pods would be able to access the same network that their nodes were running on.
kube-dns is up and running, and this is k8s 1.9.4 on GCP.
I've tried to reproduce your issue with the same configuration, but it works fine. I've created a network called "myservernetwork1" with subnet 10.128.0.0/20. I started a cluster in this subnet and created 3 firewall rules to allow icmp, tcp and udp traffic inside the network.
$ gcloud compute firewall-rules list --filter="myservernetwork1"
myservernetwork1-icmp myservernetwork1 INGRESS 1000 icmp
myservernetwork1-tcp myservernetwork1 INGRESS 1000 tcp
myservernetwork1-udp myservernetwork1 INGRESS 1000 udp
I allowed all TCP, UDP and ICMP traffic inside the network. I created a rule for the icmp protocol for my sub-net using this command:
gcloud compute firewall-rules create myservernetwork1-icmp \
--allow icmp \
--network myservernetwork1 \
--source-ranges 10.0.0.0/8
I’ve used /8 mask because I wanted to cover all addresses in my network. Check your GCP firewall settings to make sure those are correct.
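The answer's /8 source range works, but it is worth seeing why a rule scoped only to the node subnet 10.128.0.0/20 can fail for pod traffic: packets leaving a pod for a VM in the same VPC may still carry the pod's 10.12.x.x address, which a 10.128.0.0/20-only source range does not admit, while 10.0.0.0/8 does. The script below is an added example (not code from the question or the answer) that checks which source ranges admit a given source IP, then prints the gcloud commands for a rule set scoped to the two ranges the page actually names, node subnet 10.128.0.0/20 and pod range 10.12.0.0/14, instead of the whole /8. It assumes pod-sourced traffic keeps its pod IP; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Reuses the page's own values:
# network "myservernetwork1", node subnet 10.128.0.0/20, pod range 10.12.0.0/14.
# Assumption: pod traffic to VMs in the VPC keeps its pod IP (10.12.x.x).

# ip_to_int A.B.C.D: print the IPv4 address as a 32-bit integer.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# in_cidr IP CIDR: succeed (exit 0) if IP lies inside CIDR.
in_cidr() {
  ip_n=$(ip_to_int "$1")
  net_n=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  # Network mask with the top BITS bits set, e.g. /20 -> 0xFFFFF000.
  mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# source_allowed IP "RANGE RANGE ...": succeed if any range admits IP.
source_allowed() {
  src=$1
  for r in $2; do
    in_cidr "$src" "$r" && return 0
  done
  return 1
}

# emit_rules NETWORK "RANGE RANGE ...": run (or print) one gcloud command
# per protocol, each limited to the given source ranges. GCLOUD defaults
# to "echo gcloud" so this is a dry run; set GCLOUD=gcloud to apply.
emit_rules() {
  net=$1
  ranges=$(echo "$2" | tr ' ' ',')
  for proto in icmp tcp udp; do
    ${GCLOUD:-echo gcloud} compute firewall-rules create "$net-$proto" \
      --allow "$proto" \
      --network "$net" \
      --source-ranges "$ranges"
  done
}

# Constructed sample: a pod at 10.12.3.4 talking to a redis VM on the node subnet.
POD_IP=10.12.3.4
NODE_ONLY="10.128.0.0/20"
NODE_AND_POD="10.128.0.0/20 10.12.0.0/14"
ANSWER_RULE="10.0.0.0/8"

for ranges in "$NODE_ONLY" "$NODE_AND_POD" "$ANSWER_RULE"; do
  if source_allowed "$POD_IP" "$ranges"; then
    echo "source $POD_IP ALLOWED by [$ranges]"
  else
    echo "source $POD_IP BLOCKED by [$ranges]"
  fi
done

# Dry-run the tighter rule set (prints the commands; GCLOUD=gcloud applies them).
emit_rules myservernetwork1 "$NODE_AND_POD"
```

The first loop shows the node-only range blocking the pod's packet while both the two-range set and the /8 admit it; the emitted rules prefer the two explicit ranges so the firewall admits only node and pod addresses rather than every 10.x.x.x host in the project.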