问题描述

我构建了具有3个工作程序节点和一个管理节点的集群.工作节点已部署并设置了kube-dns和calica.每台机器都有自己的外部IP和关联的DNS.我已成功运行nginx-ingress-controller，并且可以从外部访问其默认的404端点.

I've built the cluster that has 3 worker nodes and an admin node. The worker nodes have kube-dns and calica deployed and set. Each machine has it's own external IP and associated DNS. I successfully run nginx-ingress-controller and its default 404-endpoint is accessible from the outside.

现在，问题在于，由于某些原因，不允许工作人员中的Pod建立出站连接.当我将exec封装到Pod中时，我无法卷曲，也无法ping通，即使网络在Pod内似乎配置良好.我试图检查印花棉布的配置，但是它很杂乱，我不知道它怎么可能是错误的.是否有任何默认的calico/k8s设置禁止其节点进行传出连接?也许有人面临类似的问题?

Now, the problem is that for some reason pods in the workers are not allowed to establish outbound connections. When I shell exec into the pod, I cannot curl, nor ping, even thus network seems to be configured well inside the pod. I tried to examine calico configuration, but it's quite messy and I don't know how it could be wrong. Are there any default calico/k8s settings that forbid outgoing connection from its nodes? Or maybe somebody faced similar issue?

我不确定，我将按需提供日志输出，哪些信息对于检查此问题将是宝贵的.

I'll provide log outputs on-demand, as I'm unsure, what information would be precious in examining this issue.

推荐答案

感谢您的评论，经过许多小时的调查，我终于发现问题是错误地配置了kube-dns.部署kube-dns时，它将自动从您的计算机/etc/resolv.conf中导入名称服务器列表.除非您安装了装有systemd-resolve DNS服务器的ubuntu(并且默认情况下已安装)，否则它会很好用.它充当代理DNS服务器，活动的地址为127.0.0.53，并且在Pod内无法访问.这就是即使kube-dns已安装并处于活动状态后，DNS名称服务器仍然无法使用的原因.

Thanks for comments, after many hours of investigation, I finally found that the problem was wrongly configured kube-dns. When you deploy kube-dns, it automatically imports nameservers list from your machine /etc/resolv.conf. It works great, unless you have ubuntu with systemd-resolve DNS server installed (and it's installed by default). It works as a proxy DNS server active as address 127.0.0.53, and is inaccesible from inside pods. That's why DNS nameservers were inaccesible even after kube-dns was installed and active.

我使用的解决此问题的方法如下:

Workaround for this problem, that I used, is as following:

1. 检查您的计算机使用的名称服务器-对我而言，它在/run/systemd/resolve/resolv.conf

1. Check what is the nameserver used by your machine - for me it was in /run/systemd/resolve/resolv.conf

创建新的ConfigMap来替换kube-dns的默认ConfigMap，并按如下所示进行填充:

Create new ConfigMap to replace kube-dns's default one, and fill it as follows:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
  name: kube-dns
  namespace: kube-system
data:
  upstreamNameservers: |
    ["Your nameserver address"]