k8s在pod内无法ping通servicename和ClusterIP

需要使用 ipvs 替换iptables,操作是在所有节点上

1:开启内核支持

1

2

3

4

5

6

7

cat >> /etc/sysctl.conf << EOF

net.ipv4.ip_forward = 1

net.bridge.bridge-nf-call-iptables = 1

net.bridge.bridge-nf-call-ip6tables = 1

EOF

sysctl -p

  

2:开启ipvs支持

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

yum -y install ipvsadm  ipset

# 临时生效

modprobe -- ip_vs

modprobe -- ip_vs_rr

modprobe -- ip_vs_wrr

modprobe -- ip_vs_sh

modprobe -- nf_conntrack_ipv4

# 永久生效

cat > /etc/sysconfig/modules/ipvs.modules <<EOF

modprobe -- ip_vs

modprobe -- ip_vs_rr

modprobe -- ip_vs_wrr

modprobe -- ip_vs_sh

modprobe -- nf_conntrack_ipv4

EOF

  

3:配置kube-proxy,在master上操作,因使用kubeadmin安装,所以操作方式如下

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

[root@master] # kubectl edit cm kube-proxy -n kube-system

configmap/kube-proxy edited

#修改如下

kind: MasterConfiguration

apiVersion: kubeadm.k8s.io/v1alpha1

...

ipvs:

      excludeCIDRs: null

      minSyncPeriod: 0s

      scheduler: ""

      syncPeriod: 30s

    kind: KubeProxyConfiguration

    metricsBindAddress: 127.0.0.1:10249

    mode: "ipvs"                  #修改

  

4:在master重启kube-proxy

1

kubectl  get pod -n kube-system | grep kube-proxy | awk '{print $1}' | xargs kubectl delete pod -n kube-system

  

5:验证ipvs是否开启

1

2

3

4

5

6

7

8

9

10

11

[root@k8s-m mytest]# kubectl logs kube-proxy-cvzb4 -n kube-system

I0409 03:37:29.194391       1 server_others.go:170] Using ipvs Proxier.

W0409 03:37:29.194779       1 proxier.go:401] IPVS scheduler not specified, use rr by default

I0409 03:37:29.194981       1 server.go:534] Version: v1.15.3

I0409 03:37:29.214255       1 conntrack.go:52] Setting nf_conntrack_max to 524288

I0409 03:37:29.216744       1 config.go:96] Starting endpoints config controller

I0409 03:37:29.216812       1 controller_utils.go:1029] Waiting for caches to sync for endpoints config controller

I0409 03:37:29.217445       1 config.go:187] Starting service config controller

I0409 03:37:29.218320       1 controller_utils.go:1029] Waiting for caches to sync for service config controller

I0409 03:37:29.318218       1 controller_utils.go:1036] Caches are synced for endpoints config controller

I0409 03:37:29.318564       1 controller_utils.go:1036] Caches are synced for service config controller

  

6:进入pod内,现在可以ping通servicename了,使用iptables时,发现ping的时候出现了如下错误,执行完上述操作,一切正常

1

2

3

4

root@xxxxxx-cb4c9cb8c-hpzdl:/opt# ping xxxxxx

PING xxxxxx.xxxxx.svc.cluster.local (172.16.140.78) 56(84) bytes of data.

From 172.16.8.1 (172.16.8.1) icmp_seq=1 Time to live exceeded

From 172.16.8.1 (172.16.8.1) icmp_seq=2 Time to live exceeded