Problem with Exercise 3.3: Access from Outside the Cluster
Please check this status:
esudbat@kube-master:~$ kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 40d
nginx LoadBalancer 10.106.224.107 <pending> 80:30619/TCP 26m
Step 6: External access via the public IP and port doesn't work.
Any suggestions?
Comments
-
Hello,
First check the access to the high port on the node itself. First use loopback, then the 10.106.224.107 IP. This may narrow down if the issue is a firewall problem. Remember that only the high port is accessible with services. The nc command can be helpful to troubleshoot, such as: nc 10.106.224.107 30619
If the nc command works using 127.0.0.1 but not the 10. IP it probably is a firewall issue. If you load a webserver on the host node, can you access that server via the public IP?
Regards,
0 -
Hello devagari,
The iptables command would be where I started, something like sudo iptables -vL and see if there are any rules which would drop or reject the expected traffic. The use of a LOG target early in the rules can be helpful so you can see the packet enter, then you can find which rule is dropping, rejecting or perhaps even sending the packet to an unexpected place.
Chances are the packet is dropped on INPUT instead of OUTPUT, so one easy way to check is to add as the first rule to ACCEPT all traffic from the sending host, something like sudo iptables -I INPUT -s <ip of sending node here> -j ACCEPT. Then try the curl, wget or HTTP commands again and see if it works. You can learn more about iptables here: https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
Did it work using loopback/127.0.0.1 but not the exterior IP address? Are you using VirtualBox or a cloud provider for your instances, like AWS or GCE?
Regards,
0 -
Using GCE:
Definitely this interface is too slow and almost a waste of time. I wish LF moves to Slack, otherwise this is too slow and not so useful:
Here is my output:
esudbat@kube-master:~$ kubectl get svc nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx LoadBalancer 10.106.224.107 <pending> 80:30619/TCP 4d
esudbat@kube-master:~$ curl 104.196.99.153:30619
^C
esudbat@kube-master:~$ kubectl get svc nginx
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
nginx LoadBalancer 10.106.224.107 <pending> 80:30619/TCP 4d
esudbat@kube-master:~$ curl 10.106.224.107:8080
^C
esudbat@kube-master:~$ curl 10.106.224.107:80
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p><truncated>
esudbat@node1:~$ sudo iptables -A INPUT -p tcp --dport 30619 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
esudbat@node1:~$ sudo iptables -A OUTPUT -p tcp --sport 30619 -m conntrack --ctstate ESTABLISHED -j ACCEPT
esudbat@kube-master:~$ curl 104.196.99.153:30619
Keeps waiting - no response here....
LinuxFoundation Guide is not user-friendly.
0 -
Hi, I also use GCE for the labs in this course. I remember having a similar issue with the access from outside the cluster, and after a little bit of google-shooting I realized it was a GCE firewall issue. I added another firewall rule and after that I was able to complete the exercise. Hope this helps.
Good luck!
-Chris
0 -
Yes, I did that. I suppose you are referring to this link.
https://cloud.google.com/compute/docs/tutorials/basic-webserver-apache
And also tested using a different VM with a webserver, and that all works. But I still couldn't figure out the issue.
I tried flushing all the iptables rules, and it still doesn't work, strange. I think there is some firewall issue locally on the node VM, which I am unable to decipher.
0 -
Hello Sudeep,
Did you attempt to access the port using the loopback IP address? As Chris pointed out, GCE, which runs SDN on our behalf, has a firewall by default. One thing you may try is to log into the console and add a firewall rule to GCE that opens up all ports, from all source IP addresses. If the curl traffic works once you add the rule, you know it was the cause.
From your example, the 104.196.99.153 is your public IP address, which would indicate traffic would navigate through the Google SDN to get to your node. The firewall would not be inside the node, but inside Google's network.
Do you have a rule inside GCE which allows all traffic to your nodes?
Regards,
0 -
OK, I added an allow-all firewall rule to allow all traffic from 0.0.0.0/0, and now it did work. Thanks.
0 -
Glad to hear it Sudeep. Thanks for letting us know.
0 -
I am able to curl from within all the GCE network but the external access doesn't seem to be working.
esudbat@node1:~$ curl 35.231.45.60:30438
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
I tried the same rules on the GCE, allow-all, but strangely can't access from outside.
chrispokorni, can you confirm the rules you created in GCE? To allow all or a particular port.
0 -
For simplicity, I created a rule to allow all tcp traffic (rather than allowing a specific port), and only then I was able to access from the outside on the [nodeIP]:[nodePort], and I verified access on all running nodes.
-Chris
PS: The new rule I created was in the same project where my nodes were (in my case a custom project created only for the purpose of lfs258 where I run all the master/worker nodes)
0 -
Hello Sudeep,
If you have added an allow-all rule to GCE and still cannot gain access to your Pod, perhaps the block is not in GCE.
Like Chris, I had opened all ports from all source IPs. To test which rules are actually necessary I returned to the GCE firewall page and added only the port exposed by the service, or 30494 in my case. When I removed the all-traffic firewall rule, my request for the page timed out. When I added only tcp:30494 I was able to see the Welcome to nginx! page again. From this testing the only necessary rule is the particular port being exposed, which will change each time you run the kubectl expose command. Please note that it took about a minute for the rule to actually take effect after selecting the save button in the GCE console.
Could there be a corporate firewall or proxy which is blocking the high ports?
Regards,
0 -
The issue is definitely due to the corporate firewall. I tested it outside the corporate network and it worked.
0
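Added example, not part of any post in this thread: a shell sketch of the port-scoped approach from the later replies, which reads `kubectl get svc` text, extracts each NodePort, and prints (does not run) a GCE ingress rule limited to that port instead of allow-all. The source range 203.0.113.0/24, the target tag k8s-node and the rule-name scheme are assumptions; the sample listing is the one posted at the top of the thread.

```shell
#!/bin/sh
# Sample input: the service listing posted in the thread.
SAMPLE_SVC='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 40d
nginx LoadBalancer 10.106.224.107 <pending> 80:30619/TCP 26m'

# node_ports SERVICE
# Reads `kubectl get svc` text on stdin and prints one "proto:nodePort" per
# line. Returns non-zero if the service is absent or exposes no NodePort
# (for example a plain ClusterIP service, whose PORT(S) is just port/PROTO).
node_ports() {
  awk -v svc="$1" '
    $1 == svc {
      n = split($5, specs, ",")          # multi-port services are comma-separated
      for (i = 1; i <= n; i++) {
        # NodePort form is port:nodePort/PROTO, i.e. exactly three parts.
        if (split(specs[i], pp, "[:/]") == 3) {
          print tolower(pp[3]) ":" pp[2]
          found = 1
        }
      }
    }
    END { exit !found }'
}

# firewall_cmds SERVICE SOURCE_CIDR TARGET_TAG
# Prints one gcloud command per NodePort, scoped to a source range and to
# instances carrying TARGET_TAG. Rule name "allow-<svc>-<port>" is hypothetical.
firewall_cmds() {
  fc_ports=$(node_ports "$1") || { echo "no NodePort found for $1" >&2; return 1; }
  for fc_spec in $fc_ports; do
    echo "gcloud compute firewall-rules create allow-$1-${fc_spec#*:}" \
         "--direction=INGRESS --allow=${fc_spec} --source-ranges=$2 --target-tags=$3"
  done
}

# Demo with constructed values for the source range and tag.
printf '%s\n' "$SAMPLE_SVC" | firewall_cmds nginx 203.0.113.0/24 k8s-node
```

Because the NodePort changes each time the service is re-exposed, regenerate the rule from fresh `kubectl get svc` output and delete the old one rather than widening the range.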