Welcome to the Linux Foundation Forum!

Lab 8.1 routing issue

Hi all,
I deployed and exposed nginx-one, the pods landed on my second node (kube-worker-01) as expected

[email protected]:~/labs/8.1-service$ kubectl -n accounting describe pod nginx-one-755bd7c7d5-kq777
Name:         nginx-one-755bd7c7d5-kq777
Namespace:    accounting
Priority:     0
Node:         kube-worker-01/10.20.0.5
Start Time:   Thu, 28 May 2020 19:43:19 +0000
Labels:       pod-template-hash=755bd7c7d5
              system=secondary
Annotations:  cni.projectcalico.org/podIP: 192.168.188.187/32
              cni.projectcalico.org/podIPs: 192.168.188.187/32
Status:       Running
IP:           192.168.188.187

However, curl from the control node does not work (since there is no route)

[email protected]:~/labs/8.1-service$ curl 192.168.188.187:80
curl: (7) Failed to connect to 192.168.188.187 port 80: Connection refused

route -n
192.168.84.129  0.0.0.0         255.255.255.255 UH    0      0        0 cali8f6751be4be
192.168.84.130  0.0.0.0         255.255.255.255 UH    0      0        0 cali99d95d831c3
192.168.84.131  0.0.0.0         255.255.255.255 UH    0      0        0 calid152b729a3f

The pod itself if fine, I can curl it from the second node where it resides

[email protected]:~$ curl 192.168.188.187:80
<!DOCTYPE html>
<html>

I would expect calico to handle inter-node communication via tunl0 interfaces, correct ?

Thanks and regards

Piotrek Z

Comments

  • chrispokorni
    chrispokorni Posts: 1,284

    Hi Piotrek,

    Your situation is consistently reported in the forum, and it reflects the cluster's inability to route traffic between nodes, typically because of a firewall that is blocking specific ports. When there is an infrastructure firewall and/or even an OS firewall, Kubernetes will not be able to go around it. Kubernetes does not manage the infrastructure on your behalf, it only uses it as-is.

    I would recommend revisiting your firewall rules. At the infrastructure level allow all ingress traffic from all sources, all protocols, to all ports, and at the nodes' OS level disable any firewall you may have running.

    Regards,
    -Chris

Categories

Upcoming Training