2016-03-02 18 views
6

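I have installed Kubernetes on bare metal/Ubuntu. I am on commit 6b649d7f9f2b09ca8b0dd8c0d3e14dcb255432d1 in git. I used cd kubernetes/cluster; KUBERNETES_PROVIDER=ubuntu ./kube-up.sh followed by cd kubernetes/cluster/ubuntu; ./deployAddons.sh to start the cluster. Everything went well and the cluster came up.

Cannot ping ClusterIP from inside a pod and DNS does not work for external domains such as google.com

My /ubuntu/config-default.sh is as follows: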

# Define all your cluster nodes, MASTER node comes first" 
# And separated with blank space like <[email protected]_1> <[email protected]_2> <[email protected]_3> 
export nodes=${nodes:-"[email protected] [email protected]"} 

# Define all your nodes role: a(master) or i(minion) or ai(both master and minion), must be the order same 
role=${role:-"ai i"} 
# If it practically impossible to set an array as an environment variable 
# from a script, so assume variable is a string then convert it to an array 
export roles=($role) 

# Define minion numbers 
export NUM_NODES=${NUM_NODES:-2} 
# define the IP range used for service cluster IPs. 
# according to rfc 1918 ref: https://tools.ietf.org/html/rfc1918 choose a private ip range here. 
export SERVICE_CLUSTER_IP_RANGE=${SERVICE_CLUSTER_IP_RANGE:-192.168.3.0/24} # formerly PORTAL_NET 
# define the IP range used for flannel overlay network, should not conflict with above SERVICE_CLUSTER_IP_RANGE 
export FLANNEL_NET=${FLANNEL_NET:-172.16.0.0/16} 

# Optionally add other contents to the Flannel configuration JSON 
# object normally stored in etcd as /coreos.com/network/config. Use 
# JSON syntax suitable for insertion into a JSON object constructor 
# after other field name:value pairs. For example: 
# FLANNEL_OTHER_NET_CONFIG=', "SubnetMin": "172.16.10.0", "SubnetMax": "172.16.90.0"' 

export FLANNEL_OTHER_NET_CONFIG 
FLANNEL_OTHER_NET_CONFIG='' 

# Admission Controllers to invoke prior to persisting objects in cluster 
export ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota,SecurityContextDeny 

# Path to the config file or directory of files of kubelet 
export KUBELET_CONFIG=${KUBELET_CONFIG:-""} 

# A port range to reserve for services with NodePort visibility 
SERVICE_NODE_PORT_RANGE=${SERVICE_NODE_PORT_RANGE:-"30000-32767"} 

# Optional: Enable node logging. 
ENABLE_NODE_LOGGING=false 
LOGGING_DESTINATION=${LOGGING_DESTINATION:-elasticsearch} 

# Optional: When set to true, Elasticsearch and Kibana will be setup as part of the cluster bring up. 
ENABLE_CLUSTER_LOGGING=false 
ELASTICSEARCH_LOGGING_REPLICAS=${ELASTICSEARCH_LOGGING_REPLICAS:-1} 

# Optional: When set to true, heapster, Influxdb and Grafana will be setup as part of the cluster bring up. 
ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-true}" 

# Extra options to set on the Docker command line. This is useful for setting 
# --insecure-registry for local registries. 
DOCKER_OPTS=${DOCKER_OPTS:-""} 

# Extra options to set on the kube-proxy command line. This is useful 
# for selecting the iptables proxy-mode, for example. 
KUBE_PROXY_EXTRA_OPTS=${KUBE_PROXY_EXTRA_OPTS:-""} 

# Optional: Install cluster DNS. 
ENABLE_CLUSTER_DNS="${KUBE_ENABLE_CLUSTER_DNS:-true}" 
# DNS_SERVER_IP must be a IP in SERVICE_CLUSTER_IP_RANGE 
DNS_SERVER_IP=${DNS_SERVER_IP:-"192.168.3.10"} 
DNS_DOMAIN=${DNS_DOMAIN:-"cluster.local"} 
DNS_REPLICAS=${DNS_REPLICAS:-1} 

# Optional: Install Kubernetes UI 
ENABLE_CLUSTER_UI="${KUBE_ENABLE_CLUSTER_UI:-true}" 

# Optional: Enable setting flags for kube-apiserver to turn on behavior in active-dev 
RUNTIME_CONFIG="--basic-auth-file=password.csv" 

# Optional: Add http or https proxy when download easy-rsa. 
# Add environment variable separated with blank space like "http_proxy=http://10.x.x.x:8080 https_proxy=https://10.x.x.x:8443" 
PROXY_SETTING=${PROXY_SETTING:-""} 

DEBUG=${DEBUG:-"false"} 

Then, I created a pod with the following YML file:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80

and a service with the following YML:

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  ports:
  - port: 8000
    targetPort: 80
    protocol: TCP
  selector:
    app: nginx
  type: NodePort

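Then I entered the started container using docker exec -it [CONTAINER_ID] bash. There are two main problems:

  1. I cannot ping external domains such as google.com, but I can ping external IPs such as 8.8.8.8. So the container has Internet access.
  2. Internal services resolve to the correct internal cluster IP, but I cannot ping that IP from inside the container.

The host's /etc/resolve.conf file is as follows: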

nameserver 8.8.8.8 
nameserver 127.0.1.1 

The container's /etc/resolve.conf file is as follows:

search default.svc.cluster.local svc.cluster.local cluster.local 
nameserver 192.168.3.10 
nameserver 8.8.8.8 
nameserver 127.0.1.1 
options ndots:5 

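Regarding the first problem, I think it could be related to either a misconfiguration of the SkyDNS nameservers or a custom configuration that I have to do but am not aware of.

However, I have no idea why the container cannot ping the ClusterIP.

Any workarounds?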

+1

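It turns out that traffic routing is done using 'iptables' based on '(ip, port)' pairs. So the virtual IP is not pingable, but it can be reached on specific ports. The DNS problem still exists. –

Answers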

0

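I found a workaround. The command-line arguments section of the SkyDNS documentation, and specifically the "nameservers" argument, implies that:

nameservers: forward DNS requests to these (recursive) nameservers (array of IP:port combination), when not authoritative for a domain. This defaults to the servers listed in /etc/resolv.conf

But it does not! To fix this, the dns addon replication controller configuration file (cluster/addons/dns/skydns-rc.yaml.in) should be changed to include the nameservers configuration. I changed the skydns container section as follows and it worked like a charm.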

- name: skydns
  image: gcr.io/google_containers/skydns:2015-10-13-8c72f8c
  resources:
    # keep request = limit to keep this container in guaranteed class
    limits:
      cpu: 100m
      memory: 50Mi
    requests:
      cpu: 100m
      memory: 50Mi
  args:
  # command = "/skydns"
  - -machines=http://127.0.0.1:4001
  - -addr=0.0.0.0:53
  - -nameservers=8.8.8.8:53
  - -ns-rotate=false
  - -domain={{ pillar['dns_domain'] }}.
  ports:
  - containerPort: 53
    name: dns
    protocol: UDP
  - containerPort: 53
    name: dns-tcp
    protocol: TCP
  livenessProbe:
    httpGet:
      path: /healthz
      port: 8080
      scheme: HTTP
    initialDelaySeconds: 30
    timeoutSeconds: 5
  readinessProbe:
    httpGet:
      path: /healthz
      port: 8080
      scheme: HTTP
    initialDelaySeconds: 1
    timeoutSeconds: 5
+1

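The new version (now called kube-dns) apparently no longer supports the nameservers option. Still trying to figure out how to get kube-dns to forward to upstream nameservers – mrvulcan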

+0

I ran into the same problem with current kubernetes and kube-dns. – verdverm
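
An added example (not part of the original answer or of Kubernetes): the container's /etc/resolve.conf from the question, run through a simplified model of the glibc stub resolver's search-list and ndots rule, shows that every lookup for google.com is sent to the cluster DNS at 192.168.3.10 first, which is why the forwarding setting in the answer matters. The function names are hypothetical, and the model ignores timeouts and retries.

```python
# Container resolver configuration, copied from the question.
SAMPLE_RESOLV_CONF = """\
search default.svc.cluster.local svc.cluster.local cluster.local
nameserver 192.168.3.10
nameserver 8.8.8.8
nameserver 127.0.1.1
options ndots:5
"""

MAXNS = 3  # glibc uses at most three nameserver entries


def parse_resolv_conf(text):
    """Return (nameservers, search_domains, ndots) from resolv.conf text."""
    nameservers, search, ndots = [], [], 1  # ndots defaults to 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "search":
            search = values  # the last "search" line wins
        elif key == "options":
            for opt in values:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers[:MAXNS], search, ndots


def candidate_queries(name, search, ndots):
    """Names the stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]  # already fully qualified: search list is skipped
    expanded = [f"{name}.{domain}." for domain in search]
    absolute = [name + "."]
    # Fewer dots than ndots: search list first, the name as given last.
    if name.count(".") < ndots:
        return expanded + absolute
    return absolute + expanded


def first_hop(text, name):
    """Nameserver that is asked first, plus the ordered query names."""
    nameservers, search, ndots = parse_resolv_conf(text)
    return nameservers[0], candidate_queries(name, search, ndots)


if __name__ == "__main__":
    server, queries = first_hop(SAMPLE_RESOLV_CONF, "google.com")
    print("first nameserver:", server)
    print("\n".join(queries))
```
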

-1

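I can answer your ping clusterIP question. I ran into the same problem, wanting to ping a service's cluster IP from a Pod.

The resolution seems to be that the cluster IP cannot be pinged, but the endpoint can be accessed using curl with the port.

I am just struggling to find details about pinging the virtual IP.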
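
An added example (not part of the original posts): a small parser for `iptables-save`-style output that shows why a rule keyed on destination IP, protocol and port forwards TCP to the service port but leaves ICMP echo to the same ClusterIP unmatched. The rule lines are constructed in the style of kube-proxy's iptables mode; the ClusterIP 192.168.3.50, the chain suffixes and the function names are placeholders.

```python
import shlex

# Constructed sample rules; 192.168.3.50 and the KUBE-SVC-* suffixes are
# placeholders, not values from the page.
SAMPLE_RULES = """\
-A KUBE-SERVICES -d 192.168.3.50/32 -p tcp -m comment --comment "default/nginx-service: cluster IP" -m tcp --dport 8000 -j KUBE-SVC-PLACEHOLDER1
-A KUBE-SERVICES -d 192.168.3.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-PLACEHOLDER2
-A KUBE-SERVICES -d 192.168.3.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-PLACEHOLDER3
"""

WANTED = ("-d", "-p", "--dport", "-j")


def parse_service_rules(text):
    """Extract (ip, proto, port, target) from '-A KUBE-SERVICES' lines."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps the quoted --comment as one token
        if tokens[:2] != ["-A", "KUBE-SERVICES"]:
            continue
        opts = {}
        # Walk adjacent token pairs and keep the flag/value pairs we need.
        for flag, value in zip(tokens[2:], tokens[3:]):
            if flag in WANTED:
                opts[flag] = value
        if set(WANTED) <= opts.keys():
            rules.append((opts["-d"].split("/")[0], opts["-p"],
                          int(opts["--dport"]), opts["-j"]))
    return rules


def match(rules, dst_ip, proto, port=None):
    """Return the jump target for a packet, or None if no rule matches."""
    for ip, rule_proto, rule_port, target in rules:
        if (ip, rule_proto, rule_port) == (dst_ip, proto, port):
            return target
    return None


if __name__ == "__main__":
    rules = parse_service_rules(SAMPLE_RULES)
    print("tcp/8000:", match(rules, "192.168.3.50", "tcp", 8000))
    print("icmp    :", match(rules, "192.168.3.50", "icmp"))
```
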
