Kilo on RKE cluster: non-master PODs CANNOT access the kube-apiserver endpoint #218
Comments
Maybe it is not related, but some things seem odd to me. EDIT: If you still want to encrypt all traffic, use
Hmm, the funny thing here is that your private IPs are being used as the public endpoints for WireGuard. This creates some tricky situations. The problem here (I think) is that the master node is dropping martian packets. Imagine the following situation:
This is all a funny side effect of the reuse of the private IPs in the cluster as public endpoints.
I wonder if there's a nicer way we could deal with this in Kilo to enable fully private clusters @leonnicolas
Also, can you share the logs from the Kilo pod on master? Ideally with debug log level :))
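The martian-packet drop described in the comment above, as an added illustration that is not part of this thread or of Kilo's own code: it emulates the kernel's reverse-path filter (net.ipv4.conf.<dev>.rp_filter) against a constructed routing table for the master node. The pod CIDRs, interface names and the assumption that node-1 reaches the master's private IP over eth0 rather than through the tunnel are all assumed here, not taken from the issue.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (prefix, egress device)

# Constructed routing table for the master node (assumed values, not from the issue).
# The node LAN sits on eth0; the pod CIDRs of the other Kilo nodes are reachable
# only through the WireGuard interface kilo0.
MASTER_ROUTES: List[Route] = [
    ("0.0.0.0/0", "eth0"),        # default route via the LAN gateway
    ("172.25.132.0/24", "eth0"),  # node LAN; these private IPs double as WireGuard endpoints
    ("10.4.0.0/24", "cni0"),      # master's own pod CIDR (assumed)
    ("10.4.1.0/24", "kilo0"),     # pod CIDR of node-1 (assumed)
    ("10.4.2.0/24", "kilo0"),     # pod CIDR of node-2 (assumed)
]

def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the device the kernel would send traffic for dst out of."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, dev in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None

def reverse_path_check(routes: List[Route], src: str, in_dev: str, rp_filter: int = 1) -> Tuple[bool, str]:
    """Emulate rp_filter for a packet from src arriving on in_dev.
    0 = off; 1 = strict (best route back to src must leave via in_dev); 2 = loose
    (any route back to src is enough). A failed check is a martian packet and is dropped."""
    if rp_filter == 0:
        return True, "rp_filter disabled"
    back = lookup(routes, src)
    if back is None:
        return False, f"no route back to {src}: martian"
    if rp_filter == 2 or back == in_dev:
        return True, f"reverse path via {back}"
    return False, f"reverse path via {back}, but packet arrived on {in_dev}: martian"

if __name__ == "__main__":
    # A pod on node-1 (assumed address 10.4.1.5) talks to the apiserver endpoint
    # 172.25.132.35:6443. Because that endpoint is on the node LAN, node-1 sends the
    # packet out of eth0 rather than through the tunnel, so the master sees a pod
    # source address on eth0 although its route back to that pod CIDR points at kilo0.
    for in_dev in ("eth0", "kilo0"):
        ok, why = reverse_path_check(MASTER_ROUTES, "10.4.1.5", in_dev)
        print(f"src 10.4.1.5 in on {in_dev}: {'accept' if ok else 'drop'} ({why})")
```

On a real node the same check can be read from `sysctl net.ipv4.conf.all.rp_filter` and, with `log_martians=1`, the dropped packets show up in the kernel log.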
@squat I appreciate your detailed response, yes, you're right, we are using:
The idea was to cover all internal RKE nodes by VPN connections + add custom external peers. The configuration above is related to the following location settings:
In that case, I was able to see already working VPN connections between the nodes, and only one minor thing (kube-api access from non-master POD) spoiled all the stuff :)
Let me share another bunch of data for other cases:
Service discovery is not working, I CANNOT access any POD because , details below:
foundation-musanin-master configuration:
foundation-musanin-node-1 configuration:
foundation-musanin-node-2 configuration:
LOGS:
Hi @squat, I strongly believe in your project and hope you could help me with the final issue...
I have successfully installed Kilo on my RKE cluster as a CNI: master-node has access to the kube-apiserver endpoint, but I have caught another issue: PODs in the non-master nodes CANNOT access kube-apiserver (kubernetes.default -> 10.45.0.1:443 -> 172.25.132.35:6443). It is critical for k8s operators like Istio, Prometheus, Infinispan, etc. and I got stuck with that...
I guess something wrong with network routing (KILO-NAT, KILO-IPIP iptables).
Please check my k8s configuration, test PODs, and iptables of master-node and node-1, probably you might find a reason:
kubectl get nodes -o wide
kubectl get pods --all-namespaces -o wide
kubectl get service --all-namespaces -o wide
kubectl get endpoints --all-namespaces -o wide
echoserver POD is accessible from all nodes but kube-apiserver API is accessible only from MASTER POD !!!
below network settings of master-node (foundation-musanin-master)
sudo iptables-save > ~/temp/20210720_iptables_master
sudo ifconfig
sudo ip a
sudo ip r
sudo wg
below network settings of node-1 (foundation-musanin-node-1)
sudo iptables-save > ~/temp/20210720_iptables_node1
sudo ifconfig
sudo ip a
sudo ip r
sudo wg
kgctl graph
I got stuck with iptables routing and it is unclear how to set up access from node-1 (foundation-musanin-node-1) to kube-apiserver (kubernetes.default -> 10.45.0.1:443 -> 172.25.132.35:6443)
Hope for your help.
Thanks in advance,
Vladimir.