Can't connect to Kubernetes Deployment (App) when using the MetalLB load balancer. Attempting to configure floating IP so when one node fails and the workload moves across, I still know what the IP is when on the new node with new address.
Deployed:
- Raspbian on 4x Raspberry Pi 4s
- Enabled promiscuous mode on the ethernet ports
- Docker + Kubernetes
- CNI - Weave (set NO_MASQ_LOCAL = 1). [I have also set this up with Flannel with the same outcome]
- NGINX docker image
- MetalLB with Layer2 (Node network is 192.168.0.0/24, YAML for MetalLB has a small subnet allocated for the VIP 192.168.0.240/28)
Verified:
- Deployment (NGINX) works on CNI IP (10.44.0.1:80). Verified with curl to container IP from node hosting container.
- Deployment (NGINX) works on Nodeport using node IP (192.168.0.102). Verified with curl to node from laptop.
Deployment .yaml
metallb.yaml
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: metallb-system
  name: config
data:
  config: |
    address-pools:
    - name: my-ip-space
      protocol: layer2
      addresses:
      - 192.168.0.240/28
```
nginx.yaml
```yaml
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1
        ports:
        - name: http
          containerPort: 80
```
nginx-service-lb.yaml
```yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    app: nginx
  type: LoadBalancer
  ports:
  - port: 80
    name: http
    protocol: TCP
    targetPort: 80
```
Results
I think this works:
- ARP requests to the VIP from the laptop are, I believe, working; the MAC address of the node hosting the container appears.
Doesn't work:
- I deploy the load balancer, which allocates a VIP 192.168.0.240 and port X, but when I try to connect to this from the worker node or my laptop it is unsuccessful. My laptop IP is in the same network. The node that this VIP is on can't perform the curl request either.
- I attempted making the loadbalancing subnet the /32 of the node with the deployment to see if it was an IP or ARP issue. When doing that I'm able to verify that the port allocated by MetalLB is open, but no response. This was done from my laptop.
Results from laptop
```
~ user$ curl 192.168.0.102:31854
curl: (7) Failed to connect to 192.168.0.102 port 31854: Connection refused
```
ARP request from laptop (.102 is the node, .240 is the VIP allocated by MetalLB)
```
~ user$ arp 192.168.0.102
? (192.168.0.102) at dc:a6:32:b:fc:d on en0 ifscope [ethernet]
~ user$ arp 192.168.0.240
? (192.168.0.240) at dc:a6:32:b:fc:d on en0 ifscope [ethernet]
```