
I created a K8s cluster via Terraform in OCI (Oracle Cloud), and I encounter the following problem.

a) From a single pod I can't access the internet by name, e.g.

   # nslookup google.de
   nslookup: can't resolve '(null)': Name does not resolve
   nslookup: can't resolve 'google.de': Try again

However, I can reach the internet via IP:

   / # ping 8.8.8.8
   PING 8.8.8.8 (8.8.8.8): 56 data bytes
   64 bytes from 8.8.8.8: seq=0 ttl=119 time=1.950 ms

b) I can request services in another pod only when that pod is on the same node as the requesting pod, e.g.

   # wget 10.244.0.19:9376 --> success when on the same node
   # wget 10.244.0.18:9376 --> failed because it is on another node

How can I debug the error?

I looked at https://kubernetes.io/docs/tasks/debug-application-cluster/debug-service/ and already hit the problem in the first step. How do I continue?

(I also found https://www.jeffgeerling.com/blog/2019/debugging-networking-issues-multi-node-kubernetes-on-virtualbox, and from the outside it looked similar. However, I'm not in a VM environment.)

What I did was: I updated all worker nodes to the current OS software (Oracle Linux).

Best regards Thomas

  • Most probably this is due to nftables, which is not supported by some k8s CNIs. Try this: https://stackoverflow.com/questions/65836764/kubernetes-ingress-second-node-port-is-not-responding/65862994#65862994 – Matt Feb 04 '21 at 12:48
  • OCI uses flannel as standard. `kubectl get pods -n kube-system` shows me three kube-flannel-ds-xxxx containers. However, I will read your link. – Thomas Seehofchen Feb 04 '21 at 13:00
  • I'd like to add some explanation about nftables. Many Linux distros historically use iptables. But the new Red Hat 8, CentOS 8 and some others use nftables and make iptables deprecated. Many k8s CNIs don't support nftables yet. But this is only my best guess so far, based on your observations. – Matt Feb 04 '21 at 13:07
  • My k8s uses Oracle Linux 7, not Oracle Linux 8. And Oracle Linux 7 still uses iptables, I think; I looked at https://support.oracle.com/knowledge/Oracle%20Linux%20and%20Virtualization/2570019_1.html – Thomas Seehofchen Feb 04 '21 at 13:25
  • "flannel uses UDP port 8285 for sending encapsulated IP packets. Make sure to enable this traffic to pass between the hosts. If you find that you can't ping containers across hosts, this port is probably not open." https://coreos.com/flannel/docs/latest/flannel-config.html#firewall – Matt Feb 04 '21 at 13:39
  • I have an egress rule: destination 0.0.0.0/0, protocol UDP, src-port-range All, destination-port-range 8285, stateless=no. Is this okay? – Thomas Seehofchen Feb 04 '21 at 13:59
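The two symptoms in the question are consistent with one cause: CoreDNS runs as pods, so name resolution from a pod depends on cross-node pod traffic whenever the CoreDNS pods sit on a different node than the pod doing the lookup. Which UDP port flannel needs open between nodes depends on its backend (the flannel docs give 8285 for the udp backend and 8472 for vxlan), and an egress rule on its own is not enough: the worker subnet's security list also has to admit that port on ingress. The script below is an added example, not code from the question, the comments or OCI; it assumes (my assumptions, not stated on the page) that flannel's settings live in the kube-flannel-cfg ConfigMap in kube-system, that CoreDNS carries the usual k8s-app=kube-dns label, and that the rule-list format read by rules_cover_port is a constructed one, not OCI's export format.

```shell
#!/bin/sh
# Added example, not code from the original question or its comments.
# Assumptions (mine, not stated on the page): flannel's settings live in the
# kube-flannel-cfg ConfigMap in kube-system, CoreDNS pods carry the label
# k8s-app=kube-dns, and the rule list read by rules_cover_port is a
# constructed format, not an OCI export.

# UDP port flannel needs open between nodes, taken from the flannel docs:
# the udp backend uses 8285, vxlan uses 8472, host-gw encapsulates nothing
# and instead needs direct L3 routing between the nodes.
flannel_udp_port() {
  case "$1" in
    udp)     echo 8285 ;;
    vxlan)   echo 8472 ;;
    host-gw) echo none ;;
    *)       echo unknown; return 1 ;;
  esac
}

# Backend type from flannel's net-conf.json on stdin (sed only, no jq).
backend_from_netconf() {
  sed -n 's/.*"Type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Check a rule list on stdin, one rule per line as "DIRECTION PROTO PORT"
# (PORT is a number or "all"; constructed format), for the flannel port.
# A stateful egress rule alone is not enough: the worker subnet must also
# admit the packets with an ingress rule, so both directions are required.
# Prints ok, missing-ingress, missing-egress or missing-both.
rules_cover_port() {
  port=$1; have_in=0; have_out=0
  while read -r dir proto p; do
    [ "$proto" = udp ] || [ "$proto" = all ] || continue
    [ "$p" = all ] || [ "$p" = "$port" ] || continue
    case "$dir" in
      ingress) have_in=1 ;;
      egress)  have_out=1 ;;
    esac
  done
  if [ "$have_in" = 1 ] && [ "$have_out" = 1 ]; then echo ok
  elif [ "$have_out" = 1 ]; then echo missing-ingress
  elif [ "$have_in" = 1 ]; then echo missing-egress
  else echo missing-both; fi
}

# Live checks from a machine with kubectl. Nothing below runs when the file
# is only sourced; call the functions explicitly.
cluster_checks() {
  netconf=$(kubectl -n kube-system get configmap kube-flannel-cfg \
              -o jsonpath='{.data.net-conf\.json}')
  backend=$(printf '%s\n' "$netconf" | backend_from_netconf)
  echo "flannel backend: $backend, UDP port between nodes: $(flannel_udp_port "$backend")"
  # CoreDNS runs as pods; if they are all on another node, the failed
  # nslookup is the same cross-node problem as the failed wget.
  kubectl -n kube-system get pods -l k8s-app=kube-dns -o wide
  kubectl -n kube-system get endpoints kube-dns
}

# Live checks on a worker node (argument: backend type). Run a cross-node
# wget from a pod while tcpdump is listening: encapsulated packets that never
# arrive point at the VCN security list or a host firewall, packets that
# arrive but get no reply point at forwarding on the node itself.
node_checks() {
  port=$(flannel_udp_port "$1")
  ip route | grep flannel                   # one route per remote node's pod CIDR
  sysctl net.bridge.bridge-nf-call-iptables # should be 1 (needs br_netfilter)
  iptables -S FORWARD | head -n 3           # policy DROP with no ACCEPT rules breaks pod traffic
  [ "$port" = none ] || timeout 10 tcpdump -ni any "udp port $port" -c 5
}
```

Source the file and call `cluster_checks` from wherever kubectl works, then `node_checks vxlan` (or whatever backend the first call printed) on the worker that owns the destination pod. To separate DNS from transport, take the CoreDNS pod IPs from `kubectl -n kube-system get endpoints kube-dns` and run `nslookup google.de <coredns-pod-ip>` inside the failing pod against each one: if lookups succeed only against a CoreDNS pod on the same node, the DNS symptom is just the cross-node symptom seen through a different port.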
