
I have defined a new service with a ClusterIP.

[ciuffoly@master-node ~]$ kubectl get services
NAME         TYPE           CLUSTER-IP      EXTERNAL-IP     PORT(S)          AGE
kubernetes   ClusterIP      10.96.0.1       <none>          443/TCP          4d1h    
test-reg     ClusterIP      10.102.196.35   <none>          5000/TCP         58m
test-web     LoadBalancer   10.108.151.13   192.168.1.125   80:30001/TCP     73m

The pod is running on worker-node1, and I can connect to this server using the IP address plumbed on worker-node1's Ethernet interface.

[ciuffoly@worker-node1 ~]$ ip addr show|grep "192\.168\.1\."
inet 192.168.1.20/24 brd 192.168.1.255 scope global noprefixroute ens33

[ciuffoly@worker-node1 ~]$ telnet 192.168.1.20 5000    
Connected to 192.168.1.20.
Escape character is '^]'.
^]
telnet> q

[ciuffoly@master-node ~]$ telnet 192.168.1.20 5000
Connected to 192.168.1.20.
Escape character is '^]'.
^]
telnet> q

But I cannot connect to this service with the ClusterIP:

[ciuffoly@master-node ~]$ telnet 10.102.196.35 5000
Trying 10.102.196.35...
^C

Following the answers I have tested also NodePort but I still have the same problem.

[ciuffoly@master-node ~]$ kubectl get services|grep reg
test-reg     NodePort       10.111.117.116   <none>          5000:30030/TCP   5m41s

[ciuffoly@master-node ~]$ kubectl delete svc test-reg
service "test-reg" deleted
[ciuffoly@master-node ~]$ netstat -an|grep 30030

[ciuffoly@master-node ~]$ kubectl apply -f myreg.yaml
deployment.apps/test-reg unchanged
service/test-reg created
[ciuffoly@master-node ~]$ netstat -an|grep 30030
tcp        0      0 0.0.0.0:30030           0.0.0.0:*               LISTEN

This does not work

[ciuffoly@master-node ~]$ telnet master-node  30030
Trying 192.168.1.10...
^C

This works

[ciuffoly@master-node ~]$ telnet worker-node1  30030
Trying 192.168.1.20...
Connected to worker-node1.
Escape character is '^]'.
^]
telnet> q
Connection closed.
Wytrzymały Wiktor
  • ClusterIP is valid inside the cluster. So you need to get inside a Pod and use telnet to use that ClusterIP – Tarun Lalwani Apr 13 '21 at 09:00
  • https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types – Tarun Lalwani Apr 13 '21 at 09:14
  • OK, but is there a method to create a logical IP that I can connect to from the master and all the workers? I would like to use this for the local registry – andrea ciuffoli Apr 13 '21 at 09:17
  • I see you have a LoadBalancer service with an External IP attached. What is it attached to? Can you describe (kubectl describe resource-type resource-name) the service and the Pod you are trying to reach? – AndD Apr 13 '21 at 10:31
  • SOLVED: all problems have been solved by using Calico instead of Flannel – andrea ciuffoli Apr 14 '21 at 14:53

2 Answers


This is a community wiki answer posted for better visibility. Feel free to expand it.

As already confirmed by andrea ciuffoli, switching from Flannel to Calico solved the issue.

Flannel is a very simple overlay network that satisfies the Kubernetes requirements.

On the other hand, Calico is an open source networking and network security solution for containers, virtual machines, and native host-based workloads. Calico supports multiple data planes including: a pure Linux eBPF dataplane, a standard Linux networking dataplane, and a Windows HNS dataplane. Calico provides a full networking stack but can also be used in conjunction with cloud provider CNIs to provide network policy enforcement.

It's hard to say what the sole reason behind the final solution was, but you can find some details in Comparing Kubernetes CNI Providers: Flannel, Calico, Canal, and Weave.

Wytrzymały Wiktor

From the docs:

The service type ClusterIP exposes the Service on a cluster-internal IP. Choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.

So you can reach your ClusterIP service only from within your cluster. You could deploy a pod with telnet installed and test your setup from there.

If you want to connect from your host, you could use the service type NodePort.

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  type: NodePort
  selector:
    app: MyApp
  ports:
    - port: 80
      targetPort: 80
      nodePort: 30080

This way you could connect to the service via hostname:30080. The thing is that you can use any node hostname of your cluster.

chresse
  • now work! [ciuffoly@master-node ~]$ kubectl get services NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE test-reg NodePort 10.102.196.35 5000:30030/TCP 148m [ciuffoly@master-node ~]$ telnet 10.102.196.35 30030 Trying 10.102.196.35... ^C – andrea ciuffoli Apr 13 '21 at 10:13
  • Take into consideration that using NodePort is not resilient to node failure as much as using a LoadBalancer service. LoadBalancer services are the type of service to use if HA and resilience needs to come into play. – AndD Apr 13 '21 at 10:23
  • OK, but both NodePort and LoadBalancer do not work from master-node – andrea ciuffoli Apr 13 '21 at 10:25
  • @AndD that is correct. But in most onprem setups you don't have a LoadBalancer out of the box. – chresse Apr 13 '21 at 10:26
  • @andreaciuffoli: don't use the clusterIP for telnet on your host. Use the hostname or the nodes IP. e.g. `telnet master-node 30080` (or which port you are using...) – chresse Apr 13 '21 at 10:28
  • [ciuffoly@master-node ~]$ telnet master-node 30030 Trying 192.168.1.10... not run! – andrea ciuffoli Apr 13 '21 at 10:29
  • [ciuffoly@master-node ~]$ netstat -an|grep 30030 tcp 0 0 0.0.0.0:30030 0.0.0.0:* LISTEN – andrea ciuffoli Apr 13 '21 at 10:37
  • @andreaciuffoli using it directly from the own host seems not to work (https://github.com/kubernetes/kubernetes/issues/67730#issuecomment-818575890) or takes sometimes very long (>1min). What is your usecase? Maybe we can find another solution. Inside your k8s cluster network your service will be reachable via the service name. – chresse Apr 13 '21 at 11:51
  • I would like to create a service for the local registry to use for Docker images, so master-node and the worker-nodes should connect to the registry in the pod. – andrea ciuffoli Apr 13 '21 at 13:47
  • sorry, but I don't understand what you mean – chresse Apr 13 '21 at 14:03
  • I would like to have a local registry for my custom Docker images instead of using https://hub.docker.com/repository – andrea ciuffoli Apr 13 '21 at 14:13
  • You could deploy your registry in Kubernetes (which can lead to a chicken-and-egg problem) with an Ingress placed in front of it. Then you could pull and push the images from outside (and inside) your cluster. Or you can deploy the registry in a dedicated environment. But this is probably not the focus of this question – chresse Apr 13 '21 at 14:24
  • Today I have tested also with Ingress, and same result: the master-node cannot contact the virtual IP created by the Ingress, just like the LoadBalancer configuration – andrea ciuffoli Apr 13 '21 at 17:31
  • SOLVED: all problems have been solved by using Calico instead of Flannel – andrea ciuffoli Apr 14 '21 at 14:52
  • Good to hear that. Please provide a separate answer explaining the actions taken in order to solve your issue or edit the one above with the same info – Wytrzymały Wiktor Apr 15 '21 at 08:34
  • Also with Calico it is necessary to close the firewall to run without problems. I have read about strange packets that are blocked by iptables, but there is no solution for this. – andrea ciuffoli Apr 22 '21 at 14:54
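Added diagnostic example (not code from the question or from either answer) that separates the two layers this thread runs together: whether kube-proxy has programmed the ClusterIP on the node at all (the iptables nat rules every node carries; kube-proxy on master-node was clearly running, since it was holding NodePort 30030 open), and whether the node can actually reach the pod IP behind the DNAT (the CNI overlay and the host firewall, which is where the Flannel-to-Calico switch and the firewall remark in the last comment apply). It assumes kube-proxy in iptables mode; the chain hashes, the pod IP 10.244.1.5 and the service name in the embedded iptables-save sample are constructed for illustration, as are the verdict strings.

```python
"""Diagnose a ClusterIP service from a node: is it programmed by kube-proxy here,
and can this node reach the pod endpoints behind it?

Added example for this thread, not code from the question or the answers.
Assumption: kube-proxy in iptables mode, i.e. the nat table carries
KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* chains. Hashes and pod IP below are made up."""
import re
import socket
import subprocess
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample of `iptables-save -t nat` output (chain hashes, pod IP are invented).
SAMPLE_IPTABLES_SAVE = """\
*nat
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLE0TESTREG - [0:0]
:KUBE-SEP-EXAMPLE0POD0001 - [0:0]
-A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.102.196.35/32 -p tcp -m comment --comment "default/test-reg cluster IP" -m tcp --dport 5000 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.102.196.35/32 -p tcp -m comment --comment "default/test-reg cluster IP" -m tcp --dport 5000 -j KUBE-SVC-EXAMPLE0TESTREG
-A KUBE-SVC-EXAMPLE0TESTREG -m comment --comment "default/test-reg" -j KUBE-SEP-EXAMPLE0POD0001
-A KUBE-SEP-EXAMPLE0POD0001 -p tcp -m comment --comment "default/test-reg" -m tcp -j DNAT --to-destination 10.244.1.5:5000
COMMIT
"""

# ClusterIP:port -> service chain; service chain -> endpoint chains; endpoint chain -> pod DNAT.
SVC_RE = re.compile(r"^-A KUBE-SERVICES .*-d (?P<ip>[\d.]+)/32 .*--dport (?P<port>\d+) .*-j (?P<chain>KUBE-SVC-\S+)")
JUMP_RE = re.compile(r"^-A (?P<chain>\S+) .*-j (?P<target>KUBE-SEP-\S+)")
DNAT_RE = re.compile(r"^-A (?P<chain>\S+) .*-j DNAT --to-destination (?P<ip>[\d.]+):(?P<port>\d+)")

Endpoint = Tuple[str, int]


def find_endpoints(iptables_save: str, cluster_ip: str, port: int) -> Tuple[Optional[str], List[Endpoint]]:
    """Walk KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* for cluster_ip:port.
    Returns (service chain, [(pod_ip, pod_port), ...]); the chain is None when
    kube-proxy has no rule for that ClusterIP:port on this node."""
    svc_chain: Optional[str] = None
    jumps: Dict[str, List[str]] = {}
    dnats: Dict[str, Endpoint] = {}
    for line in iptables_save.splitlines():
        m = SVC_RE.match(line)
        if m and m["ip"] == cluster_ip and int(m["port"]) == port:
            svc_chain = m["chain"]
            continue
        m = JUMP_RE.match(line)
        if m:
            jumps.setdefault(m["chain"], []).append(m["target"])
            continue
        m = DNAT_RE.match(line)
        if m:
            dnats[m["chain"]] = (m["ip"], int(m["port"]))
    if svc_chain is None:
        return None, []
    return svc_chain, [dnats[sep] for sep in jumps.get(svc_chain, []) if sep in dnats]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake completes within timeout. A timeout (rather than
    a refusal) is the 'Trying ...' hang seen in the question."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(iptables_save: str, cluster_ip: str, port: int,
             probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, object]:
    """Probe the ClusterIP and each pod endpoint directly and attribute the failure layer."""
    chain, endpoints = find_endpoints(iptables_save, cluster_ip, port)
    cluster_ip_ok = probe(cluster_ip, port) if chain else None
    endpoint_ok = {f"{ip}:{p}": probe(ip, p) for ip, p in endpoints}
    if chain is None:
        verdict = "kube-proxy has not programmed this service on this node"
    elif not endpoints:
        verdict = "service has no ready endpoints (check the pod and the selector)"
    elif cluster_ip_ok:
        verdict = "ClusterIP works from this node"
    elif any(endpoint_ok.values()):
        verdict = "pod reachable but ClusterIP DNAT path fails (kube-proxy/iptables on this node)"
    else:
        verdict = "pod IP unreachable: CNI overlay or host firewall between this node and the pod network"
    return {"svc_chain": chain, "endpoints": endpoints, "cluster_ip_ok": cluster_ip_ok,
            "endpoint_ok": endpoint_ok, "verdict": verdict}


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} CLUSTER_IP PORT   (runs `iptables-save -t nat`, needs root)", file=sys.stderr)
        return 2
    dump = subprocess.run(["iptables-save", "-t", "nat"], check=True, capture_output=True, text=True).stdout
    report = diagnose(dump, argv[1], int(argv[2]))
    for key, value in report.items():
        print(f"{key}: {value}")
    return 0 if report["cluster_ip_ok"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the node that fails (for this thread, master-node with 10.102.196.35 5000). If the service chain is present but both the ClusterIP and the pod IP hang, kube-proxy is doing its job and the problem is the node-to-pod path: the CNI overlay and whatever the host firewall does to its encapsulated traffic. Flannel's default VXLAN backend needs UDP/8472 open between nodes; Calico's default needs TCP/179 (BGP) and IP protocol 4 (IP-in-IP), so "closing the firewall" as in the last comment is really a matter of opening those specific ports rather than disabling it.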