首先这里是一些背景信息,尽管它可能与问题无关。
我正在学习 Kubernetes,并设置了一个集群,pi-hole 在其中作为服务运行。我可以从 LAN 上另一台计算机上运行的浏览器访问管理控制台。
以下是服务内容:
$ sudo kubectl get services --all-namespaces -o wide
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
default kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 70m <none>
kube-system kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 70m k8s-app=kube-dns
kube-system metrics-server ClusterIP 10.43.78.148 <none> 443/TCP 69m k8s-app=metrics-server
pihole pihole-dhcp NodePort 10.43.41.144 <none> 67:31097/UDP 69m app=pihole,release=pihole
pihole pihole-dns-tcp LoadBalancer 10.43.36.226 192.168.1.129,192.168.1.146,192.168.1.148 53:31213/TCP 69m app=pihole,release=pihole
pihole pihole-dns-udp LoadBalancer 10.43.191.104 192.168.1.129,192.168.1.146,192.168.1.148 53:31078/UDP 69m app=pihole,release=pihole
pihole pihole-web LoadBalancer 10.43.63.236 192.168.1.129,192.168.1.146,192.168.1.148 80:30081/TCP,443:31214/TCP 69m app=pihole,release=pihole
kube-system traefik LoadBalancer 10.43.122.130 <pending> 80:30146/TCP,443:32021/TCP 68m app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik
谜底就在这里——谁在监听 80 端口?正如我之前提到的,我可以从浏览器或 curl 建立与 pi-hole 的连接:
$ curl http://192.168.1.129
<!doctype html>
<html lang='en'>
HTML lines omitted...
</html>
然而,以下命令是从 192.168.1.129 执行的:
$ sudo lsof -i :80
$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether e4:5f:01:b8:fc:6f brd ff:ff:ff:ff:ff:ff
inet 192.168.1.129/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 43882sec preferred_lft 33082sec
inet6 2603:8001:8e00:1ca9:37e7:e1f8:8ea9:571b/64 scope global dynamic mngtmpaddr noprefixroute
valid_lft 464540sec preferred_lft 464540sec
inet6 fe80::aba5:f484:5575:9864/64 scope link
valid_lft forever preferred_lft forever
Many other Kubernetes interface omitted...
netstat 和 ss 也没有显示任何正在监听该端口的人。但是,如果我在从浏览器连接到服务器时运行 tcpdump,我可以使用 tcpdump 查看端口上的流量。
我错过了什么?
答案1
在 Daniel B. 给我指明了正确的方向后,我所要做的就是遵守防火墙规则。我找到了这个详细的解释https://www.stackrox.io/blog/kubernetes-networking-demystified/ 如何做到这一点。我只需要用等效的 nft 命令替换 iptables 命令,因为前者在我的系统上不起作用。
我从使用浏览器访问的服务器 192.168.1.129 和端口 80 开始:
$ sudo nft -n list chain nat KUBE-SERVICES|grep "192.168.1.129.*[^0-9]80[^0-9]"
meta l4proto 6 ip daddr 192.168.1.129 tcp dport 80 counter packets 3 bytes 156 jump KUBE-FW-ZVTMEM247U444IPT
然后我只需遵循链式规则:
$ sudo nft -n list chain nat KUBE-FW-ZVTMEM247U444IPT
table ip nat {
chain KUBE-FW-ZVTMEM247U444IPT {
counter packets 3 bytes 156 jump KUBE-XLB-ZVTMEM247U444IPT
counter packets 0 bytes 0 jump KUBE-MARK-DROP
counter packets 0 bytes 0 jump KUBE-XLB-ZVTMEM247U444IPT
counter packets 0 bytes 0 jump KUBE-MARK-DROP
counter packets 0 bytes 0 jump KUBE-XLB-ZVTMEM247U444IPT
counter packets 0 bytes 0 jump KUBE-MARK-DROP
}
}
$ sudo nft -n list chain nat KUBE-XLB-ZVTMEM247U444IPT
table ip nat {
chain KUBE-XLB-ZVTMEM247U444IPT {
ip saddr 10.42.0.0/16 counter packets 0 bytes 0 jump KUBE-SVC-ZVTMEM247U444IPT
fib saddr type local counter packets 0 bytes 0 jump KUBE-MARK-MASQ
fib saddr type local counter packets 0 bytes 0 jump KUBE-SVC-ZVTMEM247U444IPT
counter packets 3 bytes 156 jump KUBE-SEP-PXNUQBE4P5SOTECD
}
}
$ sudo nft -n list chain nat KUBE-SVC-ZVTMEM247U444IPT
table ip nat {
chain KUBE-SVC-ZVTMEM247U444IPT {
meta l4proto 6 ip saddr != 10.42.0.0/16 ip daddr 10.43.29.63 tcp dport 80 counter packets 0 bytes 0 jump KUBE-MARK-MASQ
counter packets 0 bytes 0 jump KUBE-SEP-PXNUQBE4P5SOTECD
}
}
最后一个命令输出一个熟悉的 IP 地址——这是我的服务运行的地方:
$ sudo kubectl get services --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 104m
kube-system kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 104m
kube-system metrics-server ClusterIP 10.43.8.179 <none> 443/TCP 104m
pihole pihole-dhcp NodePort 10.43.156.246 <none> 67:31575/UDP 84m
pihole pihole-dns-udp LoadBalancer 10.43.167.163 192.168.1.129,192.168.1.146,192.168.1.148 53:31671/UDP 84m
pihole pihole-dns-tcp LoadBalancer 10.43.219.243 192.168.1.129,192.168.1.146,192.168.1.148 53:30437/TCP 84m
pihole pihole-web LoadBalancer 10.43.29.63 192.168.1.129,192.168.1.146,192.168.1.148 80:32526/TCP,443:30932/TCP 84m