iptables REDIRECT to a Kubernetes NodePort causes the request to hang


I am trying to direct client traffic to a Kubernetes cluster NodePort listening on 192.168.1.100.30000 (the https port).

The client needs to make its requests to 192.168.1.100.8000, so I added the following REDIRECT rules in iptables:

iptables -t nat -I PREROUTING -p tcp --dst 192.168.1.100 --dport 8000 -j REDIRECT --to-port 30000
iptables -t nat -I OUTPUT -d 192.168.1.100 -p tcp --dport 8000 -j REDIRECT --to-port 30000

However, I get the following error:

# curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
*   Trying 192.168.1.100...
* Connected to 192.168.1.100 (192.168.1.100) port 8000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

I also tried setting up a remote system and making the request to the same endpoint from there, and received the following error:

# ip netns exec remotesystem curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
*   Trying 192.168.1.100...
* Connection timed out
* Failed connect to 192.168.1.100:8000; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 192.168.1.100:8000; Connection timed out

I know the Kubernetes cluster has network policies enforced with Calico CRDs; however, I added a default allow-all to the network policy, and the traffic still seems to hang.

I also checked the ingress controller logs to see whether the request reaches it, but I did not see any log output when making the request.

The strange thing is that curling the NodePort directly at https://192.168.1.100.30000/v1/api works and I get a successful response.

The question is: why does curling https://192.168.1.100:8000/v1/api (with the REDIRECT rule to 30000) cause the request to hang?
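As an added diagnostic (not part of the original question), the script below checks the nat rule ordering that the two `iptables -I` commands produce. It assumes kube-proxy in iptables mode, where NodePort handling hangs off the KUBE-SERVICES chain, and it reads a constructed `iptables-save -t nat` sample rather than a live node.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumes kube-proxy in iptables
# mode: nat PREROUTING and OUTPUT jump to KUBE-SERVICES, and NodePort DNAT lives
# in KUBE-NODEPORTS. REDIRECT is a terminating target, so a REDIRECT rule placed
# before the KUBE-SERVICES jump (which `iptables -I` does) means kube-proxy's
# rules are never evaluated for the redirected packets.

# Constructed sample of `iptables-save -t nat` output after the two `-I` commands
# from the question (kube-proxy rules abbreviated; chain names are the real ones).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-NODEPORTS - [0:0]
-A PREROUTING -d 192.168.1.100/32 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 30000
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -d 192.168.1.100/32 -p tcp -m tcp --dport 8000 -j REDIRECT --to-ports 30000
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m tcp --dport 30000 -j KUBE-SVC-EXAMPLE
COMMIT'

# rule_pos CHAIN TARGET: 1-based index of the first rule in CHAIN whose target is
# TARGET, 0 if none. Reads iptables-save text on stdin.
rule_pos() {
    awk -v chain="$1" -v target="$2" '
        $1 == "-A" && $2 == chain {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) { print n; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# redirect_shadows_kube CHAIN: prints "yes" when a REDIRECT rule sits before the
# KUBE-SERVICES jump in CHAIN (or there is no jump at all), otherwise "no".
redirect_shadows_kube() {
    r=$(printf '%s\n' "$SAMPLE_NAT" | rule_pos "$1" REDIRECT)
    k=$(printf '%s\n' "$SAMPLE_NAT" | rule_pos "$1" KUBE-SERVICES)
    if [ "$r" -gt 0 ] && { [ "$k" -eq 0 ] || [ "$r" -lt "$k" ]; }; then
        echo yes
    else
        echo no
    fi
}

for c in PREROUTING OUTPUT; do
    echo "$c: REDIRECT evaluated before KUBE-SERVICES? $(redirect_shadows_kube "$c")"
done
```

On a real node, replace SAMPLE_NAT with the output of `iptables-save -t nat`; a "yes" for a chain means packets matching the REDIRECT rule leave that chain before kube-proxy's NodePort rules are consulted.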
