I have a freshly installed cluster running Kubernetes 1.22 on Ubuntu 20.04, with Nginx installed. I cannot get Nginx to expose ports 80/443 on the host. If I curl the virtual host from inside the Nginx pod, I can reach the service.
Name:         ingress-nginx-controller-76dcf4d6c8-szs8s
Namespace:    ingress-nginx
Priority:     0
Node:         kub-worker-1/192.168.2.86
Start Time:   Thu, 19 Aug 2021 15:02:02 +0000
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=ingress-nginx
              app.kubernetes.io/name=ingress-nginx
              pod-template-hash=76dcf4d6c8
Annotations:  <none>
Status:       Running
IP:           10.0.0.156
IPs:
  IP:           10.0.0.156
Controlled By:  ReplicaSet/ingress-nginx-controller-76dcf4d6c8
Containers:
  controller:
    Container ID:  docker://5ba153e69ddc8744002605c47a58fc748d15e913b2becd8e6fe425de52fff5f7
    Image:         k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
    Image ID:      docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
    Ports:         80/TCP, 443/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      /nginx-ingress-controller
      --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
      --election-id=ingress-controller-leader
      --controller-class=k8s.io/ingress-nginx
      --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
      --validating-webhook=:8443
      --validating-webhook-certificate=/usr/local/certificates/cert
      --validating-webhook-key=/usr/local/certificates/key
    State:          Running
      Started:      Thu, 19 Aug 2021 15:02:03 +0000
    Ready:          True
    Restart Count:  0
    Requests:
      cpu:     100m
      memory:  90Mi
    Liveness:   http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=5
    Readiness:  http-get http://:10254/healthz delay=10s timeout=1s period=10s #success=1 #failure=3
    Environment:
      POD_NAME:       ingress-nginx-controller-76dcf4d6c8-szs8s (v1:metadata.name)
      POD_NAMESPACE:  ingress-nginx (v1:metadata.namespace)
      LD_PRELOAD:     /usr/local/lib/libmimalloc.so
    Mounts:
      /usr/local/certificates/ from webhook-cert (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-mql58 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  webhook-cert:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  ingress-nginx-admission
    Optional:    false
  kube-api-access-mql58:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   Burstable
Node-Selectors:              kubernetes.io/os=linux
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>
Ufw enabled:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 6443 ALLOW IN Anywhere
[ 3] 6783/udp ALLOW IN Anywhere
[ 4] 6784/udp ALLOW IN Anywhere
[ 5] 6783/tcp ALLOW IN Anywhere
[ 6] 2379/tcp ALLOW IN Anywhere
[ 7] 2380/tcp ALLOW IN Anywhere
[ 8] 8472/udp ALLOW IN Anywhere
[ 9] 4240/tcp ALLOW IN Anywhere
[10] 8472/udp ALLOW OUT Anywhere (out)
[11] 4240/tcp ALLOW OUT Anywhere (out)
[12] 4244/tcp ALLOW IN Anywhere
[13] 4245/tcp ALLOW IN Anywhere
[14] 6060/tcp ALLOW IN Anywhere
[15] 6061/tcp ALLOW IN Anywhere
[16] 6062/tcp ALLOW IN Anywhere
[17] 6942/tcp ALLOW IN Anywhere
[18] 9090/tcp ALLOW IN Anywhere
[19] 9876/tcp ALLOW IN Anywhere
[20] 9890/tcp ALLOW IN Anywhere
[21] 9891/tcp ALLOW IN Anywhere
[22] 9892/tcp ALLOW IN Anywhere
[23] 9893/tcp ALLOW IN Anywhere
[24] 51871/udp ALLOW IN Anywhere
[25] 80/tcp ALLOW IN Anywhere
[26] 443/tcp ALLOW IN Anywhere
[27] 8080/tcp ALLOW IN Anywhere
[28] 12000/tcp ALLOW IN Anywhere
[29] 22/tcp (v6) ALLOW IN Anywhere (v6)
[30] 6443 (v6) ALLOW IN Anywhere (v6)
[31] 6783/udp (v6) ALLOW IN Anywhere (v6)
[32] 6784/udp (v6) ALLOW IN Anywhere (v6)
[33] 6783/tcp (v6) ALLOW IN Anywhere (v6)
[34] 2379/tcp (v6) ALLOW IN Anywhere (v6)
[35] 2380/tcp (v6) ALLOW IN Anywhere (v6)
[36] 8472/udp (v6) ALLOW IN Anywhere (v6)
[37] 4240/tcp (v6) ALLOW IN Anywhere (v6)
[38] 8472/udp (v6) ALLOW OUT Anywhere (v6) (out)
[39] 4240/tcp (v6) ALLOW OUT Anywhere (v6) (out)
[40] 4244/tcp (v6) ALLOW IN Anywhere (v6)
[41] 4245/tcp (v6) ALLOW IN Anywhere (v6)
[42] 6060/tcp (v6) ALLOW IN Anywhere (v6)
[43] 6061/tcp (v6) ALLOW IN Anywhere (v6)
[44] 6062/tcp (v6) ALLOW IN Anywhere (v6)
[45] 6942/tcp (v6) ALLOW IN Anywhere (v6)
[46] 9090/tcp (v6) ALLOW IN Anywhere (v6)
[47] 9876/tcp (v6) ALLOW IN Anywhere (v6)
[48] 9890/tcp (v6) ALLOW IN Anywhere (v6)
[49] 9891/tcp (v6) ALLOW IN Anywhere (v6)
[50] 9892/tcp (v6) ALLOW IN Anywhere (v6)
[51] 9893/tcp (v6) ALLOW IN Anywhere (v6)
[52] 51871/udp (v6) ALLOW IN Anywhere (v6)
[53] 80/tcp (v6) ALLOW IN Anywhere (v6)
[54] 443/tcp (v6) ALLOW IN Anywhere (v6)
[55] 12000/tcp (v6) ALLOW IN Anywhere (v6)
Exposed ports:
systemd-r 899 systemd-resolve 13u IPv4 21166 0t0 TCP 127.0.0.53:53 (LISTEN)
sshd 18827 root 3u IPv4 52153 0t0 TCP *:22 (LISTEN)
sshd 18827 root 4u IPv6 52155 0t0 TCP *:22 (LISTEN)
container 20083 root 13u IPv4 60776 0t0 TCP 127.0.0.1:37531 (LISTEN)
kube-cont 34531 root 7u IPv4 107006 0t0 TCP 127.0.0.1:10257 (LISTEN)
etcd 34589 root 7u IPv4 106830 0t0 TCP 192.168.2.52:2380 (LISTEN)
etcd 34589 root 8u IPv4 106834 0t0 TCP 127.0.0.1:2379 (LISTEN)
etcd 34589 root 9u IPv4 106835 0t0 TCP 192.168.2.52:2379 (LISTEN)
etcd 34589 root 13u IPv4 107720 0t0 TCP 127.0.0.1:2381 (LISTEN)
kube-sche 34603 root 7u IPv4 107783 0t0 TCP 127.0.0.1:10259 (LISTEN)
kube-apis 34618 root 7u IPv6 107757 0t0 TCP *:6443 (LISTEN)
kubelet 37098 root 13u IPv4 114512 0t0 TCP 127.0.0.1:33915 (LISTEN)
kubelet 37098 root 31u IPv6 114560 0t0 TCP *:10250 (LISTEN)
kubelet 37098 root 34u IPv4 114566 0t0 TCP 127.0.0.1:10248 (LISTEN)
cilium-op 143227 root 7u IPv4 563370 0t0 TCP 127.0.0.1:9891 (LISTEN)
cilium-op 143227 root 8u IPv4 563375 0t0 TCP 127.0.0.1:9234 (LISTEN)
cilium-ag 158094 root 7u IPv4 619482 0t0 TCP 127.0.0.1:9890 (LISTEN)
cilium-ag 158094 root 8u IPv6 663676 0t0 TCP *:30206 (LISTEN)
cilium-ag 158094 root 23u IPv6 619998 0t0 TCP *:42707 (LISTEN)
cilium-ag 158094 root 47u IPv4 623102 0t0 TCP 127.0.0.1:9876 (LISTEN)
cilium-ag 158094 root 64u IPv6 623295 0t0 TCP *:4244 (LISTEN)
cilium-ag 158094 root 67u IPv6 623305 0t0 TCP *:4240 (LISTEN)
From the nginx container:
bash-5.1$ curl --header "Host: linkerd.internal.damn.li" localhost
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width">
<title>Linkerd</title>
<meta name="description" content="Linkerd">
<meta name="keywords" content="Linkerd">
<link rel="icon" type="image/png" href="/dist/img/favicon.png">
<link href="https://fonts.googleapis.com/css?family=Lato:300,400,700,900" rel="stylesheet">
<script type="text/javascript" src="/dist/index_bundle.js" async></script>
</head>
<body>
<div class="main" id="main"
data-release-version="stable-2.10.2"
data-go-version="go1.16.2"
data-controller-namespace="linkerd"
data-uuid="0766d708-1cdd-4225-a4b5-c587b503c3e6"
data-grafana="grafana.linkerd-viz.svc.cluster.local:3000"
data-jaeger="">
</div>
</body>
</html>
Update 2:
I found these configuration lines in the Helm chart. It was set to false and I changed it to true. However, the ports are still not exposed. I wonder whether it will work at all, since I am using Cilium as the CNI.
# Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
# since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
# is merged
hostNetwork: true
Update 3:
Helm values file: https://pastebin.com/njpBTu9q
Pod definition:
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2021-08-22T12:04:29Z"
  generateName: ingress-nginx-controller-88758fc9-
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/name: ingress-nginx
    pod-template-hash: 88758fc9
  name: ingress-nginx-controller-88758fc9-pl4kl
  namespace: ingress-nginx
  ownerReferences:
  - apiVersion: apps/v1
    blockOwnerDeletion: true
    controller: true
    kind: ReplicaSet
    name: ingress-nginx-controller-88758fc9
    uid: 8d1441f7-92b0-497a-a0c7-e9685253ba5c
  resourceVersion: "545734"
  uid: abb6fb65-f06e-4cfa-b3b5-cd6de52e7fad
spec:
  containers:
  - args:
    - /nginx-ingress-controller
    - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
    - --election-id=ingress-controller-leader
    - --controller-class=k8s.io/ingress-nginx
    - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
    - --validating-webhook=:8443
    - --validating-webhook-certificate=/usr/local/certificates/cert
    - --validating-webhook-key=/usr/local/certificates/key
    env:
    - name: POD_NAME
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.name
    - name: POD_NAMESPACE
      valueFrom:
        fieldRef:
          apiVersion: v1
          fieldPath: metadata.namespace
    - name: LD_PRELOAD
      value: /usr/local/lib/libmimalloc.so
    image: k8s.gcr.io/ingress-nginx/controller:v1.0.0-beta.3@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
    imagePullPolicy: IfNotPresent
    lifecycle:
      preStop:
        exec:
          command:
          - /wait-shutdown
    livenessProbe:
      failureThreshold: 5
      httpGet:
        path: /healthz
        port: 10254
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    name: controller
    ports:
    - containerPort: 80
      hostPort: 80
      name: http
      protocol: TCP
    - containerPort: 443
      hostPort: 443
      name: https
      protocol: TCP
    - containerPort: 8443
      hostPort: 8443
      name: webhook
      protocol: TCP
    readinessProbe:
      failureThreshold: 3
      httpGet:
        path: /healthz
        port: 10254
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 10
      successThreshold: 1
      timeoutSeconds: 1
    resources:
      requests:
        cpu: 100m
        memory: 90Mi
    securityContext:
      allowPrivilegeEscalation: true
      capabilities:
        add:
        - NET_BIND_SERVICE
        drop:
        - ALL
      runAsUser: 101
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /usr/local/certificates/
      name: webhook-cert
      readOnly: true
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-dfft5
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  hostNetwork: true
  nodeName: kub-worker-1
  nodeSelector:
    kubernetes.io/os: linux
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: ingress-nginx
  serviceAccountName: ingress-nginx
  terminationGracePeriodSeconds: 300
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: webhook-cert
    secret:
      defaultMode: 420
      secretName: ingress-nginx-admission
  - name: kube-api-access-dfft5
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2021-08-22T12:04:29Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2021-08-22T12:04:49Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2021-08-22T12:04:49Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2021-08-22T12:04:29Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: docker://200bc5cd1cea0fda6967d28d27cbf199834c7857bc49fce6c314240f6c4821e0
    image: sha256:11d6381f7abc4250c143a97419d269adde01b2c51a874723357eead09c810dcb
    imageID: docker-pullable://k8s.gcr.io/ingress-nginx/controller@sha256:44a7a06b71187a4529b0a9edee5cc22bdf71b414470eff696c3869ea8d90a695
    lastState: {}
    name: controller
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2021-08-22T12:04:31Z"
  hostIP: 192.168.2.86
  phase: Running
  podIP: 192.168.2.86
  podIPs:
  - ip: 192.168.2.86
  qosClass: Burstable
  startTime: "2021-08-22T12:04:29Z"
Looking at your describe output, we can see:
Host Ports: 0/TCP, 0/TCP, 0/TCP
This means your container ports are not exposed on your host.
Edit your Deployment or StatefulSet and add hostNetwork: true:
spec:
  containers:
    - [...]
  hostNetwork: true
If your cluster uses PodSecurityPolicies, you may need to grant the controller permission to start containers without network isolation.
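An added check that turns the diagnosis above into something you can run; this is example code written for this page, not code from the question, the answer or the ingress-nginx project. It parses the `Host Ports:` line of `kubectl describe pod` output (0/TCP meaning "not published on the node") and audits a Pod object in the shape of `kubectl get pod -o json` for what `hostNetwork: true` actually puts on the node. The two describe fragments and the Pod JSON are constructed samples mirroring the question's pod; the set of ports you expect on the node (80 and 443) is an assumption.

```python
"""Audit what an ingress controller Pod publishes on its node.

Added example for the answer above; not the question's, the answer's or
ingress-nginx's own code. Constructed samples are embedded below.
"""
import json
import re
from typing import Dict, List, Set

# Constructed sample: the "Host Ports:" line from `kubectl describe pod`,
# first as in the question (nothing published), then as it should read once
# the controller's ports reach the node.
DESCRIBE_BEFORE = """    Ports:          80/TCP, 443/TCP, 8443/TCP
    Host Ports:     0/TCP, 0/TCP, 0/TCP
"""
DESCRIBE_AFTER = """    Ports:          80/TCP, 443/TCP, 8443/TCP
    Host Ports:     80/TCP, 443/TCP, 8443/TCP
"""

# Constructed sample Pod (shape of `kubectl get pod -o json`), reduced to the
# fields the audit reads and mirroring the question's pod spec.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "ingress-nginx-controller-88758fc9-pl4kl",
               "namespace": "ingress-nginx"},
  "spec": {
    "hostNetwork": true,
    "containers": [{
      "name": "controller",
      "ports": [
        {"containerPort": 80,   "hostPort": 80,   "name": "http",    "protocol": "TCP"},
        {"containerPort": 443,  "hostPort": 443,  "name": "https",   "protocol": "TCP"},
        {"containerPort": 8443, "hostPort": 8443, "name": "webhook", "protocol": "TCP"}
      ],
      "securityContext": {
        "allowPrivilegeEscalation": true,
        "capabilities": {"add": ["NET_BIND_SERVICE"], "drop": ["ALL"]},
        "runAsUser": 101
      }
    }]
  }
}
"""


def published_host_ports(describe_text: str) -> List[int]:
    """Return the non-zero ports on the 'Host Ports:' line of describe output.

    0/TCP means the container port is not published on the node, which is the
    symptom in the question; an empty list therefore means "nothing reachable".
    """
    match = re.search(r"^\s*Host Ports:\s*(.+?)\s*$", describe_text, re.MULTILINE)
    if not match:
        return []
    ports = []
    for entry in match.group(1).split(","):
        number = int(entry.strip().split("/")[0])
        if number != 0:
            ports.append(number)
    return ports


def audit_pod(pod: Dict, expected_node_ports: Set[int]) -> Dict:
    """Report what the Pod exposes on the node and which hardening it keeps.

    With hostNetwork: true the pod shares the node's network namespace, so every
    port a container listens on is reachable on the node's interfaces, and the
    node firewall (ufw in the question) rather than the CNI decides who reaches
    it. Declared containerPorts are only a lower bound: the controller's 10254
    healthz listener from the question is on the node too, though never declared.
    """
    spec = pod.get("spec", {})
    host_network = bool(spec.get("hostNetwork", False))
    node_exposed: Set[int] = set()
    allow_pe: List[str] = []
    extra_caps: List[str] = []
    for container in spec.get("containers", []):
        for port in container.get("ports", []):
            if host_network:
                node_exposed.add(port["containerPort"])
            elif port.get("hostPort", 0):
                node_exposed.add(port["hostPort"])
        sec = container.get("securityContext", {})
        if sec.get("allowPrivilegeEscalation"):
            allow_pe.append(container["name"])
        # Binding 80/443 as uid 101 needs NET_BIND_SERVICE; anything beyond
        # that deserves a second look on a pod that shares the node's network.
        for cap in sec.get("capabilities", {}).get("add", []):
            if cap != "NET_BIND_SERVICE":
                extra_caps.append(f"{container['name']}:{cap}")
    return {
        "hostNetwork": host_network,
        "node_exposed_ports": sorted(node_exposed),
        "unexpected_node_ports": sorted(node_exposed - expected_node_ports),
        "allow_privilege_escalation": allow_pe,
        "extra_capabilities": extra_caps,
    }


def audit_sample() -> Dict:
    """Audit the constructed sample, expecting only 80 and 443 on the node."""
    return audit_pod(json.loads(SAMPLE_POD_JSON), {80, 443})


if __name__ == "__main__":
    print("host ports before fix:", published_host_ports(DESCRIBE_BEFORE))
    print("host ports after fix: ", published_host_ports(DESCRIBE_AFTER))
    for key, value in audit_sample().items():
        print(f"{key}: {value}")
```

On the sample the audit flags 8443 as unexpected: with hostNetwork the admission webhook is bound on the node alongside 80 and 443, and so is the undeclared 10254 healthz endpoint, so the ufw rule set in the question is what limits who can reach them. It also reports allowPrivilegeEscalation: true on the controller, which is worth reviewing once the pod sits in the node's network namespace.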