2017-04-19 78 views
0

Routes not working on Kubernetes with Calico

  • Kubernetes v1.6.0, set up by kubeadm v1.6.1
  • Calico, set up via the official YAML
  • iptables v1.6.0
  • Nodes provided by AliCloud

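Problem:

The CNI network does not work properly. Any deployment can only be accessed from the node it is running on. I suspect it is related to a routing table conflict or missing routes, because I have another cluster on Vultr Cloud that works fine with the same setup steps.

Cluster info: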

[email protected]:~# kubectl get pods --all-namespaces -o wide 
NAMESPACE  NAME            READY  STATUS RESTARTS AGE  IP    NODE 
kube-system calico-etcd-66gf4         1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system calico-node-4wxsb         2/2  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system calico-node-6n1g1         2/2  Running 0   16h  10.30.248.80  iz2zegw6nmd5t5qxy35lh0z 
kube-system calico-policy-controller-2561685917-7bdd4   1/1  Running 0   16h  10.30.248.80  iz2zegw6nmd5t5qxy35lh0z 
kube-system etcd-iz2ze8ctk2q17u029a8wcoz      1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system heapster-bx03l         1/1  Running 0   16h  192.168.31.150 iz2zegw6nmd5t5qxy35lh0z 
kube-system kube-apiserver-iz2ze8ctk2q17u029a8wcoz   1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system kube-controller-manager-iz2ze8ctk2q17u029a8wcoz 1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system kube-dns-3913472980-kgzln       3/3  Running 0   16h  192.168.31.149 iz2zegw6nmd5t5qxy35lh0z 
kube-system kube-proxy-ck83t         1/1  Running 0   16h  10.30.248.80  iz2zegw6nmd5t5qxy35lh0z 
kube-system kube-proxy-lssdn         1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 
kube-system kube-scheduler-iz2ze8ctk2q17u029a8wcoz   1/1  Running 0   16h  10.27.219.50  iz2ze8ctk2q17u029a8wcoz 

I checked the logs of every pod and could not find any errors.

Master info: internal IP: 10.27.219.50

[email protected]:~# ifconfig 

docker0 Link encap:Ethernet HWaddr 02:42:56:84:35:19 
      inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.255.0 
      UP BROADCAST MULTICAST MTU:1500 Metric:1 
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:0 
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) 

eth0  Link encap:Ethernet HWaddr 00:16:3e:30:51:ae 
      inet addr:10.27.219.50 Bcast:10.27.219.255 Mask:255.255.252.0 
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
      RX packets:4400927 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:3906530 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1000 
      RX bytes:564808928 (564.8 MB) TX bytes:792611382 (792.6 MB) 

eth1  Link encap:Ethernet HWaddr 00:16:3e:32:07:f8 
      inet addr:59.110.32.199 Bcast:59.110.35.255 Mask:255.255.252.0 
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
      RX packets:1148756 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:688177 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1000 
      RX bytes:1570341044 (1.5 GB) TX bytes:58104611 (58.1 MB) 

tunl0  Link encap:IPIP Tunnel HWaddr 
      inet addr:192.168.201.0 Mask:255.255.255.255 
      UP RUNNING NOARP MTU:1440 Metric:1 
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1 
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) 


[email protected]:~# route -n 
Kernel IP routing table 
Destination  Gateway   Genmask   Flags Metric Ref Use Iface 
0.0.0.0   59.110.35.247 0.0.0.0   UG 0  0  0 eth1 
10.27.216.0  0.0.0.0   255.255.252.0 U  0  0  0 eth0 
10.30.0.0  10.27.219.247 255.255.0.0  UG 0  0  0 eth0 
10.32.0.0  0.0.0.0   255.240.0.0  U  0  0  0 weave 
59.110.32.0  0.0.0.0   255.255.252.0 U  0  0  0 eth1 
100.64.0.0  10.27.219.247 255.192.0.0  UG 0  0  0 eth0 
172.16.0.0  10.27.219.247 255.240.0.0  UG 0  0  0 eth0 
172.17.0.0  0.0.0.0   255.255.255.0 U  0  0  0 docker0 
192.168.201.0 0.0.0.0   255.255.255.192 U  0  0  0 * 

[email protected]:~# ip route list 
default via 59.110.35.247 dev eth1 
10.27.216.0/22 dev eth0 proto kernel scope link src 10.27.219.50 
10.30.0.0/16 via 10.27.219.247 dev eth0 
10.32.0.0/12 dev weave proto kernel scope link src 10.32.0.1 
59.110.32.0/22 dev eth1 proto kernel scope link src 59.110.32.199 
100.64.0.0/10 via 10.27.219.247 dev eth0 
172.16.0.0/12 via 10.27.219.247 dev eth0 
172.17.0.0/24 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
blackhole 192.168.201.0/26 proto bird 

// NOTE: 10.30.0.0/16 via 10.27.219.247 dev eth0 
// this rule is important, the worker node's ip is 10.30.xx.xx. If I delete this rule, I cannot ping worker node. 
// this rule is 10.0.0.0/8 via 10.27.219.247 dev eth0 by default, I changed it to the above. 


[email protected]:~# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 3 packets, 180 bytes) 
pkts bytes target  prot opt in  out  source    destination 
20976 1250K cali-PREROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:6gwbT8clXdHdC1b1 */ 
21016 1252K KUBE-SERVICES all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service portals */ 
20034 1193K DOCKER  all -- *  *  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type LOCAL 

Chain INPUT (policy ACCEPT 3 packets, 180 bytes) 
pkts bytes target  prot opt in  out  source    destination 

Chain OUTPUT (policy ACCEPT 4 packets, 240 bytes) 
pkts bytes target  prot opt in  out  source    destination 
109K 6580K cali-OUTPUT all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:tVnHkvAo15HuiPy0 */ 
111K 6738K KUBE-SERVICES all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service portals */ 
1263 75780 DOCKER  all -- *  *  0.0.0.0/0   !127.0.0.0/8   ADDRTYPE match dst-type LOCAL 

Chain POSTROUTING (policy ACCEPT 4 packets, 240 bytes) 
pkts bytes target  prot opt in  out  source    destination 
86584 5235K cali-POSTROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:O3lYWMrLQYEMJtB5 */ 
    0  0 MASQUERADE all -- *  !docker0 172.17.0.0/24  0.0.0.0/0 
3982K 239M KUBE-POSTROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes postrouting rules */ 
28130 1704K WEAVE  all -- *  *  0.0.0.0/0   0.0.0.0/0 

Chain DOCKER (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 RETURN  all -- docker0 *  0.0.0.0/0   0.0.0.0/0 

Chain KUBE-MARK-DROP (0 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MARK  all -- *  *  0.0.0.0/0   0.0.0.0/0   MARK or 0x8000 

Chain KUBE-MARK-MASQ (5 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MARK  all -- *  *  0.0.0.0/0   0.0.0.0/0   MARK or 0x4000 

Chain KUBE-NODEPORTS (1 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain KUBE-POSTROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MASQUERADE all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 

Chain KUBE-SEP-2VS52M6CEWASZVOP (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.149  0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ tcp to:192.168.31.149:53 

Chain KUBE-SEP-3XQHSFTDAPNNNDX3 (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.150  0.0.0.0/0   /* kube-system/heapster: */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/heapster: */ tcp to:192.168.31.150:8082 

Chain KUBE-SEP-CH7KJM5XKO5WGA6D (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  10.27.219.50   0.0.0.0/0   /* default/kubernetes:https */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ recent: SET name: KUBE-SEP-CH7KJM5XKO5WGA6D side: source mask: 255.255.255.255 tcp to:10.27.219.50:6443 

Chain KUBE-SEP-X3WTOMIYJNS7APAN (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.149  0.0.0.0/0   /* kube-system/kube-dns:dns */ 
    0  0 DNAT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns */ udp to:192.168.31.149:53 

Chain KUBE-SEP-YDCHDMTZNPMRRKCX (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  10.27.219.50   0.0.0.0/0   /* kube-system/calico-etcd: */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/calico-etcd: */ tcp to:10.27.219.50:6666 

Chain KUBE-SERVICES (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- *  *  0.0.0.0/0   10.96.0.1   /* default/kubernetes:https cluster IP */ tcp dpt:443 
    0  0 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- *  *  0.0.0.0/0   10.96.0.10   /* kube-system/kube-dns:dns cluster IP */ udp dpt:53 
    0  0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- *  *  0.0.0.0/0   10.96.0.10   /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53 
    0  0 KUBE-SVC-NTYB37XIWATNM25Y tcp -- *  *  0.0.0.0/0   10.96.232.136  /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666 
    0  0 KUBE-SVC-BJM46V3U5RZHCFRZ tcp -- *  *  0.0.0.0/0   10.96.181.180  /* kube-system/heapster: cluster IP */ tcp dpt:80 
    7 420 KUBE-NODEPORTS all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL 

Chain KUBE-SVC-BJM46V3U5RZHCFRZ (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-3XQHSFTDAPNNNDX3 all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/heapster: */ 

Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-2VS52M6CEWASZVOP all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ 

Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-CH7KJM5XKO5WGA6D all -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ recent: CHECK seconds: 10800 reap name: KUBE-SEP-CH7KJM5XKO5WGA6D side: source mask: 255.255.255.255 
    0  0 KUBE-SEP-CH7KJM5XKO5WGA6D all -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ 

Chain KUBE-SVC-NTYB37XIWATNM25Y (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-YDCHDMTZNPMRRKCX all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/calico-etcd: */ 

Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-X3WTOMIYJNS7APAN all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns */ 

Chain WEAVE (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 RETURN  all -- *  *  10.32.0.0/12   224.0.0.0/4 
    1 93 MASQUERADE all -- *  *  !10.32.0.0/12   10.32.0.0/12 
    0  0 MASQUERADE all -- *  *  10.32.0.0/12  !10.32.0.0/12 

Chain cali-OUTPUT (1 references) 
pkts bytes target  prot opt in  out  source    destination 
109K 6580K cali-fip-dnat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:GBTAv2p5CwevEyJm */ 

Chain cali-POSTROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
109K 6571K cali-fip-snat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:Z-c7XtVd2Bq7s_hA */ 
109K 6571K cali-nat-outgoing all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:nYKhEzDlr11Jccal */ 
    0  0 MASQUERADE all -- *  tunl0 0.0.0.0/0   0.0.0.0/0   /* cali:JHlpT-eSqR1TvyYm */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL 

Chain cali-PREROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
20976 1250K cali-fip-dnat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:r6XmIziWUJsdOK6Z */ 

Chain cali-fip-dnat (2 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain cali-fip-snat (1 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain cali-nat-outgoing (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    4 376 MASQUERADE all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:Wd76s91357Uv7N3v */ match-set cali4-masq-ipam-pools src ! match-set cali4-all-ipam-pools dst 

Worker node info: internal IP: 10.30.248.80

ifconfig 

docker0 Link encap:Ethernet HWaddr 02:42:58:2b:b5:39 
      inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.255.0 
      UP BROADCAST MULTICAST MTU:1500 Metric:1 
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:0 
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) 

eth0  Link encap:Ethernet HWaddr 00:16:3e:2e:3d:fd 
      inet addr:10.30.248.80 Bcast:10.30.251.255 Mask:255.255.252.0 
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
      RX packets:3856596 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:4253613 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1000 
      RX bytes:827402268 (827.4 MB) TX bytes:510838231 (510.8 MB) 

eth1  Link encap:Ethernet HWaddr 00:16:3e:2c:db:d1 
      inet addr:47.93.161.177 Bcast:47.93.163.255 Mask:255.255.252.0 
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 
      RX packets:890451 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:825607 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1000 
      RX bytes:1695352720 (1.6 GB) TX bytes:62341312 (62.3 MB) 

tunl0  Link encap:IPIP Tunnel HWaddr 
      inet addr:192.168.31.128 Mask:255.255.255.255 
      UP RUNNING NOARP MTU:1440 Metric:1 
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0 
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 
      collisions:0 txqueuelen:1 
      RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) 


[email protected]:~# route -n 
Kernel IP routing table 
Destination  Gateway   Genmask   Flags Metric Ref Use Iface 
0.0.0.0   47.93.163.247 0.0.0.0   UG 0  0  0 eth1 
10.0.0.0  10.30.251.247 255.0.0.0  UG 0  0  0 eth0 
10.30.248.0  0.0.0.0   255.255.252.0 U  0  0  0 eth0 
47.93.160.0  0.0.0.0   255.255.252.0 U  0  0  0 eth1 
100.64.0.0  10.30.251.247 255.192.0.0  UG 0  0  0 eth0 
172.16.0.0  10.30.251.247 255.240.0.0  UG 0  0  0 eth0 
172.17.0.0  0.0.0.0   255.255.255.0 U  0  0  0 docker0 
192.168.31.128 0.0.0.0   255.255.255.192 U  0  0  0 * 
192.168.31.149 0.0.0.0   255.255.255.255 UH 0  0  0 cali3567b3362cc 
192.168.31.150 0.0.0.0   255.255.255.255 UH 0  0  0 cali9d04015b0e7 

[email protected]:~# ip route list 
default via 47.93.163.247 dev eth1 
10.0.0.0/8 via 10.30.251.247 dev eth0 
10.30.248.0/22 dev eth0 proto kernel scope link src 10.30.248.80 
47.93.160.0/22 dev eth1 proto kernel scope link src 47.93.161.177 
100.64.0.0/10 via 10.30.251.247 dev eth0 
172.16.0.0/12 via 10.30.251.247 dev eth0 
172.17.0.0/24 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
blackhole 192.168.31.128/26 proto bird 
192.168.31.149 dev cali3567b3362cc scope link 
192.168.31.150 dev cali9d04015b0e7 scope link 

// NOTE: 10.0.0.0/8 via 10.30.251.247 dev eth0 
// I didn't change this one. So it is default now. 


[email protected]:~# iptables -t nat -nvL 
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination 
3524 263K cali-PREROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:6gwbT8clXdHdC1b1 */ 
3527 263K KUBE-SERVICES all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service portals */ 
1031 53882 DOCKER  all -- *  *  0.0.0.0/0   0.0.0.0/0   ADDRTYPE match dst-type LOCAL 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 
pkts bytes target  prot opt in  out  source    destination 

Chain OUTPUT (policy ACCEPT 4 packets, 240 bytes) 
pkts bytes target  prot opt in  out  source    destination 
84174 5099K cali-OUTPUT all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:tVnHkvAo15HuiPy0 */ 
85201 5163K KUBE-SERVICES all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service portals */ 
    0  0 DOCKER  all -- *  *  0.0.0.0/0   !127.0.0.0/8   ADDRTYPE match dst-type LOCAL 

Chain POSTROUTING (policy ACCEPT 7 packets, 420 bytes) 
pkts bytes target  prot opt in  out  source    destination 
76279 4644K cali-POSTROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:O3lYWMrLQYEMJtB5 */ 
    0  0 MASQUERADE all -- *  !docker0 172.17.0.0/24  0.0.0.0/0 
87179 5342K KUBE-POSTROUTING all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes postrouting rules */ 
43815 2646K WEAVE  all -- *  *  0.0.0.0/0   0.0.0.0/0 

Chain DOCKER (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 RETURN  all -- docker0 *  0.0.0.0/0   0.0.0.0/0 

Chain KUBE-MARK-DROP (0 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MARK  all -- *  *  0.0.0.0/0   0.0.0.0/0   MARK or 0x8000 

Chain KUBE-MARK-MASQ (5 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MARK  all -- *  *  0.0.0.0/0   0.0.0.0/0   MARK or 0x4000 

Chain KUBE-NODEPORTS (1 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain KUBE-POSTROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 MASQUERADE all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 

Chain KUBE-SEP-2VS52M6CEWASZVOP (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.149  0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ tcp to:192.168.31.149:53 

Chain KUBE-SEP-3XQHSFTDAPNNNDX3 (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.150  0.0.0.0/0   /* kube-system/heapster: */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/heapster: */ tcp to:192.168.31.150:8082 

Chain KUBE-SEP-CH7KJM5XKO5WGA6D (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  10.27.219.50   0.0.0.0/0   /* default/kubernetes:https */ 
    3 180 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ recent: SET name: KUBE-SEP-CH7KJM5XKO5WGA6D side: source mask: 255.255.255.255 tcp to:10.27.219.50:6443 

Chain KUBE-SEP-X3WTOMIYJNS7APAN (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  192.168.31.149  0.0.0.0/0   /* kube-system/kube-dns:dns */ 
    0  0 DNAT  udp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns */ udp to:192.168.31.149:53 

Chain KUBE-SEP-YDCHDMTZNPMRRKCX (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-MARK-MASQ all -- *  *  10.27.219.50   0.0.0.0/0   /* kube-system/calico-etcd: */ 
    0  0 DNAT  tcp -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/calico-etcd: */ tcp to:10.27.219.50:6666 

Chain KUBE-SERVICES (2 references) 
pkts bytes target  prot opt in  out  source    destination 
    3 180 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- *  *  0.0.0.0/0   10.96.0.1   /* default/kubernetes:https cluster IP */ tcp dpt:443 
    0  0 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- *  *  0.0.0.0/0   10.96.0.10   /* kube-system/kube-dns:dns cluster IP */ udp dpt:53 
    0  0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- *  *  0.0.0.0/0   10.96.0.10   /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53 
    0  0 KUBE-SVC-NTYB37XIWATNM25Y tcp -- *  *  0.0.0.0/0   10.96.232.136  /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666 
    0  0 KUBE-SVC-BJM46V3U5RZHCFRZ tcp -- *  *  0.0.0.0/0   10.96.181.180  /* kube-system/heapster: cluster IP */ tcp dpt:80 
    0  0 KUBE-NODEPORTS all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL 

Chain KUBE-SVC-BJM46V3U5RZHCFRZ (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-3XQHSFTDAPNNNDX3 all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/heapster: */ 

Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-2VS52M6CEWASZVOP all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns-tcp */ 

Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    3 180 KUBE-SEP-CH7KJM5XKO5WGA6D all -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ recent: CHECK seconds: 10800 reap name: KUBE-SEP-CH7KJM5XKO5WGA6D side: source mask: 255.255.255.255 
    0  0 KUBE-SEP-CH7KJM5XKO5WGA6D all -- *  *  0.0.0.0/0   0.0.0.0/0   /* default/kubernetes:https */ 

Chain KUBE-SVC-NTYB37XIWATNM25Y (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-YDCHDMTZNPMRRKCX all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/calico-etcd: */ 

Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    0  0 KUBE-SEP-X3WTOMIYJNS7APAN all -- *  *  0.0.0.0/0   0.0.0.0/0   /* kube-system/kube-dns:dns */ 

Chain WEAVE (1 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain cali-OUTPUT (1 references) 
pkts bytes target  prot opt in  out  source    destination 
84174 5099K cali-fip-dnat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:GBTAv2p5CwevEyJm */ 

Chain cali-POSTROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
86501 5298K cali-fip-snat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:Z-c7XtVd2Bq7s_hA */ 
86501 5298K cali-nat-outgoing all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:nYKhEzDlr11Jccal */ 
    0  0 MASQUERADE all -- *  tunl0 0.0.0.0/0   0.0.0.0/0   /* cali:JHlpT-eSqR1TvyYm */ ADDRTYPE match src-type !LOCAL limit-out ADDRTYPE match src-type LOCAL 

Chain cali-PREROUTING (1 references) 
pkts bytes target  prot opt in  out  source    destination 
3524 263K cali-fip-dnat all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:r6XmIziWUJsdOK6Z */ 

Chain cali-fip-dnat (2 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain cali-fip-snat (1 references) 
pkts bytes target  prot opt in  out  source    destination 

Chain cali-nat-outgoing (1 references) 
pkts bytes target  prot opt in  out  source    destination 
    29 1726 MASQUERADE all -- *  *  0.0.0.0/0   0.0.0.0/0   /* cali:Wd76s91357Uv7N3v */ match-set cali4-masq-ipam-pools src ! match-set cali4-all-ipam-pools dst 

Answers

0

I don't know what the problem is, but here are a couple of things to consider:

+0

Your suggestions were good for me, especially the last one. I have already solved it [here](https://github.com/projectcalico/cni-plugin/issues/314), though. – JasonW

2

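The problem was found with calicoctl node status. calico/node was using the public IPs to communicate with each other, but the nodes in AliCloud are behind a firewall, so they cannot do that via the public IP addresses.

As gunjan5 suggested, I used the env var IP_AUTODETECTION_METHOD to specify the internal interface. Problem solved.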

+0

Are you using a VPC? – Alan
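
A check for the failure described in the answer above, as an added example that is not part of the original posts: it parses `calicoctl node status` output and flags BGP peers that are addressed by a public IP or whose session is not established. The sample tables are constructed (modelled on that command's table layout) from the worker's eth1 and eth0 addresses in the question, and the function names are hypothetical.

```python
import ipaddress

# Constructed samples modelled on the table that `calicoctl node status` prints.
# 47.93.161.177 and 10.30.248.80 are the worker's eth1 and eth0 addresses from
# the question; the states and timestamps are made up for illustration.
STATUS_BEFORE = """\
Calico process is running.

IPv4 BGP status
+---------------+-------------------+-------+----------+---------+
| PEER ADDRESS  |     PEER TYPE     | STATE |  SINCE   |  INFO   |
+---------------+-------------------+-------+----------+---------+
| 47.93.161.177 | node-to-node mesh | start | 08:12:01 | Connect |
+---------------+-------------------+-------+----------+---------+
"""

STATUS_AFTER = """\
Calico process is running.

IPv4 BGP status
+--------------+-------------------+-------+----------+-------------+
| PEER ADDRESS |     PEER TYPE     | STATE |  SINCE   |    INFO     |
+--------------+-------------------+-------+----------+-------------+
| 10.30.248.80 | node-to-node mesh | up    | 08:40:17 | Established |
+--------------+-------------------+-------+----------+-------------+
"""


def parse_peers(status_text):
    """Return one dict per BGP peer row found in the status table."""
    peers = []
    for line in status_text.splitlines():
        if not line.startswith("|"):
            continue  # borders, headings and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5:
            continue
        try:
            address = ipaddress.ip_address(cells[0])
        except ValueError:
            continue  # the column header row
        peers.append({"address": address, "state": cells[2], "info": cells[4]})
    return peers


def audit_peers(status_text):
    """Flag peers reached over a public IP or without an established session."""
    findings = []
    for peer in parse_peers(status_text):
        addr = str(peer["address"])
        if not peer["address"].is_private:
            # BGP (TCP 179) would have to cross the cloud provider's firewall.
            findings.append((addr, "public-peer"))
        if peer["state"] != "up" or peer["info"] != "Established":
            findings.append((addr, "not-established"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", STATUS_BEFORE), ("after", STATUS_AFTER)):
        print(label, audit_peers(text) or "ok")
```

Once IP_AUTODETECTION_METHOD makes calico/node pick the internal interface, the peer address becomes the node's private address and the audit returns no findings.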