Question
I am using k8s 1.2 on Ubuntu 14.04.4.
Here is some info on my one k8s minion node:
# cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
# uname -a
Linux k8s-010 3.19.0-47-generic #53~14.04.1-Ubuntu SMP Mon Jan 18 16:09:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
You see, I upgraded the Linux kernel to 3.19.0-47.
Here are the kube-proxy logs on this node:
# cat /var/log/upstart/kube-proxy.log.1
I0429 17:55:11.397842 985 server.go:200] Using iptables Proxier.
I0429 17:55:11.397941 985 server.go:213] Tearing down userspace rules.
I0429 17:55:12.408962 985 conntrack.go:36] Setting nf_conntrack_max to 262144
I0429 17:55:12.409050 985 conntrack.go:41] Setting conntrack hashsize to 65536
I0429 17:55:12.409288 985 conntrack.go:46] Setting nf_conntrack_tcp_timeout_established to 86400
I have some ClusterIPs on my k8s:
$ kubectl --namespace=enlighten get svc
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
mongo 192.168.15.118 <none> 27017/TCP 1d
mysql 192.168.4.191 <none> 3306/TCP 23h
redis 192.168.193.134 <none> 6379/TCP 1d
I found that my pod in this cluster can access this ClusterIP. But if I try to access this ClusterIP from the node host directly, it fails.
I used iptables-save to dump the rules. Since there are a lot of rules, I filtered out the relevant ones:
# iptables-save |grep -e mysql -e 192.168.4.191 -e "-A KUBE-MARK-MASQ" -e KUBE-SEP-HLHD6IM4G76NUUUM
:KUBE-SEP-HLHD6IM4G76NUUUM - [0:0]
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SEP-HLHD6IM4G76NUUUM -s 172.17.45.2/32 -m comment --comment "enlighten/mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-HLHD6IM4G76NUUUM -p tcp -m comment --comment "enlighten/mysql:" -m tcp -j DNAT --to-destination 172.17.45.2:3306
-A KUBE-SERVICES -d 192.168.4.191/32 -p tcp -m comment --comment "enlighten/mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-FIZ3LEJD226YKZ4B
-A KUBE-SVC-FIZ3LEJD226YKZ4B -m comment --comment "enlighten/mysql:" -j KUBE-SEP-HLHD6IM4G76NUUUM
Is it WAD or an issue?
Answer 1:
The short answer is yes. kube-proxy generates iptables rules for each service so that it can be accessed from both hosts and pods.
When in doubt, execute iptables -t nat -n -v on a host where kube-proxy is running and search for the IP of the service. You can post the output here as a comment if you need help.
Answer 2:
If you just access the ClusterIP, it doesn't work; if you access ClusterIP:service_port, it's OK!
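The two answers above amount to one check: a packet only enters the service chains when the KUBE-SERVICES rule matches destination IP, protocol and port. The following Python is an added example, not code from any of the answers; it parses the iptables-save lines from the question (embedded here as a constructed sample) and walks KUBE-SERVICES -> KUBE-SVC -> KUBE-SEP to the DNAT endpoint, showing why a bare ClusterIP (no port) resolves to nothing.

```python
import re

# Constructed sample: the enlighten/mysql rules from the question, iptables-save format.
SAMPLE_RULES = """
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SEP-HLHD6IM4G76NUUUM -s 172.17.45.2/32 -m comment --comment "enlighten/mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-HLHD6IM4G76NUUUM -p tcp -m comment --comment "enlighten/mysql:" -m tcp -j DNAT --to-destination 172.17.45.2:3306
-A KUBE-SERVICES -d 192.168.4.191/32 -p tcp -m comment --comment "enlighten/mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-FIZ3LEJD226YKZ4B
-A KUBE-SVC-FIZ3LEJD226YKZ4B -m comment --comment "enlighten/mysql:" -j KUBE-SEP-HLHD6IM4G76NUUUM
"""

def parse_rules(text):
    """Group '-A <chain> <rule>' lines by chain name, preserving order."""
    chains = {}
    for line in text.splitlines():
        m = re.match(r"-A (\S+) (.*)", line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains

def _jump_target(rule):
    m = re.search(r"-j (\S+)", rule)
    return m.group(1) if m else None

def _walk(chains, chain, endpoints):
    """Follow jumps into KUBE-* chains until a DNAT target is reached."""
    for rule in chains.get(chain, []):
        target = _jump_target(rule)
        if target == "DNAT":
            endpoints.append(re.search(r"--to-destination (\S+)", rule).group(1))
        elif target and target.startswith("KUBE-"):
            _walk(chains, target, endpoints)

def resolve_service(chains, dst_ip, proto, dport):
    """Endpoints a packet to dst_ip/proto/dport is DNATed to; dport=None means
    the packet carries no L4 port (e.g. ICMP ping), so any --dport rule cannot match."""
    endpoints = []
    for rule in chains.get("KUBE-SERVICES", []):
        if f"-d {dst_ip}/32" not in rule or f"-p {proto}" not in rule:
            continue
        m = re.search(r"--dport (\d+)", rule)
        if m and (dport is None or int(m.group(1)) != dport):
            continue  # service rule is port-specific and the packet does not match it
        _walk(chains, _jump_target(rule), endpoints)
    return endpoints

if __name__ == "__main__":
    chains = parse_rules(SAMPLE_RULES)
    print(resolve_service(chains, "192.168.4.191", "tcp", 3306))  # ['172.17.45.2:3306']
    print(resolve_service(chains, "192.168.4.191", "icmp", None))  # []
```

Run it against a real dump with parse_rules(open("iptables-save.txt").read()) to see which ClusterIP:port pairs actually have a DNAT path on the node.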
Answer 3:
This is expected behavior. The network inside the cluster is isolated from the outside. To get access to a service inside a cluster there are several ways, which need additional settings on your side. The ways include load balancer, external IP and node port; these are all set on the service side. Please refer to the Service part of the Kubernetes official docs for more details.
This is the link for the content I referred to: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
Update: an easy workaround: kubectl port-forward service/yourservice localPort:servicePort
if you want access from a node (master node).
Source: https://stackoverflow.com/questions/37017973/can-i-access-k8s-clusterip-from-k8s-node-directly