Comments (6)
curl -vs https://18.157.186.193:6443/cacerts on agent exposes the following problem:
This is not a problem, the cluster does use its own self-signed root CA.
May 21 17:44:03 ip-172-31-46-96 k3s[589]: time="2024-05-21T17:44:03Z" level=error msg="failed to get CA certs: Get \"https://127.0.0.1:6444/cacerts\": context deadline exceeded (Client.Timeout exceeded while awaiting headers)"
Check the logs prior to this - I suspect that you have not set --node-external-ip properly on the server, and the agent load-balancer is trying to connect to the server's internal IP, which the agent cannot connect to because they are not on the same private network.
from k3s.
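Why a self-signed root CA at /cacerts is expected rather than a defect: the k3s join token pins that CA, so an agent can detect a server presenting a different one. The following is an added example, not code from the k3s project or from anyone in this thread. It assumes the secure token format described in the k3s token documentation, `K10<sha256 hex of the CA bundle served at /cacerts>::<username>:<password>`; the PEM bytes in the usage are constructed.

```python
"""Check that a k3s join token pins the CA bundle served at /cacerts.

Added example; not code from the k3s project or from anyone in the thread.
Assumption (from the k3s token documentation): a secure token has the form
    K10<sha256 hex of the CA bundle returned by /cacerts>::<username>:<password>
and the agent rejects a server whose /cacerts does not hash to that value.
"""
import hashlib
import re
import ssl
import sys
import urllib.request

TOKEN_RE = re.compile(r"^K10([0-9a-f]{64})::([^:]+):(.+)$")


def ca_hash(cacerts: bytes) -> str:
    """SHA-256 of the raw PEM bundle, hex-encoded, as embedded in K10 tokens (assumed format)."""
    return hashlib.sha256(cacerts).hexdigest()


def token_ca_hash(token: str):
    """Return the CA hash pinned in a K10 token, or None if the token is a bare shared secret."""
    m = TOKEN_RE.match(token.strip())
    return m.group(1) if m else None


def token_matches_ca(cacerts: bytes, token: str) -> bool:
    """True when the served CA bundle hashes to the value pinned in the token."""
    pinned = token_ca_hash(token)
    if pinned is None:
        raise ValueError("token carries no CA pin (not K10 format)")
    return pinned == ca_hash(cacerts)


def fetch_cacerts(server_url: str) -> bytes:
    """Fetch /cacerts without verifying TLS: the hash comparison, not the TLS
    handshake, is what authenticates the server in this check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(f"{server_url}/cacerts", context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # usage: python3 k3s_ca_pin.py https://<MASTER_IP>:6443 "$K3S_TOKEN"
    pem = fetch_cacerts(sys.argv[1])
    ok = token_matches_ca(pem, sys.argv[2])
    print("CA bundle matches token pin" if ok else "MISMATCH: server CA does not match token pin")
    sys.exit(0 if ok else 1)
```

Run it from the agent against the server URL and the node-token; a mismatch means the agent is talking to something other than the server that issued the token (a wrong host, or an interposed TLS endpoint).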
The security groups are open on ingress for port 6443, 6444, and 443.
Also, this is not sufficient for a functional cluster, see https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes
Are you referring to the Flannel ports and the kubelet metrics (port 10250) or more? When I read this, I got the impression that the other ports are only optional. TCP ports 5001 and 6443 are needed by Spegel, TCP 2379-2380 for HA, and UDP ports 8472, 51820 and 51821 are needed by Flannel.
443 and 6444 are not needed. The ports required for CNI traffic depend on which flannel backend you're using; if you don't open those then pods and services hosted on different nodes will not be able to communicate.
Thank you very much! I could now connect the agent with the server using the following commands and the mentioned ports.
# K3s Server
export MASTER_IP=<PUBLIC_IP>
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--node-external-ip $MASTER_IP" sh -s -
sudo cat /var/lib/rancher/k3s/server/node-token
and using the above TOKEN and MASTER_IP from server in the agent node:
# K3s Agent
export K3S_URL=https://<MASTER_IP>:6443
export K3S_TOKEN=<TOKEN>
curl -sfL https://get.k3s.io | K3S_URL=$K3S_URL K3S_TOKEN=$K3S_TOKEN sh -
The only problem I now have is that I can't connect to the Internet from within the pods. It looks like a problem caused by CoreDNS or Flannel as described in issue 5349, but it does not look like a problem with the outbound IP range of the AWS security group (I opened "All Traffic" and "All TCP" ports from 0 - 65535).
I've checked the following:
ping 8.8.8.8
  works
ping google.com:80
  does not work (bad address)
ping google.com:443
  does not work (bad address)
curl google.com
or
wget https://google.com
  do not work either (Could not resolve host)
But using the above commands in kubectl run -i -t busybox --image=osexp2000/ubuntu-with-utils --overrides='{"kind":"Pod", "apiVersion":"v1", "spec": {"hostNetwork": true}}' --command -- sh -
  works
And the potential firewalls are disabled:
$ sudo systemctl status firewalld
Unit firewalld.service could not be found.
$ sudo ufw status
Status: inactive
Should I open a new issue or do you see some easy solution?
As I mentioned above, you've not opened the CNI ports. Also, the default flannel backend (vxlan) is not suitable for use over the internet; it is insecure and does not tolerate NAT well. I suspect that the vxlan CNI traffic between pods and the coredns service is being dropped, which is why your DNS lookups fail. See the docs at https://docs.k3s.io/networking/distributed-multicloud
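The port discussion in this thread, turned into something you can feed to AWS, as an added example (not code from k3s or from anyone in the thread). It generates a least-privilege inbound rule set per node role and flannel backend, scoped to the node CIDRs or the nodes' own security group instead of the "All Traffic" rule used above, and flags the two problems the maintainer points out: rules open to 0.0.0.0/0, and VXLAN carried between public addresses. Ports are the ones from https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes; the JSON shape is assumed to be the `--ip-permissions` input of `aws ec2 authorize-security-group-ingress`; the CIDRs and security-group ID in the usage are constructed (the 18.157.186.193 address is the one from the thread).

```python
"""Least-privilege AWS security-group ingress rules for k3s nodes.

Added example; not code from the k3s project or from anyone in the thread.
Ports: https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes
Assumption: output is the --ip-permissions JSON accepted by
`aws ec2 authorize-security-group-ingress`.
"""
import ipaddress
import json
import sys

# (protocol, from_port, to_port, who_listens, description)
# who_listens: "server" = open only on server nodes, "all" = open on every node.
BASE = [
    ("tcp", 6443, 6443, "server", "k3s supervisor and Kubernetes API (agents -> servers)"),
    ("tcp", 10250, 10250, "all", "kubelet metrics (all nodes)"),
]
BACKEND = {
    "vxlan": [("udp", 8472, 8472, "all", "Flannel VXLAN (unencrypted)")],
    "wireguard-native": [
        ("udp", 51820, 51820, "all", "Flannel WireGuard IPv4"),
        ("udp", 51821, 51821, "all", "Flannel WireGuard IPv6"),
    ],
    "host-gw": [],  # plain routing on a shared L2 segment, no encapsulation port
}
HA = [("tcp", 2379, 2380, "server", "embedded etcd, HA servers only")]
SPEGEL = [
    ("tcp", 5001, 5001, "all", "embedded distributed registry (Spegel)"),
    ("tcp", 6443, 6443, "all", "embedded distributed registry (Spegel)"),
]


def k3s_ingress_rules(backend, sources, role="server", ha=False, spegel=False, ipv6=False):
    """Build IpPermissions for one node role.

    sources: node CIDRs ("172.31.0.0/16") and/or security-group IDs ("sg-...").
    Referencing the nodes' own security group is the tightest option; 0.0.0.0/0
    exposes every listed port to the Internet.
    """
    if backend not in BACKEND:
        raise ValueError(f"unsupported flannel backend {backend!r}")
    if role not in ("server", "agent"):
        raise ValueError(f"role must be 'server' or 'agent', got {role!r}")
    wanted = BASE + BACKEND[backend] + (HA if ha else []) + (SPEGEL if spegel else [])
    perms, seen = [], set()
    for proto, lo, hi, who, desc in wanted:
        if who == "server" and role != "server":
            continue
        if (proto, lo) == ("udp", 51821) and not ipv6:
            continue
        if (proto, lo, hi) in seen:
            continue  # 6443 is listed for both the supervisor and Spegel
        seen.add((proto, lo, hi))
        perm = {"IpProtocol": proto, "FromPort": lo, "ToPort": hi}
        for src in sources:
            if src.startswith("sg-"):
                perm.setdefault("UserIdGroupPairs", []).append({"GroupId": src, "Description": desc})
                continue
            net = ipaddress.ip_network(src)  # raises on a malformed CIDR
            if net.version == 4:
                perm.setdefault("IpRanges", []).append({"CidrIp": str(net), "Description": desc})
            else:
                perm.setdefault("Ipv6Ranges", []).append({"CidrIpv6": str(net), "Description": desc})
        perms.append(perm)
    return perms


def exposure_warnings(backend, sources):
    """Flag world-open rules, and VXLAN between public addresses (unencrypted,
    and it does not tolerate NAT well)."""
    out = []
    for src in sources:
        if src.startswith("sg-"):
            continue
        net = ipaddress.ip_network(src)
        if net.prefixlen == 0:
            out.append(f"{src}: open to the whole Internet; restrict to node CIDRs or the node security group")
        elif backend == "vxlan" and not net.is_private:
            out.append(f"{src}: VXLAN between public addresses is unencrypted; use wireguard-native")
    return out


if __name__ == "__main__":
    # Constructed inputs: the VPC range of the thread's server (172.31.x.x) plus the
    # public address from the thread. Write the JSON to rules.json, then:
    #   aws ec2 authorize-security-group-ingress --group-id sg-... --ip-permissions file://rules.json
    backend, sources = "vxlan", ["172.31.0.0/16", "18.157.186.193/32"]
    for w in exposure_warnings(backend, sources):
        print("WARNING:", w, file=sys.stderr)
    print(json.dumps(k3s_ingress_rules(backend, sources, role="server", ha=True), indent=2))
```

Run it once per node role and attach the resulting rules to the server and agent security groups; passing the node security group's own ID as a source keeps CNI traffic between nodes without opening the ports to any external address.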