Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Container in GKE can't ping compute instance on the same network

Tags:

google-cloud-platform

kubernetes

google-kubernetes-engine

I have created a new cluster in GKE with version 1.10.5-gke.0. I see that my applications cannot reach IPs in the same network, basically instances running on compute.

I have ssh'd to one of the Kubernetes nodes, and by using the toolbox included i can ping those IP addresses, but I can't if I try from a container running on this cluster.

I saw that since 1.10 google disables access scopes for compute & storage, and even if I enable those scopes I still get the same.

I find it a bit puzzling, as this used to work for all other clusters in the past without any extra config needed

Am I missing something here?

like image 501
Apostolos Samatas Avatar asked Jul 09 '18 13:07

Apostolos Samatas

People also ask

Can two pods have same IP?

Each Pod has a single IP address assigned from the Pod CIDR range of its node. This IP address is shared by all containers running within the Pod, and connects them to other Pods running in the cluster. Each Service has an IP address, called the ClusterIP, assigned from the cluster's VPC network.

What is master authorized networks in Gke?

--create-subnetwork name=my-subnet-1 causes GKE to automatically create a subnet named my-subnet-1 . --enable-master-authorized-networks specifies that access to the public endpoint is restricted to IP address ranges that you authorize.

What condition must be set to TRUE to allow the pod to utilize the network of the host?

node_selector - (Optional) NodeSelector is a selector which must be true for the pod to fit on a node. Selector which must match a node's labels for the pod to be scheduled on that node.

2 Answers

An easy way of doing fixing this is using the Google Cloud Console.

Go to

Navigation Menu -> VPC network -> Firewall rules

.

Normally when a cluster is created, a number of rules are created automatically with certain prefixes and suffixes. Look in the table of rules with a gke- prefix and an -all suffix e.g. gke-[my_cluster_name]-all. You'll notice for this rule, it has the source ranges for your pods within the cluster and quite a few protocols (tcp, udp, imp, esp, etc.) allowed.

Select this rule and go to Edit. Under Targets, select the drop down and change to All instances in the network.

Alternatively, you can choose specified Specified target tags or Specified service account, inputing the correct values below, like your correct developer service account for the compute engine you're trying to reach.

You can also look here if you're Kubernetes is version 1.9.x and later for another alternative way. Troubleshooting

Hope all this helps.

like image 65
iAmcR Avatar answered Sep 21 '22 00:09

iAmcR

I also ran into this issue. I have mongo running on a VM on the default network, and couldn't reach it from inside pods after I recreated my kubernetes cluster on a new node that was also on the default network.

Adding this firewall rule fixed the issue:

NAME                                              NETWORK                DIRECTION  PRIORITY  SRC_RANGES                                                                                                                                                                                                                                   DEST_RANGES  ALLOW                         DENY  SRC_TAGS  SRC_SVC_ACCT  TARGET_TAGS                                        TARGET_SVC_ACCT
gke-seqr-cluster-dev-eb823c8e-all                 default                INGRESS    1000      10.48.0.0/24                                                                                                                                                                                                                                              tcp,udp,icmp,esp,ah,sctp

Here, the 10.48.0.0 subnet is based on the cbr0 network (looked up by ssh'ing into the kubernetes node and running ip address)

cbr0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1460 qdisc htb state UP group default qlen 1000
   ..
    inet 10.48.0.1/24 scope global cbr0
       valid_lft forever preferred_lft forever
   ..

Another way to get the 10.48.0.1 ip is to install and run traceroute inside a pod:

traceroute <ip of node you're trying to reach>
like image 27
user553965 Avatar answered Sep 18 '22 00:09

user553965
Sign in to Comment

Related questions

SSH into kubernetes nodes created through KOPS
k8s ramped deployment -- css from same pod
Enable Stackdriver Kubernetes Engine Monitoring with Terraform
kubectl: how to display pod logs without specyfing the pod name explicitly?
Kubernetes ingress websockets connection issue
Bazel - Build, Push, Deploy Docker Containers to Kubernetes within Monorepo
How do I change the storage class of existing persistent volumes?
Is there a way to force delete a crd with failing webhooks?
Kubernetes persistente volume: hostpath vs local and data persistence
Microk8s, MetalLB, ingress-nginx - How to route external traffic?
How to revoke client certificates in Kubernetes?
AWS EKS - Only 2 pod can be launched - Too many pods error
Kubernetes PullImageError using Docker Hub with a private image
How to ship logs from pods on Kubernetes running on top of GCP to elasticsearch/logstash?
Unable to properly connect to Redis in Kubernetes
Local files transfered to a Kubernentes Persistent Volume?
How to change the cluster.local default domain on kubernetes 1.9 deployed with kubeadm?
How to get access-logs from OpenShift router (HAProxy)?
Adding arrays as Kubernetes environment variables
Minikube never start - Error restarting cluster

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!