Network situation when combining kuryr-kubernetes and virtual-kubelet
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
kuryr-kubernetes | New | Undecided | Unassigned |
Bug Description
I'm trying to deploy a model consisting of VK (virtual-kubelet) and the Kubernetes kubelet running on the same network.
I am having a quite funny situation:
I have these networks:
```
[root@controller ~(kubernetes)]$ openstack network list
+------
| ID | Name | Subnets |
+------
| 01b93608-
| 050df0e8-
| 95e7931a-
| a154417c-
| a4322dbc-
| a47c405a-
+------
```
Well, a short description:
provider = external
subnet = 10.10.10.0/24 selfservice=
subnet =10.1.0.0/16 pod=internal network for kubernetes pod (normal kubernetes)
subnet= 10.2.0.0/16 service=internal network for kubernetes service (normal kubernetes)
These pod and service networks are set to dhcp=no (I installed kuryr-kubernetes and it works for normal pods).
But when I create a VK pod in that network, it is running but I can't ping that IP address, although I can still ping a normal pod's IP address.
Any advice?
Here are some examples:
```
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-deploymen
nginx-deploymen
```
When I curl these, it is normal:
```
[root@controller ~(kubernetes)]$ curl 192.168.122.123
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://
Commercial support is available at
<a href="http://
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@controller ~(kubernetes)]$ curl 10.1.3.140
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://
Commercial support is available at
<a href="http://
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
But when I use the selfservice network to create a VK pod:
```
root@k8s-master:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-deploymen
nginx-deploymen
[root@controller ~(kubernetes)]$ openstack capsule list
+------
| uuid | name | status | addresses |
+------
| b79348be-
+------
[root@controller ~(kubernetes)]$ curl 10.10.10.48
curl: (56) Recv failure: Connection reset by peer
[root@controller ~(kubernetes)]$ ping 10.10.10.48
PING 10.10.10.48 (10.10.10.48) 56(84) bytes of data.
64 bytes from 10.10.10.48: icmp_seq=1 ttl=63 time=11.8 ms
64 bytes from 10.10.10.48: icmp_seq=2 ttl=63 time=0.898 ms
64 bytes from 10.10.10.48: icmp_seq=3 ttl=63 time=1.19 ms
64 bytes from 10.10.10.48: icmp_seq=4 ttl=63 time=1.17 ms
```
I can only ping it.
But when it comes to the pod network:
```
root@k8s-master:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-deploymen
nginx-deploymen
[root@controller ~(kubernetes)]$ openstack capsule list
+------
| uuid | name | status | addresses |
+------
| 7bbe5e34-
+------
[root@controller ~(kubernetes)]$ ping 10.1.3.255
PING 10.1.3.255 (10.1.3.255) 56(84) bytes of data.
^C
--- 10.1.3.255 ping statistics ---
44 packets transmitted, 0 received, 100% packet loss, time 44030ms
```
I can't even ping it, but I can still curl the (worker) pod on the same network:
```
[root@controller ~(kubernetes)]$ curl 10.1.3.140
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://
Commercial support is available at
<a href="http://
<p><em>Thank you for using nginx.</em></p>
</body>
</html>
```
This seems related to the multinetwork and OpenStack security groups. A few questions:
- What driver are you using for pod isolation? Network Policies?
- Are all the networks connected to the same neutron router?
- Are the pods in the same namespace? Can you check that the SGs associated with the pod allow the traffic you need?
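
The security-group check asked for in the comment above can be worked through offline. The following is an added example, not part of the bug thread or of kuryr-kubernetes: it evaluates ingress rules, expressed with Neutron API field names, against a given flow. The rule set, the group id `sg-pods` and the source address `192.168.122.10` are constructed assumptions.

```python
import ipaddress

# Constructed sample rules using Neutron API field names; the rule set, the
# group id "sg-pods" and the source address below are hypothetical.
def rule(protocol=None, lo=None, hi=None, cidr=None, group=None, direction="ingress"):
    return {"direction": direction, "ethertype": "IPv4", "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi,
            "remote_ip_prefix": cidr, "remote_group_id": group}

SAMPLE_RULES = [
    rule("icmp", cidr="0.0.0.0/0"),             # ping from anywhere
    rule("tcp", 22, 22, cidr="10.10.10.0/24"),  # SSH from selfservice only
    rule(group="sg-pods"),                      # anything from members of sg-pods
    rule(direction="egress"),                   # egress never admits ingress
]

def ingress_allowed(rules, src_ip, protocol, port=None, src_groups=()):
    """Return the first rule admitting the flow, or None (default deny).

    Simplifications: protocols are names, not numbers; ICMP type/code
    (carried in port_range_min/max) is not evaluated.
    """
    src = ipaddress.ip_address(src_ip)
    ethertype = "IPv6" if src.version == 6 else "IPv4"
    for r in rules:
        if r["direction"] != "ingress" or r["ethertype"] != ethertype:
            continue
        if r["protocol"] not in (None, protocol):
            continue
        if r["remote_group_id"]:
            # Group rules match on the sender's SG membership, not its address.
            if r["remote_group_id"] not in src_groups:
                continue
        elif r["remote_ip_prefix"]:
            if src not in ipaddress.ip_network(r["remote_ip_prefix"]):
                continue
        lo, hi = r["port_range_min"], r["port_range_max"]
        if protocol in ("tcp", "udp") and lo is not None:
            if port is None or not lo <= port <= hi:
                continue
        return r
    return None

if __name__ == "__main__":
    for proto, port in (("icmp", None), ("tcp", 80)):
        hit = ingress_allowed(SAMPLE_RULES, "192.168.122.10", proto, port)
        print(proto, port, "ALLOWED" if hit else "DENIED (no matching rule)")
```

With this sample rule set, ICMP from the hypothetical source is admitted while TCP/80 is not, unless the sender's own port belongs to `sg-pods`; the real rules on each pod or capsule port have to be substituted to draw any conclusion about the deployment in this report.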