Kubernetes: nodePort not responding on all nodeIPs

Created on 28 Feb 2017  ·  1 Comment  ·  Source: kubernetes/kubernetes

Kubernetes version:
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.2", GitCommit:"08e099554f3c31f6e6f07b448ab3ed78d0520507", GitTreeState:"clean", BuildDate:"2017-01-12T04:57:25Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.3", GitCommit:"029c3a408176b55c30846f0faedf56aae5992e9b", GitTreeState:"clean", BuildDate:"2017-02-15T06:34:56Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

Docker version on master and minions:
$ docker -v
Docker version 1.13.1, build 092cba3

Environment:

  • Kernel (e.g. uname -a):
    Linux knode-master 4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
    kubeadm

  • Others:

What happened:
Using the kubeadm page, I installed a three-node cluster.

$ kc describe nodes | awk '/Addresses/ {print $2}' | awk -F',' '{print $3}' 
knode-0
knode-1
knode-master

Installed canal pod-network:

kubectl create -f https://raw.githubusercontent.com/tigera/canal/master/k8sinstall/kubeadm/canal.yaml

Nodes, services, and pods were healthy at this time, so I proceeded to the dashboard:

kubectl create -f https://rawgit.com/kubernetes/dashboard/master/src/deploy/kubernetes-dashboard.yaml

$ kubectl get -n kube-system services
NAME                   CLUSTER-IP       EXTERNAL-IP   PORT(S)         AGE
canal-etcd             10.96.232.136    <none>        6666/TCP        5m
kube-dns               10.96.0.10       <none>        53/UDP,53/TCP   13h
kubernetes-dashboard   10.110.163.186   <nodes>       80:31699/TCP    1m

What you expected to happen:
The nodePort section in the Services doc indicates nodePort should be visible on all nodeIPs.

In my case, not all nodeIPs are responding to requests on dashboard's nodePort 31699 and forwarding them to dashboard pod.
Only the node (or minion) hosting the pod seems to respond to the browser requests. The other nodes (or minions) do not respond.

How to reproduce it (as minimally and precisely as possible):

_From knode-1 (a minion):_

$ sudo docker ps -a | grep dashboard
79e23eff2c26        gcr.io/google_containers/kubernetes-dashboard-amd64:v1.5.1   "/dashboard --port..."   44 minutes ago      Up 43 minutes 

_curl access to the dashboard outside the cluster:_

Connection timed out to knode-0:31699

$ curl -m 2 -O http://knode-0:31699/#/workload?namespace=default
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0curl: (28) Connection timed out after 2003 milliseconds

Successfully downloaded from knode-1:31699

$ curl -m 2 -O http://knode-1:31699/#/workload?namespace=default
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   811  100   811    0     0  18097      0 --:--:-- --:--:-- --:--:-- 18431

*iptables*:

_From knode-1 (nodePort 31699 accessible):_

$ sudo iptables-save | grep dashboard
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31699 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31699 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SEP-4CN2KLL64AIMJOUC -s 192.168.92.6/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-4CN2KLL64AIMJOUC -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 192.168.92.6:9090
-A KUBE-SERVICES -d 10.110.163.186/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-4CN2KLL64AIMJOUC

_From knode-0 (nodePort 31699 inaccessible):_

$ sudo iptables-save | grep dashboard
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31699 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 31699 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SEP-4CN2KLL64AIMJOUC -s 192.168.92.6/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-4CN2KLL64AIMJOUC -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 192.168.92.6:9090
-A KUBE-SERVICES -d 10.110.163.186/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-4CN2KLL64AIMJOUC

Anything else we need to know:

The same behavior is reproducible on RHEL 7.3.

Most helpful comment

I encountered the same issue.
Running iptables -P FORWARD ACCEPT may fix your issue. But I'm not sure it's a bug when integrated with docker v1.13.1.
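
The `iptables-save | grep dashboard` output in the report is identical on both nodes, so it does not show the setting the comment above changes: the default policy of the filter table's FORWARD chain. As an added example (not from the issue or the Kubernetes project), this script reads that policy from a full `iptables-save` dump; the embedded dump is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The dump below is a constructed iptables-save excerpt, not
# output captured from the reporter's nodes.
sample_dump() {
cat <<'EOF'
*mangle
:FORWARD ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A KUBE-NODEPORTS -p tcp -m tcp --dport 31699 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -o docker0 -j DOCKER
COMMIT
EOF
}

# chain_policy TABLE CHAIN: default policy of a built-in chain, read from
# iptables-save text on stdin. FORWARD exists in both mangle and filter, so
# the current "*table" section has to be tracked.
chain_policy() {
  awk -v t="*$1" -v c=":$2" '/^\*/ { cur = $1 } cur == t && $1 == c { print $2 }'
}

# count_accepts TABLE CHAIN: rules appended directly to CHAIN that jump to
# ACCEPT. Heuristic: ACCEPTs inside chains that CHAIN jumps to are not counted.
count_accepts() {
  awk -v t="*$1" -v c="$2" '
    /^\*/ { cur = $1 }
    cur == t && $1 == "-A" && $2 == c && / -j ACCEPT( |$)/ { n++ }
    END { print n + 0 }'
}

# forward_diag: one-line summary of the filter table's FORWARD chain.
forward_diag() {
  dump=$(cat)
  policy=$(printf '%s\n' "$dump" | chain_policy filter FORWARD)
  accepts=$(printf '%s\n' "$dump" | count_accepts filter FORWARD)
  if [ "$policy" = "DROP" ] && [ "$accepts" -eq 0 ]; then
    verdict="default-drop"
  elif [ "$policy" = "DROP" ]; then
    verdict="drop-with-exceptions"
  else
    verdict="default-accept"
  fi
  echo "filter/FORWARD policy=$policy accept_rules=$accepts verdict=$verdict"
}

sample_dump | forward_diag
```

On a node, pipe `sudo iptables-save` into `forward_diag` instead of the sample. An ACCEPT rule scoped to the pod network is a narrower change than setting the whole chain's policy to ACCEPT.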
