我有2个EKS群集,分别在2个不同的AWS帐户中,并且我可能假定使用不同的防火墙(我无权访问).第一个(Dev)没问题,但是,使用相同的配置,UAT群集Pod正在努力解析DNS.节点可以解决,似乎还可以.
I have 2 EKS clusters, in 2 different AWS accounts and with, I might assume, different firewalls (which I don't have access to). The first one (Dev) is all right, however, with the same configuration, UAT cluster pods is struggling to resolve DNS. The Nodes can resolve and seems to be all right.
1)ping 8.8.8.8有效
1) ping 8.8.8.8 works
--- 8.8.8.8 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3003ms2)我可以ping google(和其他)的IP,但不能ping实际的dns名称.
2) I can ping the IP of google (and others), but not the actual dns names.
我们的配置:
我不确定问题是否出在某处的防火墙,coredns,需要更新的配置或愚蠢的错误".任何帮助将不胜感激.
I am unsure if the problem is a firewall somewhere, coredns, my configuration that needs to be updated or an "stupid mistake". Any help would be appreciated.
推荐答案经过几天的调试,这是问题所在: 我已经允许节点之间的所有通信,但是all traffic是TCP,而不是UDP.
After days of debugging, here is what was the problem : I had allowed all traffic between the nodes but that all traffic is TCP, not UDP.
这基本上是AWS中的一行: 在辅助节点SG中,向/从辅助节点端口53协议DNS(UDP)添加入站规则.
It was basically a one line in AWS: In worker nodes SG, add an inbound rule from/to worker nodes port 53 protocol DNS (UDP).
如果使用terraform,它应该看起来像这样:
If you use terraform, it should look like that:
resource "aws_security_group_rule" "eks-node-ingress-cluster-dns" { description = "Allow pods DNS" from_port = 53 protocol = 17 security_group_id = "${aws_security_group.SG-eks-WorkerNodes.id}" source_security_group_id = "${aws_security_group.SG-eks-WorkerNodes.id}" to_port = 53 type = "ingress" }更多推荐
EKS中的Pod:无法解析DNS(但可以ping IP)
发布评论