I'm a newbie to Kubernetes. I followed the docs, using kubeadm to set up a 2-node Kubernetes cluster. Everything seems to work properly, but I found that Kubernetes pods can't access the external network.
It may be iptables related, or kube-proxy related?

My setup:
Kubernetes version: 1.5.1
Pod network: flannel vxlan

[root@ngxingress01 yw-fund-backend]# kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", BuildDate:"2016-12-14T00:52:01Z", GoVersion:"go1.7.4", Compiler:"gc", Platform:"linux/amd64"}

## Reproduce the issue

[root@ngxingress01 yw-fund-backend]# kubectl attach curl-2421989462-0xwqk -c curl -i -t
If you don't see a command prompt, try pressing enter.
[ root@curl-2421989462-0xwqk:/ ]$ ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114): 56 data bytes
^C
--- 114.114.114.114 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[ root@curl-2421989462-0xwqk:/ ]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

iptables on the host:

[root@ngxingress01 yw-fund-backend]# iptables-save
# Generated by iptables-save v1.4.21 on Thu Apr 20 14:41:23 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-3ABSBF2DOCMSOHT2 - [0:0]
:KUBE-SEP-5BYDP4LF2O2Q4ICD - [0:0]
:KUBE-SEP-6LCCMNIMB2MLAAZM - [0:0]
:KUBE-SEP-BST2NJ6KINXNHGWE - [0:0]
:KUBE-SEP-PHTJ7Y2L7MHNLFNC - [0:0]
:KUBE-SEP-PNFOKI7XE2XXBAST - [0:0]
:KUBE-SEP-YWXDLA4NC3XNJLSL - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-LG4B6Z4ULCMHWGTI - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-PK3XLNS3MIE4AIQZ - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.0/16 -j RETURN
-A POSTROUTING -s 172.16.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 172.16.0.0/16 -d 172.16.0.0/16 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m tcp --dport 30080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m tcp --dport 30080 -j KUBE-SVC-PK3XLNS3MIE4AIQZ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 30177 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp --dport 30177 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-3ABSBF2DOCMSOHT2 -s 10.24.0.4/32 -m comment --comment "default/svc-yw-fund-backend:" -j KUBE-MARK-MASQ
-A KUBE-SEP-3ABSBF2DOCMSOHT2 -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m tcp -j DNAT --to-destination 10.24.0.4:8080
-A KUBE-SEP-5BYDP4LF2O2Q4ICD -s 10.29.185.169/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-5BYDP4LF2O2Q4ICD -p tcp -m comment --comment "default/kubernetes:https" -m recent --set --name KUBE-SEP-5BYDP4LF2O2Q4ICD --mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 10.29.185.169:6443
-A KUBE-SEP-6LCCMNIMB2MLAAZM -s 120.55.128.6/32 -m comment --comment "default/external-mysql-yw:mysql" -j KUBE-MARK-MASQ
-A KUBE-SEP-6LCCMNIMB2MLAAZM -p tcp -m comment --comment "default/external-mysql-yw:mysql" -m tcp -j DNAT --to-destination 120.55.128.6:3306
-A KUBE-SEP-BST2NJ6KINXNHGWE -s 10.24.1.3/32 -m comment --comment "default/svc-yw-fund-backend:" -j KUBE-MARK-MASQ
-A KUBE-SEP-BST2NJ6KINXNHGWE -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m tcp -j DNAT --to-destination 10.24.1.3:8080
-A KUBE-SEP-PHTJ7Y2L7MHNLFNC -s 10.24.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-PHTJ7Y2L7MHNLFNC -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.24.0.3:53
-A KUBE-SEP-PNFOKI7XE2XXBAST -s 10.24.0.2/32 -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-PNFOKI7XE2XXBAST -p tcp -m comment --comment "kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 10.24.0.2:9090
-A KUBE-SEP-YWXDLA4NC3XNJLSL -s 10.24.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-YWXDLA4NC3XNJLSL -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.24.0.3:53
-A KUBE-SERVICES -d 10.107.182.61/32 -p tcp -m comment --comment "default/svc-yw-fund-backend: cluster IP" -m tcp --dport 8080 -j KUBE-SVC-PK3XLNS3MIE4AIQZ
-A KUBE-SERVICES -d 10.100.186.224/32 -p tcp -m comment --comment "default/external-mysql-yw:mysql cluster IP" -m tcp --dport 3306 -j KUBE-SVC-LG4B6Z4ULCMHWGTI
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.102.39.184/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-PHTJ7Y2L7MHNLFNC
-A KUBE-SVC-LG4B6Z4ULCMHWGTI -m comment --comment "default/external-mysql-yw:mysql" -j KUBE-SEP-6LCCMNIMB2MLAAZM
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m recent --rcheck --seconds 10800 --reap --name KUBE-SEP-5BYDP4LF2O2Q4ICD --mask 255.255.255.255 --rsource -j KUBE-SEP-5BYDP4LF2O2Q4ICD
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-5BYDP4LF2O2Q4ICD
-A KUBE-SVC-PK3XLNS3MIE4AIQZ -m comment --comment "default/svc-yw-fund-backend:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-3ABSBF2DOCMSOHT2
-A KUBE-SVC-PK3XLNS3MIE4AIQZ -m comment --comment "default/svc-yw-fund-backend:" -j KUBE-SEP-BST2NJ6KINXNHGWE
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-YWXDLA4NC3XNJLSL
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment "kube-system/kubernetes-dashboard:" -j KUBE-SEP-PNFOKI7XE2XXBAST
COMMIT
# Completed on Thu Apr 20 14:41:23 2017
# Generated by iptables-save v1.4.21 on Thu Apr 20 14:41:23 2017
*filter
:INPUT ACCEPT [113:79499]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108:84705]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
# Completed on Thu Apr 20 14:41:23 2017
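
Added example, not part of the original post: a Python check that walks the nat POSTROUTING rules from the dump above and reports the first terminal target hit for a given source and destination, such as pod address 10.24.0.4 (taken from the DNAT rules) pinging 8.8.8.8. It assumes only the `-s`/`-d` matches matter (interface matches such as `! -o docker0` are ignored) and that the packet carries no 0x4000 mark, so the KUBE-POSTROUTING jump is skipped; `parse_rule`, `matches` and `nat_decision` are names chosen for this illustration.

```python
import ipaddress
import shlex

# POSTROUTING rules copied from the nat table in the post above.
POSTROUTING = """\
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.0/16 -j RETURN
-A POSTROUTING -s 172.16.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 172.16.0.0/16 -d 172.16.0.0/16 -j MASQUERADE
"""

def parse_rule(line):
    """Extract the -s/-d matches (network, negated) and the -j target."""
    tokens = shlex.split(line)
    rule = {"src": None, "dst": None, "target": None}
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate = True            # applies to the next match option
        elif tok in ("-s", "-d"):
            key = "src" if tok == "-s" else "dst"
            rule[key] = (ipaddress.ip_network(tokens[i + 1]), negate)
            negate = False
            i += 1
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            i += 1
        else:
            negate = False           # option not modelled here (e.g. -o)
        i += 1
    return rule

def matches(match, addr):
    """True when addr satisfies an optional, possibly negated, CIDR match."""
    if match is None:
        return True
    net, negated = match
    return (addr in net) != negated

def nat_decision(src, dst, rules_text=POSTROUTING):
    """Return the first terminal target hit for src -> dst, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule["target"] not in ("MASQUERADE", "RETURN"):
            continue  # assumption: unmarked packet, KUBE-POSTROUTING is a no-op
        if matches(rule["src"], src) and matches(rule["dst"], dst):
            return rule["target"]
    return None

if __name__ == "__main__":
    print(nat_decision("10.24.0.4", "8.8.8.8"))
```

A `None` result means no rule in the chain rewrites the source address, so the packet leaves the node still carrying the pod IP.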