I'm new to Kubernetes. I followed the docs and used kubeadm to set up a 2-node
Kubernetes cluster. Everything seems to work properly,
but I found that Kubernetes pods can't access the external network.


It may be iptables-related, or perhaps kube-proxy-related?

My setup:
kubernetes version: 1.5.1
pod network: flannel vxlan


[root@ngxingress01 yw-fund-backend]# kubectl version
Client Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", 
GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", 
BuildDate:"2016-12-14T00:57:05Z", GoVersion:"go1.7.4", Compiler:"gc", 
Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"5", GitVersion:"v1.5.1", 
GitCommit:"82450d03cb057bab0950214ef122b67c83fb11df", GitTreeState:"clean", 
BuildDate:"2016-12-14T00:52:01Z", GoVersion:"go1.7.4", Compiler:"gc", 
Platform:"linux/amd64"}

## Reproduce the issue
[root@ngxingress01 yw-fund-backend]# kubectl attach curl-2421989462-0xwqk -c curl -i -t
If you don't see a command prompt, try pressing enter.
[ root@curl-2421989462-0xwqk:/ ]$ ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114): 56 data bytes
^C
--- 114.114.114.114 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
[ root@curl-2421989462-0xwqk:/ ]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

iptables on the host
[root@ngxingress01 yw-fund-backend]# iptables-save 
# Generated by iptables-save v1.4.21 on Thu Apr 20 14:41:23 2017
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-3ABSBF2DOCMSOHT2 - [0:0]
:KUBE-SEP-5BYDP4LF2O2Q4ICD - [0:0]
:KUBE-SEP-6LCCMNIMB2MLAAZM - [0:0]
:KUBE-SEP-BST2NJ6KINXNHGWE - [0:0]
:KUBE-SEP-PHTJ7Y2L7MHNLFNC - [0:0]
:KUBE-SEP-PNFOKI7XE2XXBAST - [0:0]
:KUBE-SEP-YWXDLA4NC3XNJLSL - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-LG4B6Z4ULCMHWGTI - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-PK3XLNS3MIE4AIQZ - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:KUBE-SVC-XGLOHA7QRQ3V22RZ - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j 
KUBE-POSTROUTING
-A POSTROUTING -s 192.168.0.0/20 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/16 -d 172.16.0.0/16 -j RETURN
-A POSTROUTING -s 172.16.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 172.16.0.0/16 -d 172.16.0.0/16 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m 
tcp --dport 30080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-yw-fund-backend:" -m 
tcp --dport 30080 -j KUBE-SVC-PK3XLNS3MIE4AIQZ
-A KUBE-NODEPORTS -p tcp -m comment --comment 
"kube-system/kubernetes-dashboard:" -m tcp --dport 30177 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment 
"kube-system/kubernetes-dashboard:" -m tcp --dport 30177 -j 
KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring 
SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-3ABSBF2DOCMSOHT2 -s 10.24.0.4/32 -m comment --comment 
"default/svc-yw-fund-backend:" -j KUBE-MARK-MASQ
-A KUBE-SEP-3ABSBF2DOCMSOHT2 -p tcp -m comment --comment 
"default/svc-yw-fund-backend:" -m tcp -j DNAT --to-destination 10.24.0.4:8080
-A KUBE-SEP-5BYDP4LF2O2Q4ICD -s 10.29.185.169/32 -m comment --comment 
"default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-5BYDP4LF2O2Q4ICD -p tcp -m comment --comment 
"default/kubernetes:https" -m recent --set --name KUBE-SEP-5BYDP4LF2O2Q4ICD 
--mask 255.255.255.255 --rsource -m tcp -j DNAT --to-destination 
10.29.185.169:6443
-A KUBE-SEP-6LCCMNIMB2MLAAZM -s 120.55.128.6/32 -m comment --comment 
"default/external-mysql-yw:mysql" -j KUBE-MARK-MASQ
-A KUBE-SEP-6LCCMNIMB2MLAAZM -p tcp -m comment --comment 
"default/external-mysql-yw:mysql" -m tcp -j DNAT --to-destination 
120.55.128.6:3306
-A KUBE-SEP-BST2NJ6KINXNHGWE -s 10.24.1.3/32 -m comment --comment 
"default/svc-yw-fund-backend:" -j KUBE-MARK-MASQ
-A KUBE-SEP-BST2NJ6KINXNHGWE -p tcp -m comment --comment 
"default/svc-yw-fund-backend:" -m tcp -j DNAT --to-destination 10.24.1.3:8080
-A KUBE-SEP-PHTJ7Y2L7MHNLFNC -s 10.24.0.3/32 -m comment --comment 
"kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-PHTJ7Y2L7MHNLFNC -p tcp -m comment --comment 
"kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.24.0.3:53
-A KUBE-SEP-PNFOKI7XE2XXBAST -s 10.24.0.2/32 -m comment --comment 
"kube-system/kubernetes-dashboard:" -j KUBE-MARK-MASQ
-A KUBE-SEP-PNFOKI7XE2XXBAST -p tcp -m comment --comment 
"kube-system/kubernetes-dashboard:" -m tcp -j DNAT --to-destination 
10.24.0.2:9090
-A KUBE-SEP-YWXDLA4NC3XNJLSL -s 10.24.0.3/32 -m comment --comment 
"kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-YWXDLA4NC3XNJLSL -p udp -m comment --comment 
"kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.24.0.3:53
-A KUBE-SERVICES -d 10.107.182.61/32 -p tcp -m comment --comment 
"default/svc-yw-fund-backend: cluster IP" -m tcp --dport 8080 -j 
KUBE-SVC-PK3XLNS3MIE4AIQZ
-A KUBE-SERVICES -d 10.100.186.224/32 -p tcp -m comment --comment 
"default/external-mysql-yw:mysql cluster IP" -m tcp --dport 3306 -j 
KUBE-SVC-LG4B6Z4ULCMHWGTI
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment 
"kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j 
KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment 
"kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j 
KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.102.39.184/32 -p tcp -m comment --comment 
"kube-system/kubernetes-dashboard: cluster IP" -m tcp --dport 80 -j 
KUBE-SVC-XGLOHA7QRQ3V22RZ
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment 
"default/kubernetes:https cluster IP" -m tcp --dport 443 -j 
KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this 
must be the last rule in this chain" -m addrtype --dst-type LOCAL -j 
KUBE-NODEPORTS
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment 
"kube-system/kube-dns:dns-tcp" -j KUBE-SEP-PHTJ7Y2L7MHNLFNC
-A KUBE-SVC-LG4B6Z4ULCMHWGTI -m comment --comment 
"default/external-mysql-yw:mysql" -j KUBE-SEP-6LCCMNIMB2MLAAZM
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -m 
recent --rcheck --seconds 10800 --reap --name KUBE-SEP-5BYDP4LF2O2Q4ICD --mask 
255.255.255.255 --rsource -j KUBE-SEP-5BYDP4LF2O2Q4ICD
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j 
KUBE-SEP-5BYDP4LF2O2Q4ICD
-A KUBE-SVC-PK3XLNS3MIE4AIQZ -m comment --comment 
"default/svc-yw-fund-backend:" -m statistic --mode random --probability 
0.50000000000 -j KUBE-SEP-3ABSBF2DOCMSOHT2
-A KUBE-SVC-PK3XLNS3MIE4AIQZ -m comment --comment 
"default/svc-yw-fund-backend:" -j KUBE-SEP-BST2NJ6KINXNHGWE
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j 
KUBE-SEP-YWXDLA4NC3XNJLSL
-A KUBE-SVC-XGLOHA7QRQ3V22RZ -m comment --comment 
"kube-system/kubernetes-dashboard:" -j KUBE-SEP-PNFOKI7XE2XXBAST
COMMIT
# Completed on Thu Apr 20 14:41:23 2017
# Generated by iptables-save v1.4.21 on Thu Apr 20 14:41:23 2017
*filter
:INPUT ACCEPT [113:79499]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108:84705]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -j KUBE-FIREWALL
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A DOCKER-ISOLATION -j RETURN
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked 
packets" -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
# Completed on Thu Apr 20 14:41:23 2017
