Traefik Ingress在从另一台主机连接时超时，在localhost上工作正常

Question

我正在尝试让Kubernetes集群在单个Redhat 7.7服务器上运行。

我之前已经成功地让它在Centos 7和AWS上的Redhat 7.7 AMI上工作。

Traefik HTTP Ingress Controller显示并正在运行，但是traefik- timed nodePort - http -service的所有http请求都超时。

kubectl get services | grep traefik的输出

​

​

一开始我认为Ingress本身有问题，但如果你尝试从服务器内部卷曲，它工作得很好。

为了避免某种防火墙问题，我在我的一些服务中添加了一个nodePort，它们可以很好地访问。

每当我在服务器内部使用curl时，来自traefik-ingress controller pod的日志上都会出现一条调试消息：

level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request"

对于超时的请求，没有调试消息。

在使用netstat -anp之后，我注意到kube-proxy拥有我尝试使用的端口，所以我还查看了kube-proxy pod的日志，并与我成功安装时的日志进行了比较，唯一的区别是这一行，它只显示在失败的服务器安装上：

node.go:135]成功检索到节点IP: 192.168.215.172

暂时我做了一个端口转发，它工作得很好：

nohup kubectl port-forward --address 0.0.0.0 svc/traefik-ingress-controller-http-service 30225:443 -n traefik &

我的版本是：

Kubernetes: 1.17.3 Traefik: 1.7

Traefik配置：

apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-ingress-configmap
  namespace: traefik
data:
  traefik.toml: |
    defaultEntryPoints = ["https","http"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
    [kubernetes]
      [kubernetes.ingressEndpoint]
        publishedService = "traefik/traefik-ingress-controller-http-service"
    [ping]
    entryPoint = "http"

服务：

---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-controller-http-service
  namespace: traefik
  annotations: {}
spec:
  selector:
    k8s-app: traefik-ingress-controller
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
    nodePort: 30220
  type: NodePort

Traefik部署：

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: traefik
  labels:
    k8s-app: traefik-ingress-controller
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-controller
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-controller
        name: traefik-ingress-controller
    spec:
      serviceAccountName: traefik-ingress-serviceaccount
      terminationGracePeriodSeconds: 35
      volumes:
        - name: traefik-ui-tls-cert
          secret:
            secretName: traefik-ui-tls-cert
        - name: traefik-ingress-configmap
          configMap:
            name: traefik-ingress-configmap
      containers:
      - image: traefik:v1.7
        name: traefik-ingress-controller
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 200m
            memory: 384Mi
          requests:
            cpu: 25m
            memory: 128Mi
        livenessProbe:
          failureThreshold: 2
          httpGet:
            path: /ping
            port: 80
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 5
        readinessProbe:
          failureThreshold: 2
          httpGet:
            path: /ping
            port: 80
            scheme: HTTP
          periodSeconds: 5
        volumeMounts:
          - mountPath: "/ssl"
            name: "traefik-ui-tls-cert"
          - mountPath: "/config"
            name: "traefik-ingress-configmap"
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: dashboard
          containerPort: 8080
        args:
        - --logLevel=DEBUG
        - --configfile=/config/traefik.toml
        - --insecureskipverify

欢迎任何想法:)

Answer 1

我开始跟踪所有相关网络接口上的tcp包，我意识到traefik服务的集群IP无法回复SYN初始包。

在这种情况下，我必须将externalTrafficPolicy设置为本地，以允许Traefik HTTP Ingress Controller Pod使用实际的客户端IP来应答，而不是使用掩码的NAT IP /端口。

---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-controller-http-service
  namespace: traefik
  annotations: {}
spec:
  selector:
    k8s-app: traefik-ingress-controller
  ports:
  - protocol: TCP
    port: 80
    name: http
  - protocol: TCP
    port: 443
    name: https
    nodePort: 30220
  type: NodePort
  externalTrafficPolicy: Local