环境信息
部署方式Docker + KindK8s 版本v1.27.3CNIFlannel IPsec 模式节点网络172.18.0.0/16(Docker bridge)问题现象
同节点 Pod 通信正常,跨节点 Pod 通信卡住超时:- # 同节点访问正常docker exec flannel-ipsec-control-plane curl -s 10.244.0.4PodName: Pod-1 | PodIP: eth0 10.244.0.4/24# 跨节点访问卡住docker exec flannel-ipsec-control-plane curl -s 10.244.1.7# 无响应...
- docker exec flannel-ipsec-control-plane ip xfrm state# 空
查看 Flannel 日志
control-plane 节点:- kubectl logs -n kube-system kube-flannel-ds-cd8rf06[CFG] loaded IKE shared key for: '172.18.0.3'13[CFG] loaded IKE shared key for: '172.18.0.2'07[NET] received packet: from 172.18.0.1[500] to 172.18.0.3[500] (720 bytes)07[IKE] no IKE config found for 172.18.0.3...172.18.0.1, sending NO_PROPOSAL_CHOSEN
- kubectl logs -n kube-system kube-flannel-ds-gk7pl11[NET] sending packet: from 172.18.0.2[500] to 172.18.0.3[500] (720 bytes)04[NET] received packet: from 172.18.0.1[500] to 172.18.0.2[500] (720 bytes)04[IKE] no IKE config found for 172.18.0.2...172.18.0.1, sending NO_PROPOSAL_CHOSEN
IKE 包经过 Docker bridge 时,源 IP 被 SNAT 成了网关地址。
预期源 IP实际源 IP172.18.0.2 (worker)172.18.0.1 (网关)172.18.0.3 (control-plane)172.18.0.1 (网关)检查 iptables NAT 规则
- iptables -t nat -L POSTROUTING -n -vChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 706 42360 MASQUERADE 0 -- * !br-822761cba2a3 172.18.0.0/16 0.0.0.0/0 269 19012 MASQUERADE 0 -- * !br-64b0f4dac739 172.18.0.0/16 0.0.0.0/0
但问题是:K8s 部署时需要开启 bridge-nf-call-iptables = 1,导致网桥转发流量也会经过 iptables,触发了 MASQUERADE。- cat /proc/sys/net/bridge/bridge-nf-call-iptables# 1
flowchart TB subgraph s1 ["bridge-nf-call-iptables=0"] direction LR A1[容器A] --> B1[网桥] B1 --> C1[容器B] style B1 fill:#90EE90 end subgraph s2 ["bridge-nf-call-iptables=1"] direction LR A2[容器A] --> B2[网桥] B2 --> C2[iptables] C2 -->|MASQUERADE| D2[容器B] style C2 fill:#FFB6C1 end问题原因
Kind 环境下,K8s 节点本身是 Docker 容器,通过网桥互联。bridge-nf-call-iptables = 1 导致同网桥转发的流量也经过 iptables,触发 Docker 的 MASQUERADE 规则,源 IP 被改成网关 IP(172.18.0.1),Flannel IPsec 的 IKE 协商因此失败。
注:这是 Kind 环境特有的问题,kubeadm 部署的物理机/VM 环境不经过 Docker 网桥,不会遇到类似问题。
解决方案
在宿主机添加 iptables 规则,让同网段流量跳过 MASQUERADE:- iptables -t nat -I POSTROUTING -s 172.18.0.0/16 -d 172.18.0.0/16 -j ACCEPT
参数含义-t nat操作 NAT 表-I POSTROUTING插入到 POSTROUTING 链最前面(优先级最高)-s 172.18.0.0/16匹配源 IP-d 172.18.0.0/16匹配目的 IP-j ACCEPT直接接受,跳过后续规则添加后验证:- iptables -t nat -L POSTROUTING -n -vChain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 19 2648 ACCEPT 0 -- * * 172.18.0.0/16 172.18.0.0/16 706 42360 MASQUERADE 0 -- * !br-822761cba2a3 172.18.0.0/16 0.0.0.0/0 269 19012 MASQUERADE 0 -- * !br-64b0f4dac739 172.18.0.0/16 0.0.0.0/0
- kubectl rollout restart daemonset -n kube-system kube-flannel-ds
- # docker exec flannel-ipsec-control-plane ip xfrm statesrc 172.18.0.3 dst 172.18.0.2 proto esp spi 0xc1115682 reqid 11 mode tunnel replay-window 0 flag af-unspec aead rfc4106(gcm(aes)) 0x217a8659909ac029fb600b7cab791ee5b31d3563 128 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000src 172.18.0.2 dst 172.18.0.3 proto esp spi 0xc3b69836 reqid 11 mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0xfaa2ea9f4bfb893623ce9fc5aac9ae6646913ee7 128 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000src 172.18.0.3 dst 172.18.0.2 proto esp spi 0xc9b2e230 reqid 11 mode tunnel replay-window 0 flag af-unspec aead rfc4106(gcm(aes)) 0x93c09105fd818db55e1b2d730fd31ff989fd33c2 128 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000src 172.18.0.2 dst 172.18.0.3 proto esp spi 0xc709b48b reqid 11 mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0x60697edd7c58b57220c15d3b9d41851a206d4e4e 128 anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
- docker exec flannel-ipsec-control-plane curl -s 10.244.1.7# PodName: Pod-0 | PodIP: eth0 10.244.1.7/24
- NO_PROPOSAL_CHOSEN 不一定是算法协商问题,也可能是 IP 不匹配
- 排查 IPsec 问题时,关注 [NET] 日志中的实际源/目的 IP
- Kind 环境的网络行为与物理机不同,遇到问题时优先考虑 Docker 网桥的影响
来源:程序园用户自行投稿发布,如果侵权,请联系站长删除
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作! |
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
照妖镜
