I have a problem with pods reaching the cluster DNS.
I am able to reach the cluster DNS from the host, but not from the pods.
I'm mainly doing this to learn how components within a cluster interact with each other.
What am I missing?
Appreciate the help.
cluster CIDR: 10.200.0.0/24
kube-dns cluster IP: 10.96.0.10
service cluster IP range: 10.96.0.0/24
$ ip route
default via 10.26.8.1 dev ens33 onlink
10.26.8.0/21 dev ens33 proto kernel scope link src 10.26.8.173
10.200.0.0/24 dev cnio0 proto kernel scope link src 10.200.0.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
$ ip addr list
...
12: cnio0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 9a:7c:99:d0:34:05 brd ff:ff:ff:ff:ff:ff
inet 10.200.0.1/24 brd 10.200.0.255 scope global cnio0
valid_lft forever preferred_lft forever
inet6 fe80::987c:99ff:fed0:3405/64 scope link
valid_lft forever preferred_lft forever
...
# from the pod
$ kubectl exec -ti busybox3 -- ip route get 10.96.0.10
10.96.0.10 via 10.200.0.1 dev eth0 src 10.200.0.35
$ kubectl exec -ti busybox3 -- ip route get 10.200.0.32
10.200.0.32 dev eth0 src 10.200.0.35
## Unable to ping pod
$ kubectl exec -ti busybox3 -- ping 10.200.0.32
PING 10.200.0.32 (10.200.0.32): 56 data bytes
^C
--- 10.200.0.32 ping statistics ---
26 packets transmitted, 0 packets received, 100% packet loss
command terminated with exit code 1
$ kubectl exec -ti busybox3 -- nslookup kubernetes
Server: 10.96.0.10
Address 1: 10.96.0.10
nslookup: can't resolve 'kubernetes'
command terminated with exit code 1
# from the host
$ nslookup kubernetes.default.svc.cluster.local 10.96.0.10
Server: 10.96.0.10
Address: 10.96.0.10#53
Name: kubernetes.default.svc.cluster.local
Address: 10.32.0.1
## using the pod IP directly
$ nslookup kubernetes.default.svc.cluster.local 10.200.0.32
Server: 10.200.0.32
Address: 10.200.0.32#53
Name: kubernetes.default.svc.cluster.local
Address: 10.32.0.1
$ kubectl get pods -n kube-system -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
coredns-68567cdb47-8bqbc 1/1 Running 0 16m 10.200.0.32 myhostname <none> <none>
coredns-68567cdb47-j7w5v 1/1 Running 0 16m 10.200.0.33 myhostname <none> <none>
$ cat /var/lib/kubelet/kubelet-config.yaml
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: "/var/lib/kubernetes/ca.pem"
authorization:
mode: Webhook
clusterDomain: "cluster.local"
clusterDNS:
- "10.96.0.10"
podCIDR: "10.200.0.0/24"
resolvConf: "/etc/resolv.conf"
runtimeRequestTimeout: "15m"
tlsCertFile: "/var/lib/kubelet/myhostname.pem"
tlsPrivateKeyFile: "/var/lib/kubelet/myhostname-key.pem"
$ sudo iptables-save
# Generated by iptables-save v1.6.0 on Tue Dec 17 22:25:50 2019
*mangle
:PREROUTING ACCEPT [75825:12120908]
:INPUT ACCEPT [73784:12027210]
:FORWARD ACCEPT [2041:93698]
:OUTPUT ACCEPT [72541:12755845]
:POSTROUTING ACCEPT [72541:12755845]
COMMIT
# Completed on Tue Dec 17 22:25:50 2019
# Generated by iptables-save v1.6.0 on Tue Dec 17 22:25:50 2019
*filter
:INPUT ACCEPT [2265:357288]
:FORWARD DROP [70:3150]
:OUTPUT ACCEPT [2254:381251]
:KUBE-EXTERNAL-SERVICES - [0:0]
:KUBE-FIREWALL - [0:0]
:KUBE-FORWARD - [0:0]
:KUBE-SERVICES - [0:0]
-A INPUT -j KUBE-FIREWALL
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A FORWARD -m comment --comment "kubernetes forwarding rules" -j KUBE-FORWARD
-A FORWARD -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-FIREWALL -m comment --comment "kubernetes firewall for dropping marked packets" -m mark --mark 0x8000/0x8000 -j DROP
-A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
-A KUBE-FORWARD -m comment --comment "kubernetes forwarding rules" -m mark --mark 0x4000/0x4000 -j ACCEPT
-A KUBE-FORWARD -s 10.200.0.0/24 -m comment --comment "kubernetes forwarding conntrack pod source rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A KUBE-FORWARD -d 10.200.0.0/24 -m comment --comment "kubernetes forwarding conntrack pod destination rule" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 17 22:25:50 2019
# Generated by iptables-save v1.6.0 on Tue Dec 17 22:25:50 2019
*nat
:PREROUTING ACCEPT [71:3399]
:INPUT ACCEPT [1:249]
:OUTPUT ACCEPT [10:600]
:POSTROUTING ACCEPT [10:600]
:CNI-08323572f8c1b7437b5b2d5a - [0:0]
:CNI-6ffb7cac9d9ed164b2d5ba7b - [0:0]
:CNI-75946e699f4851c447169397 - [0:0]
:CNI-7fc98eb6f610acba6ece3337 - [0:0]
:CNI-a96f59ef769e0d335cecc5fa - [0:0]
:DOCKER - [0:0]
:KUBE-MARK-DROP - [0:0]
:KUBE-MARK-MASQ - [0:0]
:KUBE-NODEPORTS - [0:0]
:KUBE-POSTROUTING - [0:0]
:KUBE-SEP-BAY6F2PYGJH5DEUE - [0:0]
:KUBE-SEP-G6EBKTWNJTOIEXU4 - [0:0]
:KUBE-SEP-GOBYNHXNZIF5W3D2 - [0:0]
:KUBE-SEP-HT77WNMWLBPE7QGR - [0:0]
:KUBE-SEP-LFB6X7K6BJJCW3R6 - [0:0]
:KUBE-SEP-LHZJOTZD4BS6MHNZ - [0:0]
:KUBE-SEP-VCPA7KUZVLOW57EQ - [0:0]
:KUBE-SERVICES - [0:0]
:KUBE-SVC-ERIFXISQEP7F7OF4 - [0:0]
:KUBE-SVC-JD5MR3NA4I4DYORP - [0:0]
:KUBE-SVC-NPX46M4PTMTKRN6Y - [0:0]
:KUBE-SVC-TCOU7JCQXEZGVUNU - [0:0]
:REDSOCKS - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 10.200.0.32/32 -m comment --comment "name: \"bridge\" id: \"6cb90718739f0752baa8722dbfff1f9f03d0237962dc8985f8fb13d23d80b31d\"" -j CNI-a96f59ef769e0d335cecc5fa
-A POSTROUTING -s 10.200.0.33/32 -m comment --comment "name: \"bridge\" id: \"b0546397dbc9bf07b7c5b02a4dcc91d0a052e715c1d451c47d774211bcf5c1a4\"" -j CNI-6ffb7cac9d9ed164b2d5ba7b
-A POSTROUTING -s 10.200.0.34/32 -m comment --comment "name: \"bridge\" id: \"75b63b258fdd87fcd35e703e4a4bb39c9f11e2e5fd01a574d8a006e5e472234a\"" -j CNI-75946e699f4851c447169397
-A POSTROUTING -s 10.200.0.35/32 -m comment --comment "name: \"bridge\" id: \"e6244383918a970b53438d4e4198540c60778640c9c2a167ff77f39d7fd79bbb\"" -j CNI-7fc98eb6f610acba6ece3337
-A CNI-6ffb7cac9d9ed164b2d5ba7b -d 10.200.0.0/24 -m comment --comment "name: \"bridge\" id: \"b0546397dbc9bf07b7c5b02a4dcc91d0a052e715c1d451c47d774211bcf5c1a4\"" -j ACCEPT
-A CNI-6ffb7cac9d9ed164b2d5ba7b ! -d 224.0.0.0/4 -m comment --comment "name: \"bridge\" id: \"b0546397dbc9bf07b7c5b02a4dcc91d0a052e715c1d451c47d774211bcf5c1a4\"" -j MASQUERADE
-A CNI-75946e699f4851c447169397 -d 10.200.0.0/24 -m comment --comment "name: \"bridge\" id: \"75b63b258fdd87fcd35e703e4a4bb39c9f11e2e5fd01a574d8a006e5e472234a\"" -j ACCEPT
-A CNI-75946e699f4851c447169397 ! -d 224.0.0.0/4 -m comment --comment "name: \"bridge\" id: \"75b63b258fdd87fcd35e703e4a4bb39c9f11e2e5fd01a574d8a006e5e472234a\"" -j MASQUERADE
-A CNI-7fc98eb6f610acba6ece3337 -d 10.200.0.0/24 -m comment --comment "name: \"bridge\" id: \"e6244383918a970b53438d4e4198540c60778640c9c2a167ff77f39d7fd79bbb\"" -j ACCEPT
-A CNI-7fc98eb6f610acba6ece3337 ! -d 224.0.0.0/4 -m comment --comment "name: \"bridge\" id: \"e6244383918a970b53438d4e4198540c60778640c9c2a167ff77f39d7fd79bbb\"" -j MASQUERADE
-A CNI-a96f59ef769e0d335cecc5fa -d 10.200.0.0/24 -m comment --comment "name: \"bridge\" id: \"6cb90718739f0752baa8722dbfff1f9f03d0237962dc8985f8fb13d23d80b31d\"" -j ACCEPT
-A CNI-a96f59ef769e0d335cecc5fa ! -d 224.0.0.0/4 -m comment --comment "name: \"bridge\" id: \"6cb90718739f0752baa8722dbfff1f9f03d0237962dc8985f8fb13d23d80b31d\"" -j MASQUERADE
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-A KUBE-SEP-BAY6F2PYGJH5DEUE -s 10.26.8.173/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-BAY6F2PYGJH5DEUE -p tcp -m tcp -j DNAT --to-destination 10.26.8.173:6443
-A KUBE-SEP-G6EBKTWNJTOIEXU4 -s 10.200.0.33/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-G6EBKTWNJTOIEXU4 -p udp -m udp -j DNAT --to-destination 10.200.0.33:53
-A KUBE-SEP-GOBYNHXNZIF5W3D2 -s 10.200.0.33/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-GOBYNHXNZIF5W3D2 -p tcp -m tcp -j DNAT --to-destination 10.200.0.33:53
-A KUBE-SEP-HT77WNMWLBPE7QGR -s 10.200.0.32/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-HT77WNMWLBPE7QGR -p tcp -m tcp -j DNAT --to-destination 10.200.0.32:53
-A KUBE-SEP-LFB6X7K6BJJCW3R6 -s 10.200.0.32/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-LFB6X7K6BJJCW3R6 -p udp -m udp -j DNAT --to-destination 10.200.0.32:53
-A KUBE-SEP-LHZJOTZD4BS6MHNZ -s 10.200.0.33/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-LHZJOTZD4BS6MHNZ -p tcp -m tcp -j DNAT --to-destination 10.200.0.33:9153
-A KUBE-SEP-VCPA7KUZVLOW57EQ -s 10.200.0.32/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-VCPA7KUZVLOW57EQ -p tcp -m tcp -j DNAT --to-destination 10.200.0.32:9153
-A KUBE-SERVICES ! -s 10.200.0.0/24 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES ! -s 10.200.0.0/24 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES ! -s 10.200.0.0/24 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES ! -s 10.200.0.0/24 -d 10.32.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.32.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HT77WNMWLBPE7QGR
-A KUBE-SVC-ERIFXISQEP7F7OF4 -j KUBE-SEP-GOBYNHXNZIF5W3D2
-A KUBE-SVC-JD5MR3NA4I4DYORP -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-VCPA7KUZVLOW57EQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -j KUBE-SEP-LHZJOTZD4BS6MHNZ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -j KUBE-SEP-BAY6F2PYGJH5DEUE
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-LFB6X7K6BJJCW3R6
-A KUBE-SVC-TCOU7JCQXEZGVUNU -j KUBE-SEP-G6EBKTWNJTOIEXU4
COMMIT
# Completed on Tue Dec 17 22:25:50 2019
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:36:53Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.0", GitCommit:"2bd9643cee5b3b3a5ecbd3af49d09018f0773c77", GitTreeState:"clean", BuildDate:"2019-09-18T14:27:17Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"linux/amd64"}