Solved: docker - Can not access kubernetes master from the container of pods according to DNS
I use DNS in Kubernetes, and the test result looks like:
    core@core-1-86 ~ $ kubectl exec busybox -- nslookup kubernetes
    Server: 10.100.0.10
    Address 1: 10.100.0.10
    Name: kubernetes
    Address 1: 10.100.0.1
And then I entered the busybox container and pinged kubernetes, like:
    core@core-1-86 ~ $ kubectl exec -it busybox sh
    / # ping kubernetes
    PING kubernetes (10.100.0.1): 56 data bytes
    ^C
    --- kubernetes ping statistics ---
    55 packets transmitted, 0 packets received, 100% packet loss
    / #
If I ping another IP, it is OK!
    / # ping 10.12.1.85
    PING 10.12.1.85 (10.12.1.85): 56 data bytes
    64 bytes from 10.12.1.85: seq=0 ttl=63 time=0.262 ms
    64 bytes from 10.12.1.85: seq=1 ttl=63 time=0.218 ms
    ^C
    --- 10.12.1.85 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max = 0.218/0.240/0.262 ms
    / #
Who can help me and tell me why?

dns docker kubernetes
asked Sep 16 '15 at 11:20 sope

And how to find kubernetes master from DNS? – sope Sep 16 '15 at 11:30

The kubernetes service is a virtual IP and doesn't currently handle ICMP requests (see #2259). You should be able to verify connectivity to the kubernetes service using a TCP connection, e.g.
answered Sep 16 '15 at 16:51 Robert Bailey

Yes, it doesn't currently handle ICMP requests, as you say. I use curl and can get a response from another domain, like:
    root@hello-world:/# curl monitoring-influxdb:8086
    404 page not found
    root@hello-world:/# curl kubernetes
    curl: (6) Could not resolve host: kubernetes
but could not resolve host: kubernetes – sope Sep 17 '15 at 4:08

Can you curl https://10.100.0.1? – Robert Bailey Sep 17 '15 at 4:48

Nope, the response is the same as for curl kubernetes.
    root@hello-world:/# curl kubernetes
    curl: (6) Could not resolve host: kubernetes
– sope Sep 17 '15 at 6:00

But if I curl https://10.100.0.1, the result is as follows. Does this mean I can access the master from the container of the pod?
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl.haxx.se/docs/sslcerts.html
    curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option
– sope Sep 17 '15 at 6:09

For the certificates that we generate via the shell scripts, we add the service IP to the list of subject alternate names (SANs) that are valid. If you create a cluster on GCE, for instance, you'd be able to curl the kubernetes service IP without getting a certificate warning. You can either pass --insecure to curl or re-generate a server certificate for your apiserver that includes 10.100.0.1 as a SAN. – Robert Bailey Sep 17 '15 at 18:58
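
The thread above hits three different failures (name resolution, ICMP to a virtual IP, certificate verification). The following is an added example, not code from the question or the answer: a probe that reports which stage fails and verifies TLS against a CA file instead of disabling verification. The function name `probe` and the `POD_CA` path are assumptions; the path is the usual service-account mount and may differ in your cluster.

```python
import socket
import ssl

# Assumption: the pod has a service account mounted at the usual location.
POD_CA = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"


def probe(host, port=443, cafile=None, timeout=3.0):
    """Return (stage, detail); stage is 'dns', 'tcp' or 'tls' on failure, else 'ok'."""
    try:
        # Stage 1: name resolution (the "curl: (6)" case in the comments).
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        addr = info[0][4]
    except socket.gaierror as exc:
        return "dns", str(exc)
    try:
        # Stage 2: TCP connect. A service virtual IP forwards TCP even
        # though it does not answer ICMP, so this replaces ping.
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)
    if cafile is None:
        sock.close()
        return "ok", "tcp reachable, TLS not checked"
    try:
        # Stage 3: verified handshake (the "curl: (60)" case). When host is
        # an IP such as 10.100.0.1, the certificate must carry it as an IP SAN.
        ctx = ssl.create_default_context(cafile=cafile)
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "tls", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)
    finally:
        sock.close()


if __name__ == "__main__":
    # Name and IP taken from the thread; run from inside a pod.
    for target in ("kubernetes", "10.100.0.1"):
        print(target, probe(target, 443, cafile=POD_CA))
```

A `tls` result with a hostname or IP mismatch message points at the missing SAN discussed in the last comment, while an unknown-issuer message means the CA file does not match the apiserver certificate.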