[kubernetes]Calico运行异常:dial tcp 10.96.0.1:443: connect: connection refused

最新推荐文章于 2025-03-14 11:27:30 发布
最新推荐文章于 2025-03-14 11:27:30 发布
阅读量4.6k 收藏 5
点赞数 5
分类专栏: k8s和k8s遇到的问题 文章标签: kubernetes tcp/ip 运维
原文链接:https://blog.csdn.net/dingpwen/article/details/124444614
版权

安装calico网络插件之后,发现相关pod一直不能进入Ready状态,查看log,出现如下问题:

Hit error connecting to datastore - retry error=Get “https://10.96.0.1:443/api/v1/nodes/foo”: dial tcp 10.96.0.1:443: connect: connection refused

网上查资料都说是什么iptables配置的问题,各种尝试,发现完全不对。于是打算从根源了解这个东西。

那么这个10.96.0.1到底是什么呢?原来

在 kubernetes,可以从集群外部和内部两种方式访问 kubernetes API,在集群外直接访问 apiserver 提供的 API,在集群内即 pod 中可以通过访问 service 为 kubernetes 的 ClusterIP。kubernetes 集群在初始化完成后就会创建一个 kubernetes service,该 service 是 kube-apiserver 创建并进行维护的,如下所示:

[root@master1 dingpwen]# kubectl get svc
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   2d20h

内置的 kubernetes service 无法删除,其 ClusterIP 为通过 --service-cluster-ip-range 参数指定的 ip 段中的首个 ip,kubernetes endpoints 中的 ip 以及 port 可以通过 --advertise-address 和 --secure-port 启动参数来指定。

那么我们Node上的pod又如何才能访问到这个服务呢?毕竟相对于master机器,Node机器通过ip访问相当于“外网”。

其实我们查看kube-proxy的代码就会发现

I0427 01:46:24.595581       1 config.go:233] "Calling handler.OnEndpointSlicesSynced()"
I0427 01:46:24.595902       1 service.go:419] "Adding new service port" portName="default/kubernetes:https" servicePort="10.96.0.1:443/TCP"
I0427 01:46:24.595983       1 service.go:419] "Adding new service port" portName="kube-system/kube-dns:dns" servicePort="10.96.0.10:53/UDP"
I0427 01:46:24.596036       1 service.go:419] "Adding new service port" portName="kube-system/kube-dns:dns-tcp" servicePort="10.96.0.10:53/TCP"
I0427 01:46:24.596047       1 service.go:419] "Adding new service port" portName="kube-system/kube-dns:metrics" servicePort="10.96.0.10:9153/TCP"
I0427 01:46:24.596056       1 service.go:419] "Adding new service port" portName="kubernetes-dashboard/dashboard-metrics-scraper" servicePort="10.101.210.188:8000/TCP"
I0427 01:46:24.596065       1 service.go:419] "Adding new service port" portName="kubernetes-dashboard/kubernetes-dashboard" servicePort="10.98.70.204:443/TCP"
I0427 01:46:24.596276       1 endpointslicecache.go:358] "Setting endpoints for service port name" portName="kubernetes-dashboard/kubernetes-dashboard" endpoints=[10.244.137.69:8443]
I0427 01:46:24.596305       1 endpointslicecache.go:358] "Setting endpoints for service port name" portName="default/kubernetes:https" endpoints=[192.168.106.131:6443]
I0427 01:46:24.596315       1 endpointslicecache.go:358] "Setting endpoints for service port name" portName="kube-system/kube-dns:dns" endpoints=[10.244.104.2:53]
I0427 01:46:24.596321       1 endpointslicecache.go:358] "Setting endpoints for service port name" portName="kube-system/kube-dns:dns-tcp" endpoints=[10.244.104.2:53]
I0427 01:46:24.596329       1 endpointslicecache.go:358] "Setting endpoints for service port name" portName="kube-system/kube-dns:metrics" endpoints=[10.244.104.2:9153]

kube-proxy会把portName=“default/kubernetes:https” servicePort=“10.96.0.1:443/TCP” 注册到本服务中,那么Node端就可以通过kube-proxy来访问10.96.0.1:443这个服务。

所以出现标题所示问题,根源在该机器没有运行kube-proxy,或者kube-proxy运行异常:

[root@master01 k8s-ha-install]# systemctl status kube-proxy
● kube-proxy.service - Kubernetes Kube Proxy
   Loaded: loaded (/usr/lib/systemd/system/kube-proxy.service; enabled; vendor preset: disabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2023-05-12 21:27:35 CST; 6s ago
     Docs: https://github.com/kubernetes/kubernetes
  Process: 54730 ExecStart=/usr/local/bin/kube-proxy --config=/etc/kubernetes/kube-proxy.conf --v=2 (code=exited, status=1/FAILURE)
 Main PID: 54730 (code=exited, status=1/FAILURE)

May 12 21:27:35 master01 systemd[1]: kube-proxy.service: main process exited, code=exited, status=1/FAILURE
May 12 21:27:35 master01 systemd[1]: Unit kube-proxy.service entered failed state.
May 12 21:27:35 master01 systemd[1]: kube-proxy.service failed.

原文链接:https://blog.csdn.net/dingpwen/article/details/124444614

dial tcp 10.96.0.1:443: connect: no route to host
qingcyb的博客
06-21 1329
1、创建Pod一直不成功,执行kubectl describe pod runtime-java-c8b465b98-47m82。可能是 iptables 规则乱了。
dial tcp 192.168.0.190:443: connect: connection refused
qingcyb的博客
04-24 3020
用nerdctl登录镜像仓库192.168.0.190(Harbor),报错。
k8s coredns 出现network unreachable 问题
zhaijiajia94的博客
06-16 856
k8s coredns network unreachable
dial tcp 10.96.0.1:443: connect: no route to host, failed to clean up sandbox container
2302_78308374的博客
03-14 323
修改完后,calico-kube-controllers 就会重启,多了一段时间,服务的 pod 就都挂了问题的关键是防火墙设置阻止了 calico 插件和 Kubernetes API Server 之间的通信。
Harbor报错:dial tcp 192.168.1.52:443: connect: connection refused
热门推荐
变成习惯
03-19 4万+
之前在部署完harbor之后登录过程中,只遇到了x509问题,这个问题很好解决,添加证书认证即可。 后来我再次部署harbor时,登录过程中,解决完x509问题后,又遇到了一个新问题。 [root@master2 ~]# docker login harbor.uqp.com Username: admin Password: Error response from daemo...
k8s集群-calico-报错-dial tcp *:10250: connect: connection refused
博然的宝藏库
05-23 2231
Kubernetes 集群中,确认节点已经重新启动并正常运行。错误,请确保与 Kubernetes API 的连接正常。确认节点与集群的网络连接正常。确认 Calico Pod 的状态为。
问题解决:dial tcp 172.217.160.81:443: connect: connection refused
看,未来的博客
05-21 9806
[root@k8s-master wlf]# cat /etc/resolv.conf # Generated by NetworkManager search localdomain nameserver 192.168.190.2 [root@k8s-master wlf]# vi /etc/resolv.conf [root@k8s-master wlf]# cat /etc/resolv.conf # Generated by NetworkManager search localdomain #
[reset] Unmounting mounted directories in "/var/lib/kubelet" W0321 14:19:36.524481 91940 cleanupnode.go:99] [reset] Failed to remove containers: [failed to stop running pod cdf897d2b8231f7d3fffa49017090a655b94ddb22cbc24d06f32d519fbaa2c5f: output: E0321 14:19:19.953922 92079 remote_runtime.go:205] "StopPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to destroy network for sandbox \"cdf897d2b8231f7d3fffa49017090a655b94ddb22cbc24d06f32d519fbaa2c5f\": plugin type=\"calico\" failed (delete): error getting ClusterInformation: Get \"https://10.96.0.1:443/apis/crd.projectcalico.org/v1/clusterinformations/default\": dial tcp 10.96.0.1:443: connect: connection refused" podSandboxID="cdf897d2b8231f7d3fffa49017090a655b94ddb22cbc24d06f32d519fbaa2c5f" time="2025-03-21T14:19:19+08:00" level=fatal msg="stopping the pod sandbox \"cdf897d2b8231f7d3fffa49017090a655b94ddb22cbc24d06f32d519fbaa2c5f\": rpc error: code = Unknown desc = failed to destroy network for sandbox \"cdf897d2b8231f7d3fffa49017090a655b94ddb22cbc24d06f32d519fbaa2c5f\": plugin type=\"calico\" failed (delete): error getting ClusterInformation: Get \"https://10.96.0.1:443/apis/crd.projectcalico.org/v1/clusterinformations/default\": dial tcp 10.96.0.1:443: connect: connection refused" : exit status 1, failed to stop running pod e4fee45416ccc066380fe4d0f2f28ca861bf836967d88f2074ce62d6d77ec9ed: output: E0321 14:19:20.255860 92242 remote_runtime.go:205] "StopPodSandbox from runtime service failed" err="rpc error: code = Unknown desc = failed to destroy network for sandbox \"e4fee45416ccc066380fe4d0f2f28ca861bf836967d88f2074ce62d6d77ec9ed\": plugin type=\"calico\" failed (delete): error getting ClusterInformation: Get \"https://10.96.0.1:443/apis/crd.projectcalico.org/v1/clusterinformations/default\": dial tcp 10.96.0.1:443: connect: connection refused" podSandboxID="e4fee45416ccc066380fe4d0f2f28ca861bf836967d88f2074ce62d6d77ec9ed" time="2025-03-21T14:19:20+08:00" level=fatal msg="stopping the pod sandbox \"e4fee45416ccc06638
最新发布
03-22
- 具体报错:`error getting ClusterInformation: Get "https://10.96.0.1:443/apis/crd.projectcalico.org/v1/clusterinformations/default": dial tcp 10.96.0.1:443: connect: connection refused` - IP 地址 `...
【K8S:初始化】:执行kubeadm显示:connection refused.
凡解的博客
04-10 796
K8S,Kubernetes,主节点集群安装通过Calico和Coredns
记录一次K8s 集群故障(路由&Calico
qq_43024789的博客
02-16 1993
除了 kube-system下的api-server, etcd-admin, scheduler, controller manager, 以及各个3个节点的kube-proxy 处于running状态,因为kube-proxy和calico-node都是ds, 使用Hostnetwork,因此IP就是所在节点IP。确定它就是k8s kube-apiserver-admin这个pod所单独暴露出来的svc, 是单例的pod,不属于任何rs/ds/deployment/sts。
kubeadm init初始化时dial tcp 127.0.0.1:10248: connect: connection refused
imonkeyi的博客
09-24 5545
关于这个问题网上的资料很少,找了很久才找解决办法,这里记录以下,给后来者提供方便 错误代码 错误原因 这是cgroup驱动问题。默认情况下Kubernetes cgroup驱动程序设置为system,但docker设置为systemd。我们需要更改Docker cgroup驱动 解决办法 通过创建配置文件/etc/docker/daemon.json并添加以下行: {"exec-opts": ["native.cgroupdriver=systemd"]} 添加成功后为了使配置生效必须.
docker无法登录harbor仓库,443: connect: connection refused
进阶的蜗牛
10-09 6695
docker无法登录harbor仓库,443: connect: connection refused
Rancher 调用集群报错:dial tcp 10.1.0.1:443: connect: connection refused
06-13 3664
Rancher 调用集群报错:dial tcp 10.1.0.1:443: connect: connection refused ! 解决调用失败问题
dial tcp 10.96.0.1:443: connect: network is unreachable
shida's blog
10-17 1万+
今天,在部署 k8s 集群时,发现 CoreDNS 一直无法启动成功,报类似标题所示的错误,现记录下问题排查的主体过程: 1. 首先,正常情况下,所有 Node 应该都能够访问 10.96.0.1:443,到 CoreDNS Pod 所在节点,执行: # curl https://10.96.0.1 curl: (60) Peer's Certificate issuer is not re...
已解决 【k8s】reconnect to server error: dial tcp : connect: connection refused
黑夜开发者的博客
05-23 1579
最近使用k8s构建项目,使用kuboard连接eks的时候,导入项目总是不成功,给出的指导建议是查看日志。
go install安装应用时出现connect:connection refuseddial tcp超时问题
github_39607307的博客
04-15 1261
【代码】go install安装应用时出现connect:connection refuseddial tcp超时问题。
下载docker镜像报错,dial tcp x.x.x.x:443: connect: connection refused
V_1920的博客
09-13 1243
<-'EOF' { "registry-mirrors": ["你自己的"] } EOF。把你自己的这个直接复制在linux。原因是:国外的连接超时了.解决方案改为阿里云的数据源。搜索:容器镜像服务 ACR。然后再把服务重启就好了。
k8s集群报错:dial tcp 10.96.0.1:443: connect: no route to host
Explore
11-28 2万+
问题表征: kube-system coredns-66bff467f8-6gtp8 0/1 Running 2 29d 100.86.78.200 km1 <none> <none> kube-system coredns-66bff467f8-gf6x4 0/1 Running 2 29d 100
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值