
I have been searching the net for a long time, but to no avail. Please help or try to give some ideas on how to achieve this.

Service definition:

{
  "kind": "Service",
  "apiVersion": "v1",
  "metadata": {
    "name": "eureka1",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/services/eureka1",
    "uid": "aed393f1-d127-11e8-8f19-fa163e4dc428",
    "resourceVersion": "7432445",
    "creationTimestamp": "2018-10-16T09:41:40Z",
    "labels": {
      "k8s-app": "eureka1"
    }
  },
  "spec": {
    "ports": [
      {
        "name": "tcp-38761-8761-6fjms",
        "protocol": "TCP",
        "port": 80,
        "targetPort": 80,
        "nodePort": 8761
      }
    ],
    "selector": {
      "k8s-app": "eureka1"
    },
    "clusterIP": "10.254.65.233",
    "type": "NodePort",
    "sessionAffinity": "None",
    "externalTrafficPolicy": "Cluster"
  },
  "status": {
    "loadBalancer": {}
  }
}

kubectl describe service eureka1:

Name:                     eureka1
Namespace:                default
Labels:                   k8s-app=eureka1
Annotations:              <none>
Selector:                 k8s-app=eureka1
Type:                     NodePort
IP:                       10.254.65.233
Port:                     tcp-38761-8761-6fjms  80/TCP
TargetPort:               80/TCP
NodePort:                 tcp-38761-8761-6fjms  8761/TCP
Endpoints:                172.101.51.8:80
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

kubectl get ep:

NAME                         ENDPOINTS
eureka1                      172.101.51.8:80
eureka2                      172.101.52.8:80

If I telnet to 10.254.65.233 80 from inside the eureka1 app:

Trying 10.254.65.233...
telnet: connect to address 10.254.65.233: Connection timed out

But I can ping 10.254.65.233.

If I try another service IP, one whose selector does not select this app, I can telnet.

The kube-proxy mode is ipvs.

Thanks

ming_v5
  • That's weird. As far as I know, a service IP is not pingable, since there are no iptables rules for ICMP. So, can you telnet to port 80 of your pod IP? – Kun Li Nov 07 '18 at 12:30
  • 1
    Where are you connecting from? Is the Service actually connecting to some Pods (`kubectl describe service` will show you)? Why aren't you using an HTTP client (like `curl`) or the service's DNS name (`eureka1.default.svc.cluster.local`)? – David Maze Nov 07 '18 at 12:30
  • @KunLi I can telnet to port 80 of my pod IP, like 172.101.51.8, and my kube-proxy mode is ipvs, so the service IP is supported by ipvs, not iptables – ming_v5 Nov 08 '18 at 04:51
  • @DavidMaze The app in the service's selector can't telnet to its own service IP; using the DNS name gives the same thing – ming_v5 Nov 08 '18 at 04:51
  • What does `kubectl get ep` show? – Kun Li Nov 08 '18 at 06:32
  • @KunLi NAME ENDPOINTS AGE eureka1 172.101.51.8:80 22d eureka2 172.101.52.8:80 23d – ming_v5 Nov 08 '18 at 07:44
  • Why don't you just use the node IP and node port which is mapped to port 80 of your pod? – Siddhesh Rane Nov 08 '18 at 08:07
  • @SiddheshRane My profiles use the DNS name eureka1 – ming_v5 Nov 08 '18 at 08:13
  • Maybe something is wrong with NAT. When you telnet to your pod IP, it just accesses the loopback address and doesn't even leave the pod, while when you telnet to the service IP, the packets will leave the pod and then enter the pod again, since the service points to the same pod. At the same time, it must do both SNAT and DNAT to let the packets through. So, try snooping on the network interface of the pod to get some hints. – Kun Li Nov 08 '18 at 08:21

1 Answer

This can happen when the network is not properly configured for “hairpin” traffic, usually when kube-proxy is running in iptables mode and Pods are connected with a bridge network. The Kubelet exposes a hairpin-mode flag that allows endpoints of a Service to load-balance back to themselves if they try to access their own Service VIP. The hairpin-mode flag must be set to either hairpin-veth or promiscuous-bridge.

ming_v5
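A node-side check for the hairpin condition described in the answer above, added here as an example and not part of the original post. It assumes the pods attach to a Linux bridge (the name `cbr0` is an assumption, substitute your own) and reads the kernel's per-port `hairpin_mode` files and the bridge's interface flags from sysfs; `check_hairpin` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: decide whether a pod bridge lets a pod reach itself
# through its own Service VIP (hairpin traffic).
# Prints one line per finding. Returns 0 if hairpin traffic can work,
# 1 if at least one bridge port blocks it, 2 if the bridge is missing.
check_hairpin() {
    net_root=$1   # normally /sys/devices/virtual/net
    bridge=$2     # assumption: pod bridge name, e.g. cbr0
    br_dir="$net_root/$bridge"
    if [ ! -d "$br_dir/brif" ]; then
        echo "bridge-not-found $bridge"
        return 2
    fi
    # promiscuous-bridge: IFF_PROMISC (0x100) is set on the bridge itself,
    # so per-port hairpin_mode does not need to be enabled.
    flags=$(cat "$br_dir/flags" 2>/dev/null)
    flags=${flags:-0x0}
    if [ $(( $flags & 0x100 )) -ne 0 ]; then
        echo "ok promiscuous-bridge"
        return 0
    fi
    # hairpin-veth: every bridge port must report hairpin_mode = 1.
    blocked=0
    for port in "$br_dir"/brif/*; do
        [ -e "$port/hairpin_mode" ] || continue
        if [ "$(cat "$port/hairpin_mode")" != "1" ]; then
            echo "hairpin-off ${port##*/}"
            blocked=1
        fi
    done
    if [ "$blocked" -eq 0 ]; then
        echo "ok hairpin-veth"
    fi
    return "$blocked"
}

# Usage on a node: sh check_hairpin.sh cbr0
if [ "$#" -ge 1 ]; then
    check_hairpin /sys/devices/virtual/net "$1"
fi
```

Any `hairpin-off` line names a bridge port whose pod cannot reach itself through its own Service IP until the kubelet's hairpin-mode setting is corrected.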