
Gist: I am struggling to get a pod to connect to a service outside the cluster. Basically the pod manages to resolve the ClusterIP of the selectorless service, but traffic does not go through. Traffic does go through if I hit the ClusterIP of the selectorless service from the cluster host.

I'm fairly new to microk8s and k8s in general. I hope I am making some sense though...

Background:

I am attempting to move parts of my infrastructure from a docker-compose setup on one virtual machine, to a microk8s cluster (with 2 nodes).

In the docker-compose setup, I have a Grafana container connecting to an InfluxDB container.

kubectl version:

Client Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.2-3+9ad9ee77396805", GitCommit:"9ad9ee77396805781cd0ae076d638b9da93477fd", GitTreeState:"clean", BuildDate:"2021-09-30T09:52:57Z", GoVersion:"go1.16.8", Compiler:"gc", Platform:"linux/amd64"}

I now want to set up a Grafana container on the microk8s cluster and have it connect to the InfluxDB that is still running on the docker-compose VM.

All of these VMs are running on an ESXi host.

  • InfluxDB is exposed at 10.1.2.220:8086
  • microk8s-master has ip 10.1.2.50
  • microk8s-slave-1 has ip 10.1.2.51

I have enabled ingress and dns. I have also enabled metallb, though I don't intend to use it here.

I have configured a selectorless service, a remote endpoint and an egress NetworkPolicy (currently allowing all).

From microk8s-master and slave-1, I can

  • telnet directly to 10.1.2.220:8086 successfully
  • telnet to the ClusterIP (10.152.183.26):8086 of the service, successfully reaching InfluxDB
  • wget ClusterIP:8086

Inside the pod, if I do a wget to influxdb-service:8086, it resolves to the ClusterIP, but after that it times out. I can, however, reach (wget) services pointing to other pods in the same namespace.

Update:

I have been able to get it to work through a workaround, but I don't think this is the correct way.

My temporary solution is to expose the selectorless service on metallb, then use that exposed IP inside the pod.

Service and Endpoints for InfluxDB:

---
apiVersion: v1
kind: Service
metadata:
  name: influxdb-service
  labels:
    app: grafana
spec:
  ports:
    - protocol: TCP
      port: 8086
      targetPort: 8086
---
apiVersion: v1
kind: Endpoints
metadata:
  name: influxdb-service
subsets:
  - addresses:
      - ip: 10.1.2.220
    ports:
      - port: 8086

The service and endpoint show up fine:

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get endpoints
NAME                ENDPOINTS                             AGE
neo4j-service-lb    10.1.166.176:7687,10.1.166.176:7474   25h
influxdb-service    10.1.2.220:8086                       127m
questrest-service   10.1.166.178:80                       5d
kubernetes          10.1.2.50:16443,10.1.2.51:16443       26d
grafana-service     10.1.237.120:3000                     3h11m

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get svc
NAME                TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                         AGE
kubernetes          ClusterIP      10.152.183.1     <none>        443/TCP                         26d
questrest-service   ClusterIP      10.152.183.56    <none>        80/TCP                          5d
neo4j-service-lb    LoadBalancer   10.152.183.166   10.1.2.60     7474:31974/TCP,7687:32688/TCP   25h
grafana-service     ClusterIP      10.152.183.75    <none>        3000/TCP                        3h13m
influxdb-service    ClusterIP      10.152.183.26    <none>        8086/TCP                        129m

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl get networkpolicy
NAME                            POD-SELECTOR    AGE
grafana-allow-egress-influxdb   app=grafana     129m
test-egress-influxdb            app=questrest   128m

Describe:

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe svc influxdb-service
Name:              influxdb-service
Namespace:         default
Labels:            app=grafana
Annotations:       <none>
Selector:          <none>
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.152.183.26
IPs:               10.152.183.26
Port:              <unset>  8086/TCP
TargetPort:        8086/TCP
Endpoints:         10.1.2.220:8086
Session Affinity:  None
Events:            <none>

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe endpoints influxdb-service
Name:         influxdb-service
Namespace:    default
Labels:       <none>
Annotations:  <none>
Subsets:
  Addresses:          10.1.2.220
  NotReadyAddresses:  <none>
  Ports:
    Name     Port  Protocol
    ----     ----  --------
    <unset>  8086  TCP

Events:  <none>

eso@microk8s-master:~/k8s-grafana$ microk8s.kubectl describe networkpolicy grafana-allow-egress-influxdb
Name:         grafana-allow-egress-influxdb
Namespace:    default
Created on:   2021-11-03 20:53:00 +0000 UTC
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     app=grafana
  Not affecting ingress traffic
  Allowing egress traffic:
    To Port: <any> (traffic allowed to all ports)
    To: <any> (traffic not restricted by destination)
  Policy Types: Egress

Grafana.yml:

eso@microk8s-master:~/k8s-grafana$ cat grafana.yml
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: grafana-pv
spec:
  capacity:
    storage: 1Gi
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  claimRef:
    name: grafana-pvc
    namespace: default
  persistentVolumeReclaimPolicy: Retain
  nfs:
    path: /mnt/MainVol/grafana
    server: 10.2.0.1
    readOnly: false
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-pvc
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: ""
  volumeName: grafana-pv
  resources:
    requests:
      storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        fsGroup: 472
        supplementalGroups:
          - 0
      containers:
        - name: grafana
          image: grafana/grafana:7.5.2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-pv
      volumes:
        - name: grafana-pv
          persistentVolumeClaim:
            claimName: grafana-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: grafana-service
spec:
  ports:
    - port: 3000
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
  #sessionAffinity: None
  #type: LoadBalancer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - host: "g2.some.domain.com"
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: grafana-service
            port:
              number: 3000
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: grafana-allow-egress-influxdb
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: grafana
  ingress:
  - {}
  egress:
  - {}
  policyTypes:
  - Egress

  • What Kubernetes version are you using? – Bazhikov Nov 04 '21 at 15:51
  • kubectl version -> 1.22+ / 1.22.2; microk8s: 1.22.2 – takilara Nov 04 '21 at 18:25
  • I've since discovered that my router did not provide a route to the cluster pod networks. It was defaulting to 10.1.0.0/16 (which I already use for other things). I changed the pod CIDR to 10.5.0.0/16, then added routes to this network in my pfSense router, and now most of my network works a lot better :) – takilara Nov 23 '21 at 15:34
  • @takilara I'm facing the very same problem. Do you mind further elaborating your comment? Thanks – lsabi Oct 23 '22 at 16:50
  • @lsabi It's been a while, but the way I got it working as a total solution is: have an Endpoint that points to the external InfluxDB service; have a Service of type LoadBalancer that points to this Endpoint; in the config of Grafana, use the IP of the LoadBalancer service. I am not sure why I didn't just point directly to the external service though... It might be that I originally intended to later move the InfluxDB to the cluster also... I'll update the answer below with a diagram... – takilara Oct 24 '22 at 17:42
  • @takilara I see. I have to rely on external services that do not depend on me. Access to the internet is not a problem, but accessing my local network seems impossible from within a pod. I hope that the router thing you mentioned was the root cause of the problem. Thanks anyway – lsabi Oct 24 '22 at 20:19
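The cause reported in the comments above, modelled as an added example that is not code from the question or its answer: a pod CIDR of 10.1.0.0/16 collided with a range the LAN router already used, so InfluxDB's replies to a pod source address (such as the Grafana pod 10.1.237.120) were forwarded the wrong way, while replies to a node address (10.1.2.50, used when testing from the host) came straight back. The router tables, next-hop labels and the post-fix pod address 10.5.12.34 are constructed for illustration.

```python
"""Why a pod could not reach the external InfluxDB while the node could.

Models the cause reported in the comments: the pod CIDR 10.1.0.0/16 overlapped
a range the LAN router already used, so replies to pod source addresses were
routed the wrong way, while replies to node addresses (10.1.2.x) came back.
The route tables and next-hop labels are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Constructed LAN router table before the fix: 10.1.0.0/16 belongs to other
# networks and there is no route for the cluster's pod network at all.
ROUTER_BEFORE: Dict[str, str] = {
    "10.1.2.0/24": "on-link",      # ESXi VMs: InfluxDB and the microk8s nodes
    "10.1.0.0/16": "other-vlans",  # range the router already uses elsewhere
}
# After the fix from the comments: pod CIDR moved to 10.5.0.0/16 and a static
# route for it points at a cluster node (assumed next hop: the master).
ROUTER_AFTER: Dict[str, str] = {**ROUTER_BEFORE, "10.5.0.0/16": "via 10.1.2.50"}
# Next hops that deliver a reply back into the cluster.
CLUSTER_HOPS = {"on-link", "via 10.1.2.50"}

def next_hop(dst_ip: str, routes: Dict[str, str]) -> str:
    """Longest-prefix match of dst_ip against a router table {prefix: next hop}."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, hop in routes.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else "default-gateway"

def reply_reaches_cluster(src_ip: str, routes: Dict[str, str]) -> bool:
    """True when InfluxDB's reply to a packet from src_ip gets back to the cluster."""
    return next_hop(src_ip, routes) in CLUSTER_HOPS

def overlaps(pod_cidr: str, used_prefixes: List[str]) -> List[str]:
    """Prefixes already in use on the LAN that collide with the pod CIDR."""
    pods = ipaddress.ip_network(pod_cidr)
    return [p for p in used_prefixes if pods.overlaps(ipaddress.ip_network(p))]

if __name__ == "__main__":
    # Node source (telnet from microk8s-master) vs pod source (wget inside the pod)
    print("node 10.1.2.50 ->", reply_reaches_cluster("10.1.2.50", ROUTER_BEFORE))
    print("pod 10.1.237.120 ->", reply_reaches_cluster("10.1.237.120", ROUTER_BEFORE))
    print("pod 10.5.12.34 after fix ->", reply_reaches_cluster("10.5.12.34", ROUTER_AFTER))
    print("overlaps before fix:", overlaps("10.1.0.0/16", list(ROUTER_BEFORE)))
```

Running `overlaps` against the router's existing prefixes before changing a cluster's pod CIDR is the check that would have surfaced this before any Service or NetworkPolicy debugging.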

1 Answer

As I haven't gotten much response, I'll answer the question with my "workaround". I am still not sure this is the best way to do it though.

I got it to work by exposing the selectorless service on metallb, then using that exposed IP inside Grafana:

kind: Service
apiVersion: v1
metadata:
  name: influxdb-service-lb
  #namespace: ingress
spec:
  type: LoadBalancer
  loadBalancerIP: 10.1.2.61
#  selector:
#    app: grafana
  ports:
  - name: http
    protocol: TCP
    port: 8086
    targetPort: 8086
---
apiVersion: v1
kind: Endpoints
metadata:
  name: influxdb-service-lb
subsets:
  - addresses:
      - ip: 10.1.2.220
    ports:
      - name: influx
        protocol: TCP
        port: 8086

I then use the LoadBalancer IP in Grafana (10.1.2.61).

Update October 2022: In response to a comment above, I have added a diagram of how I believe this to work.

[diagram image not included]
