Posted to commits@cloudstack.apache.org by "kiranchavala (via GitHub)" <gi...@apache.org> on 2023/08/28 12:10:23 UTC
[GitHub] [cloudstack] kiranchavala opened a new issue, #7917: Egress rules present in a network are not getting applied to a kubernetes cluster
kiranchavala opened a new issue, #7917:
URL: https://github.com/apache/cloudstack/issues/7917
ISSUE TYPE
* BUG Report
COMPONENT NAME
Component: Kubernetes
CLOUDSTACK VERSION
Cloudstack version 4.18
SUMMARY
Egress rules present in a network are not getting applied to a Kubernetes cluster
Steps to reproduce the issue
1. Launch a Kubernetes cluster
2. Connect to the Kubernetes cluster
3. Go to Isolated network > Egress rule tab and allow ALL
<img width="789" alt="Screenshot 2023-08-28 at 4 48 20 PM" src="https://github.com/apache/cloudstack/assets/1401014/ae70edad-d249-47cc-b269-bcf182e27e61">
4. Deploy application on the Kubernetes cluster
For example, an nginx application:
kubectl apply -f nginx.yaml
```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2 # tells deployment to run 2 pods matching the template
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
```
6. Get a public IP for the application via this command
kubectl expose deploy/nginx-deployment --port=80 --type=LoadBalancer
Actual Results
The application fails to deploy with the error "Failed to Pull Image"
```
NAMESPACE   NAME                                READY   STATUS             RESTARTS   AGE
default     nginx-deployment-6595874d85-4p22k   0/1     ImagePullBackOff   0          54s
default     nginx-deployment-6595874d85-wlwq5   0/1     ImagePullBackOff   0          54s
```
```
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 93s default-scheduler Successfully assigned default/nginx-deployment-6595874d85-wt6fs to ghj-node-18a3bfa3ee3
Warning Failed 62s kubelet Failed to pull image "nginx:1.14.2": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/nginx:1.14.2": failed to resolve reference "docker.io/library/nginx:1.14.2": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/1.14.2": dial tcp 44.205.64.79:443: i/o timeout
Normal BackOff 61s kubelet Back-off pulling image "nginx:1.14.2"
Warning Failed 61s kubelet Error: ImagePullBackOff
Normal Pulling 48s (x2 over 92s) kubelet Pulling image "nginx:1.14.2"
Warning Failed 2s (x2 over 62s) kubelet Error: ErrImagePull
Warning Failed 2s kubelet Failed to pull image "nginx:1.14.2": rpc error: code = Unknown desc = failed to pull and unpack image "docker.io/library/nginx:1.14.2": failed to resolve reference "docker.io/library/nginx:1.14.2": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/1.14.2": dial tcp 3.216.34.172:443: i/o timeout
```
Logs, for the failure to acquire a Public IP
```
I0828 11:43:28.584138 1 event.go:278] Event(v1.ObjectReference{Kind:"Service", Namespace:"default", Name:"nginx-deployment", UID:"65d909ec-2cd8-4097-9bb7-6f12b5962d2b", APIVersion:"v1", ResourceVersion:"910", FieldPath:""}): type: 'Normal' reason: 'EnsuringLoadBalancer' Ensuring load balancer
E0828 11:43:35.876153 1 node_controller.go:245] Error getting node addresses for node "tyu-control-18a3beffe8f": error fetching node by provider ID: error retrieving node addresses: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listVirtualMachines&id=&response=json&signature=l0PsF46pf1lSvdBd48O%2FjXA4q1k%3D: dial tcp 10.0.35.177:8080: i/o timeout, and error by node name: error retrieving node addresses: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listVirtualMachines&name=tyu-control-18a3beffe8f&response=json&signature=9s6%2BHi9oxBFGhJHquIsE2UtWRZw%3D: dial tcp 10.0.35.177:8080: i/o timeout
E0828 11:43:58.676516 1 controller.go:244] error processing service default/nginx-deployment (will retry): failed to ensure load balancer: error retrieving load balancer rules: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listLoadBalancerRules&keyword=a65d909ec2cd840979bb76f12b5962d2&listall=true&response=json&signature=6MeRwi7JABRTHaKS1Xzvv%2BxjUZA%3D: dial tcp 10.0.35.177:8080: i/o timeout
I0828 11:43:58.676913 1 event.go:278] Event(v1.ObjectReference{Kind:"Service", Namespace:"default", Name:"nginx-deployment", UID:"65d909ec-2cd8-4097-9bb7-6f12b5962d2b", APIVersion:"v1", ResourceVersion:"910", FieldPath:""}): type: 'Warning' reason: 'SyncLoadBalancerFailed' Error syncing load balancer: failed to ensure load balancer: error retrieving load balancer rules: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listLoadBalancerRules&keyword=a65d909ec2cd840979bb76f12b5962d2&listall=true&response=json&signature=6MeRwi7JABRTHaKS1Xzvv%2BxjUZA%3D: dial tcp 10.0.35.177:8080: i/o timeout
I0828 11:44:03.677645 1 event.go:278] Event(v1.ObjectReference{Kind:"Service", Namespace:"default", Name:"nginx-deployment", UID:"65d909ec-2cd8-4097-9bb7-6f12b5962d2b", APIVersion:"v1", ResourceVersion:"914", FieldPath:""}): type: 'Normal' reason: 'EnsuringLoadBalancer' Ensuring load balancer
E0828 11:44:05.876844 1 node_controller.go:237] error retrieving instance ID: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listVirtualMachines&name=tyu-node-18a3bf0325b&response=json&signature=BX2eoDo8kumV62PyttwR3gWxJeE%3D: dial tcp 10.0.35.177:8080: i/o timeout
E0828 11:44:33.678713 1 controller.go:244] error processing service default/nginx-deployment (will retry): failed to ensure load balancer: error retrieving load balancer rules: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listLoadBalancerRules&keyword=a65d909ec2cd840979bb76f12b5962d2&listall=true&response=json&signature=6MeRwi7JABRTHaKS1Xzvv%2BxjUZA%3D: dial tcp 10.0.35.177:8080: i/o timeout
I0828 11:44:33.678860 1 event.go:278] Event(v1.ObjectReference{Kind:"Service", Namespace:"default", Name:"nginx-deployment", UID:"65d909ec-2cd8-4097-9bb7-6f12b5962d2b", APIVersion:"v1", ResourceVersion:"914", FieldPath:""}): type: 'Warning' reason: 'SyncLoadBalancerFailed' Error syncing load balancer: failed to ensure load balancer: error retrieving load balancer rules: Get http://10.0.35.177:8080/client/api?apiKey=7agfDzjXNy3wnbI4M8o3Oz6gEv12w8rmPDW3jjkG0SZOpHjEtsovd4uNw7US6w3kUb62p6F_5Txi37kDRO4qNw&command=listLoadBalancerRules&keyword=a65d909ec2cd840979bb76f12b5962d2&listall=true&response=json&signature=6MeRwi7JABRTHaKS1Xzvv%2BxjUZA%3D: dial tcp 10.0.35.177:8080: i/o timeout
```
Expected Results
The application should deploy without any issues and the end user should acquire the public IP without any issue.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@cloudstack.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
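Added example, not part of the original issue or of CloudStack: a triage helper for the `dial tcp ... i/o timeout` failures in the logs above. It groups the timed-out destinations and flags the case where every one lies outside the guest network. The sample lines are constructed from the logs with credentials replaced by placeholders, and the guest CIDR `10.1.1.0/24` is an assumed value.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the kubelet events and
# cloud-controller logs above; credentials replaced with placeholders.
SAMPLE_LOG = """\
Warning Failed 62s kubelet Failed to pull image "nginx:1.14.2": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/1.14.2": dial tcp 44.205.64.79:443: i/o timeout
Warning Failed 2s kubelet Failed to pull image "nginx:1.14.2": failed to do request: Head "https://registry-1.docker.io/v2/library/nginx/manifests/1.14.2": dial tcp 3.216.34.172:443: i/o timeout
E0828 11:43:58.676516 1 controller.go:244] error retrieving load balancer rules: Get http://10.0.35.177:8080/client/api?apiKey=REDACTED&command=listLoadBalancerRules&signature=REDACTED: dial tcp 10.0.35.177:8080: i/o timeout
E0828 11:44:05.876844 1 node_controller.go:237] error retrieving instance ID: Get http://10.0.35.177:8080/client/api?apiKey=REDACTED&command=listVirtualMachines&signature=REDACTED: dial tcp 10.0.35.177:8080: i/o timeout
Normal BackOff 61s kubelet Back-off pulling image "nginx:1.14.2"
"""

DIAL_TIMEOUT = re.compile(r"dial tcp (\d{1,3}(?:\.\d{1,3}){3}):(\d+): i/o timeout")

def dial_timeouts(log_text):
    """Count 'dial tcp IP:PORT: i/o timeout' failures per (ip, port)."""
    hits = Counter()
    for line in log_text.splitlines():
        # One log line can carry more than one dial error
        for ip, port in DIAL_TIMEOUT.findall(line):
            hits[(ip, int(port))] += 1
    return hits

def triage(log_text, guest_cidr):
    """Split timed-out destinations into inside/outside the guest network."""
    net = ipaddress.ip_network(guest_cidr)
    inside, outside = [], []
    for (ip, port), count in sorted(dial_timeouts(log_text).items()):
        bucket = inside if ipaddress.ip_address(ip) in net else outside
        bucket.append((ip, port, count))
    # Heuristic: timeouts (not refusals or DNS errors) to off-network
    # destinations only, with none inside the network, suggest checking the
    # network's egress rules before the registry or the management server.
    egress_suspected = bool(outside) and not inside
    return {"inside": inside, "outside": outside, "egress_suspected": egress_suspected}

if __name__ == "__main__":
    # guest_cidr is an assumed value; use the isolated network's real CIDR
    print(triage(SAMPLE_LOG, "10.1.1.0/24"))
```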
[GitHub] [cloudstack] kiranchavala commented on issue #7917: Egress rules present in a network are not getting applied to a kubernetes cluster
Posted by "kiranchavala (via GitHub)" <gi...@apache.org>.
kiranchavala commented on issue #7917:
URL: https://github.com/apache/cloudstack/issues/7917#issuecomment-1695591976
The issue will not occur if you delete the application and reapply the egress rule by allowing the TCP traffic.
1. kubectl delete deployment nginx-deployment
2. Delete the egress rules present and reapply the same
<img width="801" alt="Screenshot 2023-08-28 at 4 44 28 PM" src="https://github.com/apache/cloudstack/assets/1401014/512ca461-3625-44c8-85ea-f005e0b00abd">
[GitHub] [cloudstack] weizhouapache commented on issue #7917: Egress rules present in a network are not getting applied to a kubernetes cluster
Posted by "weizhouapache (via GitHub)" <gi...@apache.org>.
weizhouapache commented on issue #7917:
URL: https://github.com/apache/cloudstack/issues/7917#issuecomment-1695598396
Yes, @kiranchavala.
With the egress rule you added, all outgoing traffic will be blocked.
![image](https://github.com/apache/cloudstack/assets/57355700/a23ccbe5-4c73-47b2-80f0-f7b5a4b75a16)
[GitHub] [cloudstack] weizhouapache closed issue #7917: Egress rules present in a network are not getting applied to a kubernetes cluster
Posted by "weizhouapache (via GitHub)" <gi...@apache.org>.
weizhouapache closed issue #7917: Egress rules present in a network are not getting applied to a kubernetes cluster
URL: https://github.com/apache/cloudstack/issues/7917