部署所有 kubernetes 资源后port 443
,我想打开. 我将它添加到我的白名单表中,但它仍然关闭。我的 80 端口也发生了同样的事情。在刷新所有表后,删除所有 kubernetes 资源并从头开始设置防火墙(包括白名单port 80
),然后再次部署 kubernetesport 80
终于打开了。
现在我更愿意理解为什么我不能打开port 443
而不是再做一遍。我发现有一个表KUBE-FIREWALL
(见下文),默认情况下会阻止所有内容。
这是我的主要问题:
KUBE-FIREWALL 的规则优先级是否比我的表 TCP 高?如果,我怎样才能改变优先级?
输入
Chain INPUT (policy DROP)
target prot opt source destination
cali-INPUT all -- anywhere anywhere /* cali:Cz_u1IQiXIMmKD4c */
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
KUBE-EXTERNAL-SERVICES all -- anywhere anywhere ctstate NEW /* kubernetes externally-visible service portals */
KUBE-FIREWALL all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
校准输入
Chain cali-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* cali:msRIDfJRWnYwzW4g */ mark match 0x10000/0x10000
cali-wl-to-host all -- anywhere anywhere [goto] /* cali:y4fKWmWkTnYGshVX */
MARK all -- anywhere anywhere /* cali:JnMb-hdLugWL4jEZ */ MARK and 0xfff0ffff
cali-from-host-endpoint all -- anywhere anywhere /* cali:NPKZwKxJ-5imzORj */
ACCEPT all -- anywhere anywhere /* cali:aes7S4xZI-7Jyw63 */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
KUBE-防火墙
Chain cali-INPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* cali:msRIDfJRWnYwzW4g */ mark match 0x10000/0x10000
cali-wl-to-host all -- anywhere anywhere [goto] /* cali:y4fKWmWkTnYGshVX */
MARK all -- anywhere anywhere /* cali:JnMb-hdLugWL4jEZ */ MARK and 0xfff0ffff
cali-from-host-endpoint all -- anywhere anywhere /* cali:NPKZwKxJ-5imzORj */
ACCEPT all -- anywhere anywhere /* cali:aes7S4xZI-7Jyw63 */ /* Host endpoint policy accepted packet. */ mark match 0x10000/0x10000
claus@vmd33301:~$ sudo iptables -L KUBE-FIREWALL
Chain KUBE-FIREWALL (2 references)
target prot opt source destination
DROP all -- anywhere anywhere /* kubernetes firewall for dropping marked packets */ mark match 0x8000/0x8000
TCP
Chain TCP (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https