What happened:
At present, the firewall is not enabled in the environment. For security reasons, I enabled the firewall; after firewalld is enabled, coredns cannot start, causing pods to fail to resolve service names.
What you expected to happen:
I need to enable the firewall to allow intranet access only. Now I do not know what is wrong with the firewall configuration, or how it needs to be configured.
How to reproduce it (as minimally and precisely as possible):
There was no problem when firewalld was turned off while the cluster was installed. Now that firewalld is turned on, this problem appears.
Anything else we need to know?:
Environment:
docker image version k8s.gcr.io/coredns:1.2.2
.:53
2024/11/22 06:13:23 [INFO] CoreDNS-1.2.2
2024/11/22 06:13:23 [INFO] linux/amd64, go1.11, eb51e8b
CoreDNS-1.2.2
linux/amd64, go1.11, eb51e8b
2024/11/22 06:13:23 [INFO] plugin/reload: Running configuration MD5 = 18863a4483c30117a60ae2332bab9448
2024/11/22 06:13:23 [ERROR] 2 1521631809623499160.2030884935085046681. HINFO: unreachable backend: no upstream host
OS (e.g: cat /etc/os-release): CentOS 7.9
The detailed firewalld configuration is as follows:
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

external
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client dns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" accept
        rule family="ipv4" source address="10.0.0.0/8" accept
        rule family="ipv4" source address="10.244.0.0/16" accept
        rule family="ipv4" source address="10.0.0.0/8" destination address="10.0.0.2" port port="53" protocol="tcp" accept
        rule family="ipv4" source address="0.0.0.0/0" accept
        rule family="ipv4" source address="10.244.0.0/16" destination address="10.96.0.10" port port="53" protocol="tcp" accept
        rule family="ipv4" source address="10.244.0.0/16" destination address="10.96.0.10" port port="53" protocol="udp" accept

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
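As an added example (not part of the issue, and not CoreDNS or firewalld code), the Python script below parses the `firewall-cmd --list-all-zones` output in the format pasted above and reports the two things a reviewer would check first against the stated "intranet only" goal: whether any zone actually has an interface or source bound (in the dump above none does, so all traffic lands in the default zone), and whether a rich rule accepts every source (the `0.0.0.0/0 accept` rule in `public` does, which makes the narrower intranet rules redundant). It also confirms that the pod-CIDR-to-cluster-DNS rules cover both TCP and UDP on port 53. The pod CIDR `10.244.0.0/16` and cluster DNS address `10.96.0.10` are taken from the rich rules in the issue and are assumed, not verified, to be this cluster's values; the embedded sample input is the `public` zone copied from the issue plus a trimmed `trusted` zone.

```python
"""Lint a `firewall-cmd --list-all-zones` dump from a Kubernetes node.

Added example; not code from the issue, CoreDNS or firewalld. Accepts
both the real (indented) output and the flattened copy pasted in the
issue text.
"""
import re

# Attribute keys that `firewall-cmd --list-all-zones` prints for each zone.
ZONE_KEYS = {
    "target", "icmp-block-inversion", "interfaces", "sources", "services",
    "ports", "protocols", "masquerade", "forward-ports", "source-ports",
    "icmp-blocks", "rich rules",
}
KEY_RE = re.compile(r"^([a-z][a-z -]*?):\s*(.*)$")
SRC_RE = re.compile(r'source address="([^"]+)"')
DST_RE = re.compile(r'destination address="([^"]+)"')
PORT_RE = re.compile(r'port port="(\d+)" protocol="(tcp|udp)"')

# Constructed sample: the public zone as pasted in the issue, plus a trimmed trusted zone.
SAMPLE_DUMP = """\
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client dns ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" accept
        rule family="ipv4" source address="10.0.0.0/8" accept
        rule family="ipv4" source address="10.244.0.0/16" accept
        rule family="ipv4" source address="10.0.0.0/8" destination address="10.0.0.2" port port="53" protocol="tcp" accept
        rule family="ipv4" source address="0.0.0.0/0" accept
        rule family="ipv4" source address="10.244.0.0/16" destination address="10.96.0.10" port port="53" protocol="tcp" accept
        rule family="ipv4" source address="10.244.0.0/16" destination address="10.96.0.10" port port="53" protocol="udp" accept

trusted
  target: ACCEPT
  interfaces:
  sources:
  rich rules:
"""


def parse_zones(dump):
    """Return {zone: {key: value, "rich rules": [rule, ...]}}."""
    zones, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if line.startswith("rule ") or (m and m.group(1) in ZONE_KEYS):
            if current is None:
                raise ValueError("attribute before any zone header: %r" % line)
            if line.startswith("rule "):
                zones[current]["rich rules"].append(line)
            elif m.group(1) != "rich rules":  # rules follow on their own lines
                zones[current][m.group(1)] = m.group(2)
        else:                                  # any other line names a zone
            current = line
            zones[current] = {"rich rules": []}
    return zones


def rule_fields(rule):
    """(source, destination, port, protocol) of a rich rule; None where absent."""
    src, dst, port = SRC_RE.search(rule), DST_RE.search(rule), PORT_RE.search(rule)
    return (src and src.group(1), dst and dst.group(1),
            port and port.group(1), port and port.group(2))


def lint_zones(zones):
    """Findings that matter for an intranet-only policy."""
    findings = []
    if not any(a.get("interfaces") or a.get("sources") for a in zones.values()):
        findings.append("no zone has an interface or source bound, so every "
                        "packet is classified into the default zone")
    for zone, attrs in zones.items():
        for rule in attrs["rich rules"]:
            src, dst, port, _ = rule_fields(rule)
            # An unconditional accept from any source makes the narrower rules moot.
            if rule.endswith(" accept") and src in ("0.0.0.0/0", "::/0") and not (dst or port):
                findings.append("%s: rich rule accepts every source (%s); the "
                                "narrower intranet rules no longer restrict anything" % (zone, src))
    return findings


def cluster_dns_coverage(zones, pod_cidr, dns_ip):
    """Protocols for which pod_cidr -> dns_ip:53 is explicitly accepted."""
    protos = set()
    for attrs in zones.values():
        for rule in attrs["rich rules"]:
            src, dst, port, proto = rule_fields(rule)
            if rule.endswith(" accept") and (src, dst, port) == (pod_cidr, dns_ip, "53"):
                protos.add(proto)
    return protos


if __name__ == "__main__":
    z = parse_zones(SAMPLE_DUMP)
    for f in lint_zones(z):
        print("finding:", f)
    print("pod CIDR -> cluster DNS :53 accepted for:",
          sorted(cluster_dns_coverage(z, "10.244.0.0/16", "10.96.0.10")))
```

The script only sees what the zone dump contains: it cannot tell which zone is the default (`firewall-cmd --get-default-zone`) or which zone the node's CNI interfaces end up in, so it reports the missing binding instead of guessing, and it says nothing about the `unreachable backend: no upstream host` log line, which concerns CoreDNS's path to the node's upstream resolver rather than the host-side zone rules shown here.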