
I am trying to direct client traffic to a kubernetes cluster NodePort listening on 192.168.1.100:30000 (the https port).
The client needs to make requests to 192.168.1.100:8000, so I added the following REDIRECT rules in iptables:
iptables -t nat -I PREROUTING -p tcp --dst 192.168.1.100 --dport 8000 -j REDIRECT --to-port 30000
iptables -t nat -I OUTPUT -d 192.168.1.100 -p tcp --dport 8000 -j REDIRECT --to-port 30000
However, I get the following error:
# curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
* Trying 192.168.1.100...
* Connected to 192.168.1.100 (192.168.1.100) port 8000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.
I also tried setting up a remote system as shown in this answer and making a request to the same endpoint, and got the following error:
# ip netns exec remotesystem curl -vk https://192.168.1.100:8000/v1/api
* About to connect() to 192.168.1.100 port 8000 (#0)
* Trying 192.168.1.100...
* Connection timed out
* Failed connect to 192.168.1.100:8000; Connection timed out
* Closing connection 0
curl: (7) Failed connect to 192.168.1.100:8000; Connection timed out
I know the kubernetes cluster has network policies enforced using calico crds, however, I added a default allow-all policy to the network policies and the traffic still seems to hang.
I also checked the ingress controller's logs to see whether the request was arriving there, but did not see any log output when making the request.
Strangely, curling the node port directly, https://192.168.1.100:30000/v1/api,
works and I get a successful response.
The question is, why does curling https://192.168.1.100:8000/v1/api (with the REDIRECT rule to 30000)
cause the request to hang?
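A small diagnostic for the first error above, added here and not part of the question: it sends a minimal TLS ClientHello to a host:port and classifies the first bytes of the reply, because NSS raises SSL_ERROR_RX_RECORD_TOO_LONG when those bytes do not form a valid TLS record header, which usually means the peer answered in plaintext (for example a redirect that lands on an HTTP listener instead of the https NodePort). The host, port and sample replies are constructed assumptions.

```python
import socket

# Largest TLS 1.2 record a compliant peer may send (2^14 plaintext + 2048 expansion).
TLS_MAX_RECORD = 16384 + 2048


def classify_server_reply(data: bytes) -> str:
    """Label the first bytes a server sends back after our ClientHello."""
    if len(data) < 5:
        return "empty-or-short"
    ctype, vmajor, length = data[0], data[1], int.from_bytes(data[3:5], "big")
    # 0x15 = alert, 0x16 = handshake; either is a TLS peer talking to us.
    if ctype in (0x15, 0x16) and vmajor == 3 and length <= TLS_MAX_RECORD:
        return "tls"
    # "HTTP/1.1 ..." parsed as a record header gives length 0x5450 = 21584,
    # which exceeds TLS_MAX_RECORD: exactly the curl/NSS symptom in the question.
    if data.startswith(b"HTTP/1."):
        return "plaintext-http"
    return "not-tls"


def build_client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed): one cipher suite, no extensions.
    Enough to make any TLS listener answer with a handshake or an alert record."""
    body = (
        b"\x03\x03" + bytes(32)   # client_version, 32-byte random (zeros, test only)
        + b"\x00"                 # session id length 0
        + b"\x00\x02\xc0\x2f"     # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"             # compression methods: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and report what kind of peer answered."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(5)
        except socket.timeout:
            return "timeout"   # matches the hang seen from the remote netns
    return classify_server_reply(reply)


if __name__ == "__main__":
    # Assumed target from the question; run against both ports to compare.
    for port in (8000, 30000):
        print(port, probe("192.168.1.100", port))
```

A "plaintext-http" result on 8000 means the redirected connection reached a non-TLS listener, while "timeout" on the same port points at the packet never reaching the NodePort at all.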