ubuntu - Kubernetes Pod 无法访问互联网，而主机可以

Question

我正在使用具有以下配置的 Microk8s 设置 -
部署.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
  labels:
    app: jenkins
spec:
  selector:
    matchLabels:
      app: jenkins
  replicas: 1
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      serviceAccountName: jenkins
      containers:
      - name: jenkins
        image: jenkins/jenkins:2.235.1-lts-alpine
        imagePullPolicy: IfNotPresent
        env:
        - name: JAVA_OPTS
          value: -Xmx2048m -Dhudson.slaves.NodeProvisioner.MARGIN=50 -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
        ports:
        - containerPort: 8080
          protocol: TCP
        - containerPort: 50000
          protocol: TCP
        volumeMounts:
        - mountPath: /var/jenkins_home
          name: jenkins
      restartPolicy: Always
      securityContext:
        runAsUser: 0
      terminationGracePeriodSeconds: 30
      volumes:
      - name: jenkins
        persistentVolumeClaim:
          claimName: jenkins-claim

pv.yaml

apiVersion: v1
kind: PersistentVolume
metadata:
  name: jenkins
  labels:
    type: local
spec:
  storageClassName: manual
  capacity:
    storage: 4Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data"

pvc.yaml

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jenkins-claim
spec:
  storageClassName: manual
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 4Gi

rbac.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create","delete","get","list","patch","update","watch"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["create","delete","get","list","patch","update"]
- apiGroups: [""]
  resources: ["ingresses"]
  verbs: ["create","delete","get","list","patch","update"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: jenkins
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: jenkins

服务.yaml

apiVersion: v1
kind: Service
metadata:
  name: jenkins
  labels:
    app: jenkins
spec:
  type: NodePort
  ports:
    - name: ui
      port: 8080
      targetPort: 8080
      protocol: TCP
    - name: slave
      port: 50000
      protocol: TCP
    - name: http
      port: 80
      targetPort: 8080
  selector:
    app: jenkins

我可以从我的节点(主机)访问互联网，但不能从我的 pod。
我的节点是在 VPN 中运行在 vSphere 上的 ubuntu 18.04.2 LTS 机器。
在官方文档( https://microk8s.io/docs/troubleshooting )中，它说

sudo iptables -P FORWARD ACCEPT
sudo apt-get install iptables-persistent

或者

sudo ufw default allow routed

两者都不能为我解决问题。
还尝试了 https://github.com/ubuntu/microk8s/issues/1484 中的建议没有成功。

Answer 1

为了在 Microk8s 上解决这个问题，在部署之前使用命令 microk8s enable dns 启用 dns 插件。