本文主要是介绍dial tcp 10.96.0.1:443: connect: network is unreachable,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
今天,在部署 k8s 集群时,发现 CoreDNS 一直无法启动成功,报类似标题所示的错误,现记录下问题排查的主体过程:
1. 首先,正常情况下,所有 Node 应该都能够访问 10.96.0.1:443,到 CoreDNS Pod 所在节点,执行:
# curl https://10.96.0.1
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.htmlcurl performs SSL certificate verification by default, using a "bundle"of Certificate Authority (CA) public keys (CA certs). If the defaultbundle file isn't adequate, you can specify an alternate fileusing the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented inthe bundle, the certificate verification probably failed due to aproblem with the certificate (it might be expired, or the name mightnot match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, usethe -k (or --insecure) option.无需关心返回的内容,有返回即代表 10.96.0.1:443 是可以访问的,如果不能访问进入第 2 步
2. 查看对应 Node 上的 kube-proxy 日志,根据日志判断 iptables 规则设置有无异常
E1017 09:28:33.524808 1 proxier.go:688] Failed to ensure that filter chain KUBE-EXTERNAL-SERVICES exists: error creating chain "KUBE-EXTERNAL-SERVICES": exit status 3: modprobe: ERROR: could not insert 'ip6_tables': Exec format error
ip6tables v1.6.0: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
E1017 09:29:03.528199 1 proxier.go:688] Failed to ensure that filter chain KUBE-EXTERNAL-SERVICES exists: error creating chain "KUBE-EXTERNAL-SERVICES": exit status 3: modprobe: ERROR: could not insert 'ip6_tables': Exec format error
ip6tables v1.6.0: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)
Perhaps ip6tables or your kernel needs to be upgraded.
如有异常,则根据错误提示,配置 Node 解决 iptables 故障
这篇关于dial tcp 10.96.0.1:443: connect: network is unreachable的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
