projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Calico Network Connection only works if pods are on the same node #7194

Closed philipphomberger closed 1 year ago

philipphomberger commented 1 year ago

Calico Network Connection only works if pods are on the same node

If two pods are on the same worker node, they can ping each other etc. If two pods are on different nodes, there is no response to the ping.

Expected Behavior

I would expect that I get a response when the other pod is on a different node in the cluster too.

Current Behavior

Ping testing using the ping testing guide:

[eco_adm@cg3a54d9ac-k8m-s301 linux-amd64]$ kubectl exec -ti pingtest-8547ccd6f-mvt7l -- sh
/ #
/ # ping 192.168.177.239
PING 192.168.177.239 (192.168.177.239): 56 data bytes
64 bytes from 192.168.177.239: seq=0 ttl=63 time=0.249 ms
64 bytes from 192.168.177.239: seq=1 ttl=63 time=0.098 ms
64 bytes from 192.168.177.239: seq=2 ttl=63 time=0.096 ms
64 bytes from 192.168.177.239: seq=3 ttl=63 time=0.087 ms
^C
--- 192.168.177.239 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.087/0.132/0.249 ms
/ # ping 192.168.9.1
PING 192.168.9.1 (192.168.9.1): 56 data bytes
^C
--- 192.168.9.1 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
/ # ping 192.168.9.1
PING 192.168.9.1 (192.168.9.1): 56 data bytes
^C
--- 192.168.9.1 ping statistics ---
211 packets transmitted, 0 packets received, 100% packet loss

Pods and Pod Nodes:

[eco_adm@cg3a54d9ac-k8m-s301 linux-amd64]$ kubectl get pods -o wide
NAME                       READY   STATUS    RESTARTS   AGE   IP                NODE                              NOMINATED NODE   READINESS GATES
pingtest-8547ccd6f-7kkwn   1/1     Running   0          69m   192.168.9.2       cg3a54d9ac-k8w-s302.sys.schwarz
pingtest-8547ccd6f-ghskk   1/1     Running   0          69m   192.168.9.1       cg3a54d9ac-k8w-s302.sys.schwarz
pingtest-8547ccd6f-mvt7l   1/1     Running   0          69m   192.168.177.250   cg3a54d9ac-k8w-s301.sys.schwarz

NAME                              STATUS   ROLES           AGE   VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                               KERNEL-VERSION                  CONTAINER-RUNTIME
cg3a54d9ac-k8m-s301.sys.schwarz   Ready    control-plane   38h   v1.26.0   10.124.149.95                  Red Hat Enterprise Linux 8.7 (Ootpa)   4.18.0-425.3.1.el8.x86_64       containerd://1.6.15
cg3a54d9ac-k8w-s301.sys.schwarz   Ready    worker          38h   v1.26.0   10.124.149.35                  Red Hat Enterprise Linux 8.7 (Ootpa)   4.18.0-372.32.1.el8_6.x86_64    containerd://1.6.15
cg3a54d9ac-k8w-s302.sys.schwarz   Ready    worker          35h   v1.26.0   10.124.149.200                 Red Hat Enterprise Linux 8.7 (Ootpa)   4.18.0-372.32.1.el8_6.x86_64    containerd://1.6.15

[eco_adm@cg3a54d9ac-k8m-s301 linux-amd64]$ sudo ./calicoctl node status
Calico process is running.

IPv4 BGP status
+----------------+-------------------+-------+----------+-------------+
| PEER ADDRESS   | PEER TYPE         | STATE | SINCE    | INFO        |
+----------------+-------------------+-------+----------+-------------+
| 10.124.149.35  | node-to-node mesh | up    | 07:17:42 | Established |
| 10.124.149.200 | node-to-node mesh | up    | 07:17:42 | Established |
+----------------+-------------------+-------+----------+-------------+

IPv6 BGP status
No IPv6 peers found.

If you need more information, please tell me.

Thank you :)

Your Environment

frozenprocess commented 1 year ago

Both nodes are on a single broadcast domain? What are your installation manifest configurations?

kubectl get installation default -o yaml

song-jiang commented 1 year ago

First thing to check: can you see a route to pods running on the other node by running ip route on one of the nodes?

philipphomberger commented 1 year ago

The problem comes from OpenStack. The security of the network pod does not allow the servers to use different IP addresses. See https://kubespray.io/#/docs/openstack
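
The following is an added example, not code from the thread or from the Calico or Kubespray projects. It models the OpenStack (Neutron) port-security anti-spoofing rule against the pod and node addresses shown in this issue, to show why same-node pings succeed while cross-node pings fail. Assumptions: pod traffic leaves the node with the pod IP as its source address (no encapsulation), the port records are constructed, and `192.168.0.0/16` as the pod CIDR is a guess based on the pod IPs above.

```python
from ipaddress import ip_address, ip_network

S301 = "cg3a54d9ac-k8w-s301.sys.schwarz"
S302 = "cg3a54d9ac-k8w-s302.sys.schwarz"

# Constructed Neutron port records. Node names and fixed IPs come from the
# issue's kubectl output; the empty allowed_address_pairs are an assumption.
PORTS = {
    S301: {"fixed_ips": ["10.124.149.35"], "allowed_address_pairs": [],
           "port_security_enabled": True},
    S302: {"fixed_ips": ["10.124.149.200"], "allowed_address_pairs": [],
           "port_security_enabled": True},
}

# (pod IP, node) pairs from the issue's `kubectl get pods -o wide` output.
PODS = [("192.168.9.2", S302), ("192.168.9.1", S302), ("192.168.177.250", S301)]


def egress_allowed(port, src_ip):
    """Anti-spoofing check: may a packet with this source IP leave the port?"""
    if not port["port_security_enabled"]:
        return True
    permitted = port["fixed_ips"] + port["allowed_address_pairs"]
    return any(ip_address(src_ip) in ip_network(p, strict=False) for p in permitted)


def ping_works(ports, src, dst):
    """The request leaves the source node's port, the reply the destination's."""
    (src_ip, src_node), (dst_ip, dst_node) = src, dst
    if src_node == dst_node:
        return True  # traffic stays on the node and never crosses a Neutron port
    return (egress_allowed(ports[src_node], src_ip)
            and egress_allowed(ports[dst_node], dst_ip))


def with_pod_cidr(ports, cidr):
    """Return a copy of ports with cidr added as an allowed address pair."""
    return {node: {**p, "allowed_address_pairs": p["allowed_address_pairs"] + [cidr]}
            for node, p in ports.items()}


if __name__ == "__main__":
    print("same node (s302 -> s302):", ping_works(PORTS, PODS[0], PODS[1]))
    print("cross node (s301 -> s302):", ping_works(PORTS, PODS[2], PODS[1]))
    fixed = with_pod_cidr(PORTS, "192.168.0.0/16")  # assumed pod CIDR
    print("cross node with pod CIDR allowed:", ping_works(fixed, PODS[2], PODS[1]))
```

Keeping port security enabled and adding only the pod CIDR as an allowed address pair preserves the anti-spoofing control for every other source address.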