By default, and depending on the region, the tunnel component was tunnel-front. When a cluster was updated to the uptime service-level agreement (SLA) feature, tunnel-front was replaced by the aks-link tunnel component, which used OpenVPN. Konnectivity, a Kubernetes upstream component, replaces both tunnel-front and aks-link. For more information about the migration to Konnectivity as the tunnel component, see the AKS release notes and changelog.

You receive an error message that resembles the following examples about port 10250:

Error from server: Get " dial tcp :10250: i/o timeout
Error from server: error dialing backend: dial tcp :10250: i/o timeout

The Kubernetes API server uses port 10250 to connect to a node's kubelet to retrieve the logs. If port 10250 is blocked, kubectl logs and other features work only for pods that run on the nodes on which the tunnel component is scheduled. For more information, see Kubernetes ports and protocols: Worker nodes.

Because the tunnel components or the connectivity between the server and client can't be established, functionality such as the following won't work as expected:

- Retrieving logs (using the kubectl logs command)
- Running a command in a container or getting inside a container (using the kubectl exec command)
- Forwarding one or more local ports of a pod (using the kubectl port-forward command)

Cause 1: A network security group (NSG) is blocking port 10250

This cause applies to any tunnel component that you might have in your AKS cluster.

You can use an Azure network security group (NSG) to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound and outbound network traffic between several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. For more information, see How network security groups filter network traffic.

If the NSG blocks port 10250 at the virtual network level, tunnel functionalities (such as logs and code execution) work only for the pods that are scheduled on the nodes where the tunnel pods are scheduled. The other pods don't work because their nodes can't reach the tunnel, which is scheduled on other nodes.

To verify this state, you can test the connectivity by using the netcat (nc) or telnet commands. You can run the az vmss run-command invoke command to conduct the connectivity test and verify whether it succeeds, times out, or fails in some other way:

az vmss run-command invoke --resource-group \

Solution 1: Add an NSG rule to allow access to port 10250

If you use an NSG and you have specific restrictions, make sure that you add a security rule that allows traffic for port 10250 at the virtual network level. The following Azure portal image shows an example security rule:

If you want to be more restrictive, you can allow access to port 10250 at the subnet level only.

Cause 2: Uncomplicated Firewall (UFW) is blocking port 10250

This cause applies to any tunnel component that you have in your AKS cluster.

Uncomplicated Firewall (UFW) is a command-line program for managing a netfilter firewall. By default, if UFW is enabled, it blocks access to all ports, including port 10250. For that reason, UFW is installed on AKS nodes but is disabled by default.

In this case, it's unlikely that you can use Secure Shell (SSH) to connect to AKS cluster nodes for troubleshooting, because UFW might also be blocking port 22.

To troubleshoot, you can run the az vmss run-command invoke command to invoke a ufw command that checks whether UFW is enabled:

az vmss run-command invoke --resource-group \

What if the results indicate that UFW is enabled and doesn't specifically allow port 10250? In this case, tunnel functionalities (such as logs and code execution) won't work for the pods that are scheduled on the nodes that have UFW enabled. To fix the problem, apply one of the following solutions on UFW.

If you don't see any behavioral change after you apply a solution, you can re-create the tunnel component pods. Deleting these pods causes them to be re-created.

Solution 2a: Disable Uncomplicated Firewall

Run the following az vmss run-command invoke command to disable UFW:

az vmss run-command invoke --resource-group \

Solution 2b: Configure Uncomplicated Firewall to permit access to port 10250

To force UFW to allow access to port 10250, run the following az vmss run-command invoke command:

az vmss run-command invoke --resource-group \

Cause 3: The iptables tool is blocking port 10250

The iptables tool lets a system administrator configure the IP packet filter rules of a Linux firewall. You can configure the iptables rules to block communication on port 10250.
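The connectivity test described under Cause 1 (netcat run on a node through az vmss run-command invoke), as an added example that is not code from the Microsoft article. The resource group, scale set name, instance id and target IP are placeholders, and the verdict function matches the wording of OpenBSD netcat and nmap's ncat; a "timeout" verdict from a node toward the node that hosts the tunnel pod is the symptom the NSG (Cause 1) or UFW (Cause 2) sections describe.

```shell
#!/bin/sh
# Added example, not code from the Microsoft article: probe TCP port 10250 from
# an AKS node with netcat, run through `az vmss run-command invoke`, and turn
# netcat's message into a one-word verdict you can act on.
# Assumptions (placeholders, not values from the article): the az CLI is signed
# in; RESOURCE_GROUP is the node resource group (MC_*), VMSS_NAME the node pool
# scale set, INSTANCE_ID one of its instances, and the target IP is the node
# that hosts the tunnel pod.
PORT=10250

# classify_nc_output <text>: map the output of `nc -vz -w <sec> <host> <port>`
# (OpenBSD netcat or nmap's ncat wording) to open | timeout | refused | unknown.
classify_nc_output() {
    case "$1" in
        *"timed out"*)             echo timeout ;;  # packets silently dropped: NSG or host firewall
        *refused*)                 echo refused ;;  # host reached, nothing listening on the port
        *succeeded*|*Connected*)   echo open ;;     # TCP handshake completed
        *)                         echo unknown ;;
    esac
}

# probe_port_from_node <target-ip>: run the netcat probe on one VMSS instance
# and print the raw message that run-command returns (stdout and stderr).
probe_port_from_node() {
    az vmss run-command invoke \
        --resource-group "$RESOURCE_GROUP" \
        --name "$VMSS_NAME" \
        --instance-id "$INSTANCE_ID" \
        --command-id RunShellScript \
        --scripts "nc -vz -w 3 $1 $PORT 2>&1" \
        --query 'value[0].message' \
        --output tsv
}

# Offline demonstration on constructed netcat output; no cluster is contacted.
for sample in \
    "Connection to 10.240.0.4 10250 port [tcp/*] succeeded!" \
    "nc: connect to 10.240.0.4 port 10250 (tcp) timed out: Operation now in progress" \
    "nc: connect to 10.240.0.4 port 10250 (tcp) failed: Connection refused"
do
    printf '%-80s -> %s\n' "$sample" "$(classify_nc_output "$sample")"
done

# Against a real cluster (export the placeholders first):
#   verdict=$(classify_nc_output "$(probe_port_from_node 10.240.0.4)")
```

Run the probe from an instance in a node pool that does not host the tunnel pod toward the node that does: "open" rules out a network block between those two nodes, "timeout" is what a deny rule in an NSG or an enabled UFW produces, and "refused" means the packets arrive but the kubelet is not listening, which is a different problem from the ones on this page.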
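The UFW check under Cause 2 and the iptables rules under Cause 3, as an added example that is not the article's own commands: it reads the text that `ufw status` and `iptables -S INPUT` return on a node (collected with az vmss run-command invoke and `--command-id RunShellScript`, as the article describes) and reports whether the host firewall blocks port 10250. Function names and the sample outputs are constructed for this example, and the `ufw allow 10250` command it names for Solution 2b is an assumption, because the article's own command is not shown on this page.

```shell
#!/bin/sh
# Added example, not code from the Microsoft article: decide from a node's
# `ufw status` and `iptables -S INPUT` output whether the host firewall blocks
# port 10250. Collect the output as the article describes, e.g.
#   az vmss run-command invoke ... --command-id RunShellScript --scripts "ufw status"
# and feed the returned text to these functions. Function names and the sample
# outputs below are constructed for this example.
PORT=10250

# ufw_verdict <ufw status output>: inactive | allowed | blocked | unknown
ufw_verdict() {
    case "$1" in
        *"Status: inactive"*) echo inactive; return ;;
        *"Status: active"*)   ;;                      # fall through to the rule check
        *)                    echo unknown; return ;;
    esac
    # `ufw allow 10250` lists as "10250  ALLOW ...", `ufw allow 10250/tcp` as "10250/tcp ALLOW ...".
    if printf '%s\n' "$1" | grep -Eq "^${PORT}(/tcp)?[[:space:]]+ALLOW"; then
        echo allowed
    else
        echo blocked   # active, default deny incoming, and no rule for the port
    fi
}

# iptables_verdict <iptables -S INPUT output>: blocked | allowed
# Heuristic only: iptables is first-match, so an earlier ACCEPT can shadow a
# later DROP; treat "blocked" as a lead to confirm with `iptables -L -n -v`.
iptables_verdict() {
    port_rules=$(printf '%s\n' "$1" | grep -E -- "--dport ${PORT}( |$)" || true)
    if printf '%s\n' "$port_rules" | grep -Eq -- "-j (DROP|REJECT)"; then
        echo blocked                                   # explicit DROP/REJECT for the port
    elif printf '%s\n' "$1" | grep -q -- "^-P INPUT DROP" \
         && ! printf '%s\n' "$port_rules" | grep -q -- "-j ACCEPT"; then
        echo blocked                                   # default-drop policy, no ACCEPT for the port
    else
        echo allowed
    fi
}

# remediation <ufw verdict>: the ufw command to run on the node for the
# article's solutions (assumed: Solution 2b opens the port, Solution 2a disables UFW).
remediation() {
    case "$1" in
        blocked) echo "ufw allow ${PORT}   (Solution 2b; or 'ufw disable' for Solution 2a)" ;;
        *)       echo "no UFW change needed" ;;
    esac
}

# Constructed sample outputs for an offline run: UFW active without a 10250
# rule, and an explicit iptables DROP for the port.
UFW_SAMPLE="Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere"
IPT_SAMPLE="-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 10250 -j DROP"

echo "ufw:      $(ufw_verdict "$UFW_SAMPLE")"
echo "iptables: $(iptables_verdict "$IPT_SAMPLE")"
echo "fix:      $(remediation "$(ufw_verdict "$UFW_SAMPLE")")"
```

Because the page notes that UFW may also be blocking SSH on port 22, gather both outputs through run-command rather than an interactive session, and keep the iptables verdict as a pointer: the parser does not model rule order, so confirm a "blocked" result against the live counters before changing rules on a node.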