Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com> Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com> Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
48 lines
10 KiB
HTML
<a name="cce_faq_00202"></a><a name="cce_faq_00202"></a>
<h1 class="topictitle1">How Do I Locate a Workload Networking Fault?</h1>
<div id="body1570791815018"><div class="section" id="cce_faq_00202__section1052911589595"><h4 class="sectiontitle">Troubleshooting Process</h4><p id="cce_faq_00202__p17987205213470">The issues here are described in order of how likely they are to occur.</p>
<p id="cce_faq_00202__p997211345215">Check these causes one by one until you find the cause of the fault.</p>
<ul id="cce_faq_00202__ul68415465314"><li id="cce_faq_00202__li58454620317"><a href="#cce_faq_00202__section11960929145416">Check Item 1: Container and Container Port</a></li><li id="cce_faq_00202__li68404618317"><a href="#cce_faq_00202__section138152218598">Check Item 2: Node IP Address and Node Port</a></li><li id="cce_faq_00202__li984446636"><a href="#cce_faq_00202__section3966114610915">Check Item 3: ELB IP Address and Port</a></li><li id="cce_faq_00202__li1684174611311"><a href="#cce_faq_00202__section77791227101111">Check Item 4: NAT Gateway + Port</a></li><li id="cce_faq_00202__li19520175710409"><a href="#cce_faq_00202__section6115457143415">Check Item 5: Whether the Security Group of the Node Where the Container Is Located Allows Access</a></li></ul>
</div>
<div class="section" id="cce_faq_00202__section11960929145416"><a name="cce_faq_00202__section11960929145416"></a><a name="section11960929145416"></a><h4 class="sectiontitle">Check Item 1: Container and Container Port</h4><p class="msonormal" id="cce_faq_00202__p33757095">Log in to the CCE console or use kubectl to query the IP address of the pod. Then, log in to the node or container in the cluster and run the <strong id="cce_faq_00202__b1029154354615">curl</strong> command to manually call the API. Check whether the expected result is returned.</p>
<p class="msonormal" id="cce_faq_00202__p35378404">If &lt;container IP address&gt;:&lt;port&gt; cannot be accessed, you are advised to log in to the application container and access 127.0.0.1:&lt;port&gt; to locate the fault.</p>
<p class="msonormal" id="cce_faq_00202__p49970185"><strong id="cce_faq_00202__b206575168338">Common issues:</strong></p>
<ol id="cce_faq_00202__ol11114131615919"><li class="msonormal" id="cce_faq_00202__li151141416195913">The container port is incorrectly configured (the container does not listen on the access port).</li><li class="msonormal" id="cce_faq_00202__li18114816205915">The URL does not exist (no related path exists in the container).</li><li class="msonormal" id="cce_faq_00202__li811431645917">A Service exception (a Service bug in the container) occurs.</li><li id="cce_faq_00202__li371012276317">The cluster network kernel component is abnormal (container tunnel network model: openvswitch kernel component; VPC network model: ipvlan kernel component).</li></ol>
</div>
<div class="section" id="cce_faq_00202__section138152218598"><a name="cce_faq_00202__section138152218598"></a><a name="section138152218598"></a><h4 class="sectiontitle">Check Item 2: Node IP Address and Node Port</h4><p class="msonormal" id="cce_faq_00202__p46967960">Only NodePort or LoadBalancer Services can be accessed using the node IP address and node port.</p>
<ul id="cce_faq_00202__ul019363814414"><li class="msonormal" id="cce_faq_00202__li1719311387419"><strong id="cce_faq_00202__b134251804385">NodePort Services:</strong><p class="msonormal" id="cce_faq_00202__p177362361258">The access port of a node is the port exposed externally by the node.</p>
</li><li id="cce_faq_00202__li10258101015514"><strong id="cce_faq_00202__b19400943104120">LoadBalancer Services:</strong><p id="cce_faq_00202__p4647203814514">You can view the node port of a LoadBalancer Service by editing the YAML file.</p>
</li></ul>
<p class="msonormal" id="cce_faq_00202__p111253121483">Example:</p>
<p class="msonormal" id="cce_faq_00202__p47250101"><strong id="cce_faq_00202__b121138399110">nodePort: 30637</strong> indicates the exposed node port. <strong id="cce_faq_00202__b1777085513113">targetPort: 80</strong> indicates the exposed pod port. <strong id="cce_faq_00202__b88261117181217">port: 123</strong> is the exposed Service port. LoadBalancer Services also use this port to configure the ELB listener.</p>
<p class="msonormal" id="cce_faq_00202__p22597726"><span><img id="cce_faq_00202__image52387077" src="en-us_image_0000001851585032.png"></span></p>
<p class="msonormal" id="cce_faq_00202__p2052950">After finding the node port (nodePort), access &lt;IP address&gt;:&lt;port&gt; of the node where the container is located and check whether the expected result is returned.</p>
<p class="msonormal" id="cce_faq_00202__p18476557"><strong id="cce_faq_00202__b6371050105318">Common issues:</strong></p>
<ol id="cce_faq_00202__ol32071293"><li id="cce_faq_00202__li1721653">The service port is not allowed in the inbound rules of the node.</li><li id="cce_faq_00202__li15494878">A custom route is incorrectly configured for the node.</li><li id="cce_faq_00202__li5236179">The label of the pod does not match that of the Service (created using kubectl or API).</li></ol>
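<p>The label mismatch and the port mapping described above can be checked from the JSON that kubectl returns before any packets are sent. The following Python is an added example, not part of the original CCE documentation; the Service and pod data are constructed and reuse the nodePort 30637, port 123 and targetPort 80 values from the example, and the function names are hypothetical.</p>

```python
import json

# Constructed sample data, shaped like `kubectl get svc web -o json` and
# `kubectl get pods -o json` output, trimmed to the fields used below.
SERVICE = json.loads("""{
  "metadata": {"name": "web"},
  "spec": {"type": "NodePort", "selector": {"app": "web"},
           "ports": [{"port": 123, "targetPort": 80, "nodePort": 30637}]}}""")
PODS = json.loads("""{"items": [
  {"metadata": {"name": "web-1", "labels": {"app": "web"}},
   "status": {"podIP": "10.0.0.11"},
   "spec": {"containers": [{"ports": [{"containerPort": 80}]}]}},
  {"metadata": {"name": "web-2", "labels": {"app": "web"}},
   "status": {"podIP": "10.0.0.12"},
   "spec": {"containers": [{"ports": [{"containerPort": 8080}]}]}},
  {"metadata": {"name": "web-3", "labels": {"app": "web-v2"}},
   "status": {"podIP": "10.0.0.13"},
   "spec": {"containers": [{"ports": [{"containerPort": 80}]}]}}]}""")

def selected_pods(service, pods):
    """Pods whose labels contain every key/value pair of the Service selector."""
    selector = service["spec"].get("selector") or {}
    return [p for p in pods["items"] if selector and all(
        p["metadata"].get("labels", {}).get(k) == v for k, v in selector.items())]

def check_service(service, pods):
    """Return (findings, probes): mismatches found and pod IP:port pairs to curl."""
    findings, probes = [], []
    spec = service["spec"]
    if spec.get("type") not in ("NodePort", "LoadBalancer"):
        findings.append("Service type %s has no node port" % (spec.get("type"),))
    matched = selected_pods(service, pods)
    if not matched:
        findings.append("no pod label matches selector %s" % (spec.get("selector"),))
    for sp in spec["ports"]:
        target = sp.get("targetPort", sp["port"])
        for pod in matched:
            declared = [cp for c in pod["spec"]["containers"] for cp in c.get("ports", [])]
            by_name = {cp["name"]: cp["containerPort"] for cp in declared if "name" in cp}
            # A named targetPort resolves through the pod's port names.
            port = by_name.get(target) if isinstance(target, str) else target
            if port in {cp["containerPort"] for cp in declared}:
                probes.append("%s:%d" % (pod["status"]["podIP"], port))
            else:  # Declaring containerPort is optional, so confirm with curl.
                findings.append("%s does not declare targetPort %s" % (pod["metadata"]["name"], target))
    return findings, probes
```

<p>Each entry in <strong>probes</strong> is a &lt;container IP address&gt;:&lt;port&gt; pair to test with curl as in Check Item 1; a pod missing from the selection (web-3 here) never receives traffic from the Service.</p>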
</div>
<div class="section" id="cce_faq_00202__section3966114610915"><a name="cce_faq_00202__section3966114610915"></a><a name="section3966114610915"></a><h4 class="sectiontitle">Check Item 3: ELB IP Address and Port</h4><p class="msonormal" id="cce_faq_00202__p47637903">There are several possible causes if &lt;IP address&gt;:&lt;port&gt; of the ELB cannot be accessed, but &lt;IP address&gt;:&lt;port&gt; of the node can be accessed.</p>
<p class="msonormal" id="cce_faq_00202__p26087949"><strong id="cce_faq_00202__b1989042985911">Possible causes:</strong></p>
<ul id="cce_faq_00202__ul2082142751017"><li class="msonormal" id="cce_faq_00202__li9821827101013">The backend server group of the port or URL is not as expected.</li><li class="msonormal" id="cce_faq_00202__li12822727161018">The security group on the node has not exposed the related protocol or port to the ELB.</li><li class="msonormal" id="cce_faq_00202__li682242751010">The health check of the layer-4 load balancing is not enabled.</li><li class="msonormal" id="cce_faq_00202__li582282781016">The certificate used for Services of layer-7 load balancing has expired.</li></ul>
<p class="msonormal" id="cce_faq_00202__p50448354"><strong id="cce_faq_00202__b9932143810110">Common issues:</strong></p>
<ol id="cce_faq_00202__ol51382007"><li id="cce_faq_00202__li59078165">When exposing a layer-4 ELB load balancer, if you have not enabled health check on the console, the load balancer may route requests to abnormal nodes.</li><li id="cce_faq_00202__li61941440">For UDP access, ICMP has not been allowed in the inbound rules of the node.</li><li id="cce_faq_00202__li20602051">The label of the pod does not match that of the Service (created using kubectl or API).</li></ol>
</div>
<div class="section" id="cce_faq_00202__section77791227101111"><a name="cce_faq_00202__section77791227101111"></a><a name="section77791227101111"></a><h4 class="sectiontitle">Check Item 4: NAT Gateway + Port</h4><p id="cce_faq_00202__p873223012114">Generally, no EIP is configured for the backend server of NAT. Otherwise, exceptions such as network packet loss may occur.</p>
</div>
<div class="section" id="cce_faq_00202__section6115457143415"><a name="cce_faq_00202__section6115457143415"></a><a name="section6115457143415"></a><h4 class="sectiontitle">Check Item 5: Whether the Security Group of the Node Where the Container Is Located Allows Access</h4><p id="cce_faq_00202__p878410258426">Log in to the management console, choose <strong id="cce_faq_00202__b168414932319">Service List</strong> > <strong id="cce_faq_00202__b198519919239">Networking</strong> > <strong id="cce_faq_00202__b2085189152311">Virtual Private Cloud</strong>. On the Network console, choose <strong id="cce_faq_00202__b38516911237">Access Control</strong> > <strong id="cce_faq_00202__b78511918232">Security Groups</strong>, locate the security group rule of the CCE cluster, and modify and harden the security group rule.</p>
<ul id="cce_faq_00202__ul1868032114510"><li id="cce_faq_00202__li06801721154517">CCE cluster:<p id="cce_faq_00202__p55151148114317"><a name="cce_faq_00202__li06801721154517"></a><a name="li06801721154517"></a>The security group name of the node is <strong id="cce_faq_00202__b391179202418">{<em id="cce_faq_00202__i2318131820246">Cluster name</em>}-cce-node-{<em id="cce_faq_00202__i658212215244">Random characters</em>}</strong>.</p>
</li><li id="cce_faq_00202__li125276245457">CCE Turbo cluster:<p id="cce_faq_00202__p82417114446"><a name="cce_faq_00202__li125276245457"></a><a name="li125276245457"></a>The security group name of the node is <strong id="cce_faq_00202__b73398351098">{<em id="cce_faq_00202__i1933333519912">Cluster name</em>}-cce-node-{<em id="cce_faq_00202__i33390351594">Random characters</em>}</strong>.</p>
<p id="cce_faq_00202__p20422193611433">The name of the security group associated with the containers is <strong id="cce_faq_00202__b7423102514255">{</strong><strong id="cce_faq_00202__b124231425182514"><em id="cce_faq_00202__i1613141852515">Cluster name</em></strong><strong id="cce_faq_00202__b1423142520255">}-cce-eni-{</strong><strong id="cce_faq_00202__b18423132552516"><em id="cce_faq_00202__i795212202251">Random characters</em></strong><strong id="cce_faq_00202__b134232252257">}</strong>.</p>
</li></ul>
<p id="cce_faq_00202__p17655622194613"><strong id="cce_faq_00202__b654551117266">Check the following:</strong></p>
<ul id="cce_faq_00202__ul813233834611"><li id="cce_faq_00202__li313223818466">IP address, port, and protocol of an external request to access the workloads in the cluster. They must be allowed in the inbound rule of the cluster security group.</li><li id="cce_faq_00202__li121321138184613">IP address, port, and protocol of a request by a workload to visit external applications outside the cluster. They must be allowed in the outbound rule of the cluster security group.</li></ul>
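<p>The inbound check above amounts to matching a request's protocol, source IP address and port against the rule list, and hardening starts with the rules that accept any source. The following Python is an added example, not part of the original CCE documentation; the rule layout is an assumption made for this example (allow-only rules with default deny), not the cloud API's schema, and the rules and addresses are constructed.</p>

```python
import ipaddress

# Constructed inbound rules for a node security group. "ports" is an
# inclusive range, or None for protocols without ports (ICMP).
INBOUND = [
    {"protocol": "tcp", "ports": (30000, 32767), "source": "0.0.0.0/0"},
    {"protocol": "tcp", "ports": (22, 22), "source": "192.168.0.0/16"},
    {"protocol": "icmp", "ports": None, "source": "10.0.0.0/8"},
]

def matching_rule(rules, protocol, src_ip, port=None):
    """Return the first rule that allows the request, or None (default deny)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["protocol"] not in (protocol, "all"):
            continue
        if ip not in ipaddress.ip_network(rule["source"]):
            continue
        if rule["ports"] is None:
            return rule  # rule is not restricted by port
        if port is not None and rule["ports"][0] <= port <= rule["ports"][1]:
            return rule
    return None

def overly_broad(rules):
    """Rules that accept any IPv4 source: the first candidates for hardening."""
    return [r for r in rules
            if ipaddress.ip_network(r["source"]).prefixlen == 0]

if __name__ == "__main__":
    # TCP to node port 30637 is allowed, but the same port over UDP is not.
    print(matching_rule(INBOUND, "tcp", "203.0.113.5", 30637))
    print(matching_rule(INBOUND, "udp", "203.0.113.5", 30637))
    print(overly_broad(INBOUND))
```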
<p id="cce_faq_00202__p05783489454">For details about security group configuration, see <a href="cce_faq_00265.html">How Can I Configure a Security Group Rule in a Cluster?</a>.</p>
</div>
</div>