kubernetes: "Connection refused" error while creating GCP cluster nodes

4nkexdtk posted on 2022-11-21 in Kubernetes

When creating a GKE cluster
The cluster can be created, but the nodes do not start up properly. In the logs (serial port 1 / console output of the node VM) I can see the following errors:

[   24.630930] configure.sh[1010]: Getting the service account access token configured for VM. 
[   24.673381] configure.sh[1010]: Service account access token is received. Downloading https://storage.googleapis.com/gke-release/npd-custom-plugins/v1.0.4/npd-custom-plugins-v1.0.4.tar.gz using this token. 
[   24.969664] configure.sh[1116]: curl: (7) Failed to connect to storage.googleapis.com port 443 after 292 ms: Connection refused 
[   24.969859] configure.sh[1116]: Warning: Problem : connection refused. Will retry in 10 seconds. 6 retries.
[   66.167634] configure.sh[1116]: Warning: left. 
[   76.459028] configure.sh[1116]: curl: (7) Failed to connect to storage.googleapis.com port 443 after 281 ms: Connection refused 
[   76.459198] configure.sh[1116]: Warning: Problem : connection refused. Will retry in 10 seconds. 1 retries 
[   76.459252] configure.sh[1116]: Warning: left. 
[   86.759856] configure.sh[1116]: curl: (7) Failed to connect to storage.googleapis.com port 443 after 290 ms: Connection refused 
[   86.760211] configure.sh[1010]: == Failed to download https://storage.googleapis.com/gke-release/npd-custom-plugins/v1.0.4/npd-custom-plugins-v1.0.4.tar.gz. Retrying.

This looks like a permissions problem, but I really don't know which permission is missing. I even granted Editor, Network Admin and Security Admin to these service accounts, but I still get the same error.

service-abcde@container-engine-robot.iam.gserviceaccount.com
  Compute Network User
  Compute Network Admin
  Compute Security Admin
  Kubernetes Engine Host Service Agent User
  Service Networking Service Agent

abcde@cloudservices.gserviceaccount.com
  Compute Network User

The command I am using is:

gcloud container clusters create poc-65 --project project-xyz \
  --zone=us-west1-a --enable-ip-alias \
  --network projects/project-xyz/global/networks/network-xyz \
  --subnetwork projects/project-xyz/regions/us-west1/subnetworks/subnet-xyz \
  --services-secondary-range-name uat-xyz-service \
  --cluster-secondary-range-name uat-xyz-pod \
  --no-enable-master-authorized-networks \
  --master-ipv4-cidr 172.16.2.32/28 \
  --enable-private-nodes --num-nodes 3 \
  --default-max-pods-per-node 20

Thanks

oknwwptz (answer #1)

Sorry, I found the cause. Our agency has a policy that all traffic to the outside must go through the internal network, and we did replace the default 0.0.0.0/0 route to point it at the internal network. But the internal firewall rules blocked the traffic, which is why the nodes could not reach the Google private services API during cluster creation. After adjusting the firewall rules the problem was resolved.
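The answer above makes two points worth being able to check mechanically: a curl "Connection refused" on port 443 right after a service-account token was successfully obtained is a network-path symptom, not an IAM one, and a private-node subnet only reaches Google APIs if the route for those destinations and the egress firewall rules both allow it. The following Python script is an added example and is not code from the post or from Google; it parses serial-console lines (the sample lines are copied from the question) and evaluates constructed VPC routes and egress firewall rules in the shape of `gcloud compute routes list --format=json`, `gcloud compute firewall-rules list --format=json` and `gcloud compute networks subnets describe` output (only the `destRange`, `nextHop*`, `direction`, `allowed`/`denied`, `destinationRanges`, `priority` and `privateIpGoogleAccess` fields are modelled). The `199.36.153.8/30` and `199.36.153.4/30` ranges are the documented VIPs of private.googleapis.com and restricted.googleapis.com; the route, rule and instance names in the sample data are made up. It goes beyond the thread in that it also handles the route-to-an-internal-hop and Private-Google-Access-disabled cases, not only the firewall deny.

```python
"""Triage helpers for the private-node bootstrap failure in the thread above.
Added example, not code from the post or from Google. Inputs mimic gcloud JSON;
only the fields used here are modelled, sample data is constructed."""
import ipaddress
import re

# Curl failure lines that configure.sh writes to the node's serial console.
CURL_RE = re.compile(r"configure\.sh\[\d+\]: curl: \((?P<code>\d+)\) Failed to connect to "
                     r"(?P<host>\S+) port (?P<port>\d+).*?: (?P<reason>.+?)\s*$")
# curl exit codes that mean the network path is broken, not the credential.
NETWORK_CURL_CODES = {6: "DNS failure", 7: "TCP connect failed", 28: "timeout", 35: "TLS failure"}
# Documented VIP ranges of private.googleapis.com and restricted.googleapis.com.
PRIVATE_GOOGLE_ACCESS_RANGES = ["199.36.153.8/30", "199.36.153.4/30"]


def classify_console_log(lines):
    """Separate an egress-networking failure from an IAM failure."""
    failures, token_ok = [], False
    for line in lines:
        if "Service account access token is received" in line:
            token_ok = True  # metadata server was reachable and IAM issued a token
        m = CURL_RE.search(line)
        if m:
            failures.append({"code": int(m["code"]), "host": m["host"],
                             "port": int(m["port"]), "reason": m["reason"]})
    network_only = bool(failures) and {f["code"] for f in failures} <= set(NETWORK_CURL_CODES)
    # A missing IAM role produces an HTTP 403 response, never a refused TCP connection.
    verdict = "network-egress" if network_only else ("other" if failures else "no-curl-failures")
    return {"verdict": verdict, "token_obtained": token_ok,
            "hosts": sorted({f["host"] for f in failures}), "failures": failures}


def _matching_route(routes, dest_ip):
    """Longest-prefix match; ties go to the lower priority value, as in VPC routing."""
    best = None
    for r in routes:
        net = ipaddress.ip_network(r["destRange"])
        if dest_ip in net and (best is None or (net.prefixlen, -r.get("priority", 1000))
                               > (best[1].prefixlen, -best[0].get("priority", 1000))):
            best = (r, net)
    return best[0] if best else None


def _port_in(port, spec):  # spec is "443" or "8000-8999"
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _rule_matches(rule, dest_ip, port):
    if rule.get("direction") != "EGRESS" or rule.get("disabled"):
        return False
    if not any(dest_ip in ipaddress.ip_network(c) for c in rule.get("destinationRanges", ["0.0.0.0/0"])):
        return False
    return any(s["IPProtocol"] in ("tcp", "all") and (not s.get("ports") or any(_port_in(port, p) for p in s["ports"]))
               for s in rule.get("allowed") or rule.get("denied") or [])


def egress_decision(firewall_rules, dest_ip, port=443):
    """Lowest priority number wins; at equal priority deny beats allow; implied rule allows egress."""
    ordered = sorted(firewall_rules, key=lambda r: (r.get("priority", 1000), 0 if r.get("denied") else 1))
    for rule in ordered:
        if _rule_matches(rule, dest_ip, port):
            return ("deny" if rule.get("denied") else "allow"), rule["name"]
    return "allow", "implied-allow-egress"


def check_egress_path(routes, firewall_rules, subnet, dest="199.36.153.8"):
    """Explain whether a private node can reach a Google API VIP and through which hop."""
    dest_ip = ipaddress.ip_address(dest)
    action, rule = egress_decision(firewall_rules, dest_ip)
    route = _matching_route(routes, dest_ip) or {}
    hop = route.get("nextHopGateway") or route.get("nextHopInstance") or route.get("nextHopIlb") or "none"
    if action == "deny":
        verdict = "blocked-by-firewall"
    elif not route:
        verdict = "no-route"
    elif not hop.endswith("default-internet-gateway"):
        verdict = "via-internal-hop"  # the appliance / on-prem path must allow it as well
    elif not subnet.get("privateIpGoogleAccess"):
        verdict = "private-google-access-disabled"
    else:
        verdict = "ok"
    return {"verdict": verdict, "route": route.get("name"), "next_hop": hop, "firewall_rule": rule}


# Constructed sample data; the console lines are copied from the question above.
CONSOLE = [
    "[   24.673381] configure.sh[1010]: Service account access token is received. Downloading https://storage.googleapis.com/gke-release/npd-custom-plugins/v1.0.4/npd-custom-plugins-v1.0.4.tar.gz using this token.",
    "[   24.969664] configure.sh[1116]: curl: (7) Failed to connect to storage.googleapis.com port 443 after 292 ms: Connection refused",
    "[   76.459028] configure.sh[1116]: curl: (7) Failed to connect to storage.googleapis.com port 443 after 281 ms: Connection refused",
]
SUBNET = {"name": "subnet-xyz", "privateIpGoogleAccess": True}
ROUTES_BROKEN = [{"name": "default-to-internal", "destRange": "0.0.0.0/0", "priority": 1000,
                  "nextHopInstance": "zones/us-west1-a/instances/egress-appliance"}]  # as in the answer
FW_BROKEN = [{"name": "deny-all-egress", "direction": "EGRESS", "priority": 900,
              "destinationRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]}]
ROUTES_FIXED = ROUTES_BROKEN + [{"name": "googleapis-direct", "destRange": "199.36.153.8/30", "priority": 1000,
                                 "nextHopGateway": "global/gateways/default-internet-gateway"}]
FW_FIXED = FW_BROKEN + [{"name": "allow-google-apis", "direction": "EGRESS", "priority": 800,
                         "destinationRanges": PRIVATE_GOOGLE_ACCESS_RANGES,
                         "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}]
```

Calling `classify_console_log(CONSOLE)` returns a `network-egress` verdict with `token_obtained` set, which is the quickest way to rule out the IAM hypothesis the question started from. `check_egress_path(ROUTES_BROKEN, FW_BROKEN, SUBNET)` yields `blocked-by-firewall`, the situation in the answer; with the deny rule removed but the internal default route still in place the result is `via-internal-hop`, meaning the VPC side is fine and the appliance or on-prem path has to be checked next; `check_egress_path(ROUTES_FIXED, FW_FIXED, SUBNET)` yields `ok`.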
