Rke v1.3.2 and opnsense

Hello,

I don’t know if I’m in the right category. I created my cluster with rke version v1.3.2.

I have a home lab on Proxmox and OPNsense.
I will test Rancher, but not with a single node, that would be too simple :wink:

I deployed a cluster with :


                                                            +-----------------------------------------------------------+
                                                            |                                                           |
                                                            |                                                           |
                                                            |         rancher:10.20.0.253      master:10.20.0.1         |
                 +-------------+                            |                  |                    |                   |
                 |             |                            |    +-------------+--------------------+                   |
                 |             |vlan10.20.0.0/24            |    |             |                    |                   |
                 | OPNsense    +----------------------------+----+     node1:10.20.0.11    node2:10.20.0.12             |
hostA -----------+             |ip 10.20.0.254              |                                                           |
                 |             |                            |                                                           |
                 |             |                            |                                                           |
                 |             +----------------------------+                                                           |
                 +-------------+  proxmox admin             +-----------------------------------------------------------+

cluster_cidr: 10.42.0.0/16
service_cluster_ip_range: 10.43.0.0/16

It’s installed, the cluster works, and I have deployed an nginx pod for testing.
I created NodePort and ClusterIP services; curl works from the master or the worker.

OK but :

  • How do I access nginx from machine A? (from the rancher srv, ‘ip route’ is OK)
  • And by the way, it must be possible for OPNsense to manage the allocation of IPs for services? How do I do this?

Generally speaking you’d set up an ingress and use the nginx-ingress-controller that should be on all your worker nodes if you set up RKE2. If you have your ingress & service set up right you’ll be able to access it from any of the worker nodes on port 80 or 443 as normally (just keep in mind that whatever hostname or path you setup is what you’ll need to get to it, so you’d make sure machine A thinks that hostname goes to one of your workers).

If you use wildcard DNS or different paths, you don’t actually need any more IPs.

I misspoke and forgot several things.
Also, I have created a new rke2 cluster:

kubectl get nodes -owide
NAME           STATUS   ROLES                       AGE    VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION     CONTAINER-RUNTIME
rke2-master1   Ready    control-plane,etcd,master   139m   v1.22.4+rke2r2   10.20.0.101   <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.5.8-k3s1
rke2-worker1   Ready    <none>                      136m   v1.22.4+rke2r2   10.20.0.111   <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.5.8-k3s1
rke2-worker2   Ready    <none>                      136m   v1.22.4+rke2r2   10.20.0.112   <none>        Ubuntu 20.04.3 LTS   5.4.0-91-generic   containerd://1.5.8-k3s1

kubectl create deployment nginx --image=nginx
kubectl create service nodeport nginx --tcp=80:80
kubectl expose service nginx --port=80 --target-port=80 --name=nginx-http

kubectl get svc -owide

NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)        AGE    SELECTOR
kubernetes   ClusterIP   10.43.0.1      <none>        443/TCP        136m   <none>
nginx        NodePort    10.43.44.168   <none>        80:30677/TCP   4s     app=nginx
nginx-http   ClusterIP   10.43.90.218   <none>        80/TCP         5m6s   app=nginx

From host A, curl http://10.20.0.101:30677 works.
But how do I get the next command to work?
curl http://nginx-http.default.svc.cluster-domain.example

My first problem is that on the rke2-* servers, nslookup nginx-http.default.svc.cluster-domain.example does not work and I don’t understand why :frowning:

Doesn’t work from where? That shouldn’t work outside the cluster but should within. Within the cluster it’d normally be serviced by the default coreDNS service.

Also note that RKE2 should’ve installed nginx-ingress-controller (maybe prefixed with rke2-) as well. What you normally do externally is make sure your external DNS or a load balancer points to nodes with nginx-ingress-controller and then you set up ingress resources for those DNS resolvable hosts and paths within them to point to your various services.
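The ingress approach described in the two replies above, as an added example that is not from the thread or from RKE2 itself: the manifest routes the assumed hostname nginx.home.example to the nginx-http service, and the probe pins that hostname to a worker IP from the client side with curl --resolve, so machine A needs no DNS or OPNsense change to test it. The ingressClassName nginx is the class the RKE2-bundled ingress-nginx registers, but treat it as an assumption and check with kubectl get ingressclass.

```shell
#!/bin/sh
# Added example (not from the thread): expose the nginx-http ClusterIP service
# through ingress-nginx and verify it from machine A without touching DNS.
# Hostname nginx.home.example and the worker IP used below are assumptions.

# Print an Ingress manifest for SERVICE:PORT on HOST. Only requests carrying
# this Host header are routed; anything else gets the controller's default 404.
ingress_manifest() {
  host="$1"; svc="$2"; port="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${svc}
  namespace: default
spec:
  ingressClassName: nginx
  rules:
  - host: ${host}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ${svc}
            port:
              number: ${port}
EOF
}

# Build the curl command machine A would run. --resolve pins HOST to a worker
# IP for this one request, which is what "make machine A think that hostname
# goes to one of your workers" means, without editing /etc/hosts or OPNsense.
client_probe_cmd() {
  host="$1"; worker_ip="$2"
  printf 'curl -sS --resolve %s:80:%s http://%s/\n' "$host" "$worker_ip" "$host"
}

# Apply and probe for real only when invoked as: sh this_file.sh run
if [ "${1:-}" = "run" ]; then
  ingress_manifest nginx.home.example nginx-http 80 | kubectl apply -f -
  kubectl get ingress nginx-http -o wide
  eval "$(client_probe_cmd nginx.home.example 10.20.0.111)" | head -n 5
fi
```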

Hello

Thanks for the answer

Inside!
But I found out why, I think …

rancher@rke2-master1:~$ kubectl get svc -A
NAMESPACE     NAME                                      TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
default       kubernetes                                ClusterIP      10.43.0.1       <none>        443/TCP          5d20h
default       nginx                                     NodePort       10.43.44.168    <none>        80:30677/TCP     5d18h
default       nginx-http                                ClusterIP      10.43.90.218    <none>        80/TCP           5d17h
kube-system   rke2-coredns-rke2-coredns                 ClusterIP      10.43.0.10      <none>        53/UDP,53/TCP    5d20h
kube-system   rke2-ingress-nginx-controller-admission   ClusterIP      10.43.32.116    <none>        443/TCP          5d20h
kube-system   rke2-metrics-server                       ClusterIP      10.43.156.116   <none>        443/TCP          5d20h

When I specify the address of the coredns service, it works:

rancher@rke2-master1:~$ dig +short nginx-http.default.svc.cluster.local @10.43.0.10
10.43.90.218

So, I execute:

rancher@rke2-master1:~$ sudo cat /etc/resolv.conf | grep -v "#"
nameserver 127.0.0.53
options edns0 trust-ad
search mydomain.com

Why 127.0.0.53? For me it should be the address of the coredns service (I tested it, and it works) or the address of a public DNS server like 8.8.8.8.
But 127.0.0.53? :thinking:

Localhost is commonly used as 127.0.0.1, but I believe network wise it’s 127.0.0.1/8, which means it’s 127. followed by anything. If you’re in the container poking around it might have a local DNS installed that it’s pointing to and that might be misconfigured to not go to coreDNS. Possibly the comments in the file might tell you, additionally you could do netstat -anp | grep 53 and look for what’s listening on TCP 53 & UDP 53 and that tells you the process (which you can then trace back if not already obvious from there).

On the other hand, I’ve never had a need to look at DNS inside my containers and possibly Kubernetes plays with things this way normally?

Yes, I should have started with that.

rancher@rke2-master1:~$ sudo netstat -anp | grep 53
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      549/systemd-resolve 
tcp        0      0 127.0.0.1:57352         127.0.0.1:6443          ESTABLISHED 653/rke2 server     
tcp        0      0 127.0.0.1:54498         127.0.0.1:2379          ESTABLISHED 653/rke2 server     
tcp        0      0 127.0.0.1:51574         127.0.0.1:9345          ESTABLISHED 653/rke2 server     
tcp        0      0 127.0.0.1:55322         127.0.0.1:2381          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:55374         127.0.0.1:2381          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:57086         127.0.0.1:6443          ESTABLISHED 653/rke2 server     
tcp        0      0 127.0.0.1:47538         127.0.0.1:9099          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:54612         127.0.0.1:2379          ESTABLISHED 653/rke2 server     
tcp        0      0 10.20.0.101:55352       10.42.0.10:8080         TIME_WAIT   -                   
tcp        0      0 127.0.0.1:54242         127.0.0.1:2379          ESTABLISHED 653/rke2 server     
tcp        0      0 10.20.0.101:44686       10.20.0.101:9345        ESTABLISHED 653/rke2 server     
tcp6       0      0 :::9345                 :::*                    LISTEN      653/rke2 server     
tcp6       0      0 10.20.0.101:9345        10.20.0.111:49240       ESTABLISHED 653/rke2 server     
tcp6       0      0 10.20.0.101:9345        10.20.0.111:49096       ESTABLISHED 653/rke2 server     
tcp6       0      0 10.20.0.101:9345        10.20.0.112:51320       ESTABLISHED 653/rke2 server     
tcp6       0      0 127.0.0.1:9345          127.0.0.1:51574         ESTABLISHED 653/rke2 server     
tcp6       0      0 10.20.0.101:9345        10.20.0.112:51200       ESTABLISHED 653/rke2 server     
tcp6       0      0 10.20.0.101:9345        10.20.0.101:44686       ESTABLISHED 653/rke2 server     
udp        0      0 127.0.0.53:53           0.0.0.0:*                           549/systemd-resolve 
unix  2      [ ACC ]     STREAM     LISTENING     27296    1743/containerd-shi  /run/containerd/s/85cb53bbab21d60863fb8354d8838e9ce349a752081feae5bbdc344026eae43c
unix  2      [ ]         DGRAM                    32021    2253/calico-node     @0002a
unix  2      [ ACC ]     STREAM     LISTENING     25312    1031/containerd-shi  /run/containerd/s/51376012f69e95e6aaa47e3c182ac653fceae9938a84b70e533971c80b1025ef
unix  2      [ ]         DGRAM                    21787    653/rke2 server      @00013
unix  3      [ ]         STREAM     CONNECTED     25314    974/containerd-shim  /run/containerd/s/e79d74b599d3f90ed2646f625222666586fb9d0138579ba5a158874cbed2d1bc
unix  3      [ ]         STREAM     CONNECTED     25304    823/containerd       /run/k3s/containerd/containerd.sock.ttrpc
unix  3      [ ]         STREAM     CONNECTED     25301    934/containerd-shim  
unix  3      [ ]         STREAM     CONNECTED     25325    982/containerd-shim  /run/containerd/s/62b124cebd1458906976e15e3a1eba2ec880592766961e94f10026a523c1fe2a
unix  3      [ ]         STREAM     CONNECTED     23785    1031/containerd-shi  /run/containerd/s/51376012f69e95e6aaa47e3c182ac653fceae9938a84b70e533971c80b1025ef
unix  3      [ ]         STREAM     CONNECTED     25322    823/containerd       
unix  3      [ ]         STREAM     CONNECTED     28217    1743/containerd-shi  /run/containerd/s/85cb53bbab21d60863fb8354d8838e9ce349a752081feae5bbdc344026eae43c
unix  3      [ ]         STREAM     CONNECTED     22645    653/rke2 server      
unix  3      [ ]         STREAM     CONNECTED     31123    1743/containerd-shi  /run/containerd/s/85cb53bbab21d60863fb8354d8838e9ce349a752081feae5bbdc344026eae43c
unix  3      [ ]         STREAM     CONNECTED     25929    1031/containerd-shi  /run/containerd/s/51376012f69e95e6aaa47e3c182ac653fceae9938a84b70e533971c80b1025ef
unix  3      [ ]         STREAM     CONNECTED     31059    1743/containerd-shi  /run/containerd/s/85cb53bbab21d60863fb8354d8838e9ce349a752081feae5bbdc344026eae43c
unix  2      [ ]         DGRAM                    14253    332/systemd-journal  

So it’s systemd-resolve, OK.

rancher@rke2-master1:~$ sudo cat /etc/resolv.conf
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search mydomain.com
rancher@rke2-master1:~$ resolvectl status
Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 8 (caliba83fcc5606)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 7 (calia5fef82fdda)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 4 (flannel.1)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 3 (calibd7b7b49b6f)
      Current Scopes: none
DefaultRoute setting: no  
       LLMNR setting: yes 
MulticastDNS setting: no  
  DNSOverTLS setting: no  
      DNSSEC setting: no  
    DNSSEC supported: no  

Link 2 (eth0)
      Current Scopes: DNS                
DefaultRoute setting: yes                
       LLMNR setting: yes                
MulticastDNS setting: no                 
  DNSOverTLS setting: no                 
      DNSSEC setting: no                 
    DNSSEC supported: no                 
  Current DNS Server: 172.16.0.1         
         DNS Servers: 172.16.0.1         
          DNS Domain: mydomain.com

Nothing is passed to coredns, from what I see.
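The three checks above (who listens on port 53, what /etc/resolv.conf points at, and where the CoreDNS service lives) as an added node-side script that is not from the thread; the sample inputs are constructed from the outputs shown in this post, and the live "run" mode assumes netstat, kubectl and dig are on the node.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the OP's DNS-path diagnosis.
# Each parser reads stdin, so it works on live command output or the samples.

# Constructed samples, copied from the outputs shown above in the thread.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      549/systemd-resolve
tcp6       0      0 :::9345                 :::*                    LISTEN      653/rke2 server
udp        0      0 127.0.0.53:53           0.0.0.0:*                           549/systemd-resolve'
SAMPLE_RESOLV='# This file is managed by man:systemd-resolved(8). Do not edit.
nameserver 127.0.0.53
options edns0 trust-ad
search mydomain.com'
SAMPLE_SVC='NAMESPACE     NAME                        TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
default       nginx-http                  ClusterIP   10.43.90.218   <none>        80/TCP          5d17h
kube-system   rke2-coredns-rke2-coredns   ClusterIP   10.43.0.10     <none>        53/UDP,53/TCP   5d20h'

# From "netstat -anp" output, name the first process bound to port 53.
port53_listener() {
  awk '$1 ~ /^(tcp|udp)/ && $4 ~ /:53$/ { split($NF, p, "/"); print p[2]; exit }'
}

# From /etc/resolv.conf, print the first nameserver (comments ignored).
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }'
}

# From "kubectl get svc" output (with or without -A), print the CoreDNS
# ClusterIP by locating the CLUSTER-IP column in the header line.
coredns_cluster_ip() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "CLUSTER-IP") c = i; next }
       /coredns/ { print $c; exit }'
}

# Classify the host resolver: the systemd-resolved stub on 127.0.0.53 forwards
# to the uplink (172.16.0.1 in the post), never to CoreDNS, so cluster names
# resolve on the node only when the query is sent to the CoreDNS IP directly.
resolver_kind() {
  case "$1" in
    127.0.0.53) echo "systemd-resolved stub" ;;
    10.43.*)    echo "cluster dns" ;;
    *)          echo "other" ;;
  esac
}

# Summarise the three pieces the same way the thread does by hand.
dns_path_report() {
  ns="$(printf '%s\n' "$2" | first_nameserver)"
  printf 'host resolver %s (%s, process %s); coredns at %s\n' \
    "$ns" "$(resolver_kind "$ns")" \
    "$(printf '%s\n' "$1" | port53_listener)" \
    "$(printf '%s\n' "$3" | coredns_cluster_ip)"
}

dns_path_report "$SAMPLE_NETSTAT" "$SAMPLE_RESOLV" "$SAMPLE_SVC"

# Live run on a node: sh this_file.sh run [service.fqdn]
if [ "${1:-}" = "run" ]; then
  dns_path_report "$(sudo netstat -anp 2>/dev/null)" "$(cat /etc/resolv.conf)" \
    "$(kubectl get svc -A)"
  dig +short "${2:-nginx-http.default.svc.cluster.local}" \
    "@$(kubectl get svc -A | coredns_cluster_ip)"
fi
```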

Good question, the same I never needed.

I can never come up with a worse thing to happen to Linux than systemd. I’ve never knowingly used systemd-resolve, so am not 100% certain, but I’d think that the 172.16.0.1 should list the coreDNS internal IP first and then that second (assuming that’s your normal network DNS for the Kubernetes nodes). Sadly, saying that I’m not sure why it’d be doing that either. I checked a random container in my cluster and resolv.conf just gives me my coreDNS internal service IP (kubectl get services -n kube-system -o wide | grep coredns).

Maybe there’s something weird with the container? Maybe try deploying an app from the Rancher marketplace to see?

Yep, systemd :roll_eyes:

Anyway,

I had a problem with my VPN and … I didn’t touch K8S / RKE2 during the Christmas and New Year period.

OK, so I destroyed my whole RKE2 cluster and rebuilt 2 clusters:

  • the first with kubeadm
  • the second with RKE2

And … I understood the notion that I was missing.
When you build a new cluster with kubeadm, you don’t have this Ingress. But you can install MetalLB … and it works :slight_smile:

And as for our DNS problem, there isn’t one!
It is normal not to be able to resolve the names of services, pods and deployments outside the cluster. Deployments or pods should not be displayed via their internal names.

So now, I test with rke2 …