@fenar
Last active February 16, 2022 19:25

Log in to your worker node (oc debug or direct ssh):

$ oc debug node/<worker-node>

Get host access:

$ chroot /host

Let's see how the service and NodePort definitions look on this worker:

# iptables -t nat -L KUBE-SERVICES -n | column -t | grep <yourexposedsvcportnumber>
 <see your service listed here, something like KUBE-SVC-FENARX> 
# iptables -t nat -L KUBE-NODEPORTS -n | column -t | grep <yourexposedsvcportnumber>
 <see your nodeport service listed here, something like KUBE-SVC-FENARX that matches above resource-id> 
# iptables -t nat -L <your svc id: KUBE-SVC-FENARX> -n | column -t
 <you will see KUBE-MARK-XXXX and KUBE-SEP-FENARXXX listed under the target/protocol/source/destination table columns>
# iptables -t nat -L <your KUBE-SEP id: KUBE-SEP-FENARXXX> -n | column -t
 <you will see KUBE-MARK-XXX and DNAT listed for your nodeport ingress and routing, with the protocol tag followed by to:address:port>


On the same worker, ping the service node-ip to check whether traffic is routed over the node's tun0 interface towards the node that hosts the application pods.
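
The chain walk above (KUBE-NODEPORTS, then KUBE-SVC-*, then KUBE-SEP-*, then DNAT) can be done in one pass. The script below is an added example, not part of the original gist; it assumes the rules are supplied in `iptables -t nat -S` format, and the chain suffixes, pod IPs and ports in `sample_rules` are constructed.

```shell
#!/usr/bin/env bash
# Added example: follow one NodePort through the kube-proxy nat chains.
# Reads rules in `iptables -t nat -S` format on stdin.

# Constructed sample (chain suffixes, pod IPs and ports are made up).
sample_rules() {
cat <<'EOF'
-A KUBE-NODEPORTS -p tcp -m comment --comment "demo/web:http" -m tcp --dport 30080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "demo/web:http" -m tcp --dport 30080 -j KUBE-SVC-EXAMPLEWEB
-A KUBE-NODEPORTS -p tcp -m comment --comment "demo/api:http" -m tcp --dport 30090 -j KUBE-SVC-EXAMPLEAPI
-A KUBE-SVC-EXAMPLEWEB -m comment --comment "demo/web:http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EXAMPLEWEB1
-A KUBE-SVC-EXAMPLEWEB -m comment --comment "demo/web:http" -j KUBE-SEP-EXAMPLEWEB2
-A KUBE-SVC-EXAMPLEAPI -m comment --comment "demo/api:http" -j KUBE-SEP-EXAMPLEAPI1
-A KUBE-SEP-EXAMPLEWEB1 -s 10.128.2.15/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-EXAMPLEWEB1 -p tcp -m tcp -j DNAT --to-destination 10.128.2.15:8080
-A KUBE-SEP-EXAMPLEWEB2 -s 10.131.0.22/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-EXAMPLEWEB2 -p tcp -m tcp -j DNAT --to-destination 10.131.0.22:8080
-A KUBE-SEP-EXAMPLEAPI1 -p tcp -m tcp -j DNAT --to-destination 10.128.2.40:9000
EOF
}

# trace_nodeport PORT: print "KUBE-SVC chain -> KUBE-SEP chain -> pod ip:port"
# for every endpoint behind PORT; returns 1 if no complete path exists.
trace_nodeport() {
  awk -v port="$1" '
    # Value that follows a given flag in the current rule, or "" if absent.
    function arg(flag,   i) {
      for (i = 1; i < NF; i++) if ($i == flag) return $(i + 1)
      return ""
    }
    $1 != "-A" { next }                      # skip -N / -P declarations
    { chain = $2; target = arg("-j") }
    chain == "KUBE-NODEPORTS" && arg("--dport") == port && target ~ /^KUBE-SVC-/ { svc[target] = 1 }
    chain ~ /^KUBE-SVC-/ && target ~ /^KUBE-SEP-/ { seps[chain] = seps[chain] " " target }
    chain ~ /^KUBE-SEP-/ && target == "DNAT" { dnat[chain] = arg("--to-destination") }
    END {
      for (s in svc) {
        n = split(seps[s], list, " ")
        for (i = 1; i <= n; i++)
          if (list[i] in dnat) { print s " -> " list[i] " -> " dnat[list[i]]; found++ }
      }
      exit (found ? 0 : 1)
    }'
}

sample_rules | trace_nodeport 30080
```

On a worker, after `chroot /host`, feed it the live rules with `iptables -t nat -S | trace_nodeport <yourexposedsvcportnumber>`.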
