Kubernetes kube-apiserver is not reachable from nodes/pods via ClusterIP (:443).
According to the kube-apiserver documentation:
--bind-address ip The IP address on which to listen for the --secure-port port. The associated interface(s) must be reachable by the rest of the cluster, and by CLI/web clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). (default 0.0.0.0)
--secure-port int The port on which to serve HTTPS with authentication and authorization. If 0, don't serve HTTPS at all. (default 6443)
As far as I can see, the flags --bind-address and --secure-port weren't defined in your kube-apiserver configuration, so by default kube-apiserver listens for HTTPS connections on 0.0.0.0:6443.
So, in order to solve your issue, just add the --secure-port flag to the kube-apiserver configuration:
"--secure-port", "443",
Change from:
"--service-cluster-ip-range", "10.0.0.0/16"
To:
"--service-cluster-ip-range", "10.10.0.0/16"
So that the --service-cluster-ip-range value matches the flannel CIDR.
Please make sure the host your apiserver pod sits on has iptables set to accept the CIDR range of your pods, such as:
-A INPUT -s 10.32.0.0/12 -j ACCEPT
I think this has something to do with the fact that, when accessing the service on the same host, iptables does not use the translated address as the source address.
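
A way to check two of the conditions raised in the answers above (which port kube-apiserver actually listens on, and whether the host's INPUT chain accepts the pod CIDR), as an added example that is not part of the original answers. The function names and all sample inputs are constructed for illustration; the rule check only understands plain `-A INPUT -s <net> -j <target>` lines as printed by `iptables -S` and skips rules with extra matchers.

```python
import ipaddress

# Defaults quoted from the kube-apiserver documentation above.
DEFAULTS = {"--bind-address": "0.0.0.0", "--secure-port": "6443"}


def effective_listener(command):
    """Return (bind_address, port) for a kube-apiserver argv list.

    Accepts both "--flag=value" and "--flag", "value" forms and falls
    back to the documented defaults when a flag is absent.
    """
    flags = dict(DEFAULTS)
    args = iter(command)
    for arg in args:
        name, sep, value = arg.partition("=")
        if name in flags:
            flags[name] = value if sep else next(args, flags[name])
    return flags["--bind-address"], int(flags["--secure-port"])


def input_accepts(rules, pod_cidr):
    """First-match check: does the INPUT chain ACCEPT the whole pod CIDR?

    Only source-only rules are evaluated; the chain policy and rules with
    other matchers (ports, interfaces, conntrack state) are ignored.
    """
    pods = ipaddress.ip_network(pod_cidr)
    for rule in rules:
        tok = rule.split()
        if len(tok) != 6 or tok[:3] != ["-A", "INPUT", "-s"] or tok[4] != "-j":
            continue
        src = ipaddress.ip_network(tok[3], strict=False)
        if src.version == pods.version and pods.subnet_of(src):
            return tok[5] == "ACCEPT"
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real cluster.
    argv = ["kube-apiserver", "--service-cluster-ip-range", "10.10.0.0/16"]
    rules = ["-P INPUT DROP", "-A INPUT -s 10.32.0.0/12 -j ACCEPT"]
    host, port = effective_listener(argv)
    print(f"kube-apiserver serves HTTPS on {host}:{port}")
    if port != 443:
        print("clients dialing the node directly on :443 will not reach it")
    for cidr in ("10.40.0.0/16", "10.10.0.0/16"):
        print(cidr, "accepted by INPUT:", input_accepts(rules, cidr))
```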