Aliyun (ACK): Pod cannot access an external domain (connection refused)
Issue:
Some Pods in Aliyun cannot access an external domain and get "connection refused":
port 80: Connection refused
Background:
Service A (provides external ingress): aaa.com
Service B (internal service)
A → B (callback using the external domain aaa.com) → A
But we found that some appB Pods get Connection refused.
The appB Pods run on different nodes.
We found that some Pods can access aaa.com but others cannot,
which was confusing for us.
We found the answer on Google
(ref: https://segmentfault.com/a/1190000020751999)
The reason is:
The Aliyun Ingress Controller Service has externalTrafficPolicy set to Local by default, so a request that uses the external domain (bound in the ingress) gets connection refused.
ex:
Solution:
A. Set externalTrafficPolicy: Cluster on the Aliyun Ingress Controller Service
kubectl edit service/nginx-ingress-lb -n kube-system
(the side effect of this solution is that the source IP cannot be obtained)
externalTrafficPolicy: Cluster
B. Change the ingress controller from a Deployment to a DaemonSet
(so that every node runs an ingress controller)
ref: https://www.alibabacloud.com/help/tc/doc-detail/71840.htm
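
To confirm this cause before changing anything, the following added example (not from the original post) marks each appB Pod by whether its node also runs an ingress controller Pod, which is what decides the outcome under externalTrafficPolicy: Local. The label selectors in the comments and all Pod and node names are assumptions or constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post.
# Per the post: with externalTrafficPolicy: Local on the ingress LB Service,
# some Pods get "Connection refused" on the external domain. This marks each
# app Pod by whether its node also runs an ingress controller Pod.
#
# Live input (label selectors are assumptions, adjust to your cluster):
#   kubectl get svc nginx-ingress-lb -n kube-system \
#     -o jsonpath='{.spec.externalTrafficPolicy}'
#   kubectl get pods -n kube-system -l app=ingress-nginx --no-headers \
#     -o custom-columns=POD:.metadata.name,NODE:.spec.nodeName
#   kubectl get pods -l app=appB --no-headers \
#     -o custom-columns=POD:.metadata.name,NODE:.spec.nodeName

# Constructed sample data, one "<pod> <node>" pair per line.
INGRESS_PODS='nginx-ingress-controller-x1 node-1
nginx-ingress-controller-x2 node-2'
APPB_PODS='appb-1 node-1
appb-2 node-3
appb-3 node-2
appb-4 node-4'

# classify_pods POLICY INGRESS_LIST APP_LIST
# Prints "<pod> <node> OK|REFUSED" for every app Pod.
classify_pods() {
  { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$3"; } |
  awk -v policy="$1" '
    $1 == "---" { in_apps = 1; next }      # switch from ingress to app list
    NF < 2      { next }                   # skip blank or malformed lines
    !in_apps    { has_ingress[$2] = 1; next }
    { ok = (policy != "Local" || ($2 in has_ingress))
      print $1, $2, (ok ? "OK" : "REFUSED") }'
}

# refused_pods POLICY INGRESS_LIST APP_LIST: names of affected Pods only.
refused_pods() {
  classify_pods "$1" "$2" "$3" | awk '$3 == "REFUSED" { print $1 }'
}

classify_pods Local "$INGRESS_PODS" "$APPB_PODS"
```

If the Pods marked REFUSED match the ones that fail in practice, solution A or B applies; running the check with policy Cluster, or with an ingress controller Pod on every node, marks none as REFUSED.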