This message was deleted.
# k3sa
adamant-kite-43734
02/20/2025, 5:21 PMThis message was deleted.
c
creamy-pencil-82913
02/20/2025, 5:31 PMAgents expect to be able to connect directly to the server IPs. If the server nodes are actually pods running somewhere, with inaccessible addresses, that will not work.
a
aloof-london-38236
02/20/2025, 5:32 PMFollowing this document: https://docs.k3s.io/datastore/cluster-loadbalancer?ext-load-balancer=HAProxy
aloof-london-38236
02/20/2025, 5:32 PMThis works because the nodes are in the same subnet as the agents?
c
creamy-pencil-82913
02/20/2025, 5:33 PMRight but even if you do that, the agents still need to be able to connect directly to the servers. The external LB is just used to provide a fixed registration address that the agents initially use to find a server. Once they are connected they switch over to connecting directly to the servers.
creamy-pencil-82913
02/20/2025, 5:33 PMAll cluster members need to be able to connect directly to each other.
a
aloof-london-38236
02/20/2025, 5:34 PMOkay that makes sense, so the best option here is to establish L3 connectivity in some way via wireguard or some other solution?
c
creamy-pencil-82913
02/20/2025, 5:35 PMidk that you can run wireguard in a pod, I’ve not tried it.
a
aloof-london-38236
02/20/2025, 5:37 PMThis is probably not the place to ask, but have you used k0s for a setup like this before? They seem to advertise supporting a setup along these lines, but I was wondering if I would end up in the same situation with that.
c
creamy-pencil-82913
02/20/2025, 5:54 PMno, I have never used k0s
creamy-pencil-82913
02/20/2025, 5:56 PMWhat you’re doing here might work better if you looked at it as a virtual control-plane, and ran the servers with --disable-agent so that they are not full members of the cluster. This isn’t a supported configuration but neither is running in an environment that lacks full connectivity between all nodes.
a
aloof-london-38236
02/20/2025, 6:08 PMUnfortunately they do already have --disable-agent. These are the flags I am passing:
Copy code
- server
- --disable-agent
- --disable=coredns,servicelb,traefik
- --tls-san={{tlsSan}}
- --flannel-backend=none
- --egress-selector-mode=clusterc
creamy-pencil-82913
02/20/2025, 6:13 PMyeah, so do you know how
kubectl logskubectl execa
aloof-london-38236
02/20/2025, 6:14 PMCorrect me if I am wrong but essentially the k8s control plane establishes a websocket? connection to the kubelet on the node which executes the action.
As for the egress selector, I am not sure.
c
creamy-pencil-82913
02/20/2025, 6:18 PMright so when you run one of those commands, the apiserver makes a connection to the kubelet to pull logs, or run the command in the pod and pipe output back to the client. This means that the server MUST be able to open a connection to the kubelet. I am guessing that your server pods can’t connect to the agents? K3s includes an embedded egress proxy so that the apiserver can connect to kubelets, using a websocket tunnel connection initiated by the agent. This means that you only need agent -> server connectivity, not agent - server. However, this does mean that the agents need to be able to connect directly to all of the servers, so that every server has the websocket tunnel to use when it needs to talk to that kubelet.
The problem you have in your environment, is that servers can’t connect to agents, and agents can’t connect to servers. All anything can connect to is the LB you’ve put in front of the servers.
creamy-pencil-82913
02/20/2025, 6:20 PMBasically, you need to rearchitect your design so that you have at least SOME sort of functional connectivity between agents and servers. You cannot rely on the reverse proxy in front of the servers handling everything.
a
aloof-london-38236
02/20/2025, 6:21 PMThank you for the detailed explanation and help, looks like I have some work to do 🙂
27 Views