楼主有没有用二进制部署过高可用集群？

[dotbalo]

今天突然发现一个问题，二进制部署高可用集群，转发采用的ipvs，部署traefik如果采用hostPort模式，就会导致集群无法创建pod，楼主有没有遇到过？

[Devying]

二进制的用过，但是你说的这个问题我用的也是ipvs ，traefik用的没问题，除非你端口冲突了

[Devying]

@dotbalo 你是不是用的DaemonSet的方式？那你用hostPort就是占用了节点的443端口了.

[Devying]

DaemonSet 中的 Pod 可以使用 hostPort，从而可以通过 Node IP 访问到 Pod。客户端能通过某种方法知道 Node IP 列表，并且基于此也可以知道端口。

[cookeem]

hostPort和hostNetwork的最大区别是pod的IP地址不一样，hostPort使用clusterIP，但是hostNetwork使用的是Node ip。
你可以对比一下是否必须使用nodeip

[Devying]

@cookeem 能贴一个yaml出来对比下吗？很少用这个daemonSet

[cookeem]

@Devying
https://github.com/cookeem/kubeadm-ha/blob/master/traefik/step2-traefik-ds.yaml

[cookeem]

@dotbalo ipvs这种网络模式还没有了解过。不过官方文档是有这种模式的说明

https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

In this mode, kube-proxy watches Kubernetes Services and Endpoints, calls netlink interface to create ipvs rules accordingly and syncs ipvs rules with Kubernetes Services and Endpoints periodically, to make sure ipvs status is consistent with the expectation. When Service is accessed, traffic will be redirected to one of the backend Pods.
Similar to iptables, Ipvs is based on netfilter hook function, but uses hash table as the underlying data structure and works in the kernel space. That means ipvs redirects traffic much faster, and has much better performance when syncing proxy rules.