Problem
As the title says: I deployed a k8s cluster on a Mac with Surge enhanced mode enabled.
While using it I found that k8s svc domain names cannot bypass the VIF.
Symptoms and logs
The problem occurred while deploying MetalLB and doing the Layer 2 configuration; the relevant logs are as follows:
[vagrant@k8s-master metallb]$ kubectl get svc -n metallb-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
metallb-webhook-service ClusterIP 10.102.100.177 <none> 443/TCP 23h
[vagrant@k8s-master metallb]$ kubectl apply -f IPAddressPool.yaml
Error from server (InternalError): error when creating "IPAddressPool.yaml": Internal error occurred: failed calling webhook "ipaddresspoolvalidationwebhook.metallb.io": failed to call webhook: Post "https://metallb-webhook-service.metallb-system.svc:443/validate-metallb-io-v1beta1-ipaddresspool?timeout=10s": context deadline exceeded
[vagrant@k8s-master metallb]$ ping metallb-webhook-service.metallb-system.svc
PING metallb-webhook-service.metallb-system.svc (198.18.85.57) 56(84) bytes of data.
64 bytes from 198.18.85.57 (198.18.85.57): icmp_seq=1 ttl=63 time=0.257 ms
64 bytes from 198.18.85.57 (198.18.85.57): icmp_seq=2 ttl=63 time=0.475 ms
^C
--- metallb-webhook-service.metallb-system.svc ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.257/0.366/0.475/0.109 ms
[vagrant@k8s-master metallb]$ nslookup metallb-webhook-service.metallb-system.svc
Server: 10.0.2.3
Address: 10.0.2.3#53
Non-authoritative answer:
Name: metallb-webhook-service.metallb-system.svc
Address: 198.18.85.57
Approaches already tried
If Surge Mac has "Set as System Proxy" checked and enhanced mode is enabled, or on Surge iOS, then this parameter changes the takeover mode of the matching requests from proxy takeover to Surge VIF takeover:
Intuitively, to let svc traffic bypass Surge, you would need to configure both skip-proxy and tun-excluded-route, but the latter does not support domain names.
skip-proxy = *.svc,10.0.0.0/8, 172.16.0.0/12
always-real-ip= *.svc
I have tried every combination of skip-proxy, always-real-ip, tun-excludes-route and so on; none of them work.
@SurgeTeam How can this problem be solved?
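Added diagnostic, not part of the original post and not Surge or MetalLB code: it classifies what a *.svc name resolved to, flagging answers in 198.18.0.0/15 (assumed here to be the pool Surge's fake-IP mode hands out, which is where 198.18.85.57 above falls) versus answers in the cluster service CIDR (assumed to be the kubeadm default 10.96.0.0/12, which contains the ClusterIP 10.102.100.177 shown above). The sample ping lines are constructed from the report.

```python
import ipaddress
import re
import socket

# Assumptions for this check (adjust to your cluster):
# - fake-IP answers from the VIF fall in the RFC 2544 benchmarking range
# - the cluster service CIDR is the kubeadm default
FAKE_IP_RANGE = ipaddress.ip_network("198.18.0.0/15")
SERVICE_CIDR = ipaddress.ip_network("10.96.0.0/12")


def classify(addr: str) -> str:
    """Return 'fake-ip' (answer intercepted by the VIF), 'cluster'
    (a real ClusterIP) or 'other' for one resolved IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if ip in FAKE_IP_RANGE:
        return "fake-ip"
    if ip in SERVICE_CIDR:
        return "cluster"
    return "other"


# Matches the first line of `ping` output: "PING <name> (<ip>) ..."
PING_RE = re.compile(r"^PING (\S+) \((\d+\.\d+\.\d+\.\d+)\)")


def check_ping_output(text: str) -> dict:
    """Scan captured ping output and classify every resolved name."""
    verdicts = {}
    for line in text.splitlines():
        m = PING_RE.match(line.strip())
        if m:
            verdicts[m.group(1)] = classify(m.group(2))
    return verdicts


def check_live(name: str) -> str:
    """Resolve `name` via the system resolver (i.e. through the VIF when
    enhanced mode is on) and classify the answer it returns."""
    return classify(socket.gethostbyname(name))


# Constructed sample: first line copied from the report, second line is what
# a lookup that really bypassed the VIF would look like.
SAMPLE = """PING metallb-webhook-service.metallb-system.svc (198.18.85.57) 56(84) bytes of data.
PING kubernetes.default.svc (10.96.0.1) 56(84) bytes of data.
"""

if __name__ == "__main__":
    for name, verdict in check_ping_output(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A verdict of fake-ip for a *.svc name means the webhook call in the error above was answered by the VIF rather than by the cluster DNS, regardless of which skip-proxy or always-real-ip entries are present.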