# Q\&A ### 删除命名空间时一直处于Terminating状态 {% embed url="" %} 比如删除命名空间test-ns ``` export ns=test-ns kubectl get namespace ${ns} -o json | tr -d "\n" | sed "s/\"finalizers\": \[[^]]\+\]/\"finalizers\": []/" | kubectl replace --raw /api/v1/namespaces/${ns}/finalize -f - ``` ### 如何避免并发更新资源对象导致数据错误 在更新资源对象时,带上resourceVersion字段 ### 证书过期如何续签 {% embed url="" %} ### ETCD集群地址变更 {% embed url="" %} ### 如何开启防火墙并保持集群内部的正常网络通讯 在 cni 使用 overlay 网络模式和 kube-proxy 使用 iptables 进行请求转发时,无需额外配置策略,按照先重启 firewalld,再重启 kubelet 的顺序即可。 在 cni 使用路由直联模式时,除了重启 firewalld + kubelet 之外,需要额外添加白名单策略,允许来自 pod cidr 端的入栈请求 ``` firewall-cmd --zone=trusted --add-source= --permanent firewall-cmd --zone=trusted --add-source= ``` 在 kube-proxy 使用 ipvs 进行请求转发时,除了重启 firewalld + kubelet 之外,需要额外添加白名单策略,允许地址转发请求 ``` firewall-cmd --zone=public --add-masquerade --permanent firewall-cmd --zone=public --add-masquerade ``` 在开启了 NodeLocal DNSCache 的情况下,需要额外将集群 dns 地址加入白名单中 ``` firewall-cmd --zone=trusted --add-source= --permanent firewall-cmd --zone=trusted --add-source= ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://viva.gitbook.io/project/cloud-native/kubernetes/q-and-a.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.