
[K8S] Service proxy mode: iptables

程序员文章站 2024-03-13 09:48:21

Create the Deployment and the Service
The three Pod IPs are
10.244.169.161
10.244.169.163
10.244.169.165
The Service's Cluster IP is 10.104.247.10 and its nodePort is 31947

>>>Deployment
[[email protected] ~]# kubectl get deploy -o wide
NAME   READY   UP-TO-DATE   AVAILABLE   AGE   CONTAINERS   IMAGES       SELECTOR
web    3/3     3            3           12m   nginx        nginx:1.21   app=web

>>>Pod
[[email protected] ~]# kubectl get pod -o wide
NAME                  READY   STATUS    RESTARTS   AGE   IP               NODE        NOMINATED NODE   READINESS GATES
web-d779974b6-9zx48   1/1     Running   0          12m   10.244.169.165   k8s-node2   <none>           <none>
web-d779974b6-csx2h   1/1     Running   0          12m   10.244.169.161   k8s-node2   <none>           <none>
web-d779974b6-hb6kw   1/1     Running   0          12m   10.244.169.163   k8s-node2   <none>           <none>

>>>Service
[[email protected] ~]# kubectl get svc -o wide
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE   SELECTOR
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP        27d   <none>
web          NodePort    10.104.247.10   <none>        80:31947/TCP   12m   app=web

>>>Endpoint
[[email protected] ~]# kubectl get ep -o wide
NAME         ENDPOINTS                                               AGE
kubernetes   192.168.231.121:6443                                    27d
web          10.244.169.161:80,10.244.169.163:80,10.244.169.165:80   12m


Use `iptables-save | grep <svc name>` to view the rules for a Service

iptables-save — dump iptables rules to stdout
ip6tables-save — dump iptables rules to stdout

Every rule matched below belongs to the nat table (DNAT is only valid there), so `iptables-save -t nat | grep <svc name>` narrows the dump to the Service rules without losing any of them.

[[email protected] ~]# iptables-save | grep web
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-SVC-LOLE4ISW44XBNF3G
-A KUBE-SEP-BJLXVQMD4VVYPI2H -s 10.244.169.161/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-BJLXVQMD4VVYPI2H -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.161:80
-A KUBE-SEP-G4IDOWJQUQJ6MLO4 -s 10.244.169.165/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-G4IDOWJQUQJ6MLO4 -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.165:80
-A KUBE-SEP-HPW2WDDZQWHWFYBL -s 10.244.169.163/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-HPW2WDDZQWHWFYBL -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.163:80
-A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.104.247.10/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.104.247.10/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-LOLE4ISW44XBNF3G
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-BJLXVQMD4VVYPI2H
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HPW2WDDZQWHWFYBL
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -j KUBE-SEP-G4IDOWJQUQJ6MLO4
[[email protected] ~]#

Notes:

KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-MARK-MASQ
KUBE-MARK-MASQ does not track packets; it sets a firewall mark on them. MARK is a non-terminating target, so the packet continues down the chain, and kube-proxy's KUBE-POSTROUTING chain later SNATs (masquerades) every marked packet to the node's own address. The rules above mark three cases: all NodePort traffic, ClusterIP traffic whose source is outside the Pod CIDR (`! -s 10.244.0.0/16`), and, in each KUBE-SEP-* chain, a Pod talking to its own Service (`-s <pod IP>/32`, the hairpin case). In all three the backend Pod sees the node IP as the source instead of the real client; for NodePort traffic, externalTrafficPolicy: Local keeps the client IP, at the cost of only routing to Pods on the node that received the packet.

Outside the cluster --> nodePort
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-SVC-LOLE4ISW44XBNF3G
TCP traffic for Service web in namespace default with destination port 31947 is sent to KUBE-SVC-LOLE4ISW44XBNF3G.

Inside the cluster (pod, node, ...) --> Cluster IP
-A KUBE-SERVICES -d 10.104.247.10/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-LOLE4ISW44XBNF3G
Traffic to 10.104.247.10 (Cluster IP):80 is sent to KUBE-SVC-LOLE4ISW44XBNF3G.

So internal and external access both end up in the same chain, KUBE-SVC-LOLE4ISW44XBNF3G.

KUBE-SVC-LOLE4ISW44XBNF3G does the load balancing (rules are tried from top to bottom)
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-BJLXVQMD4VVYPI2H
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HPW2WDDZQWHWFYBL
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -j KUBE-SEP-G4IDOWJQUQJ6MLO4

Rule 1: taken with probability 1/3 --> KUBE-SEP-BJLXVQMD4VVYPI2H
Rule 2: if rule 1 was not taken, taken with probability 1/2 of the remaining 2/3, i.e. 1/3 overall --> KUBE-SEP-HPW2WDDZQWHWFYBL
Rule 3: if neither was taken, always taken (the last 1/3) --> KUBE-SEP-G4IDOWJQUQJ6MLO4

Each Pod therefore receives one third of new connections. The nat table is consulted only for the first packet of a connection; conntrack applies the chosen DNAT to the rest, so the random pick is made per connection, not per packet. In general, for n endpoints kube-proxy writes probabilities 1/n, 1/(n-1), ..., 1/2 followed by a final unconditional rule, which is what makes the split uniform.

KUBE-SEP-BJLXVQMD4VVYPI2H: traffic that reaches this chain is DNATed to 10.244.169.161:80 (pod web-d779974b6-csx2h)
-A KUBE-SEP-BJLXVQMD4VVYPI2H -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.161:80
KUBE-SEP-HPW2WDDZQWHWFYBL: traffic that reaches this chain is DNATed to 10.244.169.163:80 (pod web-d779974b6-hb6kw)
-A KUBE-SEP-HPW2WDDZQWHWFYBL -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.163:80
KUBE-SEP-G4IDOWJQUQJ6MLO4: traffic that reaches this chain is DNATed to 10.244.169.165:80 (pod web-d779974b6-9zx48)
-A KUBE-SEP-G4IDOWJQUQJ6MLO4 -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.165:80
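The chain walk described above can be checked mechanically. The script below is an added example, not code from the original post or from kube-proxy: it parses the thirteen rules dumped above (embedded verbatim so it runs offline), then follows a packet from an entry chain through KUBE-SVC-* and KUBE-SEP-* the way the kernel would, reporting for each reachable DNAT the backend Pod, the share of new connections it gets (the `--probability` of each rule applied to whatever earlier rules left over), and whether KUBE-MARK-MASQ was hit on the way. It generalizes past this page's three endpoints to any number. The client addresses 10.244.1.5 and 203.0.113.7 are constructed; 192.168.231.121 is the node IP from the kubernetes endpoint above. The parser assumes every option in a rule takes exactly one argument and that MARK and DNAT are the only targets that matter, which holds for this dump. NodePort traces start directly at KUBE-NODEPORTS because the KUBE-SERVICES rule that jumps there for locally addressed packets (`-m addrtype --dst-type LOCAL -j KUBE-NODEPORTS`) does not contain the word "web" and was filtered out by the grep.

```python
import ipaddress
import shlex

# The thirteen `iptables-save | grep web` rules shown above, embedded so this runs offline.
RULES = """\
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web" -m tcp --dport 31947 -j KUBE-SVC-LOLE4ISW44XBNF3G
-A KUBE-SEP-BJLXVQMD4VVYPI2H -s 10.244.169.161/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-BJLXVQMD4VVYPI2H -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.161:80
-A KUBE-SEP-G4IDOWJQUQJ6MLO4 -s 10.244.169.165/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-G4IDOWJQUQJ6MLO4 -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.165:80
-A KUBE-SEP-HPW2WDDZQWHWFYBL -s 10.244.169.163/32 -m comment --comment "default/web" -j KUBE-MARK-MASQ
-A KUBE-SEP-HPW2WDDZQWHWFYBL -p tcp -m comment --comment "default/web" -m tcp -j DNAT --to-destination 10.244.169.163:80
-A KUBE-SERVICES ! -s 10.244.0.0/16 -d 10.104.247.10/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d 10.104.247.10/32 -p tcp -m comment --comment "default/web cluster IP" -m tcp --dport 80 -j KUBE-SVC-LOLE4ISW44XBNF3G
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-BJLXVQMD4VVYPI2H
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-HPW2WDDZQWHWFYBL
-A KUBE-SVC-LOLE4ISW44XBNF3G -m comment --comment "default/web" -j KUBE-SEP-G4IDOWJQUQJ6MLO4
"""

class Rule:
    """One `-A CHAIN ... -j TARGET` line. Assumes every option takes exactly one
    argument (-m, --mode and --comment included), which holds for kube-proxy's rules."""

    def __init__(self, tokens):
        self.chain, self.src_neg, self.dst_neg = tokens[1], False, False
        self.proto = self.src = self.dst = self.dport = self.to_dest = self.target = None
        self.probability = None          # from -m statistic --probability P
        neg, i = False, 2
        while i < len(tokens):
            opt, arg = tokens[i], (tokens[i + 1] if i + 1 < len(tokens) else None)
            if opt == "!":               # negates the next match, e.g. ! -s CIDR
                neg, i = True, i + 1
                continue
            if opt == "-p":
                self.proto = arg
            elif opt == "-s":
                self.src, self.src_neg = ipaddress.ip_network(arg), neg
            elif opt == "-d":
                self.dst, self.dst_neg = ipaddress.ip_network(arg), neg
            elif opt == "--dport":
                self.dport = int(arg)
            elif opt == "--probability":
                self.probability = float(arg)
            elif opt == "-j":
                self.target = arg
            elif opt == "--to-destination":
                self.to_dest = arg
            neg, i = False, i + 2

    def matches(self, pkt):
        """Deterministic matches only; -m statistic is handled in trace()."""
        if self.proto not in (None, pkt["proto"]) or self.dport not in (None, pkt["dport"]):
            return False
        for net, neg, addr in ((self.src, self.src_neg, pkt["src"]),
                               (self.dst, self.dst_neg, pkt["dst"])):
            if net is not None and (addr in net) == neg:
                return False
        return True

def load_chains(text):
    chains = {}
    for line in text.splitlines():
        if line.startswith("-A "):
            rule = Rule(shlex.split(line))
            chains.setdefault(rule.chain, []).append(rule)
    return chains

def trace(chains, chain, pkt, prob=1.0, masq=False):
    """Return [(endpoint, probability, masqueraded)] for every DNAT reachable from
    `chain`; `remaining` is the traffic share earlier terminating rules left over."""
    results, remaining = [], prob
    for rule in chains.get(chain, []):
        if not rule.matches(pkt):
            continue
        share = remaining * (1.0 if rule.probability is None else rule.probability)
        if rule.target == "KUBE-MARK-MASQ":
            masq = True                  # MARK is non-terminating: flag for SNAT, go on
            continue
        if rule.target == "DNAT":
            sub = [(rule.to_dest, share, masq)]
        elif rule.target in chains:
            sub = trace(chains, rule.target, pkt, share, masq)
        else:
            continue                     # RETURN/ACCEPT do not occur in this dump
        results.extend(sub)
        remaining -= sum(p for _, p, _ in sub)
        if remaining <= 1e-12:           # chain fully terminated, nothing falls through
            break
    return results

def trace_service(text, entry_chain, src, dst, dport, proto="tcp"):
    pkt = {"proto": proto, "src": ipaddress.ip_address(src),
           "dst": ipaddress.ip_address(dst), "dport": dport}
    return sorted(trace(load_chains(text), entry_chain, pkt))

if __name__ == "__main__":               # 10.244.1.5 and 203.0.113.7 are constructed clients
    for entry, src, dst, dport in [("KUBE-SERVICES", "10.244.1.5", "10.104.247.10", 80),
                                   ("KUBE-SERVICES", "10.244.169.161", "10.104.247.10", 80),
                                   ("KUBE-NODEPORTS", "203.0.113.7", "192.168.231.121", 31947)]:
        print(entry, src, trace_service(RULES, entry, src, dst, dport))
```

Run it with python3 and it prints, per case, the three backends each at a share of one third. A Pod client reaching the Cluster IP is not masqueraded; a client outside the Pod CIDR (a node, or an external host on the NodePort) is masqueraded to every backend; and a Pod hitting its own Service is masqueraded only on the path that lands back on itself, which is the hairpin rule in its KUBE-SEP-* chain. To use it on a live node, replace RULES with the output of `iptables-save -t nat | grep '<namespace>/<svc name>'`.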

Related tags: K8S