iptables rules for a k8s Service

First switch kube-proxy's mode to iptables:

kubectl edit configmap kube-proxy -n kube-system
and change:

kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs"                          ##### change this line; leaving it empty means iptables
nodePortAddresses: null

Then kill the kube-proxy pod so that the deployment automatically brings up a new pod with the new configuration.

Print the kube-proxy pod's logs to check whether it is using iptables mode:
kubectl logs kube-proxy-xxx -n kube-system

The mode has now been changed to iptables.

Services currently in the cluster:

NAMESPACE              NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                   AGE
default                go-web-service              NodePort    10.96.97.253    <none>        3009:30009/TCP            20d
kube-system            kube-dns                    ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP    72d

Trace the iptables chain for go-web-service:

[root@ebs-76642 ~]# iptables -t nat -L KUBE-SERVICES |egrep 'go-web-service'
target     prot opt source               destination
KUBE-MARK-MASQ  tcp  -- !ebs-76642/16         ebs-76642            /* default/go-web-service:http cluster IP */ tcp dpt:pxc-ntfy
KUBE-SVC-KG4IN6CR36NHNLPD  tcp  --  anywhere             ebs-76642            /* default/go-web-service:http cluster IP */ tcp dpt:pxc-ntfy

[root@ebs-76642 ~]# iptables -t nat -L KUBE-SVC-KG4IN6CR36NHNLPD
Chain KUBE-SVC-KG4IN6CR36NHNLPD (2 references)
target     prot opt source               destination
KUBE-SEP-TKPLZBGAW27QFDLO  all  --  anywhere             anywhere             statistic mode random probability 0.50000000000
KUBE-SEP-LEFZ7V5H5GEG5L4O  all  --  anywhere             anywhere

[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-TKPLZBGAW27QFDLO
Chain KUBE-SEP-TKPLZBGAW27QFDLO (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  172.16.1.43          anywhere
DNAT       tcp  --  anywhere             anywhere             tcp to:172.16.1.43:3009

[root@ebs-76642 ~]# k get pods -A -o wide|grep '172.16.1.43'
default                go-web-app-68797989b8-2vctz                 1/1     Running   3          20d   172.16.1.43      ebs-82413   <none>           <none>

Trace the iptables chain for kube-dns; this Service exposes three ports (dns-tcp, dns, metrics):

[root@ebs-76642 ~]# iptables -t nat -L KUBE-SERVICES |egrep 'kube-dns'
KUBE-MARK-MASQ  tcp  -- !ebs-76642/16         ebs-76642            /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-SVC-ERIFXISQEP7F7OF4  tcp  --  anywhere             ebs-76642            /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-MARK-MASQ  udp  -- !ebs-76642/16         ebs-76642            /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-SVC-TCOU7JCQXEZGVUNU  udp  --  anywhere             ebs-76642            /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-MARK-MASQ  tcp  -- !ebs-76642/16         ebs-76642            /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-SVC-JD5MR3NA4I4DYORP  tcp  --  anywhere             ebs-76642            /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153

- First the port named dns-tcp:
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SVC-ERIFXISQEP7F7OF4
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target     prot opt source               destination
KUBE-SEP-7LK5TTMYU3GPSJJW  all  --  anywhere             anywhere             statistic mode random probability 0.50000000000
KUBE-SEP-3NE7D5ZQGKE4MF2Z  all  --  anywhere             anywhere

- The two backend pods behind dns-tcp:
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-7LK5TTMYU3GPSJJW
Chain KUBE-SEP-7LK5TTMYU3GPSJJW (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  172.16.0.15          anywhere
DNAT       tcp  --  anywhere             anywhere             tcp to:172.16.0.15:53
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-3NE7D5ZQGKE4MF2Z
Chain KUBE-SEP-3NE7D5ZQGKE4MF2Z (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  172.16.1.44          anywhere
DNAT       tcp  --  anywhere             anywhere             tcp to:172.16.1.44:53
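The KUBE-SVC to KUBE-SEP to DNAT walk above can be automated so the backends a Service really DNATs to are compared against the pod IPs reported by kubectl. The script below is an added example, not part of the original post: it parses the dns-tcp chain listings shown above (embedded as constructed sample input), computes each backend's effective share from the "statistic mode random probability" rules, and flags any DNAT target whose IP is not in a known pod IP set you supply.

```python
import re
# Constructed sample: the kube-dns dns-tcp chains shown above, as `iptables -t nat -L <chain>` prints them.
SAMPLE = """\
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target     prot opt source               destination
KUBE-SEP-7LK5TTMYU3GPSJJW  all  --  anywhere             anywhere             statistic mode random probability 0.50000000000
KUBE-SEP-3NE7D5ZQGKE4MF2Z  all  --  anywhere             anywhere
Chain KUBE-SEP-7LK5TTMYU3GPSJJW (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  172.16.0.15          anywhere
DNAT       tcp  --  anywhere             anywhere             tcp to:172.16.0.15:53
Chain KUBE-SEP-3NE7D5ZQGKE4MF2Z (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  172.16.1.44          anywhere
DNAT       tcp  --  anywhere             anywhere             tcp to:172.16.1.44:53
"""
def parse_chains(text):
    """Map chain name -> list of rules (each rule a token list) from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line.strip() and not line.startswith("target"):
            chains[current].append(line.split())
    return chains
def resolve_endpoints(chains, svc_chain):
    """Follow a KUBE-SVC chain's KUBE-SEP jumps -> [(sep_chain, dnat_target, share)].
    kube-proxy gives rule i (0-based) of N 'probability 1/(N-i)' and the last rule no
    match, so the remaining-traffic arithmetic below yields an equal 1/N per backend."""
    remaining, result = 1.0, []
    for rule in chains.get(svc_chain, []):
        sep = rule[0]
        if not sep.startswith("KUBE-SEP-"):
            continue
        m = re.search(r"probability (\d+\.\d+)", " ".join(rule))
        share = remaining * (float(m.group(1)) if m else 1.0)
        remaining -= share
        dnat = [r for r in chains.get(sep, []) if r[0] == "DNAT"]
        target = re.search(r"to:(\S+)", " ".join(dnat[0])).group(1) if dnat else None
        result.append((sep, target, round(share, 4)))
    return result
def unexpected_backends(resolved, known_pod_ips):
    """DNAT targets whose IP is not in the pod IP list from `kubectl get pods -A -o wide`."""
    return [t for _, t, _ in resolved if t and t.rsplit(":", 1)[0] not in known_pod_ips]
if __name__ == "__main__":
    for sep, target, share in resolve_endpoints(parse_chains(SAMPLE), "KUBE-SVC-ERIFXISQEP7F7OF4"):
        print(f"{sep} -> {target} ({share:.0%})")
```

On a real node, feed it the concatenated output of `iptables -t nat -L` for the KUBE-SVC chain and each KUBE-SEP chain it references, and pass the pod IPs from `kubectl get pods -A -o wide` as the known set.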
