First, switch the kube-proxy mode to iptables:
kubectl edit configmap kube-proxy -n kube-system
Edit the following:
kind: KubeProxyConfiguration
metricsBindAddress: 127.0.0.1:10249
mode: "ipvs" ##### change this line: leaving it empty selects iptables
nodePortAddresses: null
Then kill the kube-proxy pod and let the deployment automatically bring up a new pod with the new configuration.
Print the kube-proxy pod's log to check whether iptables mode is in use:
kubectl logs kube-proxy-xxx -n kube-system
The mode has now been changed to iptables.
Services currently present in the cluster:
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default go-web-service NodePort 10.96.97.253 <none> 3009:30009/TCP 20d
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 72d
Trace the iptables path for the go-web-service entry:
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SERVICES |egrep 'go-web-service'
target prot opt source destination
KUBE-MARK-MASQ tcp -- !ebs-76642/16 ebs-76642 /* default/go-web-service:http cluster IP */ tcp dpt:pxc-ntfy
KUBE-SVC-KG4IN6CR36NHNLPD tcp -- anywhere ebs-76642 /* default/go-web-service:http cluster IP */ tcp dpt:pxc-ntfy
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SVC-KG4IN6CR36NHNLPD
Chain KUBE-SVC-KG4IN6CR36NHNLPD (2 references)
target prot opt source destination
KUBE-SEP-TKPLZBGAW27QFDLO all -- anywhere anywhere statistic mode random probability 0.50000000000
KUBE-SEP-LEFZ7V5H5GEG5L4O all -- anywhere anywhere
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-TKPLZBGAW27QFDLO
Chain KUBE-SEP-TKPLZBGAW27QFDLO (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 172.16.1.43 anywhere
DNAT tcp -- anywhere anywhere tcp to:172.16.1.43:3009
[root@ebs-76642 ~]# k get pods -A -o wide|grep '172.16.1.43'
default go-web-app-68797989b8-2vctz 1/1 Running 3 20d 172.16.1.43 ebs-82413 <none> <none>
Trace the iptables path for kube-dns; this Service exposes three ports (dns-tcp, dns, metrics):
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SERVICES |egrep 'kube-dns'
KUBE-MARK-MASQ tcp -- !ebs-76642/16 ebs-76642 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- anywhere ebs-76642 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-MARK-MASQ udp -- !ebs-76642/16 ebs-76642 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- anywhere ebs-76642 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-MARK-MASQ tcp -- !ebs-76642/16 ebs-76642 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-SVC-JD5MR3NA4I4DYORP tcp -- anywhere ebs-76642 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
- First, the port named dns-tcp:
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SVC-ERIFXISQEP7F7OF4
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target prot opt source destination
KUBE-SEP-7LK5TTMYU3GPSJJW all -- anywhere anywhere statistic mode random probability 0.50000000000
KUBE-SEP-3NE7D5ZQGKE4MF2Z all -- anywhere anywhere
- The two backend pods behind dns-tcp:
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-7LK5TTMYU3GPSJJW
Chain KUBE-SEP-7LK5TTMYU3GPSJJW (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 172.16.0.15 anywhere
DNAT tcp -- anywhere anywhere tcp to:172.16.0.15:53
[root@ebs-76642 ~]# iptables -t nat -L KUBE-SEP-3NE7D5ZQGKE4MF2Z
Chain KUBE-SEP-3NE7D5ZQGKE4MF2Z (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 172.16.1.44 anywhere
DNAT tcp -- anywhere anywhere tcp to:172.16.1.44:53
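The walk above (KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* -> DNAT) can be automated. The following script is an added example, not part of the original post: it parses `iptables -t nat -L` output, follows the dns-tcp service chain to its DNAT targets, and computes each backend's share of new connections from the `statistic mode random probability` clauses in rule order (the rule with probability 0.5 takes half, the last rule with no clause takes the rest). The input is assembled from the chain listings captured on this page; the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed input: the kube-dns dns-tcp chains captured above, concatenated as
# if `iptables -t nat -L <chain>` had been run for the SVC chain and both SEPs.
SAMPLE = """\
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target prot opt source destination
KUBE-SEP-7LK5TTMYU3GPSJJW all -- anywhere anywhere statistic mode random probability 0.50000000000
KUBE-SEP-3NE7D5ZQGKE4MF2Z all -- anywhere anywhere
Chain KUBE-SEP-7LK5TTMYU3GPSJJW (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 172.16.0.15 anywhere
DNAT tcp -- anywhere anywhere tcp to:172.16.0.15:53
Chain KUBE-SEP-3NE7D5ZQGKE4MF2Z (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 172.16.1.44 anywhere
DNAT tcp -- anywhere anywhere tcp to:172.16.1.44:53
"""

def parse_chains(text: str) -> Dict[str, List[str]]:
    """Map each chain name to its rule lines, dropping the column-header rows."""
    chains: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line and not line.startswith("target "):
            chains[current].append(line)
    return chains

def trace_service(chains: Dict[str, List[str]], svc_chain: str) -> Dict[str, float]:
    """Follow KUBE-SVC-* -> KUBE-SEP-* -> DNAT and return each backend's share of
    new connections. Order matters: a rule with `statistic mode random probability
    p` takes p of the traffic still unmatched; the last rule takes the remainder."""
    shares: Dict[str, float] = {}
    remaining = 1.0
    for rule in chains[svc_chain]:
        target = rule.split()[0]
        if not target.startswith("KUBE-SEP-"):
            continue  # e.g. KUBE-MARK-MASQ rows are not endpoint jumps
        prob = re.search(r"probability (\d+\.\d+)", rule)
        share = remaining * float(prob.group(1)) if prob else remaining
        remaining -= share
        dnat = next(r for r in chains[target] if r.startswith("DNAT "))
        shares[re.search(r"to:(\S+)", dnat).group(1)] = round(share, 6)
    return shares
```

Run it against `iptables -t nat -L KUBE-SVC-...` plus the listed SEP chains on a node to confirm that every endpoint of a Service is reachable through DNAT and that the split is even; an endpoint missing from the walk, or a DNAT target that is not a pod IP from `kubectl get pods -o wide`, is worth investigating.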