Analyzing kube-proxy's iptables rules


NodePort service

Create a MySQL NodePort service backed by two pod instances. The rc and service configuration is as follows:

1. rc configuration

apiVersion: v1
kind: ReplicationController
metadata:
  name: wordpress-mysql
spec:
  replicas: 2
  selector:
    name: wordpress-mysql
  template:
    metadata:
      labels:
        name: wordpress-mysql
    spec:
      containers:
        - name: wordpress-mysql
          image: 172.16.114.201/library/mysql:v1
          ports:
            - containerPort: 3306
          volumeMounts:
            - name: "wordpress-mysql-data"
              mountPath: "/var/lib/mysql"
          env:
            - name: MYSQL_PASS
              value: "123456"
            - name: ON_CREATE_DB
              value: "wordpress"
      volumes:
        - name: "wordpress-mysql-data"
          hostPath:
            path: "/root/wordpress-mysql/data"

2. service configuration

apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
spec:
  ports:
    - port: 3306
      targetPort: 3306
      nodePort: 30010
      protocol: TCP
  type: NodePort
  selector:
    name: wordpress-mysql

3. The resulting service

Name:               wordpress-mysql
Namespace:          default
Labels:             <none>
Selector:           name=wordpress-mysql
Type:               NodePort
IP:                 10.254.67.85
Port:               <unset>    3306/TCP
NodePort:           <unset>    30010/TCP
Endpoints:          10.0.3.2:3306,10.0.45.6:3306
Session Affinity:   None
No events.

4. Ports used by kube-proxy

[root@test-209 log]# netstat -anp | grep kube-proxy
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      10165/kube-proxy
tcp        0      0 172.16.114.209:46010    172.16.114.208:8080     ESTABLISHED 10165/kube-proxy
tcp        0      0 172.16.114.209:46014    172.16.114.208:8080     ESTABLISHED 10165/kube-proxy
tcp        0      0 172.16.114.209:46012    172.16.114.208:8080     ESTABLISHED 10165/kube-proxy
tcp6       0      0 :::30010                :::*                    LISTEN      10165/kube-proxy
unix  2      [ ]         DGRAM                    36395    10165/kube-proxy
unix  3      [ ]         STREAM     CONNECTED     36403    10165/kube-proxy

5. The corresponding iptables rules

iptables -S -t nat | grep mysql
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp --dport 30010 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp --dport 30010 -j KUBE-SVC-GJ6HULPZPPQIKMS7
-A KUBE-SEP-7KXQQUXVSZ2LFV44 -s 10.0.45.6/32 -m comment --comment "default/wordpress-mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-7KXQQUXVSZ2LFV44 -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp -j DNAT --to-destination 10.0.45.6:3306
-A KUBE-SEP-J7SZJXRP24HRFT23 -s 10.0.3.2/32 -m comment --comment "default/wordpress-mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-J7SZJXRP24HRFT23 -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp -j DNAT --to-destination 10.0.3.2:3306
-A KUBE-SERVICES -d 10.254.67.85/32 -p tcp -m comment --comment "default/wordpress-mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-GJ6HULPZPPQIKMS7
-A KUBE-SVC-GJ6HULPZPPQIKMS7 -m comment --comment "default/wordpress-mysql:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-J7SZJXRP24HRFT23
-A KUBE-SVC-GJ6HULPZPPQIKMS7 -m comment --comment "default/wordpress-mysql:" -j KUBE-SEP-7KXQQUXVSZ2LFV44

From the above we can see that kube-proxy opens a dedicated port, 30010, on the node for the mysql service. In the iptables rules, destination port 30010 is sent to KUBE-SVC-GJ6HULPZPPQIKMS7, which in turn jumps to KUBE-SEP-J7SZJXRP24HRFT23 and KUBE-SEP-7KXQQUXVSZ2LFV44 (each with a 50% chance: the first jump is guarded by "-m statistic --mode random --probability 0.5", and the second, unconditional rule catches the remaining half). KUBE-SEP-J7SZJXRP24HRFT23 and KUBE-SEP-7KXQQUXVSZ2LFV44 hold the DNAT rules that redirect the connection to the endpoints 10.0.45.6:3306 and 10.0.3.2:3306. So when port 30010 is accessed from outside, the iptables rules distribute the traffic between 10.0.45.6:3306 and 10.0.3.2:3306, 50% each.

ClusterIP service

Create a zookeeper ClusterIP service. The rc and service configuration is as follows:

1. rc configuration

apiVersion: v1
kind: ReplicationController
metadata:
  name: zookeeper1
spec:
  replicas: 1
  selector:
    name: zookeeper1
  template:
    metadata:
      labels:
        name: zookeeper1
    spec:
      containers:
        - name: zookeeper1
          image: 10.10.30.166/public/zookeeper:v1
          ports:
            - containerPort: 2181
            - containerPort: 2888
            - containerPort: 3888
          env:
            - name: ZOOKEEPER_ID
              value: "1"
            - name: ZOOKEEPER_SERVER_1
              value: "zookeeper1"
            - name: ZOOKEEPER_SERVER_2
              value: "zookeeper2"
            - name: ZOOKEEPER_SERVER_3
              value: "zookeeper3"

2. service configuration

apiVersion: v1
kind: Service
metadata:
  name: zookeeper1
spec:
  ports:
    - port: 2181
      targetPort: 2181
      protocol: TCP
      name: "1"
    - port: 2888
      targetPort: 2888
      protocol: TCP
      name: "2"
    - port: 3888
      targetPort: 3888
      protocol: TCP
      name: "3"
  type: ClusterIP
  selector:
    name: zookeeper1

3. The resulting service

Name:               zookeeper1
Namespace:          default
Labels:             <none>
Selector:           name=zookeeper1
Type:               ClusterIP
IP:                 10.254.181.6
Port:               1    2181/TCP
Endpoints:          10.0.45.4:2181
Port:               2    2888/TCP
Endpoints:          10.0.45.4:2888
Port:               3    3888/TCP
Endpoints:          10.0.45.4:3888
Session Affinity:   None
No events.

4. iptables rules

iptables -S -t nat | grep zookeeper1
-A KUBE-SEP-BZJZKIUQRVYJVMQB -s 10.0.45.4/32 -m comment --comment "default/zookeeper1:3" -j KUBE-MARK-MASQ
-A KUBE-SEP-BZJZKIUQRVYJVMQB -p tcp -m comment --comment "default/zookeeper1:3" -m tcp -j DNAT --to-destination 10.0.45.4:3888
-A KUBE-SEP-C3J2QHMJ3LTD3GR7 -s 10.0.45.4/32 -m comment --comment "default/zookeeper1:2" -j KUBE-MARK-MASQ
-A KUBE-SEP-C3J2QHMJ3LTD3GR7 -p tcp -m comment --comment "default/zookeeper1:2" -m tcp -j DNAT --to-destination 10.0.45.4:2888
-A KUBE-SEP-RZ4H7H2HFI3XFCXZ -s 10.0.45.4/32 -m comment --comment "default/zookeeper1:1" -j KUBE-MARK-MASQ
-A KUBE-SEP-RZ4H7H2HFI3XFCXZ -p tcp -m comment --comment "default/zookeeper1:1" -m tcp -j DNAT --to-destination 10.0.45.4:2181
-A KUBE-SERVICES -d 10.254.181.6/32 -p tcp -m comment --comment "default/zookeeper1:1 cluster IP" -m tcp --dport 2181 -j KUBE-SVC-HHEJUKXW5P7DV7BX
-A KUBE-SERVICES -d 10.254.181.6/32 -p tcp -m comment --comment "default/zookeeper1:2 cluster IP" -m tcp --dport 2888 -j KUBE-SVC-2SVOYTXLXAXVV7L3
-A KUBE-SERVICES -d 10.254.181.6/32 -p tcp -m comment --comment "default/zookeeper1:3 cluster IP" -m tcp --dport 3888 -j KUBE-SVC-KAVJ7GO67HRSOAM3
-A KUBE-SVC-2SVOYTXLXAXVV7L3 -m comment --comment "default/zookeeper1:2" -j KUBE-SEP-C3J2QHMJ3LTD3GR7
-A KUBE-SVC-HHEJUKXW5P7DV7BX -m comment --comment "default/zookeeper1:1" -j KUBE-SEP-RZ4H7H2HFI3XFCXZ
-A KUBE-SVC-KAVJ7GO67HRSOAM3 -m comment --comment "default/zookeeper1:3" -j KUBE-SEP-BZJZKIUQRVYJVMQB

Looking at the iptables rules, traffic whose destination IP is 10.254.181.6 and whose port is 2181, 2888 or 3888 is sent to KUBE-SVC-HHEJUKXW5P7DV7BX, KUBE-SVC-2SVOYTXLXAXVV7L3 or KUBE-SVC-KAVJ7GO67HRSOAM3 respectively. Those three chains in turn jump to KUBE-SEP-RZ4H7H2HFI3XFCXZ, KUBE-SEP-C3J2QHMJ3LTD3GR7 and KUBE-SEP-BZJZKIUQRVYJVMQB, which hold the DNAT rules that redirect the traffic to 10.0.45.4:2181, 10.0.45.4:2888 and 10.0.45.4:3888. Since the service has a single endpoint, each KUBE-SVC chain contains just one unconditional jump and no "-m statistic" probability rule.
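To check the chain walk described in both the NodePort and the ClusterIP sections mechanically, the following added example (not code from the original post) parses the mysql rules from the "iptables -S -t nat" listing above, follows KUBE-SERVICES / KUBE-NODEPORTS through KUBE-SVC-* to the KUBE-SEP-* DNAT targets, and reports each endpoint's share of the traffic. It assumes TCP only and ignores the "-p" and "-s" matches; the zookeeper1 rules can be fed through the same functions.

```python
# Added example (not from the original post): walk kube-proxy's NAT chains the way
# the kernel does and report which endpoint traffic lands on, and in what share.
import re
from collections import defaultdict

# Rules copied from the "iptables -S -t nat | grep mysql" listing above.
RULES = """
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp --dport 30010 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp --dport 30010 -j KUBE-SVC-GJ6HULPZPPQIKMS7
-A KUBE-SEP-7KXQQUXVSZ2LFV44 -s 10.0.45.6/32 -m comment --comment "default/wordpress-mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-7KXQQUXVSZ2LFV44 -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp -j DNAT --to-destination 10.0.45.6:3306
-A KUBE-SEP-J7SZJXRP24HRFT23 -s 10.0.3.2/32 -m comment --comment "default/wordpress-mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-J7SZJXRP24HRFT23 -p tcp -m comment --comment "default/wordpress-mysql:" -m tcp -j DNAT --to-destination 10.0.3.2:3306
-A KUBE-SERVICES -d 10.254.67.85/32 -p tcp -m comment --comment "default/wordpress-mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-GJ6HULPZPPQIKMS7
-A KUBE-SVC-GJ6HULPZPPQIKMS7 -m comment --comment "default/wordpress-mysql:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-J7SZJXRP24HRFT23
-A KUBE-SVC-GJ6HULPZPPQIKMS7 -m comment --comment "default/wordpress-mysql:" -j KUBE-SEP-7KXQQUXVSZ2LFV44
"""

RULE = re.compile(r'^-A (\S+)(.*?) -j (\S+)(?: --to-destination (\S+))?$')

def parse(text):
    # Group "iptables -S" lines by chain, keeping only the fields used below.
    chains = defaultdict(list)
    for line in text.strip().splitlines():
        chain, opts, target, dest = RULE.match(line).groups()
        prob = re.search(r'--probability (\S+)', opts)
        dport = re.search(r'--dport (\d+)', opts)
        dst = re.search(r'-d (\S+)', opts)
        chains[chain].append({"target": target, "dest": dest,
            "prob": float(prob.group(1)) if prob else None,
            "dport": int(dport.group(1)) if dport else None,
            "dst": dst.group(1).split("/")[0] if dst else None})
    return chains

def resolve(chains, chain, dport=None, dst=None, share=1.0, out=None):
    # Walk a chain top to bottom: a "-m statistic" rule is taken with its probability
    # and the rest falls through; KUBE-MARK-MASQ only sets a mark, so traffic keeps going.
    out = out if out is not None else defaultdict(float)
    remaining = share
    for r in chains.get(chain, []):
        if (r["dport"] is not None and r["dport"] != dport) or \
           (r["dst"] is not None and r["dst"] != dst) or r["target"] == "KUBE-MARK-MASQ":
            continue
        taken = remaining * r["prob"] if r["prob"] is not None else remaining
        if r["target"] == "DNAT":
            out[r["dest"]] += taken  # terminal target: destination rewritten here
        else:
            resolve(chains, r["target"], dport, dst, taken, out)
        remaining -= taken
    return dict(out)
```

resolve(parse(RULES), "KUBE-NODEPORTS", dport=30010) and resolve(parse(RULES), "KUBE-SERVICES", dport=3306, dst="10.254.67.85") both yield the two endpoints at 0.5 each, matching the analysis above.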
