前言
Kubernetes利用iptables達成以下兩個目的:
1)對外暴露POD和服務
2)簡單的負載均衡
在kubernetes worker node的iptables的NAT表的prerouting和output鏈表會出現如下規則作爲kubernetes相關的數據包操作的入口:
-A PREROUTING -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
-A OUTPUT -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST
PREROUTING鏈表用來處理外部進來的數據包
規則1 用來向使用hostport的POD轉發數據包(用於IP Tables模式)
規則2 用來向kubernetes服務轉發數據包(用於IPTables模式)
規則3 用來處理容器內向cluster service虛IP發出的請求(用於kube-proxy模式)
規則4 用來處理容器向nodeport發出的請求(用於kube-proxy模式)
OUTPUT鏈表用來處理髮向外部的數據包
規則1 用來處理主機向host port發出的請求(用於IP Tables模式)
規則2 用來處理主機向kubernetes service發出的請求(用於IP Tables模式)
規則3 用來處理主機向cluster service 虛IP發出的請求(用於kube-proxy模式)
規則4 用來處理主機向nodeport發出的請求(用於kube-proxy模式)
kubernetes各種類型的服務對外暴露的順序依次是hostport、cluster service、node external、 loadbalancer service 和nodeport service
-A KUBE-SERVICES -d cluster_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name cluster IP" -m tcp --dport 80 -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d loadbalancer_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -m tcp --dport 80 -j KUBE-FW-SSSSSS
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
工作原理
1) cluster service 的入口是這個規則“-A[PREROUTING|OUTPUT]-m comment --comment 'kubernetes service portals' -j KUBE_SERVICES”, 跳到KUBE-SERVICE chain
2)這個KUBE-SERVICE chain 由一系列滿足如下規則的rule組成:
滿足訪問某個cluster_VIP和port的請求將會被倒入到rule KUBE-SVC-XXXXX
3)KUBE-SVC-XXXXXX的組成如下:
-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA
-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB
-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC
會按照概率對所有後端的POD進行選擇轉發
4)KUBE-SEP-CCCCC的組成如下:
-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT
需要進行一次DNAT, 把數據包定位到選定的POD, 然後經由路由進入遠端或者本地的POD
External Load balancer service如何使用iptables對外暴露POD服務
1. 經由external load balancer轉發的外部請求會帶有外部IP地址,這個地址會匹配如下規則:
-A KUBE-SERVICES -d loadbalancer_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -m tcp --dport 80 -j KUBE-FW-SSSSSS
2. KUBE-FW-SSSSSS組成如下:
-A KUBE-FW-SSSSSS -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -j KUBE-XLB-KKKKKK
-A KUBE-FW-SSSSSS -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -j KUBE-MARK-DROP
3.KUBE-XLB-KKKKKK由一系列概率選擇規則組成:
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 0 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 1 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 2 for namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC
將數據包導到具體的POD相關iptables規則
4. KUBE-SEP-CCCCC的組成如下:
-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT
需要進行一次DNAT,把數據包定位到選定POD,然後經由路由進入遠端或者本地的POD
nodePort Service如何使用iptables對外暴露POD服務
1. KUBE-SERVICE chain的最末端將跳轉到nodeport service對應的chain KUBE-NODEPORTS
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
2. KUBE-NODEPORTS裏面包含一系列不同的nodeport service對應的規則
例如:
-A KUBE-NODEPORTS -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp --dport 80 -j KUBE-XLB-KKKKKK
最後跳轉到爲外部訪問生成的load balance規則。
3.KUBE-XLB-KKKKKK由一系列概率選擇規則組成:
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 0 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 1 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB
-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 2 for namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC
將數據包導到具體的POD相關iptables規則
4. KUBE-SEP-CCCCC的組成如下:
-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ
-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT
需要進行一次DNAT,把數據包定位到選定POD,然後經由路由進入遠端或者本地的POD