準備

首先創(chuàng)建redis deployment, 副本數(shù)為3捡遍，同時創(chuàng)建一個Cluster Service

cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name:  redis-deploy-demo
  namespace: default
  labels:
    app:  redis-deploy-demo
spec:
  selector:
    matchLabels:
      app: redis-deploy-demo
  replicas: 3
  template:
    metadata:
      labels:
        app:  redis-deploy-demo
    spec:
      containers:
      - name:  redis-deploy-demo
        image:  redis:latest
        imagePullPolicy: IfNotPresent
        ports:
        - containerPort:  6379
          name:  redis
      restartPolicy: Always
---

apiVersion: v1
kind: Service
metadata:
  name: redis-demo-svc
  namespace: default
spec:
  selector:
    app: redis-deploy-demo
  type: ClusterIP
  ports:
  - name: redis-demo-svc
    protocol: TCP
    port: 6379
    targetPort: 6379
---
EOF

我的CNI的環(huán)境為flannel奕塑，其中

host 地址為：192.168.205.10
Pod CIDR網(wǎng)段為 172.16.0.0/16
Service CIDR網(wǎng)段為：10.68.0.0/16

查看Pod創(chuàng)建情況

# watch kubectl get pods -o wide
Every 2.0s: kubectl get pod -o wide                                                                                                                                                 k8s1: Thu Nov 26 09:27:55 2020

NAME                                READY   STATUS    RESTARTS   AGE     IP            NODE             NOMINATED NODE   READINESS GATES
redis-deploy-demo-7d6cf8d7b-8g8h4   1/1     Running   0          2m59s   172.16.0.10   192.168.205.10   <none>           <none>
redis-deploy-demo-7d6cf8d7b-ldw6p   1/1     Running   0          2m59s   172.16.0.11   192.168.205.10   <none>           <none>
redis-deploy-demo-7d6cf8d7b-txbx2   1/1     Running   0          2m59s   172.16.0.12   192.168.205.10   <none>           <none>

查看service創(chuàng)建情況

?  ~ kubectl get svc -o wide
NAME                        TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE     SELECTOR
kubernetes                  ClusterIP   10.68.0.1       <none>        443/TCP    32h     <none>
redis-demo-svc              ClusterIP   10.68.87.193    <none>        6379/TCP   5m16s   app=redis-deploy-demo

探秘iptables

本節(jié)僅關(guān)注Service和endpoints如何生成iptables的，因此只關(guān)注KUBE-SERVICES這個Chain运准。

kube-proxy啟動時會創(chuàng)建 KUBE-SERVICES 這個Chain溜宽，該Chain創(chuàng)建到多個Chain中：

Chain：FORWARD，Table：filter
Chain：OUTPUT烈涮，Table：filter
Chain：INPUT，Table：filter
Chain：OUTPUT窖剑，Table：nat
Chain：PREROUTING坚洽，Table：nat

查看filter table的KUBE-SERVICE Chain

?  ~ iptables -L -n -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW /* kubernetes service portals */

查看nat table的KUBE-SERVICE Chain

?  ~ iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
KUBE-SERVICES  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

如何設置Service的iptables

Kubernetes中 Service的流量進入KUBE-SERVICES鏈
KUBE-SERVICES鏈根據(jù)目標IP:Port匹配并跳轉(zhuǎn)到相應的 KUBE-SVC-* 鏈
KUBE-SVC-*鏈相當于一個負載均衡器，它會將數(shù)據(jù)包平均分發(fā)到KUBE-SEP-鏈西土。
每個KUBE-SVC-鏈后面的KUBE-SEP-鏈都和Service的后端Pod數(shù)量一樣讶舰；
KUBE-SEP-鏈通過DNAT將連接的目的地址和端口從Service的IP:port替換為后端Pod的IP:port，從而將流量轉(zhuǎn)發(fā)到相應的Pod

?  ~ iptables -L -n -t nat | grep redis-demo-svc
KUBE-MARK-MASQ  tcp  -- !172.16.0.0/16        10.68.87.193         /* default/redis-demo-svc:redis-demo-svc cluster IP */ tcp dpt:6379
KUBE-SVC-VE7MVEEUKDB7C47U  tcp  --  0.0.0.0/0            10.68.87.193         /* default/redis-demo-svc:redis-demo-svc cluster IP */ tcp dpt:6379

?  ~ iptables -S -t nat | grep KUBE-SVC-VE7MVEEUKDB7C47U
-N KUBE-SVC-VE7MVEEUKDB7C47U
-A KUBE-SERVICES -d 10.68.87.193/32 -p tcp -m comment --comment "default/redis-demo-svc:redis-demo-svc cluster IP" -m tcp --dport 6379 -j KUBE-SVC-VE7MVEEUKDB7C47U
-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-FICB4PLPMKAVYTRH
-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-H4Y7KXPHOKLDT3V2
-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -j KUBE-SEP-DMEF5W3N2PX5ARY5

對于Service的流量路徑需了，首先進入的是KUBE-SERVICES鏈
其中 -A KUBE-SERVICES -d 10.68.87.193/32 -p tcp -m comment --comment "default/redis-demo-svc:redis-demo-svc cluster IP" -m tcp --dport 6379 -j KUBE-SVC-VE7MVEEUKDB7C47U 表示對于目的地址為 10.68.87.193/32 跳昼，目的端口為 6379 的流量JUMP到 KUBE-SVC-VE7MVEEUKDB7C47U

KUBE-SVC-VE7MVEEUKDB7C47U 鏈設置為

-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-FICB4PLPMKAVYTRH
-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-H4Y7KXPHOKLDT3V2
-A KUBE-SVC-VE7MVEEUKDB7C47U -m comment --comment "default/redis-demo-svc:redis-demo-svc" -j KUBE-SEP-DMEF5W3N2PX5ARY5

未完待續(xù)......

深入解讀 Kubernetes 如何實現(xiàn)Service （一）

深入解讀 Kubernetes 如何實現(xiàn)Service （一）

準備

探秘iptables

如何設置Service的iptables