microk8s (6): Analyzing kube-proxy

How does kube-proxy implement Services?

1. Which ports does kube-proxy listen on?

# pid=$(pgrep -x kube-proxy)      # equivalent to: ps aux | grep kube-proxy | grep -v grep | awk '{print $2}'
# lsof -i -a -p "$pid" | grep LISTEN   # -a ANDs the filters: only sockets of that PID, rather than grepping the PID out of all of lsof -i
kube-prox  3835            root    6u  IPv4  42966      0t0  TCP localhost:10256 (LISTEN)
kube-prox  3835            root    7u  IPv4  42968      0t0  TCP localhost:10249 (LISTEN)
kube-prox  3835            root   10u  IPv6  42981      0t0  TCP *:44649 (LISTEN)
kube-prox  3835            root   12u  IPv6  43031      0t0  TCP *:33621 (LISTEN)
kube-prox  3835            root   13u  IPv6  47000      0t0  TCP *:37711 (LISTEN)
kube-prox  3835            root   14u  IPv6  47029      0t0  TCP *:33881 (LISTEN)
kube-prox  3835            root   15u  IPv6  47065      0t0  TCP *:46833 (LISTEN)
kube-prox  3835            root   16u  IPv6  47091      0t0  TCP *:45231 (LISTEN)
kube-prox  3835            root   17u  IPv6  47120      0t0  TCP *:44267 (LISTEN)
kube-prox  3835            root   18u  IPv6  47438      0t0  TCP *:34319 (LISTEN)
kube-prox  3835            root   44u  IPv6 306588      0t0  TCP *:37255 (LISTEN)

As you can see, kube-proxy listens on a lot of ports. What are they?

Two of them are special. Their defaults come from the Kubernetes source:

// ProxyStatusPort is the default port for the proxy metrics server.
// May be overridden by a flag at startup.
ProxyStatusPort = 10249

// ProxyHealthzPort is the default port for the proxy healthz server.
// May be overridden by a flag at startup.
ProxyHealthzPort = 10256

2. Firewall rules

Both of those ports are bound to localhost (10249 is the metrics endpoint, 10256 the healthz endpoint), so they are only reachable from the node itself. The remaining ports, bound on `*`, i.e. all interfaces, are explained by the nat table. Listing it shows two chains that kube-proxy created (adding `-n` would print numeric addresses and ports instead of `anywhere` and `https`):

# iptables -t nat -L
Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  anywhere             10.152.183.1         /* default/kubernetes:https */ tcp dpt:https redir ports 44649
REDIRECT   udp  --  anywhere             10.152.183.10        /* kube-system/kube-dns:dns */ udp dpt:domain redir ports 35960
REDIRECT   tcp  --  anywhere             10.152.183.10        /* kube-system/kube-dns:dns-tcp */ tcp dpt:domain redir ports 33621
REDIRECT   tcp  --  anywhere             10.152.183.120       /* kube-system/kubernetes-dashboard: */ tcp dpt:https redir ports 37711
REDIRECT   tcp  --  anywhere             10.152.183.86        /* kube-system/monitoring-grafana: */ tcp dpt:http redir ports 33881
REDIRECT   tcp  --  anywhere             10.152.183.145       /* kube-system/monitoring-influxdb:http */ tcp dpt:8083 redir ports 46833
REDIRECT   tcp  --  anywhere             10.152.183.145       /* kube-system/monitoring-influxdb:api */ tcp dpt:8086 redir ports 45231
REDIRECT   tcp  --  anywhere             10.152.183.152       /* kube-system/heapster: */ tcp dpt:http redir ports 44267
REDIRECT   tcp  --  anywhere             10.152.183.99        /* default/default-http-backend: */ tcp dpt:http redir ports 34319
REDIRECT   tcp  --  anywhere             10.152.183.226       /* default/nginx: */ tcp dpt:http redir ports 37255

Chain KUBE-PORTALS-HOST (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             10.152.183.1         /* default/kubernetes:https */ tcp dpt:https to:172.21.102.125:44649
DNAT       udp  --  anywhere             10.152.183.10        /* kube-system/kube-dns:dns */ udp dpt:domain to:172.21.102.125:35960
DNAT       tcp  --  anywhere             10.152.183.10        /* kube-system/kube-dns:dns-tcp */ tcp dpt:domain to:172.21.102.125:33621
DNAT       tcp  --  anywhere             10.152.183.120       /* kube-system/kubernetes-dashboard: */ tcp dpt:https to:172.21.102.125:37711
DNAT       tcp  --  anywhere             10.152.183.86        /* kube-system/monitoring-grafana: */ tcp dpt:http to:172.21.102.125:33881
DNAT       tcp  --  anywhere             10.152.183.145       /* kube-system/monitoring-influxdb:http */ tcp dpt:8083 to:172.21.102.125:46833
DNAT       tcp  --  anywhere             10.152.183.145       /* kube-system/monitoring-influxdb:api */ tcp dpt:8086 to:172.21.102.125:45231
DNAT       tcp  --  anywhere             10.152.183.152       /* kube-system/heapster: */ tcp dpt:http to:172.21.102.125:44267
DNAT       tcp  --  anywhere             10.152.183.99        /* default/default-http-backend: */ tcp dpt:http to:172.21.102.125:34319
DNAT       tcp  --  anywhere             10.152.183.226       /* default/nginx: */ tcp dpt:http to:172.21.102.125:37255

3. Conclusion

The KUBE-PORTALS-* chains are the signature of kube-proxy's userspace proxy mode, which is what this microk8s build is running. For every Service port, kube-proxy opens its own listening socket on a random high port and adds one nat rule in each of two chains:

  • KUBE-PORTALS-CONTAINER (reached from PREROUTING): a REDIRECT that sends traffic from pods destined for ClusterIP:port to the local proxy port
  • KUBE-PORTALS-HOST (reached from OUTPUT): a DNAT that sends traffic originating on the host itself to the node IP (172.21.102.125) and the same proxy port

Every connection therefore passes through the kube-proxy process in user space before being forwarded to a backend pod, which is why the iptables and ipvs modes that replaced it do not open per-service ports. Two things worth checking on such a node: the UDP port for kube-dns (35960) is absent from the lsof listing only because UDP sockets have no LISTEN state, and the per-service TCP ports are bound on `*`, so they are reachable from any host that can reach the node's address, not just from pods via the ClusterIP, and should be covered by the node firewall.
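The two listings above are only useful together: a REDIRECT rule whose target port nobody holds open drops the Service on the floor, and a listener with no rule is a port kube-proxy exposes for nothing. The script below, an added example and not part of the original post, parses both outputs, checks every TCP REDIRECT target against the LISTEN sockets, and lists the ports bound on all interfaces. The sample inputs are constructed from the output shown above (with `-n`-style numeric fields); on a real node, feed it the live output with `lsof -nP -i -a -p "$(pgrep -x kube-proxy)"` and `iptables -t nat -nL KUBE-PORTALS-CONTAINER`.

```shell
#!/bin/sh
# Added example: cross-check kube-proxy's userspace-proxy listeners
# against the KUBE-PORTALS-CONTAINER REDIRECT rules.

# Constructed sample of `lsof -nP -i -a -p <kube-proxy pid>` output.
LSOF_SAMPLE='kube-prox  3835 root  6u IPv4  42966 0t0 TCP 127.0.0.1:10256 (LISTEN)
kube-prox  3835 root  7u IPv4  42968 0t0 TCP 127.0.0.1:10249 (LISTEN)
kube-prox  3835 root 10u IPv6  42981 0t0 TCP *:44649 (LISTEN)
kube-prox  3835 root 12u IPv6  43031 0t0 TCP *:33621 (LISTEN)
kube-prox  3835 root 44u IPv6 306588 0t0 TCP *:37255 (LISTEN)'

# Constructed sample of `iptables -t nat -nL KUBE-PORTALS-CONTAINER` output.
IPT_SAMPLE='Chain KUBE-PORTALS-CONTAINER (1 references)
target     prot opt source               destination
REDIRECT   tcp  --  0.0.0.0/0            10.152.183.1         /* default/kubernetes:https */ tcp dpt:443 redir ports 44649
REDIRECT   udp  --  0.0.0.0/0            10.152.183.10        /* kube-system/kube-dns:dns */ udp dpt:53 redir ports 35960
REDIRECT   tcp  --  0.0.0.0/0            10.152.183.10        /* kube-system/kube-dns:dns-tcp */ tcp dpt:53 redir ports 33621
REDIRECT   tcp  --  0.0.0.0/0            10.152.183.226       /* default/nginx: */ tcp dpt:80 redir ports 37255'

# Print "proto port bind_addr" for every LISTEN socket in lsof -i output.
# Field 8 is the protocol (TCP), field 9 the "addr:port" name.
listen_sockets() {
    printf '%s\n' "$1" | awk '$NF == "(LISTEN)" {
        addr = $9; port = $9
        sub(/.*:/, "", port)        # keep text after the last colon
        sub(/:[^:]*$/, "", addr)    # keep text before the last colon
        print tolower($8), port, addr
    }'
}

# Print "proto service redir_port" for every REDIRECT rule. The service
# name is the word inside the /* ... */ comment, the port is the last field.
portal_rules() {
    printf '%s\n' "$1" | awk '$1 == "REDIRECT" {
        svc = "?"
        for (i = 1; i <= NF; i++) if ($i == "/*") svc = $(i + 1)
        print $2, svc, $NF
    }'
}

# For each TCP rule, report whether kube-proxy actually holds the target
# port open. UDP rules are skipped: UDP sockets never show LISTEN in lsof.
# Returns 1 if any rule points at a port nobody listens on.
verify_portals() {
    listeners=$(listen_sockets "$1")
    result=$(portal_rules "$2" | while read -r proto svc port; do
        [ "$proto" = "tcp" ] || continue
        if printf '%s\n' "$listeners" | grep -q "^tcp $port "; then
            echo "OK      $svc -> $port"
        else
            echo "MISSING $svc -> $port"
        fi
    done)
    printf '%s\n' "$result"
    case "$result" in *MISSING*) return 1 ;; esac
    return 0
}

# Ports bound on every interface, i.e. reachable from outside the node.
wildcard_listeners() {
    listen_sockets "$1" | awk '$3 == "*" || $3 == "0.0.0.0" || $3 == "[::]" { print $2 }'
}

verify_portals "$LSOF_SAMPLE" "$IPT_SAMPLE"
echo "ports open on all interfaces: $(wildcard_listeners "$LSOF_SAMPLE" | tr '\n' ' ')"
```

The wildcard list is the one to compare against the node firewall: each of those ports fronts a Service backend and accepts connections from anyone who can reach the node IP.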
