iptables usually refers to the Linux firewall, which consists of two components: netfilter, the kernel-space component, and iptables, the user-space tool that adds, deletes and queries firewall rules.
A Kubernetes Service relies on iptables to forward and route traffic to its backend pods; below we trace the specific rules kube-proxy installs.
service
The service has the following mapping:

| clusterip:port | podip:port |
|---|---|
| 10.96.125.27:8080 | 10.254.20.8:8080 |
```
[root@master-192 st]# kubectl describe svc heketi
Name: heketi
Namespace: default
Labels: app=heketi
Annotations:
Selector: app=heketi
Type: NodePort
IP: 10.96.125.27
Port: 8080/TCP
TargetPort: 8080/TCP
NodePort: 31131/TCP
Endpoints: 10.254.20.8:8080
Session Affinity: None
External Traffic Policy: Cluster
Events:
[root@master-192 st]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE
heketi-5bb88f8854-7hpgx 1/1 Running 0 1d 10.254.20.8 master-192
```
iptables
First, the DNAT side. In the nat table both PREROUTING (traffic entering the node) and OUTPUT (traffic generated locally) jump to KUBE-SERVICES:
[nat]->[PREROUTING]->[KUBE-SERVICES]
```
[root@master-192 st]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
61 8106 cali-PREROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:6gwbT8clXdHdC1b1 */
63 8226 KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
pkts bytes target prot opt in out source destination
1858 112K cali-OUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:tVnHkvAo15HuiPy0 */
1888 113K KUBE-SERVICES all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */
```
KUBE-SERVICES matches on cluster IP, protocol and port. For the heketi service, a source outside the pod CIDR 10.254.0.0/16 first hits KUBE-MARK-MASQ (which sets the 0x4000 mark used later for SNAT), then every matching packet jumps to the per-service chain:
[KUBE-SERVICES]->[KUBE-SVC-7RUAH544RSSBQYKK]
```
Chain KUBE-SERVICES (2 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ udp -- * * !10.254.0.0/16 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
0 0 KUBE-SVC-TCOU7JCQXEZGVUNU udp -- * * 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
0 0 KUBE-MARK-MASQ tcp -- * * !10.254.0.0/16 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
0 0 KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- * * 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
0 0 KUBE-MARK-MASQ tcp -- * * !10.254.0.0/16 10.96.125.27 /* default/heketi: cluster IP */ tcp dpt:8080
0 0 KUBE-SVC-7RUAH544RSSBQYKK tcp -- * * 0.0.0.0/0 10.96.125.27 /* default/heketi: cluster IP */ tcp dpt:8080
0 0 KUBE-MARK-MASQ tcp -- * * !10.254.0.0/16 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:443
0 0 KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- * * 0.0.0.0/0 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:443
0 0 KUBE-MARK-MASQ tcp -- * * !10.254.0.0/16 10.96.232.136 /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
0 0 KUBE-SVC-NTYB37XIWATNM25Y tcp -- * * 0.0.0.0/0 10.96.232.136 /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
17 1020 KUBE-NODEPORTS all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
```
The per-service chain selects an endpoint; with a single endpoint there is just one unconditional jump:
[KUBE-SVC-7RUAH544RSSBQYKK]->[KUBE-SEP-IWORYNCAYHBSQHXU]
```
Chain KUBE-SVC-7RUAH544RSSBQYKK (2 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-SEP-IWORYNCAYHBSQHXU all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/heketi: */
```
The endpoint chain marks hairpin traffic (the pod 10.254.20.8 reaching its own service) for masquerade and then rewrites the destination to the pod IP and port:
[KUBE-SEP-IWORYNCAYHBSQHXU]->[DNAT]
```
Chain KUBE-SEP-IWORYNCAYHBSQHXU (1 references)
pkts bytes target prot opt in out source destination
0 0 KUBE-MARK-MASQ all -- * * 10.254.20.8 0.0.0.0/0 /* default/heketi: */
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/heketi: */ tcp to:10.254.20.8:8080
```
Now the SNAT side. POSTROUTING hands off to KUBE-POSTROUTING:
[POSTROUTING]->[KUBE-POSTROUTING]
```
Chain POSTROUTING (policy ACCEPT 31 packets, 1860 bytes)
pkts bytes target prot opt in out source destination
2011 121K cali-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* cali:O3lYWMrLQYEMJtB5 */
2055 123K KUBE-POSTROUTING all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */
```
Only packets carrying the 0x4000 mark set by KUBE-MARK-MASQ are masqueraded, so the pod sees the node's address as the source and the reply returns through the same node to be un-NATed:
[KUBE-POSTROUTING]->[MASQUERADE]
```
Chain KUBE-POSTROUTING (1 references)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000
```
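To make the DNAT and SNAT walk above reproducible, here is an added example (not part of the original post or of kube-proxy) that parses the `iptables -t nat -nvL` text for the heketi chains and traces one packet through KUBE-SERVICES, KUBE-SVC and KUBE-SEP, reporting the DNAT target and whether the 0x4000 masquerade mark was set. The sample text is constructed from the rules shown on this page; the function and field names are the example's own.

```python
import ipaddress
import re

# Constructed sample: the three kube-proxy chains for the heketi service, copied from the page's output.
SAMPLE = """\
Chain KUBE-SERVICES (2 references)
 pkts bytes target prot opt in out source destination
 0 0 KUBE-MARK-MASQ tcp -- * * !10.254.0.0/16 10.96.125.27 /* default/heketi: cluster IP */ tcp dpt:8080
 0 0 KUBE-SVC-7RUAH544RSSBQYKK tcp -- * * 0.0.0.0/0 10.96.125.27 /* default/heketi: cluster IP */ tcp dpt:8080
Chain KUBE-SVC-7RUAH544RSSBQYKK (2 references)
 pkts bytes target prot opt in out source destination
 0 0 KUBE-SEP-IWORYNCAYHBSQHXU all -- * * 0.0.0.0/0 0.0.0.0/0 /* default/heketi: */
Chain KUBE-SEP-IWORYNCAYHBSQHXU (1 references)
 pkts bytes target prot opt in out source destination
 0 0 KUBE-MARK-MASQ all -- * * 10.254.20.8 0.0.0.0/0 /* default/heketi: */
 0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* default/heketi: */ tcp to:10.254.20.8:8080
"""
def parse_chains(text):
    """Map chain name -> list of (target, proto, src, dst, match options) from `iptables -nvL` text."""
    chains, cur = {}, None
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "Chain":
            cur = chains.setdefault(f[1], [])
        elif f and f[0].isdigit() and cur is not None:
            # columns: pkts bytes target prot opt in out source destination [/* comment */] [match options]
            cur.append((f[2], f[3], f[7], f[8], re.sub(r"/\*.*?\*/", "", " ".join(f[9:]))))
    return chains

def addr_matches(spec, ip):
    """Source/destination column, honouring the '!' negation that the KUBE-MARK-MASQ rules use."""
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != spec.startswith("!")

def trace(chains, src, dst, proto, dport, chain="KUBE-SERVICES", state=None):
    """Walk the nat chains for one packet the way netfilter does; DNAT terminates the walk."""
    state = state if state is not None else {"dnat": None, "masq": False, "path": []}
    for target, rproto, rsrc, rdst, opts in chains.get(chain, []):
        if rproto not in ("all", proto) or not addr_matches(rsrc, src) or not addr_matches(rdst, dst) \
                or ((m := re.search(r"dpt:(\d+)", opts)) and int(m.group(1)) != dport):
            continue
        state["path"].append(f"{chain} -> {target}")
        if target == "KUBE-MARK-MASQ":
            state["masq"] = True  # mark 0x4000 set: KUBE-POSTROUTING will MASQUERADE this flow
        elif target == "DNAT":
            state["dnat"] = re.search(r"to:(\S+)", opts).group(1)
            return state
        elif target in chains:  # jump into the user-defined chain, e.g. KUBE-SVC-... -> KUBE-SEP-...
            trace(chains, src, dst, proto, dport, target, state)
            if state["dnat"]:
                return state
    return state
```

Tracing a pod source such as 10.254.20.9 yields the DNAT to 10.254.20.8:8080 without the mark, while a node or external source, or the pod 10.254.20.8 itself (hairpin), is additionally marked for masquerade.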