iptables in k8s

iptables usually refers to the firewall on Linux. It consists of two components, netfilter and iptables: netfilter is the kernel-space component, and iptables is the user-space component that provides adding, deleting and querying of firewall rules.

A Kubernetes Service uses iptables to forward and route traffic to its backend pods. Below we trace the concrete rules.

service

The Service has the following mapping:

clusterip:port       podip:port
10.96.125.27:8080    10.254.20.8:8080
[root@master-192 st]# kubectl describe svc heketi
Name:                     heketi
Namespace:                default
Labels:                   app=heketi
Annotations:              
Selector:                 app=heketi
Type:                     NodePort
IP:                       10.96.125.27
Port:                       8080/TCP
TargetPort:               8080/TCP
NodePort:                   31131/TCP
Endpoints:                10.254.20.8:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   

[root@master-192 st]# kubectl get pod -o wide
NAME                      READY   STATUS    RESTARTS   AGE   IP            NODE
heketi-5bb88f8854-7hpgx   1/1     Running   0          1d    10.254.20.8   master-192

iptables

First, the DNAT side.

[nat]->[PREROUTING]->[KUBE-SERVICES]

[root@master-192 st]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   61  8106 cali-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6gwbT8clXdHdC1b1 */
   63  8226 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1858  112K cali-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
 1888  113K KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

[KUBE-SERVICES]->[KUBE-SVC-7RUAH544RSSBQYKK]

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  udp  --  *      *      !10.254.0.0/16        10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
    0     0 KUBE-SVC-TCOU7JCQXEZGVUNU  udp  --  *      *       0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
    0     0 KUBE-SVC-ERIFXISQEP7F7OF4  tcp  --  *      *       0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
    0     0 KUBE-SVC-7RUAH544RSSBQYKK  tcp  --  *      *       0.0.0.0/0            10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:443
    0     0 KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  *      *       0.0.0.0/0            10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:443
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.232.136        /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
    0     0 KUBE-SVC-NTYB37XIWATNM25Y  tcp  --  *      *       0.0.0.0/0            10.96.232.136        /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
   17  1020 KUBE-NODEPORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

[KUBE-SVC-7RUAH544RSSBQYKK]->[KUBE-SEP-IWORYNCAYHBSQHXU]

Chain KUBE-SVC-7RUAH544RSSBQYKK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-IWORYNCAYHBSQHXU  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */

[KUBE-SEP-IWORYNCAYHBSQHXU]->[DNAT]

Chain KUBE-SEP-IWORYNCAYHBSQHXU (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  *      *       10.254.20.8          0.0.0.0/0            /* default/heketi: */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */ tcp to:10.254.20.8:8080

Now the SNAT side.

[POSTROUTING]->[KUBE-POSTROUTING]

Chain POSTROUTING (policy ACCEPT 31 packets, 1860 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2011  121K cali-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O3lYWMrLQYEMJtB5 */
 2055  123K KUBE-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes postrouting rules */

[KUBE-POSTROUTING]->[MASQUERADE]

Chain KUBE-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000
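As an added illustration (not part of the original post), the Python below replays the chain walk traced above offline: it parses a constructed excerpt of the `iptables -t nat -nvL` listing, follows the jumps from PREROUTING for a given source, destination and port, and returns the DNAT target together with whether KUBE-MARK-MASQ fired (which is what makes KUBE-POSTROUTING MASQUERADE the flow). The source addresses fed to resolve() are assumed sample values; the rules themselves are copied from the listing.

```python
import re
import ipaddress
# Constructed excerpt of the `iptables -t nat -nvL` listing above (heketi rules only, headers dropped).
NAT_DUMP = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
   63  8226 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */
Chain KUBE-SERVICES (2 references)
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
    0     0 KUBE-SVC-7RUAH544RSSBQYKK  tcp  --  *      *       0.0.0.0/0            10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
Chain KUBE-SVC-7RUAH544RSSBQYKK (2 references)
    0     0 KUBE-SEP-IWORYNCAYHBSQHXU  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */
Chain KUBE-SEP-IWORYNCAYHBSQHXU (1 references)
    0     0 KUBE-MARK-MASQ  all  --  *      *       10.254.20.8          0.0.0.0/0            /* default/heketi: */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */ tcp to:10.254.20.8:8080
"""
# columns: pkts bytes target prot opt in out source destination [match text]
RULE = re.compile(r"^\s*\S+\s+\S+\s+(\S+)\s+(\S+)\s+--\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(dump):
    chains, cur = {}, None  # chain name -> [(target, proto, src, dst, extra), ...]
    for line in dump.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and (m := RULE.match(line)):
            chains[cur].append(m.groups())
    return chains

def addr_match(spec, ip):  # iptables prints a negated address match as !CIDR
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != spec.startswith("!")

def walk(chains, chain, proto, src, dst, dport, masq=False):
    """Follow jumps like netfilter: DNAT terminates, a user chain returns if nothing matched."""
    for target, rproto, rsrc, rdst, extra in chains.get(chain, []):
        port = re.search(r"dpt:(\d+)", extra)
        if rproto not in ("all", proto) or not addr_match(rsrc, src) \
                or not addr_match(rdst, dst) or (port and int(port.group(1)) != dport):
            continue
        if target == "KUBE-MARK-MASQ":
            masq = True  # 0x4000 mark set; KUBE-POSTROUTING will MASQUERADE this flow
        elif target == "DNAT":
            return re.search(r"to:(\S+)", extra).group(1), masq
        elif target in chains:
            hit, masq = walk(chains, target, proto, src, dst, dport, masq)
            if hit:
                return hit, masq
    return None, masq

def resolve(src, dst, dport, proto="tcp"):
    return walk(parse_chains(NAT_DUMP), "PREROUTING", proto, src, dst, dport)
```

A pod source inside 10.254.0.0/16 reaches the backend without the masquerade mark, while a source outside the pod CIDR (or the backend pod calling its own Service, the hairpin case) is marked and will be SNATed on the way out.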
