k8s之iptables

iptables 通常就是指linux上的防火墙,主要分为netfilter和iptables两个组件。netfilter为内核空间的组件,iptables为用户空间的组件,提供添加,删除查询防火墙规则的功能。

kubernetes的service通过iptables来做后端pod的转发和路由,下面来跟踪具体的规则。

service

有如下的映射关系

clusterip:port podip:port
10.96.125.27:8080 10.254.20.8:8080 
[root@master-192 st]# kubectl describe svc heketi
Name:                     heketi
Namespace:                default
Labels:                   app=heketi
Annotations:              <none>
Selector:                 app=heketi
Type:                     NodePort
IP:                       10.96.125.27
Port:                     <unset>  8080/TCP
TargetPort:               8080/TCP
NodePort:                 <unset>  31131/TCP
Endpoints:                10.254.20.8:8080
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

[root@master-192 st]# kubectl get pod -o wide
NAME                      READY   STATUS    RESTARTS   AGE   IP            NODE
heketi-5bb88f8854-7hpgx   1/1     Running   0          1d    10.254.20.8   master-192

iptables

先看DNAT

[nat]->[PREROUTING]->[KUBE-SERVICES]

[root@master-192 st]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   61  8106 cali-PREROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:6gwbT8clXdHdC1b1 */
   63  8226 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 16 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1858  112K cali-OUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:tVnHkvAo15HuiPy0 */
 1888  113K KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

[KUBE-SERVICES]->[KUBE-SVC-7RUAH544RSSBQYKK]

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  udp  --  *      *      !10.254.0.0/16        10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
    0     0 KUBE-SVC-TCOU7JCQXEZGVUNU  udp  --  *      *       0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
    0     0 KUBE-SVC-ERIFXISQEP7F7OF4  tcp  --  *      *       0.0.0.0/0            10.96.0.10           /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
    0     0 KUBE-SVC-7RUAH544RSSBQYKK  tcp  --  *      *       0.0.0.0/0            10.96.125.27         /* default/heketi: cluster IP */ tcp dpt:8080
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:443
    0     0 KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  *      *       0.0.0.0/0            10.96.0.1            /* default/kubernetes:https cluster IP */ tcp dpt:443
    0     0 KUBE-MARK-MASQ  tcp  --  *      *      !10.254.0.0/16        10.96.232.136        /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
    0     0 KUBE-SVC-NTYB37XIWATNM25Y  tcp  --  *      *       0.0.0.0/0            10.96.232.136        /* kube-system/calico-etcd: cluster IP */ tcp dpt:6666
   17  1020 KUBE-NODEPORTS  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

[KUBE-SVC-7RUAH544RSSBQYKK]->[KUBE-SEP-IWORYNCAYHBSQHXU

Chain KUBE-SVC-7RUAH544RSSBQYKK (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-SEP-IWORYNCAYHBSQHXU  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */

[KUBE-SEP-IWORYNCAYHBSQHXU]->[DNAT ]

Chain KUBE-SEP-IWORYNCAYHBSQHXU (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 KUBE-MARK-MASQ  all  --  *      *       10.254.20.8          0.0.0.0/0            /* default/heketi: */
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/heketi: */ tcp to:10.254.20.8:8080

再看SNAT

[POSTROUTING ]->[KUBE-POSTROUTING]

Chain POSTROUTING (policy ACCEPT 31 packets, 1860 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 2011  121K cali-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* cali:O3lYWMrLQYEMJtB5 */
 2055  123K KUBE-POSTROUTING  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes postrouting rules */

[KUBE-POSTROUTING ]->[MASQUERADE]

Chain KUBE-POSTROUTING (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000
©著作权归作者所有,转载或内容合作请联系作者
平台声明:文章内容(如有图片或视频亦包括在内)由作者上传并发布,文章内容仅代表作者本人观点,简书系信息发布平台,仅提供信息存储服务。

推荐阅读更多精彩内容

  • LINUX防火墙iptables
    1.安全技术 (1)入侵检测与管理系统(Intrusion Detection Systems): 特点是不阻断任...
    尛尛大尹阅读 2,500评论 0 2
  • Linux之iptables详解及tcpdump
    1 前言 防火墙(Firewall),就是一个隔离工具,工作于主机或者网络的边缘,对于进出本主机或本网络的报文,根...
    魏镇坪阅读 7,047评论 1 23
  • linux:iptables详解
    iptabels是与Linux内核集成的包过滤防火墙系统,几乎所有的linux发行版本都会包含iptables的功...
    随风化作雨阅读 4,822评论 1 16
  • Linux的iptables相关知识和fail2ban的结合使用
    目前市面上比较常见的有3、4层的防火墙,叫网络层的防火墙,还有7层的防火墙,其实是代理层的网关。 三层的防火墙会在...
    辉耀辉耀阅读 2,694评论 0 2
  • 永远的宇智波鼬
    你没有活在现实里,可是你把感动和无私的爱带给了现世。 那一双带着可怕与杀戮的眼睛,那一双带着忧伤与孤独的眼睛...
    揚灵阅读 823评论 1 9