k8s 网络基础
pod
Field | Description |
---|---|
containerPort | integer Number of port to expose on the pod's IP address. This must be a valid port number, 0 < x < 65536. |
hostIP | string What host IP to bind the external port to. |
hostPort | integer Number of port to expose on the host. If specified, this must be a valid port number, 0 < x < 65536. If HostNetwork is specified, this must match ContainerPort. Most containers do not need this. |
name | string If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services. |
protocol | string Protocol for port. Must be UDP or TCP. Defaults to "TCP". |
重点关注containerPort,他与Pod IP组成了endpoint,Pod IP就是docker0网桥分配的IP,有pause容器拥有,Pod其他容器与pause容器公用一个network namespace。
关于containerPort有个问题,如果一个pod中有2个容器,2个容器暴露相同的port,为什么可以?两个容器应该是公用pause容器的网络协议栈,如果tcp来了,到底是访问哪个容器的里面的进程?
如果简单点想尽快从外部访问pod,就可以直接指定hostPort,一般不推荐。
这个问题需要理解pause,待解决
serivce
Field | Description |
---|---|
name | string The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. This maps to the 'Name' field in EndpointPort objects. Optional if only one ServicePort is defined on this service. |
nodePort | integer The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport |
port | integer The port that will be exposed by this service. |
protocol | string The IP protocol for this port. Supports "TCP" and "UDP". Default is TCP. |
targetPort | Number or name of the port to access on the pods targeted by the service. Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. If this is a string, it will be looked up as a named port in the target Pod's container ports. If this is not specified, the value of the 'port' field is used (an identity map). This field is ignored for services with clusterIP=None, and should be omitted or set equal to the 'port' field. More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service |
- targetPort,将外部流量映射到对应Pod的Container Port
- port就是service port,与cluster ip组合就是k8s内部服务互相通信的地址
- nodePort:暴露给外部程序使用,需要与node ip一起使用,配合type: NodePort
service的网络信息早期采用ENV管理,后期通过DNS系统,直接使用service name访问cluster ip。
cluster ip
为什么cluster ip不能ping?
Headless Service
设置clusterIP: None,自己做LB,而非k8s做LB,提供cluster IP,减少网络损耗。直接返回对应ep。
endpoints
service通过label selector筛选合适的pod,然后post到同名的Endpoints对象,Endpoints对象保存Endpoint,即Pod IP + Container Port
[图片上传失败...(image-83ad0d-1536978807340)]
endpoints用法:
- 使用外部非k8s服务,比如外部还没有容器化的数据库服务
- 把一个service指向其他的service
具体流程:
- 创建一个没有label selector的service,因为没有选择器,所以就没有对应的Endpoints对象
- 手动创建Endpoints对象,重点是想要代理的服务地址
比如这里有个场景,batch服务的task多副本,一个task对应一个service,一个pod;那么如何对这些task多副本做一个统一的入口呢?我们可以在这些services上面再加一个serivce,然后手动创建对应的Endpoints,这里注意endpoint必须是pod ip,而不能是cluster ip,至于为什么暂时不清楚。
详见services