What does userspace mode mean in kube-proxy's proxy mode?


Question

kube-proxy has an option called --proxy-mode, and according to the help message, this option can be userspace or iptables. (See below)

# kube-proxy -h
Usage of kube-proxy:
...
      --proxy-mode="": Which proxy mode to use: 'userspace' (older, stable) or 'iptables' (experimental). If blank, look at the Node object on the Kubernetes API and respect the 'net.experimental.kubernetes.io/proxy-mode' annotation if provided.  Otherwise use the best-available proxy (currently userspace, but may change in future versions).  If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient, this always falls back to the userspace proxy.
...


I can't figure out what userspace mode means here.


Can anyone tell me what the working principle is when kube-proxy runs in userspace mode?

Answer

Userspace and iptables refer to what actually handles the connection forwarding. In both cases, local iptables rules are installed to intercept outbound TCP connections that have a destination IP address associated with a service.


In the userspace mode, the iptables rule forwards to a local port where a Go binary (kube-proxy) is listening for connections. The binary (running in userspace) terminates the connection, establishes a new connection to a backend for the service, and then forwards requests to the backend and responses back to the local process. An advantage of the userspace mode is that because the connections are created from an application, if the connection is refused, the application can retry to a different backend.


In iptables mode, the iptables rules are installed to directly forward packets that are destined for a service to a backend for the service. This is more efficient than moving the packets from the kernel to kube-proxy and then back to the kernel so it results in higher throughput and better tail latency. The main downside is that it is more difficult to debug, because instead of a local binary that writes a log to /var/log/kube-proxy you have to inspect logs from the kernel processing iptables rules.


In both cases there will be a kube-proxy binary running on your machine. In userspace mode it inserts itself as the proxy; in iptables mode it configures iptables rather than proxying connections itself. The same binary works in both modes, and the behavior is switched via a flag or by setting an annotation in the apiserver for the node.
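As an added example (not kube-proxy's own code and not part of the original answer), the Go program below does what the answer describes for userspace mode: it listens on a local port, terminates each intercepted connection, opens a new connection to a backend, and copies bytes in both directions, moving on to the next endpoint when one refuses the connection. `Service`, `StartProxy`, `StartBackend`, `DeadEndpoint` and `RoundTrip` are names chosen for this example; the echo backends are constructed stand-ins for pods, and the iptables rule quoted in the comment only illustrates how traffic would be steered to the local port, it is not the rule kube-proxy installs.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"strings"
	"sync"
	"time"
)

// Service is the endpoint list a userspace proxy would learn from the apiserver
// for one service (this example's own struct, not kube-proxy's).
type Service struct {
	mu        sync.Mutex
	Endpoints []string
	next      int
}

// pick hands out endpoints round-robin.
func (s *Service) pick() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	ep := s.Endpoints[s.next%len(s.Endpoints)]
	s.next++
	return ep
}

// DialBackend tries each endpoint once and moves on when one refuses. Because
// the proxy (not the client) opens this connection, it can retry elsewhere.
func DialBackend(s *Service, timeout time.Duration) (net.Conn, string, error) {
	var lastErr error
	for i := 0; i < len(s.Endpoints); i++ {
		ep := s.pick()
		if c, err := net.DialTimeout("tcp", ep, timeout); err == nil {
			return c, ep, nil
		} else {
			lastErr = err
		}
	}
	return nil, "", fmt.Errorf("no reachable backend: %w", lastErr)
}

func mustListen() net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	return ln
}

// StartProxy listens on a local port. In a real node an iptables rule such as
// "-t nat -A OUTPUT -d <clusterIP> -p tcp --dport <port> -j REDIRECT --to-ports <localPort>"
// (illustrative only) would deliver service traffic here. Each accepted
// connection is terminated, a fresh one is dialed to a backend, and bytes are
// copied both ways until either side closes.
func StartProxy(svc *Service) (addr string, stop func()) {
	ln := mustListen()
	go func() {
		for {
			client, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() {
				defer client.Close()
				backend, ep, err := DialBackend(svc, time.Second)
				if err != nil {
					log.Println(err) // client sees the connection close
					return
				}
				defer backend.Close()
				log.Printf("proxy %s -> %s", client.RemoteAddr(), ep)
				done := make(chan struct{}, 2)
				go func() { io.Copy(backend, client); done <- struct{}{} }()
				go func() { io.Copy(client, backend); done <- struct{}{} }()
				<-done // the deferred Close calls unblock the other copier
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// StartBackend is a constructed stand-in for a pod: it answers one line with
// "<name>:<line>" so a caller can see which endpoint served the request.
func StartBackend(name string) (addr string, stop func()) {
	ln := mustListen()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				defer c.Close()
				if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
					fmt.Fprintf(c, "%s:%s", name, line)
				}
			}()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// DeadEndpoint returns an address nothing listens on, so dialing it is refused,
// like a pod that disappeared before the proxy saw the endpoint update.
func DeadEndpoint() string {
	ln := mustListen()
	addr := ln.Addr().String()
	ln.Close()
	return addr
}

// RoundTrip plays the client: one line in through the proxy, one line back.
func RoundTrip(proxyAddr, msg string) (string, error) {
	c, err := net.DialTimeout("tcp", proxyAddr, time.Second)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := fmt.Fprintf(c, "%s\n", msg); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(c).ReadString('\n')
	return strings.TrimSpace(reply), err
}

func main() {
	live, stopLive := StartBackend("pod-b")
	defer stopLive()
	// First endpoint refuses; the proxy falls through to the live one.
	svc := &Service{Endpoints: []string{DeadEndpoint(), live}}
	proxy, stopProxy := StartProxy(svc)
	defer stopProxy()
	reply, err := RoundTrip(proxy, "hello")
	fmt.Println(reply, err) // pod-b:hello <nil>
}
```

The fallback in `DialBackend` is the point the answer makes about userspace mode: the refused connection is seen by the proxy, which can simply dial the next endpoint, whereas a kernel-level DNAT rule would have already committed the client's connection to the dead backend. The price is visible in `StartProxy`: every byte crosses the kernel boundary twice (client to proxy, proxy to backend), which is the throughput and tail-latency cost the answer attributes to userspace mode.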
