我可以直接从k8s节点访问K8s ClusterIP吗? [英] Can I access K8s ClusterIP from k8s node directly?

问题描述

我在ubuntu 14.04.4上使用k8s 1.2.

I am using k8s 1.2 on ubuntu 14.04.4.

以下是我的一个k8s奴才节点上的一些信息:

Here is some info on my one k8s minion node:

# cat /etc/os-release
NAME="Ubuntu"
VERSION="14.04.4 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.4 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

# uname -a
Linux k8s-010 3.19.0-47-generic #53~14.04.1-Ubuntu SMP Mon Jan 18 16:09:14 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

您知道，我将linux内核升级到3.19.0-47.

You see, I upgraded the linux kernel to 3.19.0-47.

以下是此节点上的kube-proxy日志:

here are kube-proxy log on this node:

# cat /var/log/upstart/kube-proxy.log.1
I0429 17:55:11.397842     985 server.go:200] Using iptables Proxier.
I0429 17:55:11.397941     985 server.go:213] Tearing down userspace rules.
I0429 17:55:12.408962     985 conntrack.go:36] Setting nf_conntrack_max to 262144
I0429 17:55:12.409050     985 conntrack.go:41] Setting conntrack hashsize to 65536
I0429 17:55:12.409288     985 conntrack.go:46] Setting nf_conntrack_tcp_timeout_established to 86400

我的k8s上有一些CLusetIp:

I have some CLusetIp on my k8s:

$ kubectl --namespace=enlighten get svc
NAME      CLUSTER-IP        EXTERNAL-IP   PORT(S)     AGE
mongo     192.168.15.118    <none>        27017/TCP   1d
mysql     192.168.4.191     <none>        3306/TCP    23h
redis     192.168.193.134   <none>        6379/TCP    1d

我发现此群集中的pod可以访问此CLusterIP. 但是，如果我尝试直接从节点主机访问此clusterIP，则会失败.

I found my pod in this cluster can access this CLusterIP. But If I tried to access this clusterIP from the node host directly, It failed.

我使用iptables-save转储规则.既然有很多规则，我将相关性过滤在:

I used iptables-save to dump the rules. Since there are a lot of rules, I filter the relevance in:

# iptables-save |grep -e mysql -e 192.168.4.191 -e "-A KUBE-MARK-MASQ" -e KUBE-SEP-HLHD6IM4G76NUUUM
:KUBE-SEP-HLHD6IM4G76NUUUM - [0:0]
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SEP-HLHD6IM4G76NUUUM -s 172.17.45.2/32 -m comment --comment "enlighten/mysql:" -j KUBE-MARK-MASQ
-A KUBE-SEP-HLHD6IM4G76NUUUM -p tcp -m comment --comment "enlighten/mysql:" -m tcp -j DNAT --to-destination 172.17.45.2:3306
-A KUBE-SERVICES -d 192.168.4.191/32 -p tcp -m comment --comment "enlighten/mysql: cluster IP" -m tcp --dport 3306 -j KUBE-SVC-FIZ3LEJD226YKZ4B
-A KUBE-SVC-FIZ3LEJD226YKZ4B -m comment --comment "enlighten/mysql:" -j KUBE-SEP-HLHD6IM4G76NUUUM

是WAD还是问题?

推荐答案

简短的回答是是. kube-proxy为每个服务生成IPtables规则，以便可以从主机和Pod对其进行访问.

The short answer is yes. kube-proxy generates IPtables rules for each service so that it can be accessed from both hosts and pods.

如有疑问，请在运行kube-proxy的主机上执行iptables -t nat -n -v ，然后搜索服务的IP.如果需要帮助，可以在此处将输出发布为评论.

When in doubt, execute iptables -t nat -n -v on a host where kube-proxy is running and search for the IP of the service. You can post the output here as a comment if you need help.

这篇关于我可以直接从k8s节点访问K8s ClusterIP吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！