How do Kubernetes NodePort services with Service.spec.externalTrafficPolicy=Local route traffic?

Views: 306

Question

There seems to be two contradictory explanations of how NodePort services route traffic. Services can route traffic to one of the two, not both:

  1. Nodes (through the kube-proxy) According to kubectl explain Service.spec.externalTrafficPolicy and this article that adds more detail, packets incoming to NodePort services with Service.spec.externalTrafficPolicy=Local set get routed to a kube-proxy, which then routes the packets to the corresponding pods it's running.
    • This kube-proxy networking documentation further supports this theory adding that endpoints add a rule in the service's IPtable that forwards traffic to nodes through the kube-proxy.

If one of these is right, then I must be misunderstanding something.

  • If services route to nodes, then why can I edit endpoints without breaking the IPtables?
  • If services route to pods, then why would services go through the trouble of routing to nodes when Service.spec.externalTrafficPolicy is set?

Answer

A Service is a virtual address/port managed by kube-proxy. Services forward traffic to their associated endpoints, which are usually pods but as you mentioned, can be set to any destination IP/Port.

A NodePort Service doesn't change the endpoint side of the service; the NodePort allows external traffic into the Service via a port on a node.

kube-proxy can use 3 methods to implement the forwarding of a service from Node to destination.

  • userspace
  • iptables
  • ipvs

Most clusters use iptables, which is what is described below. I use the term "forward" instead of "route" because services use Network Address Translation (or the proxy) to "forward" traffic rather than standard network routing.

The service ClusterIP is a virtual entity managed by kube-proxy. This address/port combination is available on every node in the cluster and forwards any local (pod) service traffic to the endpoints' IP and port.

                                         / Pod (remote node)
Pod -- ClusterIP/Port -- KUBE-SVC-NAT  --  Pod
                                         \ Pod (remote node)

A service with a NodePort is the same as above, with the addition of a way to forward external traffic into the cluster via a Node. kube-proxy manages an additional rule to watch for external traffic and forward it into the same service rules.

Ext --     NodePort   \                / Pod (remote node)
                        KUBE-SVC-NAT --  Pod
Pod -- ClusterIP/Port /                \ Pod (remote node)

The externalTrafficPolicy=Local setting makes a NodePort service use only a local Pod to service the incoming traffic. This avoids a network hop which removes the need to rewrite the source of the packet (via NAT). This results in the real network IP arriving at the pod servicing the connection, rather than one of the cluster nodes being the source IP.

Ext --     NodePort   \                  Pod (remote node)
                        KUBE-SVC-NAT --  Pod (local)
Pod -- ClusterIP/Port /                  Pod (remote node)

iptables

I recommend attempting to trace a connection from source to destination for a service or nodeport on a host. It requires a bit of iptables knowledge but I think it's worthwhile.

To list all the services ip/ports that will be forwarded:

iptables -vnL -t nat KUBE-SERVICES

To list all the nodeports that will be forwarded:

iptables -vnL -t nat KUBE-NODEPORTS

Once you have the rule, you can jump through KUBE-SVC-XXX "target" rules in the full output.

iptables -vnL -t nat | less
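As an added example (not part of the original answer), the chain walk described above can be automated over a saved copy of the nat table: the script parses constructed `iptables-save -t nat` output, finds the KUBE-NODEPORTS rule for a given node port and follows the -j jumps until it reaches the DNAT rules that name the endpoints. The chain suffixes, ClusterIP, pod IPs and ports in the sample are made up for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save -t nat` output; chain suffixes, IPs and
# ports are made up for this example and do not come from a real cluster.
SAMPLE = """\
*nat
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m tcp --dport 80 -j KUBE-SVC-ABCD1234
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m tcp --dport 30080 -j KUBE-SVC-ABCD1234
-A KUBE-SVC-ABCD1234 -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-AAAA0001
-A KUBE-SVC-ABCD1234 -j KUBE-SEP-BBBB0002
-A KUBE-SEP-AAAA0001 -p tcp -m tcp -j DNAT --to-destination 10.244.1.5:8080
-A KUBE-SEP-BBBB0002 -p tcp -m tcp -j DNAT --to-destination 10.244.2.7:8080
COMMIT
"""

# One "-A <chain> <match spec> -j <target> [--to-destination <ip:port>]" line.
RULE = re.compile(r'^-A (\S+) (.*?)-j (\S+)(?: --to-destination (\S+))?')

def parse_rules(text):
    """Map chain name -> list of (match_spec, target, dnat_destination)."""
    chains = defaultdict(list)
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            chain, spec, target, dnat = m.groups()
            chains[chain].append((spec.strip(), target, dnat))
    return chains

def follow(chains, chain, path=(), seen=frozenset()):
    """Depth-first walk of -j jumps from `chain`; returns (chain path, DNAT dest) leaves."""
    leaves = []
    for _spec, target, dnat in chains.get(chain, []):
        if target == "DNAT":
            leaves.append((path + (chain,), dnat))
        elif target in chains and target not in seen:  # skip builtin targets and loops
            leaves.extend(follow(chains, target, path + (chain,), seen | {chain}))
    return leaves

def trace_nodeport(text, port):
    """Resolve the endpoints a NodePort forwards to, starting at KUBE-NODEPORTS."""
    chains = parse_rules(text)
    results = []
    for spec, target, _ in chains["KUBE-NODEPORTS"]:
        if f"--dport {port} " in spec + " " and target in chains:
            results.extend(follow(chains, target, ("KUBE-NODEPORTS",), {"KUBE-NODEPORTS"}))
    return results

if __name__ == "__main__":
    for path, dest in trace_nodeport(SAMPLE, 30080):
        print(" -> ".join(path), "-> DNAT", dest)
```

Feed it the real output of `iptables-save -t nat` from a node to see which KUBE-SEP chains (and therefore which pod IPs) a node port can reach from that host.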
