k8s service \u53ef\u4ee5\u770b\u505a\u662f\u591a\u4e2a Pod \u7684\u8d1f\u8f7d\u5747\u8861\u3002\u6709\u4ee5\u4e0b\u51e0\u79cd service:<\/p>\n
\u5728 service \u7684\u6f14\u8fdb\u4e2d\uff0c\u4ece\u6700\u521d\u7684 userspace \u7684\u65b9\u6848\u53d8\u6210 iptables \u548c ipvs \u7684\u65b9\u6848\uff0c\u5176\u4e2d\uff0cipvs \u4e3b\u8981\u662f\u89e3\u51b3\u4e86 iptables \u7684\u6027\u80fd\u95ee\u9898\u3002\u8fd9\u7bc7\u6587\u7ae0\u4e3b\u8981\u5206\u6790 iptables \u5982\u4f55\u5b9e\u73b0 service \u7684\u8d1f\u8f7d\u5747\u8861\u3002<\/p>\n
ClusterIP \u662f\u63d0\u4f9b\u5728\u96c6\u7fa4\u4e2d\u8bbf\u95ee Service \u7684\u65b9\u6848\uff0c\u901a\u5e38\u6bcf\u4e2a Service \u90fd\u4f1a\u5206\u914d\u4e00\u4e2a VIP\uff0c\u7136\u540e\u4e3a\u591a\u4e2a Pod \u63d0\u4f9b\u8d1f\u8f7d\u5747\u8861\u3002\u8fd9\u91cc\u6211\u4eec\u521b\u5efa\u4e24\u4e2a\u526f\u672c\u7684 nginx \u90e8\u7f72\uff0c\u4ee5\u53ca\u4e00\u4e2a nginx service\u3002\u5177\u4f53\u4fe1\u606f\u5982\u4e0b\uff1a<\/p>\n
$ kubectl get endpoints nginx\nNAME ENDPOINTS AGE\nnginx 172.17.0.4:80,172.17.0.5:80 65m\n\n$ kubectl get service nginx\nNAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE\nnginx ClusterIP 10.111.67.225 <none> 80\/TCP 65m\n<\/code><\/pre>\n\u5728\u96c6\u7fa4\u4e2d\u8bbf\u95ee nginx.default.svc.cluster.local<\/code> \u65f6\uff0cDNS \u4f1a\u5c06\u8fd9\u4e2a\u5730\u5740\u89e3\u6790\u5230 Service \u7684 IP \u4e0a\uff0c\u4e5f\u5c31\u662f 10.111.67.225<\/code>\u3002\u4e0b\u9762\u6211\u4eec\u770b\u770b iptables \u662f\u5982\u4f55\u5c06\u8bbf\u95ee\u8fd9\u4e2a\u5730\u5740\u7684\u6d41\u91cf\u8f6c\u5230\u771f\u5b9e\u7684 Pod \u4e0a\u7684\u3002<\/p>\n\u9996\u5148\u770b\u4e00\u4e0b nat \u8868\u4e0a\u7684 OUTPUT \u94fe:<\/p>\n
$ iptables -t nat -nL OUTPUT\nChain OUTPUT (policy ACCEPT)\ntarget prot opt source destination\nKUBE-SERVICES all -- 0.0.0.0\/0 0.0.0.0\/0 \/* kubernetes service portals *\/\nDOCKER all -- 0.0.0.0\/0 !127.0.0.0\/8 ADDRTYPE match dst-type LOCAL\n<\/code><\/pre>\n\u7b2c\u4e00\u6761\u89c4\u5219\u4f1a\u5339\u914d\u6240\u6709\u7684\u6d41\u91cf\uff0c\u7136\u540e\u8df3\u5230 KUBE-SERVICES<\/code> \u8fd9\u6761\u94fe\u4e0a\u3002\u6211\u4eec\u770b\u4e00\u4e0b KUBE-SERVICES<\/code> \u7684\u5177\u4f53\u5185\u5bb9\uff1a<\/p>\n$ iptables -t nat -nL KUBE-SERVICES\nChain KUBE-SERVICES (2 references)\ntarget prot opt source destination\nKUBE-SVC-NPX46M4PTMTKRN6Y tcp -- 0.0.0.0\/0 10.96.0.1 \/* default\/kubernetes:https cluster IP *\/ tcp dpt:443\nKUBE-SVC-P4Q3KNUAWJVP4ILH tcp -- 0.0.0.0\/0 10.111.67.225 \/* default\/nginx:http cluster IP *\/ tcp dpt:80\nKUBE-SVC-TCOU7JCQXEZGVUNU udp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:dns cluster IP *\/ udp dpt:53\nKUBE-SVC-ERIFXISQEP7F7OF4 tcp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:dns-tcp cluster IP *\/ tcp dpt:53\nKUBE-SVC-JD5MR3NA4I4DYORP tcp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:metrics cluster IP *\/ tcp dpt:9153\nKUBE-NODEPORTS all -- 0.0.0.0\/0 0.0.0.0\/0 \/* kubernetes service nodeports; NOTE: this must be the last rule in this chain *\/ ADDRTYPE match dst-type LOCAL\n<\/code><\/pre>\n\u8fd9\u91cc\u524d\u9762\u7684 KUBE-SVC-*<\/code> \u90fd\u662f\u6839\u636e destination\uff0c protocol \u548c\u76ee\u7684\u7aef\u53e3\u53f7\u6765\u5339\u914d\u7684\uff0c\u6839\u636e\u6211\u4eec\u7684 service \u5730\u5740\u548c\u7aef\u53e3\u53f7\u4ee5\u53ca\u534f\u8bae\uff0c\u53ef\u4ee5\u5b9a\u4f4d\u5230 KUBE-SVC-P4Q3KNUAWJVP4ILH<\/code> \u8fd9\u6761\u89c4\u5219\u53ef\u4ee5\u5339\u914d\uff0c\u7136\u540e\u8df3\u5230\u8fd9\u6761\u94fe\u4e0a\u3002\u6211\u4eec\u63a5\u7740\u770b\u8fd9\u6761\u94fe\u5b9a\u4e49\u4e86\u4ec0\u4e48\uff1a<\/p>\n$ iptables -t nat -nL KUBE-SVC-P4Q3KNUAWJVP4ILH\nChain KUBE-SVC-P4Q3KNUAWJVP4ILH (1 references)\ntarget prot opt source destination\nKUBE-SEP-GL7IUDQTUTXSADHR all -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/ statistic mode random probability 0.50000000000\nKUBE-SEP-VMO3WCKZND6ZICDD all -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/\n<\/code><\/pre>\n\u6709\u4e24\u6761\u89c4\u5219\uff0c\u6839\u636e\u7b2c\u4e00\u6761\u89c4\u5219\u540e\u9762\u7684\u5185\u5bb9\uff0c\u6211\u4eec\u53ef\u4ee5\u77e5\u9053\u8fd9\u5c31\u662f\u4f7f\u7528 iptables \u5b9e\u73b0\u8d1f\u8f7d\u5747\u8861\u7684\u5730\u65b9\u4e86\u3002\u7b2c\u4e00\u6761\u89c4\u5219\u6709 50% \u7684\u5339\u914d\u51e0\u7387\u3002\u5982\u679c\u5339\u914d\u5230\u4e86\u5176\u4e2d\u4e00\u6761\uff0c\u5c31\u4f1a\u8df3\u5230\u53e6\u5916\u4e00\u4e2a\u94fe\u4e0a\u3002\u6bd4\u5982\uff1a<\/p>\n
$ iptables -t nat -nL KUBE-SEP-GL7IUDQTUTXSADHR\nChain KUBE-SEP-GL7IUDQTUTXSADHR (1 references)\ntarget prot opt source destination\nKUBE-MARK-MASQ all -- 172.17.0.4 0.0.0.0\/0 \/* default\/nginx:http *\/\nDNAT tcp -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/ tcp to:172.17.0.4:80\n<\/code><\/pre>\n\u5176\u4e2d\u7b2c\u4e00\u6761\u89c4\u5219\u7684 source \u662f Pod \u7684 IP\uff0c\u5728\u8bbf\u95ee Service \u65f6\u76ee\u524d\u8fd8\u4e0d\u4f1a\u5339\u914d\uff0c\u4e8e\u662f\u6211\u4eec\u770b\u7b2c\u4e8c\u6761\u89c4\u5219\uff0c\u5c06\u76ee\u7684 IP \u548c Port \u6539\u5199\u6210 172.17.0.4:80\uff0c\u4e5f\u5c31\u662f\u6211\u4eec\u7684 Pod IP\uff0c\u8fd9\u6837\u6d41\u91cf\u5c31\u7ecf\u8fc7\u8d1f\u8f7d\u5747\u8861\u6307\u5411\u4e86\u6211\u4eec\u7684 Pod\u4e86\u3002<\/p>\n
NodePort<\/h2>\n
\u6211\u4eec\u5c06\u4e0a\u9762\u7684 Service \u6539\u6210 NodePort<\/p>\n
nginx NodePort 10.111.67.225 <none> 80:30000\/TCP 34h\n<\/code><\/pre>\n\u7136\u540e\u67e5\u8be2\u673a\u5668\u4e0a\u7684 30000 \u7aef\u53e3\u3002<\/p>\n
$ ss -lp | grep 30000\ntcp LISTEN 0 0 0.0.0.0:30000 0.0.0.0:* users:((\"kube-proxy\",pid=4006,fd=8))\n<\/code><\/pre>\n\u53ef\u4ee5\u770b\u5230, kube-proxy<\/code> \u76d1\u542c\u4e86 30000 \u7aef\u53e3\uff0c\u540c\u65f6\u6211\u4eec\u770b nat \u8868\u4e0a\u7684 PREROUTING<\/code> \u94fe\u3002<\/p>\nKUBE-SERVICES all -- 0.0.0.0\/0 0.0.0.0\/0 \/* kubernetes service portals *\/\n<\/code><\/pre>\n\u518d\u770b KUBE-SERVICES<\/code><\/p>\nKUBE-SVC-TCOU7JCQXEZGVUNU udp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:dns cluster IP *\/ udp dpt:53\nKUBE-SVC-ERIFXISQEP7F7OF4 tcp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:dns-tcp cluster IP *\/ tcp dpt:53\nKUBE-SVC-JD5MR3NA4I4DYORP tcp -- 0.0.0.0\/0 10.96.0.10 \/* kube-system\/kube-dns:metrics cluster IP *\/ tcp dpt:9153\nKUBE-SVC-NPX46M4PTMTKRN6Y tcp -- 0.0.0.0\/0 10.96.0.1 \/* default\/kubernetes:https cluster IP *\/ tcp dpt:443\nKUBE-SVC-P4Q3KNUAWJVP4ILH tcp -- 0.0.0.0\/0 10.111.67.225 \/* default\/nginx:http cluster IP *\/ tcp dpt:80\nKUBE-NODEPORTS all -- 0.0.0.0\/0 0.0.0.0\/0 \/* kubernetes service nodeports; NOTE: this must be the last rule in this chain *\/ ADDRTYPE match dst-type LOCAL\n<\/code><\/pre>\n\u6700\u540e\u4e00\u6761 KUBE-NODEPORTS<\/code> \u53ef\u4ee5\u5339\u914d\u5230\uff0c\u8fd9\u91cc\u6709\u4e2a\u5339\u914d\u6761\u4ef6\uff0c\u90a3\u5c31\u662f ADDRTYPE match dst-type LOCAL<\/code>\u3002\u6ce8\u610f\u8fd9\u91cc\u7684 LOCAL<\/code> \u6307\u7684\u662f\u672c\u673a\u7f51\u5361\u4e0a\u5b58\u5728\u7684\u5730\u5740\uff0c\u4e5f\u5c31\u662f\u8fd9\u6761\u6570\u636e\u662f\u53d1\u5230\u672c\u673a\uff0c\u90a3\u4e48\u5c31\u80fd\u5339\u914d\u3002<\/p>\nKUBE-NODEPORTS<\/code> \u7684\u89c4\u5219\u5982\u4e0b\uff1a<\/p>\nKUBE-MARK-MASQ tcp -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/ tcp dpt:30000\nKUBE-SVC-P4Q3KNUAWJVP4ILH tcp -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/ tcp dpt:30000\n<\/code><\/pre>\n\u7b2c\u4e00\u6761\u89c4\u5219\u662f\u66ff\u6362\u6e90\u5730\u5740\u4e3a\u672c\u673a\u51fa\u53e3\u7684\u7f51\u5361\u5730\u5740\u3002\u7b2c\u4e8c\u6761\u89c4\u5219\u5982\u4e0b\uff1a<\/p>\n
KUBE-SEP-F3MS6OIYSABTYGOY all -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/ statistic mode random probability 0.50000000000\nKUBE-SEP-VMO3WCKZND6ZICDD all -- 0.0.0.0\/0 0.0.0.0\/0 \/* default\/nginx:http *\/\n<\/code><\/pre>\n\u8fd9\u91cc\u6211\u4eec\u5728 ClusterIP<\/code> \u4e2d\u5c31\u5206\u6790\u4e86\u5b9e\u73b0\u65b9\u6cd5\uff0c\u56e0\u6b64\u8fd9\u91cc\u5ffd\u7565\u3002<\/p>\nLoadBalancer<\/h2>\n
LoadBalancer \u672c\u8eab\u4e0d\u662f\u7531 Kubernetes \u63d0\u4f9b\u7684\uff0c\u5176\u539f\u7406\u8bf4\u8d77\u6765\u4e5f\u4e0d\u96be\uff0c\u6211\u4eec\u5148\u521b\u5efa\u4e00\u4e2a LoadBalancer \u7684 Service \u770b\u770b\uff1a<\/p>\n
nginx LoadBalancer 10.111.67.225 <pending> 80:32014\/TCP 34h\n<\/code><\/pre>\n\u8fd9\u91cc\u56e0\u4e3a\u6211\u7684\u672c\u5730\u96c6\u7fa4\u6ca1\u6709 LoadBalancer\uff0c\u6240\u4ee5\u4e00\u76f4\u5904\u4e8e Pending \u72b6\u6001\u3002\u4f46\u662f\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c\u8fd9\u91cc\u8fd8\u6709\u4e00\u4e2a 80:32014<\/code>\u3002\u548c\u4e0a\u9762\u7684 NodePort \u8f93\u51fa\u4e00\u81f4\u3002\u4e5f\u5c31\u662f\u8bf4\u521b\u5efa LoadBalancer \u65f6\uff0c\u4f1a\u5728 Pod \u6240\u5728\u7684\u673a\u5668\u4e0a\u5f00\u542f NodePort\uff0c\u7136\u540e\u7531\u5916\u90e8\u7684 LoadBalancer \u5c06\u8d1f\u8f7d\u5747\u8861\u8fc7\u7684\u6d41\u91cf\u5e26\u5230\u673a\u5668\u7684\u6307\u5b9a\u7684 NodePort \u4e0a\u3002<\/p>\n\u4e00\u4e9b\u6709\u610f\u601d\u7684\u53c2\u6570<\/h2>\n
\u8fd9\u91cc\u987a\u4fbf\u591a\u63d0\u51e0\u4e2a\u6709\u610f\u601d\u7684Service \u53c2\u6570<\/p>\n
externalTrafficPolicy<\/code>\uff1a\u53ef\u9009\u503c\u6709 Local<\/code> \u548c Cluster<\/code>\u3002<\/p>\n\n- Local: \u6d41\u91cf\u53ea\u4f1a\u88ab\u5bfc\u5411\u672c\u673a\u7684 Pod\uff0c\u8fd9\u6837\u5c31\u5c11\u4e00\u6b21\u5305\u7684\u8f6c\u53d1\uff0c\u63d0\u9ad8\u6027\u80fd\u3002\u4f46\u662f\u7f3a\u70b9\u662f\u5982\u679c\u5bb9\u6613\u5bfc\u81f4\u8d1f\u8f7d\u4e0d\u5747\u8861\u3002<\/li>\n
- Cluster: \u5728\u96c6\u7fa4\u8303\u56f4\u5185\u8f6c\u53d1\u6d41\u91cf<\/li>\n<\/ul>\n
\u5982\u679c\u80fd\u4fdd\u8bc1 Pod \u5747\u5300\u7684\u5206\u5e03\u5728\u4e0d\u540c\u7684\u8282\u70b9\u4e0a\uff0c\u90a3\u4e48\u5916\u90e8\u7684 LoadBalancer \u914d\u5408 Local \u7684 externalTrafficPolicy \u53ef\u4ee5\u5e26\u6765\u66f4\u597d\u7684\u6027\u80fd\u3002<\/p>\n
sessionAffinity<\/code>: \u4f1a\u8bdd\u4eb2\u548c\u6027\uff0c\u53ef\u4ee5\u8bbe\u7f6e\u4e3a ClientIP\uff0c\u6765\u8fbe\u5230\u5c06\u540c\u4e00\u4e2a IP \u7684\u4f1a\u8bdd\u8f6c\u53d1\u5230\u76f8\u540c\u7684 Pod \u4e0a\u3002\u5176\u4e5f\u662f\u901a\u8fc7 iptables \u5b9e\u73b0\u7684\u3002<\/p>\nKUBE-SEP-Q7ZFI57LOFFPF3HN all -- 0.0.0.0\/0 0.0.0.0\/0 \/* test\/nginx-session-affinity:http *\/ recent: CHECK seconds: 10800 reap name: KUBE-SEP-Q7ZFI57LOFFPF3HN side: source mask: 255.255.255.255\nKUBE-SEP-LWUZWBNY6M3CYJ2M all -- 0.0.0.0\/0 0.0.0.0\/0 \/* test\/nginx-session-affinity:http *\/ recent: CHECK seconds: 10800 reap name: KUBE-SEP-LWUZWBNY6M3CYJ2M side: source mask: 255.255.255.255\nKUBE-SEP-Q7ZFI57LOFFPF3HN all -- 0.0.0.0\/0 0.0.0.0\/0 \/* test\/nginx-session-affinity:http *\/ statistic mode random probability 0.50000000000\nKUBE-SEP-LWUZWBNY6M3CYJ2M all -- 0.0.0.0\/0 0.0.0.0\/0 \/* test\/nginx-session-affinity:http *\/\n<\/code><\/pre>\n\u8fd9\u4e2a iptables \u7684\u524d\u4e24\u6761\u89c4\u5219\u5c31\u662f\u5728\u505a iptables \u7684\u68c0\u67e5\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"