Things to do
- Try a Service's NodePort
- Look at the actual iptables rules and check the configuration
Reference
qiita.com
Procedure
Trying it out
[tsubame@worker01 ~]$ sudo iptables -n -t nat -L > default_iptables.txt
Create the deployment (pods)
[tsubame@control-plane01 ~]$ kubectl create deployment --image nginx --port 80 --replicas 3 nginxdp
deployment.apps/nginxdp created
[tsubame@control-plane01 ~]$
[tsubame@worker01 ~]$ sudo iptables -n -t nat -L > create_deploy_iptables.txt
Create the service
- There are no errors
- The IP and NodePort can be confirmed
[tsubame@control-plane01 ~]$ kubectl expose deployment nginxdp --port 80 --target-port 80 --type NodePort
service/nginxdp exposed
[tsubame@control-plane01 ~]$
[tsubame@control-plane01 ~]$ kubectl describe services nginxdp
Name: nginxdp
Namespace: default
Labels: app=nginxdp
Annotations: <none>
Selector: app=nginxdp
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.101.195.167
IPs: 10.101.195.167
Port: <unset> 80/TCP
TargetPort: 80/TCP
NodePort: <unset> 30464/TCP
Endpoints: 192.168.133.187:80,192.168.133.31:80,192.168.158.70:80
Session Affinity: None
External Traffic Policy: Cluster
Events: <none>
[tsubame@control-plane01 ~]$
[tsubame@worker01 ~]$ sudo iptables -n -t nat -L > create_service_iptables.txt
[tsubame@worker01 ~]$ diff -U5 create_deploy_iptables.txt create_service_iptables.txt
--- create_deploy_iptables.txt 2023-08-27 19:13:53.711677687 +0900
+++ create_service_iptables.txt 2023-08-27 19:14:10.579175932 +0900
@@ -11,19 +11,25 @@
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */
+Chain KUBE-EXT-FBVXYASTTP7APHIO (1 references)
+target prot opt source destination
+KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 /* masquerade traffic for default/nginxdp external destinations */
+KUBE-SVC-FBVXYASTTP7APHIO all -- 0.0.0.0/0 0.0.0.0/0
+
Chain KUBE-KUBELET-CANARY (0 references)
target prot opt source destination
-Chain KUBE-MARK-MASQ (17 references)
+Chain KUBE-MARK-MASQ (22 references)
target prot opt source destination
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000
Chain KUBE-NODEPORTS (1 references)
target prot opt source destination
+KUBE-EXT-FBVXYASTTP7APHIO tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp */ tcp dpt:32149
Chain KUBE-POSTROUTING (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000/0x4000
MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK xor 0x4000
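Review bot: the node port in the added KUBE-NODEPORTS rule (tcp dpt:32149) does not match the NodePort 30464/TCP shown by kubectl describe above, so this diff was evidently captured from a different run of kubectl expose than the describe output; the text should say so, or both captures should be re-taken from the same run. Worth a sentence as well: the new KUBE-EXT-FBVXYASTTP7APHIO chain sends every NodePort packet through KUBE-MARK-MASQ before jumping to KUBE-SVC, which is what External Traffic Policy: Cluster looks like in iptables terms; the packet is SNATed to the node address on its way to the pod, so the pod (and nginx's access log) sees the node IP rather than the original client IP.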
@@ -35,10 +41,15 @@
Chain KUBE-SEP-2PCNEIITC6IVKETU (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 192.168.64.4 0.0.0.0/0 /* default/kubernetes:https */
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/kubernetes:https */ tcp to:192.168.64.4:6443
+Chain KUBE-SEP-2WH6BC6KPQ63CT55 (1 references)
+target prot opt source destination
+KUBE-MARK-MASQ all -- 192.168.133.186 0.0.0.0/0 /* default/nginxdp */
+DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp */ tcp to:192.168.133.186:80
+
Chain KUBE-SEP-46GKIX34E2YJF6KJ (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 192.168.184.241 0.0.0.0/0 /* kube-system/kube-dns:metrics */
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* kube-system/kube-dns:metrics */ tcp to:192.168.184.241:9153
@@ -55,10 +66,15 @@
Chain KUBE-SEP-ENBOKBYDTMSJBYWL (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 192.168.184.249 0.0.0.0/0 /* calico-apiserver/calico-api:apiserver */
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* calico-apiserver/calico-api:apiserver */ tcp to:192.168.184.249:5443
+Chain KUBE-SEP-F2ZETNJXRJWBFBT3 (1 references)
+target prot opt source destination
+KUBE-MARK-MASQ all -- 192.168.133.19 0.0.0.0/0 /* default/nginxdp */
+DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp */ tcp to:192.168.133.19:80
+
Chain KUBE-SEP-I4QJKZN36IZCLXAY (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 192.168.50.88 0.0.0.0/0 /* calico-system/calico-typha:calico-typha */
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* calico-system/calico-typha:calico-typha */ tcp to:192.168.50.88:5473
@@ -85,26 +101,39 @@
Chain KUBE-SEP-PTOI2ZNLEE4G6VCU (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 192.168.184.248 0.0.0.0/0 /* kube-system/kube-dns:dns-tcp */
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* kube-system/kube-dns:dns-tcp */ tcp to:192.168.184.248:53
+Chain KUBE-SEP-RU3ZZTEB56WZIAVS (1 references)
+target prot opt source destination
+KUBE-MARK-MASQ all -- 192.168.158.69 0.0.0.0/0 /* default/nginxdp */
+DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp */ tcp to:192.168.158.69:80
+
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- 0.0.0.0/0 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:443
KUBE-SVC-JD5MR3NA4I4DYORP tcp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
+KUBE-SVC-FBVXYASTTP7APHIO tcp -- 0.0.0.0/0 10.101.134.19 /* default/nginxdp cluster IP */ tcp dpt:80
KUBE-NODEPORTS all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- !192.168.128.0/18 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
KUBE-SEP-MKNYJ6G3NLGOIOAJ all -- 0.0.0.0/0 0.0.0.0/0 /* kube-system/kube-dns:dns-tcp -> 192.168.184.241:53 */ statistic mode random probability 0.50000000000
KUBE-SEP-PTOI2ZNLEE4G6VCU all -- 0.0.0.0/0 0.0.0.0/0 /* kube-system/kube-dns:dns-tcp -> 192.168.184.248:53 */
+Chain KUBE-SVC-FBVXYASTTP7APHIO (2 references)
+target prot opt source destination
+KUBE-MARK-MASQ tcp -- !192.168.128.0/18 10.101.134.19 /* default/nginxdp cluster IP */ tcp dpt:80
+KUBE-SEP-2WH6BC6KPQ63CT55 all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.133.186:80 */ statistic mode random probability 0.33333333349
+KUBE-SEP-F2ZETNJXRJWBFBT3 all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.133.19:80 */ statistic mode random probability 0.50000000000
+KUBE-SEP-RU3ZZTEB56WZIAVS all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.158.69:80 */
+
Chain KUBE-SVC-I24EZXP75AX5E7TU (1 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- !192.168.128.0/18 10.107.73.67 /* calico-apiserver/calico-api:apiserver cluster IP */ tcp dpt:443
KUBE-SEP-NYRECLY3UN27YOG2 all -- 0.0.0.0/0 0.0.0.0/0 /* calico-apiserver/calico-api:apiserver -> 192.168.184.198:5443 */ statistic mode random probability 0.50000000000
KUBE-SEP-ENBOKBYDTMSJBYWL all -- 0.0.0.0/0 0.0.0.0/0 /* calico-apiserver/calico-api:apiserver -> 192.168.184.249:5443 */
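Review bot: same mismatch for the cluster IP and endpoints: the added KUBE-SERVICES rule points at 10.101.134.19 while kubectl describe reports 10.101.195.167, and the KUBE-SEP targets (192.168.133.186, 192.168.133.19, 192.168.158.69) differ from the Endpoints line (192.168.133.187, 192.168.133.31, 192.168.158.70), so the two captures are from different runs. The probabilities in KUBE-SVC-FBVXYASTTP7APHIO also deserve a comment: 0.333... on the first KUBE-SEP rule, 0.5 of the remaining two thirds on the second, and the unconditional last rule gives each pod an even one-third share, not the 1/3, 1/2, 1 a reader might take at face value.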
[tsubame@worker01 ~]$
- NodePort also creates a ClusterIP, but that was covered previously, so it is omitted here
A definition is added to the overall services chain (KUBE-SERVICES)
- The definition for the NodePort service's IP address (its cluster IP) has been added
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-SVC-NPX46M4PTMTKRN6Y tcp -- 0.0.0.0/0 10.96.0.1 /* default/kubernetes:https cluster IP */ tcp dpt:443
KUBE-SVC-JD5MR3NA4I4DYORP tcp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns cluster IP */ udp dpt:53
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- 0.0.0.0/0 10.96.0.10 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:53
+KUBE-SVC-FBVXYASTTP7APHIO tcp -- 0.0.0.0/0 10.101.134.19 /* default/nginxdp cluster IP */ tcp dpt:80
KUBE-NODEPORTS all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL
The NodePort definition is added (KUBE-NODEPORTS)
Chain KUBE-NODEPORTS (1 references)
target prot opt source destination
+KUBE-EXT-FBVXYASTTP7APHIO tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp */ tcp dpt:32149
The NodePort definition is added (KUBE-EXT chain)
+Chain KUBE-EXT-FBVXYASTTP7APHIO (1 references)
+target prot opt source destination
+KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 /* masquerade traffic for default/nginxdp external destinations */
+KUBE-SVC-FBVXYASTTP7APHIO all -- 0.0.0.0/0 0.0.0.0/0
Balancing across the worker servers
+Chain KUBE-SVC-FBVXYASTTP7APHIO (2 references)
+target prot opt source destination
+KUBE-MARK-MASQ tcp -- !192.168.128.0/18 10.101.134.19 /* default/nginxdp cluster IP */ tcp dpt:80
+KUBE-SEP-2WH6BC6KPQ63CT55 all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.133.186:80 */ statistic mode random probability 0.33333333349
+KUBE-SEP-F2ZETNJXRJWBFBT3 all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.133.19:80 */ statistic mode random probability 0.50000000000
+KUBE-SEP-RU3ZZTEB56WZIAVS all -- 0.0.0.0/0 0.0.0.0/0 /* default/nginxdp -> 192.168.158.69:80 */
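To check the whole path walked through above in one go, here is an added example (my own code, not from the post or from kube-proxy) that parses `iptables -n -t nat -L` output, follows KUBE-NODEPORTS -> KUBE-EXT -> KUBE-SVC -> KUBE-SEP for a given node port, and works out the share of connections each pod really gets from the "statistic mode random" probabilities. The sample text is constructed from the post's diff, trimmed to the rules on that path.

```python
# Added example, not from the original post: trace the NodePort chain path in
# `iptables -n -t nat -L` output and compute each pod's effective traffic share.
import re
# Constructed sample: the default/nginxdp chains from the post's diff, trimmed to
# the jumps on the NodePort path (column headers and KUBE-SEP masq rules dropped).
SAMPLE = """\
Chain KUBE-NODEPORTS (1 references)
KUBE-EXT-FBVXYASTTP7APHIO  tcp  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp */ tcp dpt:32149
Chain KUBE-EXT-FBVXYASTTP7APHIO (1 references)
KUBE-MARK-MASQ  all  --  0.0.0.0/0  0.0.0.0/0  /* masquerade traffic for default/nginxdp external destinations */
KUBE-SVC-FBVXYASTTP7APHIO  all  --  0.0.0.0/0  0.0.0.0/0
Chain KUBE-SVC-FBVXYASTTP7APHIO (2 references)
KUBE-MARK-MASQ  tcp  -- !192.168.128.0/18  10.101.134.19  /* default/nginxdp cluster IP */ tcp dpt:80
KUBE-SEP-2WH6BC6KPQ63CT55  all  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp -> 192.168.133.186:80 */ statistic mode random probability 0.33333333349
KUBE-SEP-F2ZETNJXRJWBFBT3  all  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp -> 192.168.133.19:80 */ statistic mode random probability 0.50000000000
KUBE-SEP-RU3ZZTEB56WZIAVS  all  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp -> 192.168.158.69:80 */
Chain KUBE-SEP-2WH6BC6KPQ63CT55 (1 references)
DNAT  tcp  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp */ tcp to:192.168.133.186:80
Chain KUBE-SEP-F2ZETNJXRJWBFBT3 (1 references)
DNAT  tcp  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp */ tcp to:192.168.133.19:80
Chain KUBE-SEP-RU3ZZTEB56WZIAVS (1 references)
DNAT  tcp  --  0.0.0.0/0  0.0.0.0/0  /* default/nginxdp */ tcp to:192.168.158.69:80
"""

def parse_chains(text):
    """Map chain name -> [(target, rest_of_rule)] from `iptables -n -L` output."""
    chains, rules = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            rules = chains.setdefault(line.split()[1], [])
        elif line.strip() and not line.startswith("target") and rules is not None:
            target, _, rest = line.partition(" ")
            rules.append((target, rest))
    return chains

def trace_nodeport(chains, node_port):
    """Return {pod_endpoint: share of new connections} for one NodePort, evaluated
    as the kernel does: rule i takes fraction p of what the rules above it left."""
    ext = next(t for t, r in chains["KUBE-NODEPORTS"] if re.search(rf"dpt:{node_port}\b", r))
    svc = next(t for t, _ in chains[ext] if t.startswith("KUBE-SVC-"))
    shares, remaining = {}, 1.0
    for target, rest in chains[svc]:
        if not target.startswith("KUBE-SEP-"):
            continue  # KUBE-MARK-MASQ only sets a mark; evaluation continues
        m = re.search(r"probability (\S+)", rest)
        share = remaining * float(m.group(1)) if m else remaining  # last rule: the rest
        remaining -= share
        dnat = next(r for t, r in chains[target] if t == "DNAT")  # pod IP:port
        shares[re.search(r"to:(\S+)", dnat).group(1)] = share
    return shares
```

Run it on a real dump with `parse_chains(open("create_service_iptables.txt").read())` and the node port from kubectl describe; the three shares come out at one third each, which is the even distribution the chained probabilities encode.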