Kubernetes application deployment and access


I. Application deployment

# Deploy httpd with 2 replicas.
root@k8s:~# kubectl create deployment httpd-test --image=httpd --replicas=2
deployment.apps/httpd-test created


# Pod IP addresses come from the --pod-network-cidr=10.244.0.0/16 range given when the cluster was installed.
root@k8s:~# kubectl get pod -o wide
NAME                         READY   STATUS    RESTARTS   AGE     IP           NODE    NOMINATED NODE   READINESS GATES
httpd-app-675b65488d-6kgk6   1/1     Running   0          20h     10.244.2.2   node2   <none>           <none>
httpd-app-675b65488d-9w69v   1/1     Running   0          20h     10.244.1.2   node1   <none>           <none>
httpd-test-fd769fcb7-nbqsn   1/1     Running   0          2m29s   10.244.2.3   node2   <none>           <none>
httpd-test-fd769fcb7-nnm99   1/1     Running   0          2m29s   10.244.1.3   node1   <none>           <none>


The httpd-app-* pods belong to a deployment for which only kubectl create deployment was run; no kubectl expose deployment was run for it. Pod IPs are assigned per pod and change whenever a pod is recreated, which is why the next section puts a Service in front of them.


# Every pod is reachable directly by its pod IP (from a node; the CNI routes the pod network between nodes)
root@k8s:~# curl 10.244.1.2
<html><body><h1>It works!</h1></body></html>
root@k8s:~# curl 10.244.2.2
<html><body><h1>It works!</h1></body></html>
root@k8s:~# curl 10.244.1.3
<html><body><h1>It works!</h1></body></html>
root@k8s:~# curl 10.244.2.3
<html><body><h1>It works!</h1></body></html>

II. Publishing and accessing services

A Service is the central abstraction in Kubernetes. It selects, by label, the set of pods that provide the same function, gives them one stable entry address, and load-balances incoming connections across the backend Endpoints (the pods themselves).

When a Service is published it has one of several types:

  • ClusterIP: the default ServiceType; reachable only from inside the cluster;
  • NodePort: reachable from outside the cluster through the IP of any cluster node, in the form NodeIP:NodePort;
  • LoadBalancer: reachable from outside the cluster; normally used on public clouds, where the provider allocates an external load balancer in front of a NodePort.

1. Accessing httpd via ClusterIP (inside the cluster)

(1) Expose the service. Without --type, the type defaults to ClusterIP.

root@k8s:~# kubectl expose deployment httpd-test --port=80
service/httpd-test exposed

(2) httpd service information

# List all services
root@k8s:~# kubectl get services --all-namespaces
NAMESPACE     NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                  AGE
default       httpd-test   ClusterIP   10.97.122.105   <none>        80/TCP                   6s
default       kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP                  44h
kube-system   kube-dns     ClusterIP   10.96.0.10      <none>        53/UDP,53/TCP,9153/TCP   44h
# Details of httpd-test
root@k8s:~# kubectl describe services httpd-test
Name:              httpd-test
Namespace:         default
Labels:            app=httpd-test
Annotations:       <none>
Selector:          app=httpd-test
Type:              ClusterIP
IP Family Policy:  SingleStack
IP Families:       IPv4
IP:                10.97.122.105 # the service CLUSTER-IP
IPs:               10.97.122.105
Port:              <unset>  80/TCP
TargetPort:        80/TCP
Endpoints:         10.244.1.3:80,10.244.2.3:80 # Pod IP:PORT of the pods matched by the selector
Session Affinity:  None
Events:            <none>

(3) Access httpd via the ClusterIP

root@k8s:/etc/kubernetes# curl 10.97.122.105
<html><body><h1>It works!</h1></body></html>

2. Accessing httpd-app via NodePort (outside the cluster)

The ways to reach a service from outside the cluster are LoadBalancer, NodePort and Ingress.

# A Service named httpd-test (the ClusterIP one above) already exists, so exposing the same deployment again fails:
root@k8s:/etc/kubernetes# kubectl expose deployment httpd-test --port=80 --type=NodePort
Error from server (AlreadyExists): services "httpd-test" already exists


# Expose the other deployment, httpd-app, as a NodePort service instead:
root@k8s:/etc/kubernetes# kubectl expose deployment httpd-app --port=80 --type=NodePort
service/httpd-app exposed


root@k8s:/etc/kubernetes# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
httpd-app    NodePort    10.106.113.156   <none>        80:31248/TCP   14s
httpd-test   ClusterIP   10.97.122.105    <none>        80/TCP         3h43m
kubernetes   ClusterIP   10.96.0.1        <none>        443/TCP        2d


# The NodePort service still has a ClusterIP, reachable from inside the cluster as before:
root@k8s:/etc/kubernetes# curl 10.106.113.156
<html><body><h1>It works!</h1></body></html>

# The node IP on port 80 refuses the connection: nothing listens there, the service port is only meaningful on the ClusterIP.
root@k8s:/etc/kubernetes# curl 30.0.1.180
curl: (7) Failed to connect to 30.0.1.180 port 80: Connection refused

# The node IP on the allocated NodePort reaches the service:
root@k8s:/etc/kubernetes# curl 30.0.1.180:31248
<html><body><h1>It works!</h1></body></html>

root@k8s:~# kubectl describe services httpd-app
Name:                     httpd-app
Namespace:                default
Labels:                   app=httpd-app
Annotations:              <none>
Selector:                 app=httpd-app
Type:                     NodePort
IP Family Policy:         SingleStack
IP Families:              IPv4
IP:                       10.106.113.156 # ClusterIP
IPs:                      10.106.113.156
Port:                     <unset>  80/TCP
TargetPort:               80/TCP
NodePort:                 <unset>  31248/TCP # reachable as NodeIP:31248 on every node
Endpoints:                10.244.1.2:80,10.244.2.2:80 # Pod IP + port
Session Affinity:         None
External Traffic Policy:  Cluster
Events:                   <none>

III. Behind the scenes: how the access works

The ClusterIP path is "ClusterIP --> Pod IP".

The NodePort path is "NodeIP:NodePort --> Pod IP". NodePort traffic is not first rewritten to the ClusterIP: as the rules below show, the KUBE-NODEPORTS entry rule jumps straight to the same KUBE-SVC chain that the ClusterIP rule uses, so both paths share one load-balancing chain.

How are these translations done? In its default iptables mode, kube-proxy on every node programs the kernel's nat table: the destination is rewritten with DNAT, and where needed the source is masqueraded (SNAT). The rules can be dumped on the node with iptables -S -t nat:

root@k8s:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N KUBE-KUBELET-CANARY
-N KUBE-MARK-DROP
-N KUBE-MARK-MASQ
-N KUBE-NODEPORTS
-N KUBE-POSTROUTING
-N KUBE-PROXY-CANARY
-N KUBE-SEP-5OCXZNKOYHPOQMHR
-N KUBE-SEP-6E7XQMQ4RAYOWTTM
-N KUBE-SEP-B7WZ6X3JS7NGRAGL
-N KUBE-SEP-C3AY35NSVPYD6C6M
-N KUBE-SEP-IT2ZTR26TO4XFPTO
-N KUBE-SEP-JEHA6AXBK4XAVWB5
-N KUBE-SEP-MPQE5E3FPNMZ422T
-N KUBE-SEP-N4G2XR5TDX7PQE7P
-N KUBE-SEP-YIL6JZP7A3QYXJU2
-N KUBE-SEP-ZP3FB6NMPNCO4VBJ
-N KUBE-SEP-ZXMNUKOKXUTL2MK2
-N KUBE-SERVICES
-N KUBE-SVC-47MZKVTVFE2WTG5V
-N KUBE-SVC-ERIFXISQEP7F7OF4
-N KUBE-SVC-JD5MR3NA4I4DYORP
-N KUBE-SVC-NPX46M4PTMTKRN6Y
-N KUBE-SVC-TCOU7JCQXEZGVUNU
-N KUBE-SVC-ZLFK63IBL3TQ6LW7
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
-A POSTROUTING -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5OCXZNKOYHPOQMHR -s 10.244.1.3/32 -m comment --comment "default/httpd-test" -j KUBE-MARK-MASQ
-A KUBE-SEP-5OCXZNKOYHPOQMHR -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -s 10.244.2.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SEP-C3AY35NSVPYD6C6M -s 30.0.1.180/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-C3AY35NSVPYD6C6M -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 30.0.1.180:6443
-A KUBE-SEP-IT2ZTR26TO4XFPTO -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-IT2ZTR26TO4XFPTO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -s 10.244.1.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-MPQE5E3FPNMZ422T -s 10.244.2.3/32 -m comment --comment "default/httpd-test" -j KUBE-MARK-MASQ
-A KUBE-SEP-MPQE5E3FPNMZ422T -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.2.3:80
-A KUBE-SEP-N4G2XR5TDX7PQE7P -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-N4G2XR5TDX7PQE7P -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.2:9153
-A KUBE-SEP-YIL6JZP7A3QYXJU2 -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-YIL6JZP7A3QYXJU2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.3:9153
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.97.122.105/32 -p tcp -m comment --comment "default/httpd-test cluster IP" -m tcp --dport 80 -j KUBE-SVC-ZLFK63IBL3TQ6LW7
-A KUBE-SERVICES -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-47MZKVTVFE2WTG5V ! -s 10.244.0.0/16 -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-JEHA6AXBK4XAVWB5
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -j KUBE-SEP-B7WZ6X3JS7NGRAGL
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-IT2ZTR26TO4XFPTO
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-ZXMNUKOKXUTL2MK2
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-N4G2XR5TDX7PQE7P
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-ZP3FB6NMPNCO4VBJ
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-C3AY35NSVPYD6C6M
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YIL6JZP7A3QYXJU2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-6E7XQMQ4RAYOWTTM
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 ! -s 10.244.0.0/16 -d 10.97.122.105/32 -p tcp -m comment --comment "default/httpd-test cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5OCXZNKOYHPOQMHR
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -j KUBE-SEP-MPQE5E3FPNMZ422T

A NodePort request has the form NodeIP:31248; searching the dump for 31248 finds the entry rule:

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-SVC-47MZKVTVFE2WTG5V

It jumps to chain KUBE-SVC-47MZKVTVFE2WTG5V, where the two rules quoted below choose a backend: the first matches 50% of new connections at random, and the unconditional second rule takes the remainder, so each pod receives half. Two details in the full dump matter from a security point of view. The same chain starts with a KUBE-MARK-MASQ rule matching --dport 31248, so every connection arriving through the NodePort is marked for SNAT (this is External Traffic Policy: Cluster): the pod sees a node IP as the source, not the real client address, so access logs inside the pod cannot attribute requests. And KUBE-SERVICES hands packets to KUBE-NODEPORTS for any destination that is a local address of the node (-m addrtype --dst-type LOCAL), so port 31248 answers on every interface of every node, not only the one tested above; anything that can reach a node can reach the service unless a host firewall or security group blocks it.

-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-JEHA6AXBK4XAVWB5
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -j KUBE-SEP-B7WZ6X3JS7NGRAGL

KUBE-SEP-JEHA6AXBK4XAVWB5 DNATs to port 80 of 10.244.1.2, and KUBE-SEP-B7WZ6X3JS7NGRAGL DNATs to port 80 of 10.244.2.2. The first rule of each SEP chain (-s <pod IP>/32 -j KUBE-MARK-MASQ) handles the hairpin case, where a pod connects to its own service and is picked as the backend: its source is masqueraded so the reply comes back through NAT instead of going directly pod-to-pod.

-A KUBE-SEP-JEHA6AXBK4XAVWB5 -s 10.244.1.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -s 10.244.2.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.2.2:80
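The chain walk done by hand above can be automated. The following shell script is an added example and is not code from the original article. It takes the text of iptables -S -t nat (here a constructed excerpt copied from the dump above; on a real node replace RULES with the live output), follows a NodePort or ClusterIP entry rule through the KUBE-SVC-* and KUBE-SEP-* chains to the DNAT targets, computes the share of connections each endpoint receives from the --probability rules, and reports whether the NodePort path is marked for SNAT. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original article: resolve kube-proxy nat chains
# from `iptables -S -t nat` text down to pod endpoints. RULES is a constructed
# excerpt copied from the article's dump; on a node use: RULES=$(iptables -S -t nat)
export LC_ALL=C

RULES='
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-SERVICES -d 10.97.122.105/32 -p tcp -m comment --comment "default/httpd-test cluster IP" -m tcp --dport 80 -j KUBE-SVC-ZLFK63IBL3TQ6LW7
-A KUBE-SERVICES -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-47MZKVTVFE2WTG5V ! -s 10.244.0.0/16 -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-JEHA6AXBK4XAVWB5
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -j KUBE-SEP-B7WZ6X3JS7NGRAGL
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5OCXZNKOYHPOQMHR
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -j KUBE-SEP-MPQE5E3FPNMZ422T
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -s 10.244.1.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -s 10.244.2.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SEP-5OCXZNKOYHPOQMHR -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MPQE5E3FPNMZ422T -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.2.3:80
'

# entry_chain CHAIN NEEDLE1 [NEEDLE2]: print the -j target of the first rule in
# CHAIN whose text contains both needles (trailing spaces stop "80" matching "8080").
entry_chain() {
  printf '%s\n' "$RULES" | awk -v chain="$1" -v n1="$2" -v n2="$3" '
    $1 == "-A" && $2 == chain && index($0, n1) && (n2 == "" || index($0, n2)) {
      for (i = 3; i < NF; i++) if ($i == "-j") { print $(i + 1); exit }
    }'
}

# walk_chain CHAIN: depth-first walk from CHAIN printing "podIP:port=share" for
# every DNAT target. A rule with --probability P takes P of what is left of the
# chain, an unconditional jump takes all of it; KUBE-MARK-MASQ jumps are ignored.
walk_chain() {
  printf '%s\n' "$RULES" | awk -v start="$1" '
    $1 == "-A" {
      chain = $2; tgt = ""; prob = 1; dest = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-j") tgt = $(i + 1)
        if ($i == "--probability") prob = $(i + 1) + 0
        if ($i == "--to-destination") dest = $(i + 1)
      }
      if (tgt == "DNAT" || tgt ~ /^KUBE-(SVC|SEP)-/) {
        k = ++cnt[chain]
        kind[chain, k] = (tgt == "DNAT") ? "dnat" : "jump"
        arg[chain, k] = (tgt == "DNAT") ? dest : tgt
        p[chain, k] = prob
      }
    }
    function walk(c, share,    i, rem, take) {
      rem = share
      for (i = 1; i <= cnt[c]; i++) {
        take = rem * p[c, i]
        if (kind[c, i] == "dnat") out = out sprintf(" %s=%.2f", arg[c, i], take)
        else walk(arg[c, i], take)
        rem -= take
      }
    }
    END { walk(start, 1.0); sub(/^ /, "", out); print out }'
}

# resolve_nodeport PORT: endpoints behind a NodePort (entry rule in KUBE-NODEPORTS).
resolve_nodeport() {
  svc=$(entry_chain KUBE-NODEPORTS "--dport $1 " "")
  [ -n "$svc" ] || { echo "no NodePort rule for port $1" >&2; return 1; }
  walk_chain "$svc"
}

# resolve_clusterip IP PORT: endpoints behind a ClusterIP (entry rule in KUBE-SERVICES).
resolve_clusterip() {
  svc=$(entry_chain KUBE-SERVICES "-d $1/32 " "--dport $2 ")
  [ -n "$svc" ] || { echo "no ClusterIP rule for $1:$2" >&2; return 1; }
  walk_chain "$svc"
}

# nodeport_is_snat PORT: true when kube-proxy marks NodePort traffic for masquerade
# (externalTrafficPolicy: Cluster), i.e. the pod sees a node IP, not the client's.
nodeport_is_snat() {
  printf '%s\n' "$RULES" | grep -q -- "--dport $1 -j KUBE-MARK-MASQ"
}

echo "NodePort 31248           -> $(resolve_nodeport 31248)"
echo "ClusterIP 10.97.122.105  -> $(resolve_clusterip 10.97.122.105 80)"
echo "ClusterIP 10.106.113.156 -> $(resolve_clusterip 10.106.113.156 80)"
nodeport_is_snat 31248 && echo "NodePort 31248 is SNATed: pods see a node IP, not the client IP"
```

Resolving the NodePort and the ClusterIP of httpd-app gives the same two endpoints with the same shares, which is the concrete form of the point made above: both entry rules land in one KUBE-SVC chain. The share calculation generalises beyond two backends: kube-proxy emits probabilities 1/n, 1/(n-1), ... down to an unconditional last rule, and multiplying each by what the earlier rules left over recovers an equal split.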
Disclaimer: this article and its figures were written by a contributing author or reposted with the permission of a partner site. The views are the author's own and do not represent the position of 电子发烧友网 (elecfans). The article and figures are for engineers' study only.