一、应用部署
# 部署httpd,2个副本。
root@k8s:~# kubectl create deployment httpd-test --image=httpd --replicas=2
deployment.apps/httpd-test created
# pod IP地址为安装时指定的--pod-network-cidr=10.244.0.0/16地址段。
root@k8s:~# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
httpd-app-675b65488d-6kgk6 1/1 Running 0 20h 10.244.2.2 node2
httpd-app-675b65488d-9w69v 1/1 Running 0 20h 10.244.1.2 node1
httpd-test-fd769fcb7-nbqsn 1/1 Running 0 2m29s 10.244.2.3 node2
httpd-test-fd769fcb7-nnm99 1/1 Running 0 2m29s 10.244.1.3 node1
httpd-app-*为仅执行了kubectl create deployment,而没有执行kubectl expose deployment。
# 通过POD ID地址都能访问
root@k8s:~# curl 10.244.1.2
It works!1>
root@k8s:~# curl 10.244.2.2
It works!1>
root@k8s:~# curl 10.244.1.3
It works!1>
root@k8s:~# curl 10.244.2.3
It works!1>
二、服务发布与访问
Service是Kubernetes最核心的概念,本质上是筛选具有相同功能的容器,并提供一个统一的入口地址,进而进行负载并分发到后端的Endpoint(容器应用)上。
kubernetes发布Service时,有不同的类型:
1、通过ClusterIP访问httpd(集群内部)
(1)对外开放服务(ClusterIP),不指定--type,默认为ClusterIP。
root@k8s:~# kubectl expose deployment httpd-test --port=80
service/httpd-test exposed
(2)httpd 服务信息
# 查看所有的服务
root@k8s:~# kubectl get services --all-namespaces
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default httpd-test ClusterIP 10.97.122.105 80/TCP 6s
default kubernetes ClusterIP 10.96.0.1 443/TCP 44h
kube-system kube-dns ClusterIP 10.96.0.10 53/UDP,53/TCP,9153/TCP 44h
# httpd-test的详细信息
root@k8s:~# kubectl describe services httpd-test
Name: httpd-test
Namespace: default
Labels: app=httpd-test
Annotations:
Selector: app=httpd-test
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.97.122.105 # service CLUSTER-IP
IPs: 10.97.122.105
Port: 80/TCP
TargetPort: 80/TCP
Endpoints: 10.244.1.3:80,10.244.2.3:80 # Pod IP:PORT
Session Affinity: None
Events:
(3)通过CLUSTERID访问httpd
root@k8s:/etc/kubernetes# curl 10.97.122.105
<html><body><h1>It works!h1>body>html>
2、通过NodePorT访问httpd-app(集群外部)
集群外部访问服务的方式有:Loadblancer;Nodeport;ingress。
root@k8s:/etc/kubernetes# kubectl expose deployment httpd-test --port=80 --type=NodePort
Error from server (AlreadyExists): services "httpd-test" already exists
root@k8s:/etc/kubernetes# kubectl expose deployment httpd-app --port=80 --type=NodePort
service/httpd-app exposed
root@k8s:/etc/kubernetes# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-app NodePort 10.106.113.156 80:31248/TCP 14s
httpd-test ClusterIP 10.97.122.105 80/TCP 3h43m
kubernetes ClusterIP 10.96.0.1 443/TCP 2d
root@k8s:/etc/kubernetes# curl 10.106.113.156
It works!1>
root@k8s:/etc/kubernetes# curl 30.0.1.180
curl: (7) Failed to connect to 30.0.1.180 port 80: Connection refused
root@k8s:/etc/kubernetes# curl 30.0.1.180:31248
It works!1>
root@k8s:~# kubectl describe services httpd-app
Name: httpd-app
Namespace: default
Labels: app=httpd-app
Annotations:
Selector: app=httpd-app
Type: NodePort
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.106.113.156 # ClusterIP
IPs: 10.106.113.156
Port: 80/TCP
TargetPort: 80/TCP
NodePort: 31248/TCP # NODEIP + 端口号
Endpoints: 10.244.1.2:80,10.244.2.2:80 # PODID + 端口号
Session Affinity: None
External Traffic Policy: Cluster
Events:
三、访问应用的背后
ClusterIP对应的链路是“cluster ip --> POD IP”;
NodePort对应的链路是“NodePort -- clusterIP --> POD IP”。
那么,这些链路是如何转换的呢?基本原理是通过iptables的NAT转换进行的。
root@k8s:~# iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-N KUBE-KUBELET-CANARY
-N KUBE-MARK-DROP
-N KUBE-MARK-MASQ
-N KUBE-NODEPORTS
-N KUBE-POSTROUTING
-N KUBE-PROXY-CANARY
-N KUBE-SEP-5OCXZNKOYHPOQMHR
-N KUBE-SEP-6E7XQMQ4RAYOWTTM
-N KUBE-SEP-B7WZ6X3JS7NGRAGL
-N KUBE-SEP-C3AY35NSVPYD6C6M
-N KUBE-SEP-IT2ZTR26TO4XFPTO
-N KUBE-SEP-JEHA6AXBK4XAVWB5
-N KUBE-SEP-MPQE5E3FPNMZ422T
-N KUBE-SEP-N4G2XR5TDX7PQE7P
-N KUBE-SEP-YIL6JZP7A3QYXJU2
-N KUBE-SEP-ZP3FB6NMPNCO4VBJ
-N KUBE-SEP-ZXMNUKOKXUTL2MK2
-N KUBE-SERVICES
-N KUBE-SVC-47MZKVTVFE2WTG5V
-N KUBE-SVC-ERIFXISQEP7F7OF4
-N KUBE-SVC-JD5MR3NA4I4DYORP
-N KUBE-SVC-NPX46M4PTMTKRN6Y
-N KUBE-SVC-TCOU7JCQXEZGVUNU
-N KUBE-SVC-ZLFK63IBL3TQ6LW7
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 10.244.0.0/16 -d 10.244.0.0/16 -j RETURN
-A POSTROUTING -s 10.244.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/24 -j RETURN
-A POSTROUTING ! -s 10.244.0.0/16 -d 10.244.0.0/16 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A KUBE-MARK-DROP -j MARK --set-xmark 0x8000/0x8000
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
-A KUBE-SEP-5OCXZNKOYHPOQMHR -s 10.244.1.3/32 -m comment --comment "default/httpd-test" -j KUBE-MARK-MASQ
-A KUBE-SEP-5OCXZNKOYHPOQMHR -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-6E7XQMQ4RAYOWTTM -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -s 10.244.2.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SEP-C3AY35NSVPYD6C6M -s 30.0.1.180/32 -m comment --comment "default/kubernetes:https" -j KUBE-MARK-MASQ
-A KUBE-SEP-C3AY35NSVPYD6C6M -p tcp -m comment --comment "default/kubernetes:https" -m tcp -j DNAT --to-destination 30.0.1.180:6443
-A KUBE-SEP-IT2ZTR26TO4XFPTO -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-IT2ZTR26TO4XFPTO -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -s 10.244.1.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-MPQE5E3FPNMZ422T -s 10.244.2.3/32 -m comment --comment "default/httpd-test" -j KUBE-MARK-MASQ
-A KUBE-SEP-MPQE5E3FPNMZ422T -p tcp -m comment --comment "default/httpd-test" -m tcp -j DNAT --to-destination 10.244.2.3:80
-A KUBE-SEP-N4G2XR5TDX7PQE7P -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-N4G2XR5TDX7PQE7P -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.2:9153
-A KUBE-SEP-YIL6JZP7A3QYXJU2 -s 10.244.0.2/32 -m comment --comment "kube-system/kube-dns:dns" -j KUBE-MARK-MASQ
-A KUBE-SEP-YIL6JZP7A3QYXJU2 -p udp -m comment --comment "kube-system/kube-dns:dns" -m udp -j DNAT --to-destination 10.244.0.2:53
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZP3FB6NMPNCO4VBJ -p tcp -m comment --comment "kube-system/kube-dns:metrics" -m tcp -j DNAT --to-destination 10.244.0.3:9153
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -s 10.244.0.3/32 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZXMNUKOKXUTL2MK2 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp" -m tcp -j DNAT --to-destination 10.244.0.3:53
-A KUBE-SERVICES -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-SVC-NPX46M4PTMTKRN6Y
-A KUBE-SERVICES -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-SVC-TCOU7JCQXEZGVUNU
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-SVC-ERIFXISQEP7F7OF4
-A KUBE-SERVICES -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-SVC-JD5MR3NA4I4DYORP
-A KUBE-SERVICES -d 10.97.122.105/32 -p tcp -m comment --comment "default/httpd-test cluster IP" -m tcp --dport 80 -j KUBE-SVC-ZLFK63IBL3TQ6LW7
-A KUBE-SERVICES -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-SVC-47MZKVTVFE2WTG5V
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-47MZKVTVFE2WTG5V ! -s 10.244.0.0/16 -d 10.106.113.156/32 -p tcp -m comment --comment "default/httpd-app cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-MARK-MASQ
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-JEHA6AXBK4XAVWB5
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -j KUBE-SEP-B7WZ6X3JS7NGRAGL
-A KUBE-SVC-ERIFXISQEP7F7OF4 ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:dns-tcp cluster IP" -m tcp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-IT2ZTR26TO4XFPTO
-A KUBE-SVC-ERIFXISQEP7F7OF4 -m comment --comment "kube-system/kube-dns:dns-tcp" -j KUBE-SEP-ZXMNUKOKXUTL2MK2
-A KUBE-SVC-JD5MR3NA4I4DYORP ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p tcp -m comment --comment "kube-system/kube-dns:metrics cluster IP" -m tcp --dport 9153 -j KUBE-MARK-MASQ
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-N4G2XR5TDX7PQE7P
-A KUBE-SVC-JD5MR3NA4I4DYORP -m comment --comment "kube-system/kube-dns:metrics" -j KUBE-SEP-ZP3FB6NMPNCO4VBJ
-A KUBE-SVC-NPX46M4PTMTKRN6Y ! -s 10.244.0.0/16 -d 10.96.0.1/32 -p tcp -m comment --comment "default/kubernetes:https cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SVC-NPX46M4PTMTKRN6Y -m comment --comment "default/kubernetes:https" -j KUBE-SEP-C3AY35NSVPYD6C6M
-A KUBE-SVC-TCOU7JCQXEZGVUNU ! -s 10.244.0.0/16 -d 10.96.0.10/32 -p udp -m comment --comment "kube-system/kube-dns:dns cluster IP" -m udp --dport 53 -j KUBE-MARK-MASQ
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-YIL6JZP7A3QYXJU2
-A KUBE-SVC-TCOU7JCQXEZGVUNU -m comment --comment "kube-system/kube-dns:dns" -j KUBE-SEP-6E7XQMQ4RAYOWTTM
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 ! -s 10.244.0.0/16 -d 10.97.122.105/32 -p tcp -m comment --comment "default/httpd-test cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5OCXZNKOYHPOQMHR
-A KUBE-SVC-ZLFK63IBL3TQ6LW7 -m comment --comment "default/httpd-test" -j KUBE-SEP-MPQE5E3
访问的形式为:NodePort:31248,根据31248就可以查询到:
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/httpd-app" -m tcp --dport 31248 -j KUBE-SVC-47MZKVTVFE2WTG5V
跳转到KUBE-SVC-47MZKVTVFE2WTG5V的链,可以看到,各自以50%的概率进行负载:
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-JEHA6AXBK4XAVWB5
-A KUBE-SVC-47MZKVTVFE2WTG5V -m comment --comment "default/httpd-app" -j KUBE-SEP-B7WZ6X3JS7NGRAGL
KUBE-SEP-JEHA6AXBK4XAVWB5通过DNAT发送到10.244.1.2的80端口,KUBE-SEP-B7WZ6X3JS7NGRAGL通过DNAT发送到10.244.2.2的80端口。
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -s 10.244.1.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-JEHA6AXBK4XAVWB5 -p tcp -m comment --comment "default/httpd-app" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -s 10.244.2.2/32 -m comment --comment "default/httpd-app" -j KUBE-MARK-MASQ
-A KUBE-SEP-B7WZ6X3JS7NGRAGL -p tcp -m comment --comment "default/httpd-app"
全部0条评论
快来发表一下你的评论吧 !