Starting with k8s 1.2, Ingress is provided as a way to expose services externally. k8s currently has three ways of exposing a service:
- LoadBalancer Service
- NodePort Service
- Ingress
K8s-LBS
LBS (LoadBalancer Service) is the component where k8s integrates most deeply with the cloud platform: when a Service is exposed with LBS, k8s calls the underlying cloud platform's API to create a load balancer that fronts the Service. Cloud platforms that LBS currently supports include GCE, DigitalOcean, Aliyun, and private clouds such as OpenStack. Because LBS depends on that cloud integration, it can only be used on those platforms; on a cluster without a cloud provider the Service's external IP stays pending, although the NodePort that a LoadBalancer Service also allocates still works.
NodePort
k8s distinguishes three kinds of port:
- Port
The port exposed on the Service itself. Clients inside the cluster (the whole container cluster) reach the Service at ClusterIP:Port.
- NodePort
The port exposed on the nodes, for clients outside the cluster. It is opened on every node (allocated from the range 30000-32767 by default), so the Service is reachable at any NodeIP:NodePort regardless of which nodes actually run its Pods.
- TargetPort
The port exposed on the Endpoint, i.e. the port the container in the Pod actually listens on. Whether traffic arrives via Port or NodePort, it is ultimately forwarded by kube-proxy to TargetPort on one of the Pods.
k8s distinguishes three kinds of IP:
- ClusterIP
The virtual IP of the Service. It is not bound to any interface; kube-proxy installs iptables rules that match packets for ClusterIP:Port and DNAT them to a backend Pod (in the older userspace proxy mode the rules instead redirected to a local port on which kube-proxy itself listened and balanced across Pods).
- NodeIP
The physical IP of a node. Packets arriving at NodeIP:NodePort are matched by the same kube-proxy iptables rules (the KUBE-NODEPORTS chain) and DNATed to a backend Pod in the same way.
- ContainerIP/PodIP
The Pod is the smallest deployable unit in k8s, and all containers in a Pod share one set of network resources (one IP and one port space, however many containers the Pod has). When a Pod starts, an infrastructure container with the image gcr.io/google_containers/pause:0.8.0 is created first; it holds the Pod's network namespace and the application containers join it, so the ContainerIP is the PodIP.
Exposure method and API

```yaml
apiVersion: v1
kind: Service
metadata:
  name: svc-1
  labels:
    name: svc-1
spec:
  type: NodePort
  ports:
  - port: 2222        # Port: reached from inside the cluster at ClusterIP:2222
    targetPort: 22    # TargetPort: the port the Pods actually listen on
    nodePort: 30022   # NodePort: reached from outside at <any NodeIP>:30022
  selector:
    name: rc-test     # Pods carrying this label become the Service's endpoints
```
API operations
How it works
Both the IP and the port exposure are implemented by kube-proxy rewriting iptables rules on every node. Packets entering the nat table's PREROUTING or OUTPUT hooks are sent to KUBE-SERVICES; a packet for a ClusterIP:Port jumps to that Service's KUBE-SVC-* chain, while a packet addressed to a local address (ADDRTYPE dst-type LOCAL) falls through to the final KUBE-NODEPORTS rule, which matches on the NodePort. The KUBE-SVC-* chain picks one KUBE-SEP-* (endpoint) chain using statistic random probabilities, and the KUBE-SEP-* chain DNATs the packet to PodIP:TargetPort. The KUBE-MARK-MASQ rules mark packets so they are masqueraded in POSTROUTING, and the recent: SET/CHECK pair on the kubernetes:https service implements client-IP session affinity. The dump below is from a node carrying three NodePort services (svc-1, svc-lonely, svc-tmp):
```
# iptables -t nat -L -n
...
Chain KUBE-NODEPORTS (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp dpt:30023
KUBE-SVC-E6FDK4HG4F4JSB77  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp dpt:30023
KUBE-MARK-MASQ  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-tmp: */ tcp dpt:30099
KUBE-SVC-OOWDNB3NCXKPBPZE  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-tmp: */ tcp dpt:30099
KUBE-MARK-MASQ  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp dpt:30022
KUBE-SVC-D25WXD2YSOVKEUTU  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp dpt:30022
...
Chain KUBE-SEP-2LNK4QUGPB2C5PDO (2 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  192.168.6.110        0.0.0.0/0            /* default/kubernetes:https */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/kubernetes:https */ recent: SET name: KUBE-SEP-2LNK4QUGPB2C5PDO side: source mask: 255.255.255.255 tcp to:192.168.6.110:6443

Chain KUBE-SEP-5GTCHBFJM5RAI7LS (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.9          0.0.0.0/0            /* default/svc-lonely: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp to:10.254.86.9:22

Chain KUBE-SEP-BCYRFQ26LZTOSSU7 (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.4          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.4:22

Chain KUBE-SEP-CLKUH4WMQ3CNBJ7K (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.2          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.2:22

Chain KUBE-SEP-D3FORTYMXA7BVSDA (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.8          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.8:22

Chain KUBE-SEP-F4EJGNTAH3JOOQC6 (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.3          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.3:22

Chain KUBE-SEP-HO23WAVQKIB2R4KD (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.10         0.0.0.0/0            /* default/svc-tmp: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-tmp: */ tcp to:10.254.86.10:99

Chain KUBE-SERVICES (2 references)
target     prot opt source               destination
KUBE-SVC-E6FDK4HG4F4JSB77  tcp  --  0.0.0.0/0            10.254.162.24        /* default/svc-lonely: cluster IP */ tcp dpt:2223
KUBE-SVC-OOWDNB3NCXKPBPZE  tcp  --  0.0.0.0/0            10.254.119.86        /* default/svc-tmp: cluster IP */ tcp dpt:9999
KUBE-SVC-NPX46M4PTMTKRN6Y  tcp  --  0.0.0.0/0            10.254.0.1           /* default/kubernetes:https cluster IP */ tcp dpt:443
KUBE-SVC-D25WXD2YSOVKEUTU  tcp  --  0.0.0.0/0            10.254.159.12        /* default/svc-1: cluster IP */ tcp dpt:2222
KUBE-NODEPORTS  all  --  0.0.0.0/0            0.0.0.0/0            /* kubernetes service nodeports; NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCAL

Chain KUBE-SVC-D25WXD2YSOVKEUTU (2 references)
target     prot opt source               destination
KUBE-SEP-CLKUH4WMQ3CNBJ7K  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.25000000000
KUBE-SEP-F4EJGNTAH3JOOQC6  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.33332999982
KUBE-SEP-BCYRFQ26LZTOSSU7  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.50000000000
KUBE-SEP-D3FORTYMXA7BVSDA  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */

Chain KUBE-SVC-E6FDK4HG4F4JSB77 (2 references)
target     prot opt source               destination
KUBE-SEP-5GTCHBFJM5RAI7LS  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */

Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
target     prot opt source               destination
KUBE-SEP-2LNK4QUGPB2C5PDO  all  --  0.0.0.0/0            0.0.0.0/0            /* default/kubernetes:https */ recent: CHECK seconds: 180 reap name: KUBE-SEP-2LNK4QUGPB2C5PDO side: source mask: 255.255.255.255
KUBE-SEP-2LNK4QUGPB2C5PDO  all  --  0.0.0.0/0            0.0.0.0/0            /* default/kubernetes:https */

Chain KUBE-SVC-OOWDNB3NCXKPBPZE (2 references)
target     prot opt source               destination
KUBE-SEP-HO23WAVQKIB2R4KD  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-tmp: */
```
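A reviewer looking at a node wants the dump above collapsed into one table: which NodePorts are open on every node's IP, which Pods they land on, and how the cascaded `statistic mode random probability` rules actually split traffic. The script below does that. It is an added example, not code from the original post; `SAMPLE_DUMP` re-embeds an excerpt of the post's own `iptables -t nat -L -n` output (the svc-1 and svc-lonely chains) so it runs offline, and the function names (`parse_chains`, `endpoint_shares`, `nodeport_map`) are this example's own.

```python
# Added example, not code from the original post: audit a kube-proxy iptables NAT
# dump, mapping each open NodePort to the Pod endpoints it DNATs to and deriving each
# endpoint's traffic share from the "statistic mode random probability" rules.
# SAMPLE_DUMP is an excerpt of the post's own `iptables -t nat -L -n` output (svc-1
# and svc-lonely only), embedded so this runs offline; the function names are ours.
import re
import sys

SAMPLE_DUMP = """\
Chain KUBE-NODEPORTS (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp dpt:30023
KUBE-SVC-E6FDK4HG4F4JSB77  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp dpt:30023
KUBE-MARK-MASQ  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp dpt:30022
KUBE-SVC-D25WXD2YSOVKEUTU  tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp dpt:30022

Chain KUBE-SVC-D25WXD2YSOVKEUTU (2 references)
target     prot opt source               destination
KUBE-SEP-CLKUH4WMQ3CNBJ7K  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.25000000000
KUBE-SEP-F4EJGNTAH3JOOQC6  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.33332999982
KUBE-SEP-BCYRFQ26LZTOSSU7  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ statistic mode random probability 0.50000000000
KUBE-SEP-D3FORTYMXA7BVSDA  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */

Chain KUBE-SVC-E6FDK4HG4F4JSB77 (2 references)
target     prot opt source               destination
KUBE-SEP-5GTCHBFJM5RAI7LS  all  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */

Chain KUBE-SEP-CLKUH4WMQ3CNBJ7K (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.2          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.2:22

Chain KUBE-SEP-F4EJGNTAH3JOOQC6 (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.3          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.3:22

Chain KUBE-SEP-BCYRFQ26LZTOSSU7 (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.4          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.4:22

Chain KUBE-SEP-D3FORTYMXA7BVSDA (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.8          0.0.0.0/0            /* default/svc-1: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-1: */ tcp to:10.254.86.8:22

Chain KUBE-SEP-5GTCHBFJM5RAI7LS (1 references)
target     prot opt source               destination
KUBE-MARK-MASQ  all  --  10.254.86.9          0.0.0.0/0            /* default/svc-lonely: */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            /* default/svc-lonely: */ tcp to:10.254.86.9:22
"""

# One rule line: target, proto, "--", source, destination, then free-form extras.
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(dump):
    """Return {chain_name: [(target, proto, src, dst, extra), ...]}."""
    chains, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and line.strip() and not line.startswith("target"):
            m = RULE_RE.match(line)
            if m:
                chains[cur].append(m.groups())
    return chains

def endpoint_shares(chains, svc_chain):
    """Follow a KUBE-SVC-* chain to its KUBE-SEP-* DNAT targets. Rules are tried
    in order, so rule i receives p_i * prod(1 - p_j for j < i) of the traffic and
    the last rule, which carries no probability, takes whatever remains."""
    shares, remaining = [], 1.0
    for target, _, _, _, extra in chains.get(svc_chain, []):
        if not target.startswith("KUBE-SEP-"):
            continue
        m = re.search(r"probability (\d+\.\d+)", extra)
        share = remaining * (float(m.group(1)) if m else 1.0)
        remaining -= share
        for t, _, _, _, ex in chains.get(target, []):
            if t == "DNAT":  # the rule that rewrites dst to PodIP:TargetPort
                shares.append((re.search(r"to:(\S+)", ex).group(1), round(share, 3)))
    return shares

def nodeport_map(chains):
    """{nodeport: (service, [(PodIP:TargetPort, share), ...])} for every NodePort
    jump in KUBE-NODEPORTS; each of these is reachable on every node's IP."""
    out = {}
    for target, _, _, _, extra in chains.get("KUBE-NODEPORTS", []):
        if target.startswith("KUBE-SVC-"):
            port = int(re.search(r"dpt:(\d+)", extra).group(1))
            svc = re.search(r"/\* (\S+?):? \*/", extra).group(1)
            out[port] = (svc, endpoint_shares(chains, target))
    return out

if __name__ == "__main__":
    # Pipe a live dump in (`iptables -t nat -L -n | python3 audit.py`) or use the sample.
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for port, (svc, eps) in sorted(nodeport_map(parse_chains(dump)).items()):
        print(f"NodePort {port} -> {svc}: {eps}")
```

Two things the table makes visible. First, the probabilities cascade: although the svc-1 rules read 0.25, 0.333 and 0.5, each of the four endpoints receives a quarter of new connections, because each rule is only reached by the traffic the earlier rules declined. Second, every NodePort entry is preceded by a KUBE-MARK-MASQ rule, so the packet is masqueraded and the Pod sees the node's IP rather than the client's; that affects Pod-side logging and source-IP allow-lists and is what `externalTrafficPolicy: Local` on the Service is used to avoid.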
Ingress
Todo…
References & Acknowledgements