-
Kubernetes IPVS和IPTABLES
个人名片:
对人间的热爱与歌颂,可抵岁月冗长🌞
Github👨🏻💻:念舒_C.ying
CSDN主页✏️:念舒_C.ying
个人博客🌏 :念舒_C.yingKubernetes IPVS和IPTABLES
什么是IPVS
IPVS(IP Virtual Server,IP虚拟服务器)实现了传输层的负载平衡,通常称为4 LAN(四层局域网)交换,是Linux内核的一部分。IPVS在主机上运行,在真实服务器集群前面充当负载平衡器。IPVS可以将基于 TCP 和 UDP 的服务请求定向到真实服务器上。
IPVS vs IPTABLES
IPVS 模式在
Kubernetes v1.8中引入,在v1.9中成为测试版,在v1.11中成为GA。
IPTABLES模式是在v1.1版本中加入的,从v1.2版本开始成为默认的操作模式。IPVS和IPTABLES都是基于netfilter的。IPVS模式和IPTABLES模式的区别如下:
-
IPVS为大型集群提供更好的可扩展性和性能。
-
IPVS比IPTABLES支持更复杂的负载平衡算法(最小负载、最小连接、定位、加权等)。
-
IPVS 支持服务器健康检查和连接重试等。
IPVS 对 IPTABLES 的依赖
IPVS代理使用
IPTABLES做数据包过滤、SNAT或伪装。具体来说,IPVS代理将使用ipset来存储需要DROP或做伪装的流量的源地址或目的地址,以确保无论我们有多少服务,IPTABLES规则的数量不变。下面是IPVS代理服务器使用的ipset集的表格。
set name members usage KUBE-CLUSTER-IP All service IP + port Mark-Masq for cases that masquerade-all=trueorclusterCIDRspecifiedKUBE-LOOP-BACK All service IP + port + IP masquerade for solving hairpin purpose KUBE-EXTERNAL-IP service external IP + port masquerade for packages to external IPs KUBE-LOAD-BALANCER load balancer ingress IP + port masquerade for packages to load balancer type service KUBE-LOAD-BALANCER-LOCAL LB ingress IP + port with externalTrafficPolicy=localaccept packages to load balancer with externalTrafficPolicy=localKUBE-LOAD-BALANCER-FW load balancer ingress IP + port with loadBalancerSourceRangespackage filter for load balancer with loadBalancerSourceRangesspecifiedKUBE-LOAD-BALANCER-SOURCE-CIDR load balancer ingress IP + port + source CIDR package filter for load balancer with loadBalancerSourceRangesspecifiedKUBE-NODE-PORT-TCP nodeport type service TCP port masquerade for packets to nodePort(TCP) KUBE-NODE-PORT-LOCAL-TCP nodeport type service TCP port with externalTrafficPolicy=localaccept packages to nodeport service with externalTrafficPolicy=localKUBE-NODE-PORT-UDP nodeport type service UDP port masquerade for packets to nodePort(UDP) KUBE-NODE-PORT-LOCAL-UDP nodeport type service UDP port with externalTrafficPolicy=localaccept packages to nodeport service with externalTrafficPolicy=local在以下情况下,IPVS 代理将依赖 IPTABLES。
1. kube-proxy以–masquerade-all=true启动
如果kube-proxy以
--masquerade-all=true启动,IPVS代理将伪装所有访问服务集群IP的流量,这与IPTABLES代理的行为相同。假设kube-proxy指定了标志--masquerade-all=true,那么IPVS代理安装的IPTABLES应该如下所示:# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain OUTPUT (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain POSTROUTING (policy ACCEPT) target prot opt source destination KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ Chain KUBE-MARK-MASQ (2 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 Chain KUBE-POSTROUTING (1 references) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOOP-BACK dst,dst,src Chain KUBE-SERVICES (2 references) target prot opt source destination KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
2. 在kube-proxy启动时指定集群CIDR
如果kube-proxy以
--cluster-cidr=启动,IPVS代理将伪装访问服务集群IP的非集群流量,其行为与IPTABLES代理相同。假设kube-proxy提供的集群cidr是10.244.16.0/24,那么IPVS代理安装的IPTABLES应该如下所示。# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain OUTPUT (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain POSTROUTING (policy ACCEPT) target prot opt source destination KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ Chain KUBE-MARK-MASQ (3 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 Chain KUBE-POSTROUTING (1 references) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOOP-BACK dst,dst,src Chain KUBE-SERVICES (2 references) target prot opt source destination KUBE-MARK-MASQ all -- !10.244.16.0/24 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-CLUSTER-IP dst,dst- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
3. loadBalancer类型的服务
对于loadBalancer类型的服务,IPVS代理将安装IPTABLES与ipset
KUBE-LOAD-BALANCER匹配。特别是当服务的LoadBalancerSourceRanges被指定或指定externalTrafficPolicy=local时,IPVS代理将创建ipset集KUBE-LOAD-BALANCER-LOCAL/KUBE-LOAD-BALANCER-FW/KUBE-LOAD-BALANCER-SOURCE-CIDR并相应地安装IPTABLES,它应该看起来像下面所示。# iptables -t nat -nL Chain PREROUTING (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain OUTPUT (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain POSTROUTING (policy ACCEPT) target prot opt source destination KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ Chain KUBE-FIREWALL (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER-SOURCE-CIDR dst,dst,src KUBE-MARK-DROP all -- 0.0.0.0/0 0.0.0.0/0 Chain KUBE-LOAD-BALANCER (1 references) target prot opt source destination KUBE-FIREWALL all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER-FW dst,dst RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER-LOCAL dst,dst KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 Chain KUBE-MARK-DROP (1 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x8000 Chain KUBE-MARK-MASQ (2 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 Chain KUBE-POSTROUTING (1 references) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOOP-BACK dst,dst,src Chain KUBE-SERVICES (2 references) target prot opt source destination KUBE-LOAD-BALANCER all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER dst,dst ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOAD-BALANCER dst,dst- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
4. NodePort类型的服务
对于NodePort类型的服务,IPVS代理将安装IPTABLES与ipset
KUBE-NODE-PORT-TCP/KUBE-NODE-PORT-UDP的匹配。当指定externalTrafficPolicy=local时,IPVS代理将创建ipset集KUBE-NODE-PORT-LOCAL-TCP/KUBE-NODE-PORT-LOCAL-UDP并相应地安装IPTABLES,这应该是如下所示的:假设服务的TCP类型为nodePort。
Chain PREROUTING (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain OUTPUT (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain POSTROUTING (policy ACCEPT) target prot opt source destination KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ Chain KUBE-MARK-MASQ (2 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 Chain KUBE-NODE-PORT (1 references) target prot opt source destination RETURN all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-NODE-PORT-LOCAL-TCP dst KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 Chain KUBE-POSTROUTING (1 references) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOOP-BACK dst,dst,src Chain KUBE-SERVICES (2 references) target prot opt source destination KUBE-NODE-PORT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-NODE-PORT-TCP dst- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
5. 指定externalIP的服务
对于指定了外部IP的服务,IPVS代理将安装IPTABLES与ipset
KUBE-EXTERNAL-IP匹配,假设我们有指定了外部IP的服务,IPTABLES规则应该如下所示:Chain PREROUTING (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain OUTPUT (policy ACCEPT) target prot opt source destination KUBE-SERVICES all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */ Chain POSTROUTING (policy ACCEPT) target prot opt source destination KUBE-POSTROUTING all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules */ Chain KUBE-MARK-MASQ (2 references) target prot opt source destination MARK all -- 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000 Chain KUBE-POSTROUTING (1 references) target prot opt source destination MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 /* kubernetes service traffic requiring SNAT */ mark match 0x4000/0x4000 MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-LOOP-BACK dst,dst,src Chain KUBE-SERVICES (2 references) target prot opt source destination KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-EXTERNAL-IP dst,dst ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-EXTERNAL-IP dst,dst PHYSDEV match ! --physdev-is-in ADDRTYPE match src-type !LOCAL ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 match-set KUBE-EXTERNAL-IP dst,dst ADDRTYPE match dst-type LOCAL- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
Kubernetes使用IPVS
安装IPVS
CentOS
yum install ipset ipvsadm -y- 1
Ubuntu
apt-get install ipset ipvsadm -y- 1
- 2
设置
cat > /etc/sysconfig/modules/ipvs.modules <- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
期待下次的分享,别忘了三连支持博主呀~
我是 念舒_C.ying ,期待你的关注~💪💪💪 -
VS2022新建项目时没有ASP.NET Web应用程序 (.NET Framework)
终极GPU互联技术探索:消失的内存墙
曝一段十多年前的“情史”!
一文彻底搞懂协程(coroutine)是什么,值得收藏
深入理解前端字节二进制知识以及相关API
C4D坐标与渲染
常用前端js开发工具函数
JavaScript事件之拖拽事件(详解)
力扣刷题-数组-滑动窗口法相关题目总结