Kubernetes

K8S Service Network - Hands-on

uuuhhh 2022. 11. 10. 15:57

▪ Hands-on

  1. ClusterIP
  2. NodePort

• ClusterIP

  • 3pod.yaml (destination pods)
apiVersion: v1
kind: Pod
metadata:
  name: webpod1
  labels:
    app: webpod
spec:
  nodeName: w1-k8s
  containers:
  - name: container
    image: traefik/whoami
  terminationGracePeriodSeconds: 0
---
apiVersion: v1
kind: Pod
metadata:
  name: webpod2
  labels:
    app: webpod
spec:
  nodeName: w2-k8s
  containers:
  - name: container
    image: traefik/whoami
  terminationGracePeriodSeconds: 0
---
apiVersion: v1
kind: Pod
metadata:
  name: webpod3
  labels:
    app: webpod
spec:
  nodeName: w3-k8s
  containers:
  - name: container
    image: traefik/whoami
  terminationGracePeriodSeconds: 0

  • netpod.yaml (client)
apiVersion: v1
kind: Pod
metadata:
  name: net-pod
spec:
  nodeName: m-k8s
  containers:
  - name: netshoot-pod
    image: nicolaka/netshoot
    command: ["tail"]
    args: ["-f", "/dev/null"]
  terminationGracePeriodSeconds: 0

  • svc-clusterip.yaml (service)
apiVersion: v1
kind: Service
metadata:
  name: svc-clusterip
spec:
  ports:
    - name: svc-webport
      port: 9000
      targetPort: 80
  selector:
    app: webpod
  type: ClusterIP

  • Verifying operation (the command outputs were screenshots in the original post)

💬 Check the created pods

💬 Check the exposed service's type and cluster-IP

💬 Check the service endpoints

💬 Connect to the client pod

💬 Confirm access via the destination pod IPs

💬 Load-balancing test through the service - 1

💬 Load-balancing test through the service - 2

  • Checking the iptables rules
  1. PREROUTING
  2. KUBE-SERVICES
  3. KUBE-SVC-###
  4. KUBE-SEP-#<pod1>, KUBE-SEP-#<pod2>, KUBE-SEP-#<pod3>
  • SEP : SERVICE ENDPOINT
[root@m-k8s clusterIP]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 32 packets, 2248 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1018 70687 KUBE-SERVICES  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* kubernetes service portals */

Chain KUBE-SERVICES (2 references)
 pkts bytes target     prot opt in     out     source               destination
  208 12480 KUBE-SVC-KBDEBIL6IU6WL7RF  tcp  --  *      *       0.0.0.0/0            10.101.45.138        /* default/svc-clusterip:svc-webport cluster IP */ tcp dpt:9000

Chain KUBE-SVC-KBDEBIL6IU6WL7RF (1 references)
 pkts bytes target     prot opt in     out     source               destination
   71  4260 KUBE-SEP-4GLOYZ5YBL4ZIC54  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ statistic mode random probability 0.33333333349
   69  4140 KUBE-SEP-OSRWDXZKC43CGPGW  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ statistic mode random probability 0.50000000000
   68  4080 KUBE-SEP-X4VKZM5IYTJMJGTP  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ 

Chain KUBE-SEP-4GLOYZ5YBL4ZIC54 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 KUBE-MARK-MASQ  all  --  *      *       172.16.103.135       0.0.0.0/0            /* default/svc-clusterip:svc-webport */
   71  4260 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ tcp to:172.16.103.135:80

Chain KUBE-SEP-OSRWDXZKC43CGPGW (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 KUBE-MARK-MASQ  all  --  *      *       172.16.132.14        0.0.0.0/0            /* default/svc-clusterip:svc-webport */
   69  4140 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ tcp to:172.16.132.14:80

Chain KUBE-SEP-X4VKZM5IYTJMJGTP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 KUBE-MARK-MASQ  all  --  *      *       172.16.221.148       0.0.0.0/0            /* default/svc-clusterip:svc-webport */
   68  4080 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            /* default/svc-clusterip:svc-webport */ tcp to:172.16.221.148:80

• NodePort

  • echo-pod.yaml (destination pods)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: deploy-echo
spec:
  replicas: 3
  selector:
    matchLabels:
      app: deploy-websrv
  template:
    metadata:
      labels:
        app: deploy-websrv
    spec:
      terminationGracePeriodSeconds: 0
      containers:
      - name: cndk-websrv
        image: k8s.gcr.io/echoserver:1.5
        ports:
        - containerPort: 8080

  • svc-nodeport.yaml (service)
apiVersion: v1
kind: Service
metadata:
  name: svc-nodeport
spec:
  ports:
    - name: svc-webport
      port: 9000
      targetPort: 8080
      # if nodePort is not specified, one is assigned at random from 30000-32767
  selector:
    app: deploy-websrv
  type: NodePort

  • Verifying operation (the command outputs were screenshots in the original post)

💬 Check the created pods

💬 Check the service (30282 : the service's node port)

💬 Check the service endpoints

[root@m-k8s nodePort]# ss -4tlnp | egrep "(Process|30282)"
LISTEN   0   128    *:30282     *:*           users:(("kube-proxy",pid=2560,fd=12))

💬 Confirm the node port is in LISTEN state

💬 Check the node IPs

💬 Confirm access to the service via node-IP:nodePort

💬 Confirm load balancing through the service + confirm access to the service via each node's <node-IP:nodePort (same port)>

  • Checking the iptables rules
  1. PREROUTING
  2. KUBE-SERVICES
  3. KUBE-NODEPORTS
  4. KUBE-SVC-###
  5. KUBE-SEP-#<pod1>, KUBE-SEP-#<pod2>, KUBE-SEP-#<pod3>
[root@m-k8s nodePort]# iptables -t nat -S

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES

-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-nodeport:svc-webport" -m tcp --dport 30282 -j KUBE-SVC-VTR7MTHHNMFZ3OFS

-A KUBE-SVC-VTR7MTHHNMFZ3OFS -m comment --comment "default/svc-nodeport:svc-webport" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-ZFQZV32UODUPBKSN
-A KUBE-SVC-VTR7MTHHNMFZ3OFS -m comment --comment "default/svc-nodeport:svc-webport" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-TIDBC43XW5IICFED
-A KUBE-SVC-VTR7MTHHNMFZ3OFS -m comment --comment "default/svc-nodeport:svc-webport" -j KUBE-SEP-2JHZOYSDCT4K5OXZ

-A KUBE-SEP-ZFQZV32UODUPBKSN -s 172.16.103.136/32 -m comment --comment "default/svc-nodeport:svc-webport" -j KUBE-MARK-MASQ
-A KUBE-SEP-ZFQZV32UODUPBKSN -p tcp -m comment --comment "default/svc-nodeport:svc-webport" -m tcp -j DNAT --to-destination 172.16.103.136:8080

-A KUBE-SEP-TIDBC43XW5IICFED -s 172.16.132.15/32 -m comment --comment "default/svc-nodeport:svc-webport" -j KUBE-MARK-MASQ
-A KUBE-SEP-TIDBC43XW5IICFED -p tcp -m comment --comment "default/svc-nodeport:svc-webport" -m tcp -j DNAT --to-destination 172.16.132.15:8080

-A KUBE-SEP-2JHZOYSDCT4K5OXZ -s 172.16.221.149/32 -m comment --comment "default/svc-nodeport:svc-webport" -j KUBE-MARK-MASQ
-A KUBE-SEP-2JHZOYSDCT4K5OXZ -p tcp -m comment --comment "default/svc-nodeport:svc-webport" -m tcp -j DNAT --to-destination 172.16.221.149:8080

# Source IP is SNATed (MASQUERADE) to the IP of the node the client connected to
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
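Both chain walks above (ClusterIP: PREROUTING -> KUBE-SERVICES -> KUBE-SVC -> KUBE-SEP; NodePort: the same with KUBE-NODEPORTS in between) can be replayed offline. The script below is an added example, not code from the original post or from kube-proxy: it parses `iptables -t nat -S` style rules, walks one packet from PREROUTING, records the chains visited, and computes the share of traffic each DNAT backend receives from the chained `statistic --mode random` rules. The rule text is constructed from the two listings in this post (the ClusterIP rules converted from `-nvL` to `-S` form, with the `-m comment` matches on the SVC/SEP rules omitted); NODE_IP and the client IP are assumed values, since the post shows node and client addresses only as screenshots.

```python
"""Replay kube-proxy's NAT rules offline: which chains a Service packet crosses,
which backend it is DNATed to, and what share of traffic each backend receives.
RULES is constructed from the two iptables listings in the post (ClusterIP rules
rewritten from `-nvL` to `-S` form); NODE_IP and the client IP are assumptions."""
import ipaddress
import re

NODE_IP = "192.168.10.10"  # assumption: the post shows node IPs only in screenshots

RULES = r'''
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.101.45.138/32 -p tcp -m comment --comment "default/svc-clusterip:svc-webport cluster IP" -m tcp --dport 9000 -j KUBE-SVC-KBDEBIL6IU6WL7RF
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/svc-nodeport:svc-webport" -m tcp --dport 30282 -j KUBE-SVC-VTR7MTHHNMFZ3OFS
-A KUBE-SVC-KBDEBIL6IU6WL7RF -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-4GLOYZ5YBL4ZIC54
-A KUBE-SVC-KBDEBIL6IU6WL7RF -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-OSRWDXZKC43CGPGW
-A KUBE-SVC-KBDEBIL6IU6WL7RF -j KUBE-SEP-X4VKZM5IYTJMJGTP
-A KUBE-SEP-4GLOYZ5YBL4ZIC54 -s 172.16.103.135/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-4GLOYZ5YBL4ZIC54 -p tcp -m tcp -j DNAT --to-destination 172.16.103.135:80
-A KUBE-SEP-OSRWDXZKC43CGPGW -s 172.16.132.14/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-OSRWDXZKC43CGPGW -p tcp -m tcp -j DNAT --to-destination 172.16.132.14:80
-A KUBE-SEP-X4VKZM5IYTJMJGTP -s 172.16.221.148/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-X4VKZM5IYTJMJGTP -p tcp -m tcp -j DNAT --to-destination 172.16.221.148:80
-A KUBE-SVC-VTR7MTHHNMFZ3OFS -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-ZFQZV32UODUPBKSN
-A KUBE-SVC-VTR7MTHHNMFZ3OFS -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-TIDBC43XW5IICFED
-A KUBE-SVC-VTR7MTHHNMFZ3OFS -j KUBE-SEP-2JHZOYSDCT4K5OXZ
-A KUBE-SEP-ZFQZV32UODUPBKSN -s 172.16.103.136/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-ZFQZV32UODUPBKSN -p tcp -m tcp -j DNAT --to-destination 172.16.103.136:8080
-A KUBE-SEP-TIDBC43XW5IICFED -s 172.16.132.15/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-TIDBC43XW5IICFED -p tcp -m tcp -j DNAT --to-destination 172.16.132.15:8080
-A KUBE-SEP-2JHZOYSDCT4K5OXZ -s 172.16.221.149/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-2JHZOYSDCT4K5OXZ -p tcp -m tcp -j DNAT --to-destination 172.16.221.149:8080
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
'''

def _opt(pattern, line):
    m = re.search(pattern, line)
    return m.group(1) if m else None

def parse_rules(text):
    """Group `-A CHAIN ...` lines by chain, preserving rule order within a chain."""
    chains = {}
    for line in text.strip().splitlines():
        if line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append({
                "src": _opt(r"(?:^|\s)-s (\S+)", line),
                "dst": _opt(r"(?:^|\s)-d (\S+)", line),
                "dport": _opt(r"--dport (\d+)", line),
                "dst_type": _opt(r"--dst-type (\S+)", line),
                "prob": _opt(r"--probability (\S+)", line),
                "target": _opt(r"-j (\S+)", line),
                "dnat": _opt(r"--to-destination (\S+)", line),
            })
    return chains

def _in(ip, cidr):
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def _matches(rule, pkt):
    """Evaluate the match extensions kube-proxy's Service rules rely on."""
    return (_in(pkt["src"], rule["src"]) and _in(pkt["dst"], rule["dst"])
            and (rule["dport"] is None or int(rule["dport"]) == pkt["dport"])
            and (rule["dst_type"] != "LOCAL" or pkt["dst_local"]))

def _walk(chains, chain, weight, pkt, path, shares):
    """Push `weight` units of traffic through `chain`; return how much was DNATed."""
    path.append(chain)
    consumed = 0.0
    for rule in chains.get(chain, []):
        if weight <= 1e-12 or not _matches(rule, pkt):
            continue
        # `-m statistic --mode random --probability p` diverts p of what is left
        taken = weight * (float(rule["prob"]) if rule["prob"] else 1.0)
        if rule["target"] == "DNAT":
            shares[rule["dnat"]] = shares.get(rule["dnat"], 0.0) + taken
            used = taken
        elif rule["target"] in chains:
            used = _walk(chains, rule["target"], taken, pkt, path, shares)
        else:
            used = 0.0  # KUBE-MARK-MASQ / MASQUERADE: non-terminating, traffic flows on
        consumed += used
        weight -= used
    return consumed

def trace(rules_text, dst, dport, dst_local=False, src="172.16.0.1"):
    """Return (chains visited, {backend 'ip:port': traffic share}) for one packet."""
    pkt = {"src": src, "dst": dst, "dport": dport, "dst_local": dst_local}
    path, shares = [], {}
    _walk(parse_rules(rules_text), "PREROUTING", 1.0, pkt, path, shares)
    return path, shares

if __name__ == "__main__":
    for label, dst, port, local in [("ClusterIP", "10.101.45.138", 9000, False),
                                    ("NodePort", NODE_IP, 30282, True),
                                    ("NodePort, unknown port", NODE_IP, 22, True)]:
        path, shares = trace(RULES, dst, port, local)
        print(f"{label} {dst}:{port}\n  " + " -> ".join(path))
        for backend, share in shares.items():
            print(f"  {backend:20s} {share:.4f}")
```

The probabilities 0.333/0.5/1.0 are what make the split even: the first SEP takes one third, the second takes half of the remaining two thirds, and the last rule takes everything left, so each pod ends up with one third. The walk starts at PREROUTING, so the KUBE-POSTROUTING MASQUERADE rule (the SNAT noted above) is listed only for completeness and never visited. Checking that the DNAT targets reached equal the Service's endpoint list and that the shares sum to 1 is a quick way to spot stale or missing rules after a node or pod change.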

Ref.

CloudNet@ Blog

Kubernetes NodePort vs LoadBalancer vs Ingress? When should I use what?

Services