2025-04-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how a NodePort service is implemented with iptables in Kubernetes (k8s-service). The editor thinks it is very practical, so it is shared here for study. I hope you can get something out of it after reading.
Here we mainly introduce the implementation principle of NodePort. The service proxy in this K8s cluster is still based on iptables, not on ipvs.
We can look at the service of the deployed nginx-ingress-controller:
This service is of type NodePort.
Its cluster ip is 10.254.188.128.
This cluster ip is associated with one endpoint: 10.1.27.2.
Port 8080 of the host is mapped to port 80 of the cluster ip and port 80 of the pod.
Port 8443 of the host is mapped to port 443 of the cluster ip and port 443 of the pod.
kubectl describe service service-nginx-ingress -n kube-system
For a service of type NodePort, a client reaches the service by connecting to the host's port. So, from the perspective of the host network, when the host receives the packet it first enters the PREROUTING chain of the host network namespace. Let's look at the PREROUTING chain of the host network namespace (nat table):
iptables -nvL -t nat
According to the rules, in the PREROUTING chain all traffic jumps to the KUBE-SERVICES target (chain).
View the KUBE-SERVICES target:
iptables -nvL -t nat | grep KUBE-SVC
In the KUBE-SERVICES target we can see that, when port 8080 or 8443 of nginx-ingress-controller-service is accessed on the host, the rules jump to the KUBE-NODEPORTS target.
View the KUBE-NODEPORTS target:
iptables -nvL -t nat
In the KUBE-NODEPORTS target we can see that, when 8080 or 8443 is accessed:
KUBE-MARK-MASQ matches first (for both ports).
KUBE-SVC-QY5PTWKILTPBPDCE matches access to port 8080.
KUBE-SVC-SQYXO6PN7K55YEZU matches access to port 8443.
View the KUBE-MARK-MASQ target:
This chain only sets a firewall mark on the packet (the mark is what later triggers masquerading in POSTROUTING); there is no NAT target here.
iptables -nvL -t nat
View the targets of KUBE-SVC-QY5PTWKILTPBPDCE and KUBE-SVC-SQYXO6PN7K55YEZU:
iptables -nvL -t nat
We can see that:
A KUBE-SVC-QY5PTWKILTPBPDCE match jumps to KUBE-SEP-WM2TRROMQQXWNW4W.
A KUBE-SVC-SQYXO6PN7K55YEZU match jumps to KUBE-SEP-7XLQX5JZL77UC7RY.
Does this look familiar to the careful students here? Yes, it is the same as the ClusterIP type service in iptables mode from the previous article. The only difference is that the example in the previous article, nginx-application-service, has two endpoints, while here nginx-ingress-controller-service has only one endpoint, so exactly one KUBE-SEP-XXX is matched. If there are multiple endpoints, the kernel's random match module is used to spread matches across them by percentage, which is how load balancing of pod access is achieved.
View the targets of KUBE-SEP-WM2TRROMQQXWNW4W and KUBE-SEP-7XLQX5JZL77UC7RY:
iptables -nvL -t nat
We can see that:
A MASQ mark rule is present, but it is restricted to source ip 10.1.27.2, i.e. it only applies to outbound (egress) traffic from the pod itself, not to our inbound (ingress) traffic.
A DNAT operation is done: the original destination (cluster ip / host port) is rewritten to the pod's ip 10.1.27.2, and the original port is rewritten to port 80 or 443.
After the PREROUTING chain, the routing decision finds that the DNATed destination 10.1.27.2 is not a local ip (it certainly is not, because this ip belongs to the pod, not to the host's network namespace). So the packet goes to the FORWARD chain, and the next-hop address is decided according to the routing table of the host network namespace.
To sum up the above example, a service of type NodePort in a k8s cluster in iptables mode works as follows:
The KUBE-SERVICES target is matched in the PREROUTING chain of the host network namespace.
Inside the KUBE-SERVICES target, the KUBE-NODEPORTS target is matched.
Inside the KUBE-NODEPORTS target, the packet is marked for masquerade and the KUBE-SVC-XXX target is matched according to the port; KUBE-SVC-XXX then jumps to a KUBE-SEP-XXX target, which performs the DNAT to the pod ip and port.
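The chain walk summarized above, as an added example that is not part of the original article: a POSIX shell script that follows a node port from PREROUTING through KUBE-SERVICES, KUBE-NODEPORTS, KUBE-SVC-* and KUBE-SEP-* to the DNAT destination, and reports whether the port is marked for masquerade (which is why the pod sees the node's address instead of the client's). The rules are a constructed iptables-save excerpt modelled on the chain names and addresses in the article, not output captured from its cluster; on a live node the same functions work on the output of iptables-save -t nat.

```shell
#!/bin/sh
# Constructed excerpt of "iptables-save -t nat" modelled on the article's chains (not real captured output).
RULES='-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m tcp --dport 8080 -j KUBE-SVC-QY5PTWKILTPBPDCE
-A KUBE-NODEPORTS -p tcp -m tcp --dport 8443 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m tcp --dport 8443 -j KUBE-SVC-SQYXO6PN7K55YEZU
-A KUBE-SVC-QY5PTWKILTPBPDCE -j KUBE-SEP-WM2TRROMQQXWNW4W
-A KUBE-SVC-SQYXO6PN7K55YEZU -j KUBE-SEP-7XLQX5JZL77UC7RY
-A KUBE-SEP-WM2TRROMQQXWNW4W -s 10.1.27.2/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-WM2TRROMQQXWNW4W -p tcp -m tcp -j DNAT --to-destination 10.1.27.2:80
-A KUBE-SEP-7XLQX5JZL77UC7RY -s 10.1.27.2/32 -j KUBE-MARK-MASQ
-A KUBE-SEP-7XLQX5JZL77UC7RY -p tcp -m tcp -j DNAT --to-destination 10.1.27.2:443
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000'

# jump_targets CHAIN [PATTERN]: print the -j target of every rule in CHAIN,
# restricted to rules whose text matches PATTERN when one is given.
jump_targets() {
    printf '%s\n' "$RULES" | grep -- "^-A $1 " | grep -- "${2:-.}" \
        | sed -n 's/.* -j \([^ ]*\).*/\1/p'
}

# masq_marked PORT: succeed if KUBE-NODEPORTS sends traffic for PORT through
# KUBE-MARK-MASQ, i.e. the client source ip will be rewritten on the way to the pod.
masq_marked() {
    jump_targets KUBE-NODEPORTS "--dport $1 " | grep -qx KUBE-MARK-MASQ
}

# trace_nodeport PORT: walk PREROUTING -> KUBE-SERVICES -> KUBE-NODEPORTS -> KUBE-SVC-* -> KUBE-SEP-*
# and print the DNAT destination of every endpoint PORT can reach (one per line; nothing if PORT is unused).
# A service with several endpoints has several KUBE-SEP-* jumps (chosen at random by kube-proxy), so all are printed.
trace_nodeport() {
    jump_targets PREROUTING | grep -qx KUBE-SERVICES || return 1
    jump_targets KUBE-SERVICES | grep -qx KUBE-NODEPORTS || return 1
    for svc in $(jump_targets KUBE-NODEPORTS "--dport $1 " | grep '^KUBE-SVC-'); do
        for sep in $(jump_targets "$svc" | grep '^KUBE-SEP-'); do
            printf '%s\n' "$RULES" | grep -- "^-A $sep .* -j DNAT " \
                | sed -n 's/.*--to-destination \([^ ]*\).*/\1/p'
        done
    done
}

for p in 8080 8443; do
    printf 'node port %s -> %s (masquerade: %s)\n' "$p" "$(trace_nodeport "$p")" \
        "$(masq_marked "$p" && echo yes || echo no)"
done
```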
These are the principles of the iptables NodePort implementation in k8s-service. The editor believes these are knowledge points we may see or use in our daily work, and hopes you can learn more from this article.