Shulou(Shulou.com)06/01 Report--

This article mainly introduces the example analysis of the network model in kubernetes, which is very detailed and has a certain reference value. Friends who are interested must finish it!

Kubernetes is independent of Docker's default network model to form its own network model. The basic principle of the model is that each Pod has an independent IP address, and it is assumed that all Pod are in a directly connected, flat cyberspace. Containers in the same Pod can connect to each other's ports through localhost.

Docker network model

Docker uses Linux bridge to virtualize a Docker bridge (docker0) on the host. When Docker starts a container, it allocates the container's IP according to the network segment of the Docker bridge, and the Docker bridge is the default gateway for each container. Because the containers in the same host are all connected to the same bridge, the containers can communicate directly through the container's IP.

1. Network namespace

To support multiple instances of the network protocol stack, Linux introduces network namespaces into the network stack. These separate protocol stacks are isolated into different namespaces. Network stacks in different namespaces are completely isolated. The network namespace can have its own independent routing table and independent Iptables/Netfilter settings to provide packet forwarding, NAT and IP packet filtering and other functions.

2. Veth

Veth device pair is introduced to communicate between different network namespaces, which can be used to connect the two network namespaces directly.

3. Iptables/Netfilter

Netfilter is a packet processing module in the core layer of Linux operating system. Iptables is an application layer, and its essence is a configuration tool that defines rules, while the core packet interception and forwarding is Netfiler.

Netfilter acts on the network layer, and data packets pass through the five Hook POINT points of Netfilter: PRE_ROUTING, INPUT, OUTPUT, FORWARD, POST_ROUTING. As long as they pass through the local machine, they will pass through one of these five mount points.

The rule composition of iptables, also known as four tables and five chains:

Four tables: filter table (for filtering), nat table (for address translation), mangle table (for modifying packets), raw table (generally in order to no longer let iptables do packet link tracking processing, skip other tables and improve performance)

Five mount points: PRE_ROUTING, INPUT, OUTPUT, FORWARD, POST_ROUTING

Specifically, every iptables rule such as allow / deny or forward must select a mount point and associate a table.

The way to view existing rules in the system is as follows:

Iptables-save: prints the contents of the Iptables in the manner of the command.

Iptables-vnL: displays the contents of the Netfilter table in another format.

4. Network bridge

The bridge is a layer 2 network device, which can parse the received and transmitted messages, read the information of the destination MAC address, and combine with the MAC table recorded by itself to determine the forwarding port of the message.

5. Routin

The routing function is implemented by a routing table maintained by the IP layer. When the host receives the data message, it uses this table to decide what to do. When the data message is received from the network side, the IP layer will first check whether the IP address of the message is the same as that of the host itself. If it is different, and the host is configured with routing, the message will be forwarded, otherwise, the message will be discarded.

View the contents of the LOCAL table:

Ip route show table local type local

Routing table view:

Ip route list

6. Gateway

A Gateway is a gateway through which one network is connected to another. According to different classification standards, there are many kinds of gateways. The gateway in the TCP/IP protocol is the most commonly used.

A gateway is essentially an IP address from one network to other networks. For example, there are network An and network B. the IP address range of network An is "192.168.1.1" 192. 168.1.254 "with a subnet mask of 255.255.255.0, and the IP address range of network B is" 192.168.2.1 "192.168.2.254" with a subnet mask of 255.255.255.0. Without a router, there is no TCP/IP communication between the two networks. Even if the two networks are connected to the same switch (or hub), the TCP/IP protocol will determine that the hosts in the two networks are in different networks according to the subnet mask (255.255.255.0). In order to realize the communication between the two networks, it must be through the gateway.

The Docker bridge is virtual from the host and is not a real network device, and the external network cannot be addressed, which means that the external network cannot directly access the container. If the container wants to be accessible by the external network, it needs to map the container port to the host. Docker run-p *: *

In fact, port mapping is done by adding corresponding rules to the NAT table of iptables, so we change the way the port is mapped to the NAT way.

Third: Kubernetes network model

1. Communication between containers

Pod is a collection of containers. Pod contains containers that run on the same host. These containers will have the same cyberspace. Containers can communicate with each other, and they can access the ports of other containers locally.

2. Inter-Pod communication

The Kubernetes network model is a flat network plane in which Pod, as a network unit, is at the same level as the network of Kubernetes Node.

Pod/ containers on the same Kubernetes Node can communicate natively, but communication between Pod/ containers between Kubernetes Node needs to be enhanced by Docker. Create an overlay network in the container cluster to connect the nodes.

3. Communication from Service to Pod

Service acts as a service agent between Pod and is represented as a single access interface. The network forwarding of requests to Pod,Service is a key part of Kubernetes service scheduling.

IP

It is 10.254.248.68, and the Endpoints corresponding to port 80/TCP contains 10.1.46.2 80, 10.1.77.2, 80; that is, when a request for 10.254.248.68 is requested, it is forwarded to one of these backends.

By creating Iptables rules, Kubernetes Proxy directly redirects the request to access the Service virtual IP to Endpoints. When the Endpoints changes, Kubernetes Proxy refreshes the relevant Iptables rules. In Iptables mode, Kubernetes Proxy is only responsible for monitoring Service and Endpoints and updating Iptables rules. Packet forwarding depends on the Linux kernel, and the default load balancing strategy is random.

The above is all the contents of the article "sample Analysis of Network models in kubernetes". Thank you for reading! Hope to share the content to help you, more related knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.