Binary Deployment of a K8s Cluster, Part 20: Optimizing the flanneld SNAT Rules

Adding iptables rules

  • Optimize the SNAT rule so that traffic between Pods on different compute nodes no longer leaves the cluster network
  • Let Nginx logs show the Pod IP for Pod-to-Pod traffic, rather than the host IP

1 Before optimization

Run on hdss7-21 and hdss7-22.
The iptables rules differ slightly from host to host; when running these on other compute nodes, take care to adjust them for that node.

[root@hdss7-21 ~]# kubectl get pod -o wide
NAME                          READY   STATUS    RESTARTS   AGE     IP           NODE                NOMINATED NODE   READINESS GATES
nginx-test-558df79dc9-ftkmn   1/1     Running   0          7m22s   172.7.22.2   hdss7-22.host.com   <none>           <none>
nginx-test-558df79dc9-vrtgk   1/1     Running   0          7m22s   172.7.21.2   hdss7-21.host.com   <none>           <none>

[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash     
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2

[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

For Pod-to-Pod communication, the log shows the host IP.

2 Starting the optimization

yum -y install iptables-services
systemctl enable iptables
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
iptables -t nat -nvL POSTROUTING

Where the two rules differ:

iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE

Meaning: only packets whose source is a Docker IP in this host's 172.7.21.0/24 range, whose destination IP is not in the 172.7.0.0/16 range, and which do not leave through the docker0 bridge device are SNATed.
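The rule change in section 2, packaged as an added example (this script is mine, not from the original post). It wraps the delete/insert commands so they can be re-run safely on each node, and it checks an iptables-save dump for the expected end state, which is the check a practitioner wants after touching NAT rules: the broad MASQUERADE rule must be gone and the narrowed one present, otherwise cross-node Pod traffic is still rewritten to the host IP and the real client Pod cannot be identified in logs. NODE_SUBNET and CLUSTER_CIDR are assumed parameters (defaults match hdss7-21 in the post); the two sample dumps are constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes NODE_SUBNET is this
# node's Docker/Pod subnet and CLUSTER_CIDR is the cluster-wide Pod CIDR.
NODE_SUBNET="${NODE_SUBNET:-172.7.21.0/24}"
CLUSTER_CIDR="${CLUSTER_CIDR:-172.7.0.0/16}"

# The broad rule Docker installs: every packet from the Pod subnet that does
# not go out docker0 gets its source rewritten to the host IP.
old_rule() { printf '%s\n' "-A POSTROUTING -s $1 ! -o docker0 -j MASQUERADE"; }

# The narrowed rule: identical, except destinations inside the cluster Pod CIDR
# are excluded, so a receiving Pod on another node sees the real Pod IP.
new_rule() { printf '%s\n' "-A POSTROUTING -s $1 ! -d $2 ! -o docker0 -j MASQUERADE"; }

# Idempotent version of the commands in section 2: -C tests whether a rule
# exists before deleting or inserting, so running this twice is harmless.
apply_snat_fix() {
  subnet=$1 cidr=$2
  if iptables -t nat -C POSTROUTING -s "$subnet" ! -o docker0 -j MASQUERADE 2>/dev/null; then
    iptables -t nat -D POSTROUTING -s "$subnet" ! -o docker0 -j MASQUERADE
  fi
  if ! iptables -t nat -C POSTROUTING -s "$subnet" ! -d "$cidr" ! -o docker0 -j MASQUERADE 2>/dev/null; then
    # -I puts the rule first, ahead of any other masquerade rule in the chain.
    iptables -t nat -I POSTROUTING -s "$subnet" ! -d "$cidr" ! -o docker0 -j MASQUERADE
  fi
  iptables-save > /etc/sysconfig/iptables
}

# Verify a ruleset given as iptables-save text on stdin. Succeeds (exit 0)
# only when the broad rule is absent AND the narrowed rule is present.
check_ruleset() {
  subnet=$1 cidr=$2
  dump=$(cat)
  if printf '%s\n' "$dump" | grep -qxF -- "$(old_rule "$subnet")"; then
    return 1   # broad rule still there: cross-node Pod traffic is still SNATed
  fi
  printf '%s\n' "$dump" | grep -qxF -- "$(new_rule "$subnet" "$cidr")"
}

# Constructed sample dumps (not captured from a real node): the POSTROUTING
# chain before and after the change on hdss7-21.
DUMP_BEFORE='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
COMMIT'
DUMP_AFTER='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

case "${1:-}" in
  apply) apply_snat_fix "$NODE_SUBNET" "$CLUSTER_CIDR" ;;
  check) iptables-save | check_ruleset "$NODE_SUBNET" "$CLUSTER_CIDR" && echo "ok" ;;
  *)     # no argument: dry run of the checker against the constructed samples
         printf '%s\n' "$DUMP_BEFORE" | check_ruleset "$NODE_SUBNET" "$CLUSTER_CIDR" && echo "before: ok" || echo "before: not optimized"
         printf '%s\n' "$DUMP_AFTER"  | check_ruleset "$NODE_SUBNET" "$CLUSTER_CIDR" && echo "after: ok"  || echo "after: not optimized" ;;
esac
```

On hdss7-22 run it as `NODE_SUBNET=172.7.22.0/24 sh snat-fix.sh apply`, then `sh snat-fix.sh check`; without arguments it only exercises the checker against the embedded samples and touches no rules.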

3 After optimization

[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash 
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
172.7.22.2 - - [04/Oct/2020:23:14:08 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

The log output now shows the Pod IP.
