Binary Deployment of a K8s Cluster, Part 20: Addons, Optimizing flanneld SNAT Rules

Reader submission 280 2022-10-27


Adding iptables rules

Optimize the SNAT rules so that traffic between Pods on different compute nodes is no longer masqueraded on its way out of the node. With that change the Nginx logs for Pod-to-Pod requests show the Pod's IP rather than the host's IP.

1 Before optimization

Run on hdss7-21 and hdss7-22. The iptables rules differ slightly from host to host (each rule uses that host's own Pod subnet), so adjust them when running on other compute nodes.

[root@hdss7-21 ~]# kubectl get pod -o wide
NAME                          READY   STATUS    RESTARTS   AGE     IP           NODE                NOMINATED NODE   READINESS GATES
nginx-test-558df79dc9-ftkmn   1/1     Running   0          7m22s   172.7.22.2   hdss7-22.host.com
nginx-test-558df79dc9-vrtgk   1/1     Running   0          7m22s   172.7.21.2   hdss7-21.host.com

[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2

[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

For Pod-to-Pod traffic the log shows the host's IP (10.4.7.22 here), not the Pod's IP.

2 Applying the optimization

yum -y install iptables-services
systemctl enable iptables
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
iptables -t nat -nvL POSTROUTING

What changed:
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
Meaning: SNAT is applied only to packets whose source is a docker IP on this host in 172.7.21.0/24, whose destination is not in 172.7.0.0/16, and which do not leave through the docker0 bridge device. Pod-to-Pod traffic bound for another node now keeps its Pod source address.
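The following is an added example, not a script from the original post: a small POSIX shell helper that audits iptables-save output for the narrowed rule and applies the change idempotently, checking with iptables -C before deleting or inserting. POD_CIDR (this node's Pod subnet) and CLUSTER_CIDR (the cluster-wide Pod range) are assumed parameters; the rule text and the /etc/sysconfig/iptables path follow the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed parameters:
#   POD_CIDR     - this node's own Pod subnet (172.7.21.0/24 on hdss7-21)
#   CLUSTER_CIDR - the cluster-wide Pod range (172.7.0.0/16)

# Original rule: SNAT everything from the node's Pods unless it leaves via docker0.
broad_rule() {   # $1 = POD_CIDR
    printf '%s' "-s $1 ! -o docker0 -j MASQUERADE"
}

# Narrowed rule: additionally skip SNAT when the destination is another Pod.
narrow_rule() {  # $1 = POD_CIDR, $2 = CLUSTER_CIDR
    printf '%s' "-s $1 ! -d $2 ! -o docker0 -j MASQUERADE"
}

# Audit: read iptables-save output on stdin; succeed (0) only if the narrowed
# rule is present in nat POSTROUTING and the broad rule is gone.
audit_snat() {   # $1 = POD_CIDR, $2 = CLUSTER_CIDR
    broad="-A POSTROUTING $(broad_rule "$1")"
    narrow="-A POSTROUTING $(narrow_rule "$1" "$2")"
    saved=$(cat)
    printf '%s\n' "$saved" | grep -Fxq -- "$narrow" || return 1
    if printf '%s\n' "$saved" | grep -Fxq -- "$broad"; then return 1; fi
    return 0
}

# Apply (root only): check with -C before -D/-I so re-running never duplicates
# the rule, then persist the ruleset as the post does.
apply_snat() {   # $1 = POD_CIDR, $2 = CLUSTER_CIDR
    # shellcheck disable=SC2046  # splitting the rule spec into args is intended
    if iptables -t nat -C POSTROUTING $(broad_rule "$1") 2>/dev/null; then
        iptables -t nat -D POSTROUTING $(broad_rule "$1")
    fi
    iptables -t nat -C POSTROUTING $(narrow_rule "$1" "$2") 2>/dev/null ||
        iptables -t nat -I POSTROUTING $(narrow_rule "$1" "$2")
    iptables-save > /etc/sysconfig/iptables
    iptables-save -t nat | audit_snat "$1" "$2"
}

# Usage on a node, as root:  sh snat.sh --apply 172.7.21.0/24 172.7.0.0/16
if [ "${1:-}" = "--apply" ]; then
    apply_snat "$2" "$3" && echo "SNAT rule narrowed on this node"
fi
```

audit_snat can also be fed a saved rules file copied from any node to verify that the change was applied there with that node's own subnet.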

3 After optimization

[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2

[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
172.7.22.2 - - [04/Oct/2020:23:14:08 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

The log now records the Pod's IP (172.7.22.2) instead of the host's.
