kube & iptables

kubernetes简单介绍

http://dockone.io/article/932

虽然paas层用的openshift，实际上是封装kubernetes.

For some parts of your applications you may wantto expose a Service onto an external IP address. Kubernetes supports two waysof doing this: NodePorts and LoadBalancers..在我们的实现里面用的是node port这种方式。底层好像也是用iptables来实现的， 可以这样才看下

sudo iptables -L KUBE-NODEPORT-CONTAINER -t nat

 

target    prot opt source              destination

REDIRECT  tcp  --  anywhere             anywhere             /* default/test-server: */ tcpdpt:ndmps redir ports 35752

REDIRECT  tcp  --  anywhere             anywhere             /* default/consulhttp: */ tcpdpt:30850 redir ports 44005

REDIRECT  tcp  --  anywhere             anywhere             /* default/ test -http-http: */ tcpdpt:30004 redir ports 45898

REDIRECT  tcp  --  anywhere             anywhere             /* default/ test -http-1axmlv2: */tcp dpt:30003 redir ports 39764

REDIRECT  tcp  --  anywhere             anywhere             /* default/ test -tcil-iso9735: */tcp dpt:pago-services1 redir ports 34921

我们开的nodeport是30850，30004这些，然后后面有redirection。

 

https://github.com/kubernetes/kubernetes/wiki/Services-FAQ

 

 

openport的command

 

iptables-t nat -N KUBE-NODEPORT-CONTAINER-MARK（先定义一个新的chain KUBE-NODEPORT-CONTAINER-MARK）

iptables-t nat -I PREROUTING -m addrtype --dst-type LOCAL -jKUBE-NODEPORT-CONTAINER-MARK

 

iptables-A OS_FIREWALL_ALLOW -m state --state NEW -m mark --mark 0x42 -j ACCEPT

 

iptables-t nat -I KUBE-NODEPORT-CONTAINER-MARK 1 -p tcp --dport 30001 -j MARK--set-mark 0x42