k8s部署nginx实例、iptables开放端口_iptables 如何开放端口在nginx上-CSDN博客

本文链接：https://blog.csdn.net/idwtwt/article/details/96011612

1 运行nginx实例

kubectl run nginx --image=nginx --replicas=2 --port=80

2 查看pod

[root@localhost ~]# kubectl get pods
NAME                     READY     STATUS    RESTARTS   AGE
nginx-3449338310-tmlqp   1/1       Running   0          50s
nginx-3449338310-tn7xt   1/1       Running   0          50s

3 查看服务详情

[root@localhost ~]# kubectl  describe pod nginx-3449338310-tmlqp
Name:           nginx-3449338310-tmlqp
Namespace:      default
Node:           127.0.0.1/127.0.0.1
Start Time:     Mon, 15 Jul 2019 07:54:10 -0400
Labels:         pod-template-hash=3449338310
                run=nginx
Status:         Running
IP:             172.17.0.3
Controllers:    ReplicaSet/nginx-3449338310
Containers:
  nginx:
    Container ID:               docker://38d6e64e2b9a5d5936c74eca5d117e6b5a0cf8b9d4d0726ea1e1869be543c10c
    Image:                      nginx
    Image ID:                   docker-pullable://docker.io/nginx@sha256:48cbeee0cb0a3b5e885e36222f969e0a2f41819a68e07aeb6631ca7cb356fed1
    Port:                       80/TCP
    State:                      Running
      Started:                  Mon, 15 Jul 2019 07:54:30 -0400
    Ready:                      True
    Restart Count:              0
    Volume Mounts:              <none>
    Environment Variables:      <none>
Conditions:
  Type          Status
  Initialized   True 
  Ready         True 
  PodScheduled  True 
No volumes.
QoS Class:      BestEffort
Tolerations:    <none>
Events:
  FirstSeen     LastSeen        Count   From                    SubObjectPath           Type            Reason                  Message
  ---------     --------        -----   ----                    -------------           --------        ------                  -------
  2m            2m              1       {default-scheduler }                            Normal          Scheduled               Successfully assigned nginx-3449338310-tmlqp to 127.0.0.1
  2m            2m              1       {kubelet 127.0.0.1}     spec.containers{nginx}  Normal          Pulling                 pulling image "nginx"
  2m            2m              2       {kubelet 127.0.0.1}                             Warning         MissingClusterDNS       kubelet does not have ClusterDNS IP configured and cannot create Pod using "ClusterFirst" policy. Falling back to DNSDefault policy.
  2m            2m              1       {kubelet 127.0.0.1}     spec.containers{nginx}  Normal          Pulled                  Successfully pulled image "nginx"
  2m            2m              1       {kubelet 127.0.0.1}     spec.containers{nginx}  Normal          Created                 Created container with docker id 38d6e64e2b9a; Security:[seccomp=unconfined]
  2m            2m              1       {kubelet 127.0.0.1}     spec.containers{nginx}  Normal          Started                 Started container with docker id 38d6e64e2b9a

4 暴露到集群外可供访问

[root@localhost ~]# kubectl expose deployment/nginx --type="NodePort" --port 80
service "nginx" exposed

[root@localhost ~]# kubectl get service/nginx
NAME      CLUSTER-IP       EXTERNAL-IP   PORT(S)        AGE
nginx     10.254.121.216   <nodes>       80:32757/TCP   1m

访问32757端口

不能访问，原因是为了安全起见， docker 在 1.13 版本之后，将系统iptables 中 FORWARD 链的默认策略设置为 DROP，并为连接到 docker0 网桥的容器添加了放行规则：

可以添加该端口到白名单：

[root@localhost ~]# iptables -I FORWARD -p tcp --sport 32757 -j ACCEPT
[root@localhost ~]# iptables -I FORWARD -p tcp --dport 32757 -j ACCEPT
[root@localhost ~]# iptables -I FORWARD -p tcp --sport 80 -j ACCEPT
[root@localhost ~]# iptables -I FORWARD -p tcp --dport 80 -j ACCEPT