Tanzu Kubernetes Cluster load balancer Service

最新推荐文章于 2022-02-13 16:58:32 发布

Etaon

最新推荐文章于 2022-02-13 16:58:32 发布

阅读量464

点赞数

分类专栏： NSX-T TKG K8S 文章标签： kubernetes iptables NSX-T

本文链接：https://blog.csdn.net/weixin_43394724/article/details/119220050

版权

NSX-T 同时被 3 个专栏收录

16 篇文章 28 订阅

订阅专栏

K8S

15 篇文章 2 订阅

订阅专栏

TKG

7 篇文章 1 订阅

订阅专栏

本文记录Tanzu Kubernetes Cluster 以Load balancer方式对外提供Service的细节。

实验环境

沿用NSX-T 为vSphere with Tanzu提供网络支撑

项目	描述	备注
vSphere	vSphere7.0u2a	17867351
vCenter	VCSA-.7.0.2	17920168
NSX-T Datacenter	3.1.2.1.0	17975795
Tanzu	1.3.1

IP地址分配

名称	说明	本实验使用	备注
Pods	命名空间中工作负载的私有 IPv4 地址池，为pod/TKG VM提供地址	172.211.0.0/16
Services	服务 IPv4 地址池，用于通过 K8s ClusterIP 在命名空间内的服务	172.96.0.0/16
Ingress	公共 IPv4 地址池，通过 K8s 类型负载均衡器、Ingress 和 Cloudprovider 负载均衡器，为Tanzu Kubernetes 集群和 Supervisor 集群提供 Supervisor 集群之外的服务	172.80.0.0/16
Egress	公共 IPv4 地址池，用于 Supervisor 集群向外的 NAT 流量	172.60.0.0/16
TKG pods	TKG集群内的私有IP地址池，为pod提供地址	10.96.0.0/11	Antrea提供
TKG Services	TKG内部Service的Cluster IP地址	100.64.0.0/16	Antrea提供

TKG使用的实验用例yaml

在TKG Cluster内部使用如下yaml建立deployment和service

apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: hello-kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 4
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      imagePullSecrets:
      - name: harbor-registry-secret
      containers:
      - name: hello-kubernetes
        image: 172.80.88.4/ns-dev/hello-kubernetes:1.5
        ports:
        - containerPort: 8080
        env:
        - name: MESSAGE
          value: I just deployed a PodVM on the Tanzu Kubernetes Cluster!!

结果记录

Pod及Service创建情况

[root@hop ~]# kubectl get pod -owide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
hello-kubernetes-6cd455cc47-7w5jf 1/1 Running 0 39d 10.96.4.4 tkg-cluster-01-workers-vqv9h-dfb456585-lqz4s
hello-kubernetes-6cd455cc47-jw666 1/1 Running 0 39d 10.96.0.5 tkg-cluster-01-workers-vqv9h-dfb456585-mg2g7
hello-kubernetes-6cd455cc47-q7w4b 1/1 Running 0 39d 10.96.0.4 tkg-cluster-01-workers-vqv9h-dfb456585-mg2g7
hello-kubernetes-6cd455cc47-wm4lw 1/1 Running 0 37d 10.96.1.3 tkg-cluster-01-workers-vqv9h-dfb456585-8hmz8
test-pd 1/1 Running 0 27d 10.96.0.6 tkg-cluster-01-workers-vqv9h-dfb456585-mg2g7

[root@hop ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-kubernetes LoadBalancer 100.64.136.105 172.80.88.7 80:32762/TCP 39d
kubernetes ClusterIP 100.64.0.1 443/TCP 64d
supervisor ClusterIP None 6443/TCP 64d

以上信息我们可以看到

对外提供Service的地址是：172.80.88.7
内部Service的Cluster IP是：100.64.136.105
对外提供80端口，内部是32762端口

外部Web

我们把四个Pod都刷到了！
在这里插入图片描述

NSX-T上面观察LB

在这里插入图片描述

以上信息表面：

从NSX-T角度对外提供172.80.88.7：80的服务
NSX-T为LB建立一个Pool，该pool看到的是TKG VM，使用NodePort指定服务

服务如何指向pod

真正提供服务的是pod，该组pods的网络是由Antrea提供
在这里插入图片描述

查看OVS

选择一个VM中的antrea-pod

[root@hop ~]# kubectl exec -n kube-system -it antrea-agent-62ts6 -c antrea-ovs – ovs-ofctl show br-int
OFPT_FEATURES_REPLY (xid=0x2): dpid:00006e2c7246ef4b
n_tables:254, n_buffers:0
capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
actions: output enqueue set_vlan_vid set_vlan_pcp strip_vlan mod_dl_src mod_dl_dst mod_nw_src mod_nw_dst mod_nw_tos mod_tp_src mod_tp_dst
1(antrea-tun0): addr:1a:d6:b5:98:43:23
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
2(antrea-gw0): addr:ae:d8:c3:ae:8a:a9
config: 0
state: 0
speed: 0 Mbps now, 0 Mbps max
3(coredns–1de91c): addr:8e:35:ca:da:10:83
config: 0
state: 0
current: 10GB-FD COPPER
speed: 10000 Mbps now, 0 Mbps max
4(vsphere–94f0df): addr:2e:8c:0c:e7:1c:fd
config: 0
state: 0
current: 10GB-FD COPPER
speed: 10000 Mbps now, 0 Mbps max
5(hello-ku-0f40e6): addr:ba:75:2e:fd:9f:70
config: 0
state: 0
current: 10GB-FD COPPER
speed: 10000 Mbps now, 0 Mbps max
6(hello-ku-102fde): addr:4a:4d:fe:f7:3f:0d
config: 0
state: 0
current: 10GB-FD COPPER
speed: 10000 Mbps now, 0 Mbps max
7(test-pd-0ec60a): addr:b6:df:fe:3a:d6:62
config: 0
state: 0
current: 10GB-FD COPPER
speed: 10000 Mbps now, 0 Mbps max
OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0

以上信息可以清楚的看到OVS的端口发布情况：

port1是trun0
port2是gw0
port5、6是示例pod的端口

查看IPtables表

Antrea是使用iptables（kube-proxy）来提供Service功能，所以我们在Node上查看IPtables，有关如何登陆TKG Node，请查看How to SSH to the Tanzu Kubernetes Cluster Nodes

vmware-system-user@tkg-cluster-01-workers-vqv9h-dfb456585-mg2g7 [ ~ ]$ sudo iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all – 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all – 0.0.0.0/0 0.0.0.0/0 /* kubernetes service portals */

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
KUBE-POSTROUTING all – 0.0.0.0/0 0.0.0.0/0 /* kubernetes postrouting rules /
ANTREA-POSTROUTING all – 0.0.0.0/0 0.0.0.0/0 / Antrea: jump to Antrea postrouting rules /
Chain ANTREA-POSTROUTING (1 references)
target prot opt source destination
MASQUERADE all – 10.96.0.0/24 0.0.0.0/0 / Antrea: masquerade pod to external packets / ! match-set ANTREA-POD-IP dst
Chain KUBE-FW-XM7DIBVJQPJ3TSDT (1 references) target prot opt source destination KUBE-MARK-MASQ all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes loadbalancer IP */ KUBE-SVC-XM7DIBVJQPJ3TSDT all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes loadbalancer IP */ KUBE-MARK-DROP all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes loadbalancer IP */
Chain KUBE-KUBELET-CANARY (0 references)
target prot opt source destination
Chain KUBE-MARK-DROP (1 references)
target prot opt source destination
MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x8000
Chain KUBE-MARK-MASQ (24 references)
target prot opt source destination
MARK all – 0.0.0.0/0 0.0.0.0/0 MARK or 0x4000
Chain KUBE-NODEPORTS (1 references) target prot opt source destination KUBE-MARK-MASQ tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ tcp dpt:32762 KUBE-SVC-XM7DIBVJQPJ3TSDT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ tcp dpt:32762
Chain KUBE-POSTROUTING (1 references)
target prot opt source destination
RETURN all – 0.0.0.0/0 0.0.0.0/0 mark match ! 0x4000/0x4000
MARK all – 0.0.0.0/0 0.0.0.0/0 MARK xor 0x4000
MASQUERADE all – 0.0.0.0/0 0.0.0.0/0 / kubernetes service traffic requiring SNAT / random-fully
Chain KUBE-PROXY-CANARY (0 references)
target prot opt source destination
Chain KUBE-SEP-4AOHSCTDEETDC334 (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.4.3 0.0.0.0/0 / kube-system/kube-dns:dns /
DNAT udp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns / udp to:10.96.4.3:53
Chain KUBE-SEP-7MGGW6LIQYM2AEZM (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.0.2 0.0.0.0/0 / kube-system/kube-dns:dns /
DNAT udp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns / udp to:10.96.0.2:53
Chain KUBE-SEP-BAEMDSCADA7MFLF6 (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 172.211.0.71 0.0.0.0/0 / default/kubernetes:https /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / default/kubernetes:https / tcp to:172.211.0.71:6443
Chain KUBE-SEP-C5JUJ7G3IEKY63Q2 (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.4.3 0.0.0.0/0 / kube-system/kube-dns:dns-tcp /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns-tcp / tcp to:10.96.4.3:53
Chain KUBE-SEP-H4R2CT6HM6EFNIJJ (1 references) target prot opt source destination KUBE-MARK-MASQ all -- 10.96.0.5 0.0.0.0/0 /* default/hello-kubernetes */ DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ tcp to:10.96.0.5:8080 Chain KUBE-SEP-HU5MDV4BUZFHSUJC (1 references) target prot opt source destination KUBE-MARK-MASQ all -- 10.96.0.4 0.0.0.0/0 /* default/hello-kubernetes */ DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ tcp to:10.96.0.4:8080
Chain KUBE-SEP-KPJ3BBKAZPHMYFTG (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.0.2 0.0.0.0/0 / kube-system/kube-dns:metrics /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:metrics / tcp to:10.96.0.2:9153
Chain KUBE-SEP-LIVJA523RKC6LSVI (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.5.4 0.0.0.0/0 / vmware-system-csi/vsphere-csi-controller:syncer /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / vmware-system-csi/vsphere-csi-controller:syncer / tcp to:10.96.5.4:2113
Chain KUBE-SEP-MH6Q7TDG4GD3GZT6 (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 172.211.0.67 0.0.0.0/0 / kube-system/antrea /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / kube-system/antrea / tcp to:172.211.0.67:10349
Chain KUBE-SEP-N55QOV3APYFANXKA (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.5.4 0.0.0.0/0 / vmware-system-csi/vsphere-csi-controller:ctlr /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / vmware-system-csi/vsphere-csi-controller:ctlr / tcp to:10.96.5.4:2112
Chain KUBE-SEP-N7SD7XOQOSKLNZUL (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.4.3 0.0.0.0/0 / kube-system/kube-dns:metrics /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:metrics / tcp to:10.96.4.3:9153
Chain KUBE-SEP-NR26ZMIMIRVTQMOT (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.1.3 0.0.0.0/0 / default/hello-kubernetes /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / default/hello-kubernetes / tcp to:10.96.1.3:8080
Chain KUBE-SEP-TJMM3PWXZKCELOTO (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.0.2 0.0.0.0/0 / kube-system/kube-dns:dns-tcp /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns-tcp / tcp to:10.96.0.2:53
Chain KUBE-SEP-WBYNSHOG7M44Q3HZ (1 references)
target prot opt source destination
KUBE-MARK-MASQ all – 10.96.4.4 0.0.0.0/0 / default/hello-kubernetes /
DNAT tcp – 0.0.0.0/0 0.0.0.0/0 / default/hello-kubernetes / tcp to:10.96.4.4:8080
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.64.0.10 / kube-system/kube-dns:dns-tcp cluster IP / tcp dpt:53
KUBE-SVC-ERIFXISQEP7F7OF4 tcp – 0.0.0.0/0 100.64.0.10 / kube-system/kube-dns:dns-tcp cluster IP / tcp dpt:53
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.64.0.10 / kube-system/kube-dns:metrics cluster IP / tcp dpt:9153
KUBE-SVC-JD5MR3NA4I4DYORP tcp – 0.0.0.0/0 100.64.0.10 / kube-system/kube-dns:metrics cluster IP / tcp dpt:9153
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.71.165.12 / vmware-system-csi/vsphere-csi-controller:ctlr cluster IP / tcp dpt:211
KUBE-SVC-MRLSHM6RP645F575 tcp – 0.0.0.0/0 100.71.165.12 / vmware-system-csi/vsphere-csi-controller:ctlr cluster IP /
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.71.165.12 / vmware-system-csi/vsphere-csi-controller:syncer cluster IP / tcp dpt:2
KUBE-SVC-AAQCXBCVUR2XJIMS tcp – 0.0.0.0/0 100.71.165.12 / vmware-system-csi/vsphere-csi-controller:syncer cluster IP *
KUBE-MARK-MASQ tcp -- !10.96.0.0/11 100.64.136.105 /* default/hello-kubernetes cluster IP */ tcp dpt:80
KUBE-SVC-XM7DIBVJQPJ3TSDT tcp -- 0.0.0.0/0 100.64.136.105 /* default/hello-kubernetes cluster IP */ tcp dpt:80 KUBE-FW-XM7DIBVJQPJ3TSDT tcp -- 0.0.0.0/0 172.80.88.7 /* default/hello-kubernetes loadbalancer IP */ tcp dpt:80
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.64.0.1 /* default/kubernetes:https cluster IP / tcp dpt:443
KUBE-SVC-NPX46M4PTMTKRN6Y tcp – 0.0.0.0/0 100.64.0.1 / default/kubernetes:https cluster IP / tcp dpt:443
KUBE-MARK-MASQ tcp – !10.96.0.0/11 100.65.211.79 / kube-system/antrea cluster IP / tcp dpt:443
KUBE-SVC-QDWG4LJGNBTOT5ED tcp – 0.0.0.0/0 100.65.211.79 / kube-system/antrea cluster IP / tcp dpt:443
KUBE-MARK-MASQ udp – !10.96.0.0/11 100.64.0.10 / kube-system/kube-dns:dns cluster IP / udp dpt:53
KUBE-SVC-TCOU7JCQXEZGVUNU udp – 0.0.0.0/0 100.64.0.10 / kube-system/kube-dns:dns cluster IP / udp dpt:53
KUBE-NODEPORTS all – 0.0.0.0/0 0.0.0.0/0 / kubernetes service nodeports; NOTE: this must be the last rule in this
Chain KUBE-SVC-AAQCXBCVUR2XJIMS (1 references)
target prot opt source destination
KUBE-SEP-LIVJA523RKC6LSVI all – 0.0.0.0/0 0.0.0.0/0 /* vmware-system-csi/vsphere-csi-controller:syncer /
Chain KUBE-SVC-ERIFXISQEP7F7OF4 (1 references)
target prot opt source destination
KUBE-SEP-TJMM3PWXZKCELOTO all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns-tcp / statistic mode random probab
KUBE-SEP-C5JUJ7G3IEKY63Q2 all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns-tcp /
Chain KUBE-SVC-JD5MR3NA4I4DYORP (1 references)
target prot opt source destination
KUBE-SEP-KPJ3BBKAZPHMYFTG all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:metrics / statistic mode random probab
KUBE-SEP-N7SD7XOQOSKLNZUL all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:metrics /
Chain KUBE-SVC-MRLSHM6RP645F575 (1 references)
target prot opt source destination
KUBE-SEP-N55QOV3APYFANXKA all – 0.0.0.0/0 0.0.0.0/0 / vmware-system-csi/vsphere-csi-controller:ctlr /
Chain KUBE-SVC-NPX46M4PTMTKRN6Y (1 references)
target prot opt source destination
KUBE-SEP-BAEMDSCADA7MFLF6 all – 0.0.0.0/0 0.0.0.0/0 / default/kubernetes:https /
Chain KUBE-SVC-QDWG4LJGNBTOT5ED (1 references)
target prot opt source destination
KUBE-SEP-MH6Q7TDG4GD3GZT6 all – 0.0.0.0/0 0.0.0.0/0 / kube-system/antrea /
Chain KUBE-SVC-TCOU7JCQXEZGVUNU (1 references)
target prot opt source destination
KUBE-SEP-7MGGW6LIQYM2AEZM all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns / statistic mode random probabilit
KUBE-SEP-4AOHSCTDEETDC334 all – 0.0.0.0/0 0.0.0.0/0 / kube-system/kube-dns:dns */
Chain KUBE-SVC-XM7DIBVJQPJ3TSDT (3 references) target prot opt source destination KUBE-SEP-HU5MDV4BUZFHSUJC all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ statistic mode random probabilit KUBE-SEP-H4R2CT6HM6EFNIJJ all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ statistic mode random probabilit KUBE-SEP-NR26ZMIMIRVTQMOT all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */ statistic mode random probabilit KUBE-SEP-WBYNSHOG7M44Q3HZ all -- 0.0.0.0/0 0.0.0.0/0 /* default/hello-kubernetes */

我们把上图标红的地方整理一下：

Chain KUBE-SVC-XM7DIBVJQPJ3TSDT (3 references) 该表项在每个VM的IPtables表中一致

target	prot	opt	source	destination
`KUBE-SEP-HU5MDV4BUZFHSUJC`	all	–	0.0.0.0/0	0.0.0.0/0
KUBE-SEP-H4R2CT6HM6EFNIJJ	all	–	0.0.0.0/0	0.0.0.0/0
KUBE-SEP-NR26ZMIMIRVTQMOT	all	–	0.0.0.0/0	0.0.0.0/0
KUBE-SEP-WBYNSHOG7M44Q3HZ	all	–	0.0.0.0/0	0.0.0.0/0

服务Chain ：KUBE-SVC-XM7DIBVJQPJ3TSDT包括了4个target
分析第一个target：Chain KUBE-SEP-HU5MDV4BUZFHSUJC (1 references)

target	prot	opt	source	destination
KUBE-MARK-MASQ	all	–	10.96.0.4	0.0.0.0/0	/* default/hello-kubernetes */
DNAT	tcp	–	0.0.0.0/0	0.0.0.0/0	/* default/hello-kubernetes */ tcp to:10.96.0.4:8080`

这个target最终指向了提供服务的pod及其端口10.96.0.4:8080。
同样的，我们可以找到10.96.0.5:8080，这两个都是本Node的pod

Cluster IP

target	prot	opt	source	destination
KUBE-MARK-MASQ	tcp	–	!10.96.0.0/11	100.64.136.105	/* default/hello-kubernetes cluster IP */ tcp dpt:80`
`KUBE-SVC-XM7DIBVJQPJ3TSDT`	tcp	–	0.0.0.0/0	100.64.136.105	/* default/hello-kubernetes cluster IP */ tcp dpt:80
`KUBE-FW-XM7DIBVJQPJ3TSDT`	tcp	–	0.0.0.0/0	172.80.88.7	/* default/hello-kubernetes loadbalancer IP */ tcp dpt:80

这个表清楚给出了Cluster IP和外部IP以及相应的target：KUBE-FW-XM7DIBVJQPJ3TSDT，并没有指定pod，说明所有pod会参与服务，事实上我们也在web前端刷到所有pod。

NodePort

Chain KUBE-NODEPORTS (1 references)

target	prot	opt	source	destination
KUBE-MARK-MASQ	tcp	–	0.0.0.0/0	0.0.0.0/0	/* default/hello-kubernetes */ tcp dpt:32762
`KUBE-SVC-XM7DIBVJQPJ3TSDT`	tcp	–	0.0.0.0/0	0.0.0.0/0	/* default/hello-kubernetes */ tcp dpt:32762`

该表给出NodePort和target的联系。
我们再回头看

[root@hop ~]# kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
hello-kubernetes LoadBalancer 100.64.136.105 172.80.88.7 80:32762/TCP 39d

和IPtables表中的相关项有对应关系。
在这里插入图片描述