Relationship between Pods and Services
The mapping from a Service to its Pods can be found by inspecting the svc and ep objects.
View the Services
[root@master demo]# kubectl get svc # list the Services in the default namespace
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
elasticsearch ClusterIP 10.0.0.111 <none> 9200/TCP 42m
kubernetes ClusterIP 10.0.0.1 <none> 443/TCP 108m
View the Endpoints
[root@master demo]# kubectl get ep # list the Endpoints in the namespace (the pod IP:port pairs behind each Service)
NAME ENDPOINTS AGE
elasticsearch 10.224.1.29:9200 42m
kubernetes 119.45.35.170:6443 109m
Service network proxy modes
iptables: Service forwarding is implemented with iptables rules
# Check the OUTPUT chain of the nat table: it jumps to the sub-chain KUBE-SERVICES
[root@king ~]# iptables -t nat -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
KUBE-SERVICES all -- anywhere anywhere /* kubernetes service portals */
DOCKER all -- anywhere !loopback/8 ADDRTYPE match dst-type LOCAL
# Inspect the KUBE-SERVICES chain; it lists the outbound rules for every Service IP
[root@king ~]# iptables -t nat -L KUBE-SERVICES
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-MARK-MASQ udp -- anywhere 10.0.0.2 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-SVC-TCOU7JCQXEZGVUNU udp -- anywhere 10.0.0.2 /* kube-system/kube-dns:dns cluster IP */ udp dpt:domain
KUBE-MARK-MASQ tcp -- anywhere 10.0.0.2 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-SVC-ERIFXISQEP7F7OF4 tcp -- anywhere 10.0.0.2 /* kube-system/kube-dns:dns-tcp cluster IP */ tcp dpt:domain
KUBE-MARK-MASQ tcp -- anywhere 10.0.0.2 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-SVC-JD5MR3NA4I4DYORP tcp -- anywhere 10.0.0.2 /* kube-system/kube-dns:metrics cluster IP */ tcp dpt:9153
KUBE-MARK-MASQ tcp -- anywhere 10.0.0.111 /* default/elasticsearch: cluster IP */ tcp dpt:wap-wsp
KUBE-SVC-PYQCHYHB3UFIKOME tcp -- anywhere 10.0.0.111 /* default/elasticsearch: cluster IP */ tcp dpt:wap-wsp
# Follow one of the 10.0.0.111 forwarding rules; the first column is the iptables target (the action, here a jump to the Service chain)
[root@king ~]# iptables -t nat -L KUBE-SVC-PYQCHYHB3UFIKOME
Chain KUBE-SVC-PYQCHYHB3UFIKOME (1 references)
target prot opt source destination
KUBE-SEP-DIPLF5TUSOOIU2IB all -- anywhere anywhere
# The rule matches everything (no source/destination restriction) and jumps to the sub-chain KUBE-SEP-DIPLF5TUSOOIU2IB
[root@king ~]# iptables -t nat -L KUBE-SEP-DIPLF5TUSOOIU2IB
Chain KUBE-SEP-DIPLF5TUSOOIU2IB (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.224.1.29 anywhere
DNAT tcp -- anywhere anywhere tcp to:10.224.1.29:9200
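The chain walk above (KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* -> DNAT) can be automated to verify that what kube-proxy programmed into the nat table matches what `kubectl get ep` declares. The following is an added example, not code from the page or from Kubernetes; it parses plain `iptables -t nat -L <chain>` output, and the sample text is constructed from the listings shown above.

```python
from collections import defaultdict

# Constructed sample: the relevant `iptables -t nat -L` listings from the page,
# concatenated into one text so the parser can run offline.
SAMPLE = """\
Chain KUBE-SERVICES (2 references)
target prot opt source destination
KUBE-MARK-MASQ tcp -- anywhere 10.0.0.111 /* default/elasticsearch: cluster IP */ tcp dpt:wap-wsp
KUBE-SVC-PYQCHYHB3UFIKOME tcp -- anywhere 10.0.0.111 /* default/elasticsearch: cluster IP */ tcp dpt:wap-wsp
Chain KUBE-SVC-PYQCHYHB3UFIKOME (1 references)
target prot opt source destination
KUBE-SEP-DIPLF5TUSOOIU2IB all -- anywhere anywhere
Chain KUBE-SEP-DIPLF5TUSOOIU2IB (1 references)
target prot opt source destination
KUBE-MARK-MASQ all -- 10.224.1.29 anywhere
DNAT tcp -- anywhere anywhere tcp to:10.224.1.29:9200
"""

def parse_chains(text):
    """Split `iptables -L` output into {chain name: [rule tokens]}; header rows are skipped."""
    chains, current = defaultdict(list), None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
        elif current and line.strip() and not line.startswith("target "):
            chains[current].append(line.split())
    return chains

def resolve_backends(chains, cluster_ip):
    """Walk KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-* for one ClusterIP and
    return the sorted DNAT targets, i.e. the real pod IP:port pairs."""
    svc_chains = [r[0] for r in chains["KUBE-SERVICES"]
                  if len(r) > 4 and r[4] == cluster_ip and r[0].startswith("KUBE-SVC-")]
    sep_chains = [r[0] for svc in svc_chains for r in chains[svc]
                  if r[0].startswith("KUBE-SEP-")]
    backends = set()
    for sep in sep_chains:
        for r in chains[sep]:
            if r[0] == "DNAT":
                backends.update(t[3:] for t in r if t.startswith("to:"))
    return sorted(backends)

def compare_with_endpoints(chains, cluster_ip, declared):
    """declared: the ENDPOINTS column from `kubectl get ep` for this Service.
    Returns (missing, unexpected): declared endpoints that have no DNAT rule
    (kube-proxy out of sync), and DNAT targets that are not declared (stale or foreign rules)."""
    programmed = set(resolve_backends(chains, cluster_ip))
    declared = set(declared)
    return sorted(declared - programmed), sorted(programmed - declared)
```

On a real node, feed it the output of `iptables -t nat -L KUBE-SERVICES` plus the referenced KUBE-SVC-* and KUBE-SEP-* chains; a non-empty result on either side is worth an alert.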
ipvs: use ipvsadm to view the IPVS forwarding table
[root@master demo]# ipvsadm -ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.0.0.1:443 rr
-> 119.45.35.170:6443 Masq 1 1 0
TCP 10.0.0.2:53 rr
-> 10.224.1.22:53 Masq 1 0 0
TCP 10.0.0.2:9153 rr
-> 10.224.1.22:9153 Masq 1 0 0
TCP 10.0.0.111:9200 rr
-> 10.224.1.29:9200 Masq 1 0 0
UDP 10.0.0.2:53 rr
-> 10.224.1.22:53 Masq 1 0 0
Pros and cons of iptables versus ipvs
- Service forwarding in iptables mode starts from the KUBE-SERVICES chain of the nat table
- iptables mode creates a large number of rules, and they are updated incrementally
- iptables rule updates and packet matching are linear traversals, so latency grows with the rule count and efficiency drops when there are many rules
- iptables is relatively flexible and powerful
- ipvs rules are simpler and clearer to read than iptables rules
- ipvs works inside the kernel and offers better load-balancing performance
- ipvs provides a rich set of scheduling algorithms: rr, wrr, lc, wlc, ip hash
Service creation template
apiVersion: v1
kind: Service
metadata:
  name: service-name # must be a valid DNS-1123 name (lowercase, digits and '-'; no underscores)
  namespace: default
spec:
  clusterIP: 10.0.0.1 # optionally pin a ClusterIP; it must be unused and inside the service CIDR (10.0.0.1 is already taken by the kubernetes Service above)
  ports:
  - name: http
    protocol: TCP # the protocol value is case-sensitive: TCP, UDP or SCTP
    port: 80 # port exposed by the Service
    targetPort: 80 # container port
  selector: # pods are matched to the Service by label
    all: nginx
Main functions of a Service
- Dynamically tracks pod IPs and provides a stable access entry point, so pods are not lost when they are rescheduled (service discovery)
- Defines an access policy for a group of Pods and load-balances across the backends through one of two proxy modes, ipvs or iptables
- Supports three types: ClusterIP, NodePort and LoadBalancer
Service types
- ClusterIP
  - The default. Allocates a cluster-internal VIP
- NodePort
  - Given known node IPs and ports, an LVS load balancer can be placed in front
  - User -> domain name -> load balancer -> NodeIP:Port -> PodIP:Port
- LoadBalancer
  - Works on specific cloud providers, such as AWS and Google Cloud