Adding iptables rules
1 Before optimization
Run on hdss7-21 and hdss7-22.
The iptables rules differ slightly from host to host; adjust them accordingly when running on the other compute nodes.
[root@hdss7-21 ~]# kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nginx-test-558df79dc9-ftkmn 1/1 Running 0 7m22s 172.7.22.2 hdss7-22.host.com <none> <none>
nginx-test-558df79dc9-vrtgk 1/1 Running 0 7m22s 172.7.21.2 hdss7-21.host.com <none> <none>
[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
When one pod talks to another, the access log shows the host IP (10.4.7.22) rather than the pod IP.
2 Optimization
yum -y install iptables-services
systemctl enable iptables
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
iptables -t nat -nvL POSTROUTING
The lines that differ from host to host:
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
Meaning: a packet is SNATed (MASQUERADE) only if its source is a docker IP in 172.7.21.0/24, its destination is not in 172.7.0.0/16, and it is not leaving through the docker0 bridge. Pod-to-pod traffic inside 172.7.0.0/16 therefore keeps its pod source address, while traffic leaving the cluster network is still masqueraded behind the host IP.
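As an added example (not from the original post), the following script applies the same rule change idempotently on a node, so it can be re-run safely, for instance after dockerd restarts and re-installs its own blanket MASQUERADE rule. The rule it deletes is the one docker creates for its bridge subnet; the rule it inserts is the narrowed one from above. Assumptions, which are mine and not stated by the post: the per-node pod subnet is a /24 on docker0 (172.7.21.0/24 on hdss7-21, 172.7.22.0/24 on hdss7-22), the cluster pod range is 172.7.0.0/16, rules are persisted to /etc/sysconfig/iptables as above, and the function names and the DRY_RUN/POD_CIDR variables are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently replace the blanket
# docker MASQUERADE rule for this node's pod subnet with one that leaves
# pod-to-pod traffic (CLUSTER_CIDR) un-SNATed.
# Assumptions: pod subnet is a /24 on docker0, cluster range is 172.7.0.0/16,
# rules are persisted to /etc/sysconfig/iptables (iptables-services).

CLUSTER_CIDR="${CLUSTER_CIDR:-172.7.0.0/16}"
BRIDGE="${BRIDGE:-docker0}"
SAVE_FILE="${SAVE_FILE:-/etc/sysconfig/iptables}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the iptables commands instead of running them

# bridge_addr: the bridge's IPv4 address with prefix length, e.g. 172.7.21.1/24.
bridge_addr() {
    ip -4 -o addr show "$BRIDGE" | awk '{ print $4; exit }'
}

# pod_cidr_from_bridge_addr ADDR/24: derive the /24 network from the bridge
# address, e.g. 172.7.21.1/24 -> 172.7.21.0/24. Fails (exit 1) for any other
# prefix length so that no rule is ever built for an unexpected subnet.
pod_cidr_from_bridge_addr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF == 5 && $5 == 24 { print $1 "." $2 "." $3 ".0/24"; ok = 1 }
        END { exit !ok }'
}

# apply_snat_rules POD_CIDR: delete every copy of the blanket rule, insert the
# narrowed rule once, and persist. Running it twice changes nothing.
apply_snat_rules() {
    pod_cidr="$1"
    [ -n "$pod_cidr" ] || { echo "usage: apply_snat_rules <pod-cidr>" >&2; return 2; }
    old="-s $pod_cidr ! -o $BRIDGE -j MASQUERADE"
    new="-s $pod_cidr ! -d $CLUSTER_CIDR ! -o $BRIDGE -j MASQUERADE"

    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t nat -D POSTROUTING $old"
        echo "iptables -t nat -I POSTROUTING $new"
        echo "iptables-save > $SAVE_FILE"
        return 0
    fi

    # Word splitting of $old/$new is intended: each word becomes one argument.
    # Docker re-adds its rule when dockerd restarts, so remove all copies.
    while iptables -t nat -C POSTROUTING $old 2>/dev/null; do
        iptables -t nat -D POSTROUTING $old
    done
    # -C returns non-zero when the rule is absent; insert it only in that case.
    iptables -t nat -C POSTROUTING $new 2>/dev/null ||
        iptables -t nat -I POSTROUTING $new
    iptables-save > "$SAVE_FILE"
}

# Usage on a node, as root:  sh snat-rules.sh apply             (subnet taken from docker0)
#                            POD_CIDR=172.7.22.0/24 sh snat-rules.sh apply
if [ "${1:-}" = "apply" ]; then
    cidr="${POD_CIDR:-$(pod_cidr_from_bridge_addr "$(bridge_addr)")}" || exit 1
    apply_snat_rules "$cidr"
    [ "$DRY_RUN" = 1 ] || iptables -t nat -nvL POSTROUTING
fi
```

Run it with DRY_RUN=1 first to see the exact commands it would issue on that node; the only per-node difference is the /24, which is read from docker0 unless POD_CIDR overrides it. The -C checks are what make the script safe to put in a cron job or a node bootstrap step: the blanket rule is removed however many times docker has re-added it, and the narrowed rule is never duplicated.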
3 After optimization
[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
172.7.22.2 - - [04/Oct/2020:23:14:08 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
The log now shows the pod IP (172.7.22.2) instead of the host IP.