Binary deployment of a K8s cluster, part 20: flanneld SNAT rule optimization

Adding iptables rules

  • Optimize the SNAT rule so that pod-to-pod traffic between compute nodes is no longer masqueraded as if it were leaving the cluster
  • Make the Nginx access log show the peer Pod's IP for pod-to-pod requests, instead of the host's IP

1 Before optimization

Run on hdss7-21 and hdss7-22
The iptables rules differ slightly from host to host (each node has its own pod subnet); adjust them when running on other compute nodes.

[root@hdss7-21 ~]# kubectl get pod -o wide
NAME                          READY   STATUS    RESTARTS   AGE     IP           NODE                NOMINATED NODE   READINESS GATES
nginx-test-558df79dc9-ftkmn   1/1     Running   0          7m22s   172.7.22.2   hdss7-22.host.com   <none>           <none>
nginx-test-558df79dc9-vrtgk   1/1     Running   0          7m22s   172.7.21.2   hdss7-21.host.com   <none>           <none>
[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

For pod-to-pod communication, the log shows the source host's IP (10.4.7.22), not the Pod's IP (172.7.22.2).

2 Start optimizing

yum -y install iptables-services
systemctl enable iptables
iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
iptables -t nat -nvL POSTROUTING

What changed:

iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE

iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE

Meaning: the first command deletes the rule flanneld installed, which masquerades everything from this host's docker subnet 172.7.21.0/24 that does not leave through the docker0 bridge. The inserted rule adds one more condition: SNAT is performed only when the source is a docker IP in 172.7.21.0/24, the destination is NOT in the pod network 172.7.0.0/16, and the packet is not leaving through the docker0 bridge device. Traffic to pods on other nodes stays inside 172.7.0.0/16 and is therefore forwarded with its original Pod source IP.
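To make the effect of the extra `! -d 172.7.0.0/16` match concrete, here is a small model of the POSTROUTING decision for both rules. This is an added example, not part of the original post and not flanneld's or iptables' code: it reproduces the match logic of the two rules above in Python so the source address a peer would see can be checked offline, and it also generates the per-node rule pair from a node's pod subnet (the point made earlier that the rules differ per host). The node names, host IPs and pod subnets are taken from the post; the outgoing interface names and the external destination 203.0.113.10 are constructed for the example.

```python
"""Model of the flanneld SNAT (MASQUERADE) decision, before and after the change.

Added example, not part of the original post. It reproduces the matching logic of
the two POSTROUTING rules so their effect on pod-to-pod traffic can be checked
offline; it does not touch iptables.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

CLUSTER_CIDR = ipaddress.ip_network("172.7.0.0/16")  # flannel pod network from the post


@dataclass(frozen=True)
class Node:
    name: str
    host_ip: str     # address MASQUERADE rewrites the source to
    pod_subnet: str  # this node's docker0 subnet, e.g. 172.7.21.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str   # interface the packet leaves through (constructed: "eth0" or "docker0")


def matches_rule(pkt: Packet, node: Node, optimized: bool) -> bool:
    """True if the node's POSTROUTING MASQUERADE rule matches this packet.

    Original rule:  -s <pod_subnet> ! -o docker0 -j MASQUERADE
    Optimized rule: -s <pod_subnet> ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src not in ipaddress.ip_network(node.pod_subnet):  # "-s <pod_subnet>"
        return False
    if pkt.out_iface == "docker0":                        # "! -o docker0"
        return False
    if optimized and dst in CLUSTER_CIDR:                 # "! -d 172.7.0.0/16"
        return False
    return True


def source_seen_by_peer(pkt: Packet, node: Node, optimized: bool) -> str:
    """Source address the receiving side (and its nginx access log) observes."""
    return node.host_ip if matches_rule(pkt, node, optimized) else pkt.src


def rule_commands(node: Node) -> List[str]:
    """The delete/insert pair from the post, generated for a given node's subnet."""
    return [
        f"iptables -t nat -D POSTROUTING -s {node.pod_subnet} ! -o docker0 -j MASQUERADE",
        f"iptables -t nat -I POSTROUTING -s {node.pod_subnet} ! -d {CLUSTER_CIDR} "
        f"! -o docker0 -j MASQUERADE",
    ]


if __name__ == "__main__":
    hdss7_22 = Node("hdss7-22", "10.4.7.22", "172.7.22.0/24")
    # Pod on hdss7-22 curling the pod on hdss7-21, as in the post's test
    pod_to_pod = Packet("172.7.22.2", "172.7.21.2", "eth0")
    # Same pod reaching an address outside the cluster (constructed destination)
    pod_to_external = Packet("172.7.22.2", "203.0.113.10", "eth0")
    for label, optimized in (("before", False), ("after", True)):
        print(label, "pod->pod  :", source_seen_by_peer(pod_to_pod, hdss7_22, optimized))
        print(label, "pod->world:", source_seen_by_peer(pod_to_external, hdss7_22, optimized))
    for cmd in rule_commands(hdss7_22):
        print(cmd)
```

Running it prints the host IP for pod-to-pod traffic before the change and the Pod IP after it, while traffic leaving the cluster is masqueraded in both cases, which is exactly the difference between the two nginx access-log lines in the post.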

3 After optimization

[root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
[root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
172.7.22.2 - - [04/Oct/2020:23:14:08 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"

The new access-log line now shows the Pod's IP (172.7.22.2) instead of the host's IP (10.4.7.22).