kube-ovn 默认vpc snat 出公网
cloudFans
1. 正常情况下
image.png
image.png
image.png
异常情况下
image.png
image.png
image.png
# The node-side rules can be inspected from inside the kube-ovn-cni pod
# (presumably because the cni-server container shares the node's network namespace — confirm).
[root@pc-node-1 test-old-enable-eip-snat]# kubectl exec -it -n kube-system kube-ovn-cni-cmlsp -- /bin/bash
# No container was named, so kubectl falls back to the first one (cni-server); install-cni is an init container.
Defaulted container "cni-server" out of: cni-server, install-cni (init)
root@pc-node-1:/kube-ovn#
# Dump the nat table in iptables-save syntax and keep only the lines containing "set".
# NOTE(review): the grep also hides any rule that does not reference an ipset, so the listing
# below may have gaps; check the unfiltered `iptables -t nat -S OVN-POSTROUTING` before
# reasoning about rule precedence.
root@pc-node-1:/kube-ovn# iptables -t nat -S | grep set
# OVN-POSTROUTING, in evaluation order (the first matching terminal target wins):
# 1) source and destination both in ovn40subnets (presumably the cluster subnets) -> MASQUERADE.
-A OVN-POSTROUTING -m set --match-set ovn40subnets src -m set --match-set ovn40subnets dst -j MASQUERADE
# 2) packets carrying mark 0x80000 (set in OVN-PREROUTING below for local NodePort traffic)
#    with a destination in ovn40subnets-distributed-gw leave the chain without being NATed.
-A OVN-POSTROUTING -m mark --mark 0x80000/0x80000 -m set --match-set ovn40subnets-distributed-gw dst -j RETURN
# 3) traffic from outside both ovn40subnets and ovn40other-node that is headed to an
#    ovn40subnets-nat address is exempted from the SNAT rule that follows.
-A OVN-POSTROUTING -m set ! --match-set ovn40subnets src -m set ! --match-set ovn40other-node src -m set --match-set ovn40subnets-nat dst -j RETURN
# 4) the egress SNAT this post is about: sources in ovn40subnets-nat going anywhere outside
#    ovn40subnets are masqueraded to the node's address. Presumably ovn40subnets-nat holds the
#    subnets with natOutgoing enabled — verify with `ipset list ovn40subnets-nat`. Once masqueraded,
#    the upstream side sees the node IP rather than the pod IP, so attributing an egress
#    connection to a pod requires correlating with conntrack on that node.
-A OVN-POSTROUTING -m set --match-set ovn40subnets-nat src -m set ! --match-set ovn40subnets dst -j MASQUERADE
# OVN-PREROUTING: these rules only set marks. Traffic arriving on ovn0 from ovn40subnets toward
# ovn40services gets 0x4000; no rule shown here consumes that mark.
-A OVN-PREROUTING -i ovn0 -m set --match-set ovn40subnets src -m set --match-set ovn40services dst -j MARK --set-xmark 0x4000/0x4000
# TCP/UDP to a local address that matches the KUBE-NODE-PORT-LOCAL-{TCP,UDP} set (presumably the
# kube-proxy NodePort sets) gets 0x80000, the mark tested by OVN-POSTROUTING rule 2 above.
-A OVN-PREROUTING -p tcp -m addrtype --dst-type LOCAL -m set --match-set KUBE-NODE-PORT-LOCAL-TCP dst -j MARK --set-xmark 0x80000/0x80000
-A OVN-PREROUTING -p udp -m addrtype --dst-type LOCAL -m set --match-set KUBE-NODE-PORT-LOCAL-UDP dst -j MARK --set-xmark 0x80000/0x80000
root@pc-node-1:/kube-ovn#