
microk8s (5): trying the dashboard

2019-07-21  印随2018

Use the dashboard to add an Nginx application that is only meant to serve other workloads inside the cluster.

1. Add an nginx application

[screenshot of the dashboard form (image.png), not reproduced here]

2. Check the listening ports

# kubectl get svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
nginx        ClusterIP   10.152.183.193   <none>        9999/TCP   12m

# curl http://127.0.0.1:8080/api/v1/namespaces/default/services/nginx | jq .spec.ports
[
  {
    "name": "tcp-9999-80-2sjll",
    "protocol": "TCP",
    "port": 9999,
    "targetPort": 80
  }
]

The output above shows a ClusterIP service that exposes port 9999 and forwards to container port 80. Note that the query went to http://127.0.0.1:8080 over plain HTTP with no token or client certificate and still succeeded: that is the API server's insecure port (kube-proxy is pointed at the same address with --master), which performs no authentication or authorization, so any process on the node that can reach it has full API access. Now let's see how the iptables rules implement the service.

Chain KUBE-PORTALS-HOST (1 references)
DNAT       tcp  --  anywhere             10.152.183.193       /* default/nginx:tcp-9999-80-2sjll */ tcp dpt:9999 to:172.21.102.124:45883

Chain KUBE-PORTALS-CONTAINER (1 references)
REDIRECT   tcp  --  anywhere             10.152.183.193       /* default/nginx:tcp-9999-80-2sjll */ tcp dpt:9999 redir ports 45883

Let's see who is listening on port 45883:

# lsof -i:45883
COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
kube-prox 9764 root   97u  IPv6 3882512      0t0  TCP *:45883 (LISTEN)

# cat /proc/9764/cmdline
/snap/microk8s/687/kube-proxy \
  --master=http://127.0.0.1:8080 \
  --cluster-cidr=10.152.183.0/24 \
  --kubeconfig=/snap/microk8s/687/kubeproxy.config \
  --proxy-mode=userspace \
  --healthz-bind-address=127.0.0.1

There is one very important parameter here, --proxy-mode. From the manual:

--proxy-mode ProxyMode

Which proxy mode to use: 'userspace' (older) or 'iptables' (faster) or 'ipvs' (experimental). If blank, use the best-available proxy (currently
iptables). If the iptables proxy is selected, regardless of how, but the system's kernel or iptables versions are insufficient,
this always falls back to the userspace proxy.

In fact, the container application can be reached by connecting to port 45883 directly. Note from the lsof output that kube-proxy binds this port on `*`, that is on every address of the node, not on the cluster IP alone. So although the service was created as ClusterIP to stay internal, in userspace proxy mode anything that can reach the node on 172.21.102.124:45883 (a port kube-proxy allocated for this service) gets the same access; only the node's host firewall keeps it internal.

# curl http://127.0.0.1:45883
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
...
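The point above, that an "internal" service is also reachable on a node port kube-proxy chose, is worth checking for every Service rather than by hand. The shell snippet below is an added example and not part of the original post: it parses the `iptables -t nat -L` and socket-listing output shown above (embedded here as constructed samples; the second listener line is an invented loopback-only socket for contrast), resolves a Service to its userspace proxy port and reports whether that port is bound to every interface. The function names and the `ss -ltnpH` column layout it assumes are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Given a dump of the nat table and a
# listing of listening sockets, resolve the kube-proxy userspace port that fronts a
# Service and report how that port is bound. Both inputs below are constructed
# samples (the rules are copied from the post; the 127.0.0.1:10249 listener is
# invented for contrast). On a real node feed in the output of
#   iptables -t nat -L -w      and      ss -ltnpH
# instead of these strings.

SAMPLE_NAT_RULES='Chain KUBE-PORTALS-HOST (1 references)
DNAT       tcp  --  anywhere             10.152.183.193       /* default/nginx:tcp-9999-80-2sjll */ tcp dpt:9999 to:172.21.102.124:45883

Chain KUBE-PORTALS-CONTAINER (1 references)
REDIRECT   tcp  --  anywhere             10.152.183.193       /* default/nginx:tcp-9999-80-2sjll */ tcp dpt:9999 redir ports 45883'

# Assumed ss -ltnpH layout: State Recv-Q Send-Q Local:Port Peer:Port Process
SAMPLE_LISTENERS='LISTEN 0 128 *:45883 *:* users:(("kube-proxy",pid=9764,fd=97))
LISTEN 0 128 127.0.0.1:10249 *:* users:(("kube-proxy",pid=9764,fd=12))'

# proxy_port_for_service NAMESPACE/NAME RULES
# Prints the port that the REDIRECT ("redir ports N") or DNAT ("to:IP:N") rule
# tagged with the service's comment points at; prints nothing if no rule matches.
proxy_port_for_service() {
    svc="$1"; rules="$2"
    printf '%s\n' "$rules" \
      | grep -F "/* ${svc}:" \
      | sed -n -e 's/.*redir ports \([0-9][0-9]*\).*/\1/p' \
               -e 's/.*to:[0-9.]*:\([0-9][0-9]*\).*/\1/p' \
      | sort -u
}

# bind_scope PORT LISTENERS
# Prints "wildcard" if a socket on PORT is bound to every interface (*, 0.0.0.0
# or [::]), "local" if it is bound to one specific address, "none" if no socket
# listens on PORT.
bind_scope() {
    port="$1"; listeners="$2"
    addr=$(printf '%s\n' "$listeners" | awk -v p="$port" '
        { n = split($4, a, ":"); if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit } }')
    case "$addr" in
        "")                    echo none ;;
        '*'|0.0.0.0|'[::]'|::) echo wildcard ;;
        *)                     echo local ;;
    esac
}

# audit_service NAMESPACE/NAME RULES LISTENERS
# Ties the two steps together: resolve the proxy port, then report its bind scope.
audit_service() {
    port=$(proxy_port_for_service "$1" "$2")
    [ -n "$port" ] || { echo "no userspace proxy rule for $1"; return 1; }
    echo "$1 -> kube-proxy port $port bound: $(bind_scope "$port" "$3")"
}

audit_service default/nginx "$SAMPLE_NAT_RULES" "$SAMPLE_LISTENERS"
```

A result of `wildcard` means the ClusterIP service is also reachable from outside the cluster on the node's address at that port, which is exactly what the curl to 127.0.0.1:45883 above demonstrated; `local` would mean the proxy socket is confined to the address shown.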

Now let's access the application through the cluster IP:

# curl http://10.152.183.193:9999
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
.....

# netstat -ant | grep 9999
tcp        0      0 172.21.102.124:47714    10.152.183.193:9999     TIME_WAIT

Although the client connected to the virtual cluster address, the Linux kernel still goes through the full TCP handshake, and the client socket records its peer as 10.152.183.193:9999. The rewrite to port 45883 happens in the nat table on the way out and is reversed on the replies, so the client never sees the real port.

A packet capture on the loopback interface reinforces this:

# tcpdump -i lo port 9999 -nnnn
22:50:48.610817 IP 10.152.183.193.9999 > 172.21.102.124.57146: Flags [S.]
22:50:48.611873 IP 10.152.183.193.9999 > 172.21.102.124.57146: Flags [.]
22:50:48.612256 IP 10.152.183.193.9999 > 172.21.102.124.57146: Flags [P.]
22:50:48.616116 IP 10.152.183.193.9999 > 172.21.102.124.57146: Flags [F.]

Notice that only the server-to-client half of the exchange appears. The client's own segments (SYN, ACKs and the request) were already rewritten by the KUBE-PORTALS-HOST DNAT rule in the nat OUTPUT hook to 172.21.102.124:45883 before they reached lo, so the `port 9999` filter does not match them. The replies leave kube-proxy's socket with source port 45883, and conntrack maps that source back to 10.152.183.193:9999 before transmission, which is why the capture shows them coming from the cluster IP.