Kubernetes Application Deployment Model Explained (Deployment Part) (2)

We can use the describe command to see which node each pod was assigned to:

$ kubectl -s :8080 describe pod nginx-controller-6zr34 2>/dev/null | grep Node:
Node:        192.168.0.203/192.168.0.203
$ kubectl -s :8080 describe pod nginx-controller-njlgt 2>/dev/null | grep Node:
Node:        192.168.0.201/192.168.0.201

As the output above shows, the replication controller started two Pods, running on the agent node hosts 192.168.0.201 and 192.168.0.203.

Deploying an nginx service reachable from inside the cluster nodes

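A Service's type is either ClusterIP or NodePort. The default is ClusterIP, and a Service of this type can only be accessed from inside the cluster. The configuration file used in this article is shown below: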

$ cat nginx-service-clusterip.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-clusterip
spec:
  ports:
    - port: 8001
      targetPort: 80
      protocol: TCP
  selector:
    name: nginx

Run the following command to create the service:

$ kubectl -s :8080 create -f ./nginx-service-clusterip.yaml
services/nginx-service
$ kubectl -s :8080 get service
NAME                      LABELS                                    SELECTOR     IP(S)          PORT(S)
kubernetes                component=apiserver,provider=kubernetes   <none>       192.168.3.1    443/TCP
nginx-service-clusterip   <none>                                    name=nginx   192.168.3.91   8001/TCP

Verifying that the service is reachable:

The output above tells us that this Service's Cluster IP is 192.168.3.91 and its port is 8001. Next we verify that this PortalNet IP works:

$ ssh 192.168.0.202 curl -s 192.168.3.91:8001
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="https://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="https://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

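From the earlier section on deploying the replication controller we know that the nginx Pods run on nodes 201 and 203. Above we deliberately accessed the service from agent node 202 to show that the Service Cluster IP is reachable from every agent node in the cluster.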

Deploying an externally accessible nginx service

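Next we create a Service of type NodePort. A Service of this type can be accessed from outside the cluster. The configuration file used in this article is shown below: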

$ cat nginx-service-nodeport.yaml
apiVersion: v1
kind: Service
metadata:
  name: nginx-service-nodeport
spec:
  ports:
    - port: 8000
      targetPort: 80
      protocol: TCP
  type: NodePort
  selector:
    name: nginx

Run the following command to create the service:

$ kubectl -s :8080 create -f ./nginx-service-nodeport.yaml
services/nginx-service-nodeport
$ kubectl -s :8080 get service
NAME                      LABELS                                    SELECTOR     IP(S)          PORT(S)
kubernetes                component=apiserver,provider=kubernetes   <none>       192.168.3.1    443/TCP
nginx-service-clusterip   <none>                                    name=nginx   192.168.3.91   8001/TCP
nginx-service-nodeport    <none>                                    name=nginx   192.168.3.84   8000/TCP

Use the following command to get the node-level port of this service:

$ kubectl -s :8080 describe service nginx-service-nodeport 2>/dev/null | grep NodePort
Type:                   NodePort
NodePort:               <unnamed>       32606/TCP
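
An added example, not part of the original article: the grep above reads the node port of one Service, while the Python script below does the same for every Service in `kubectl get service -o json` output and lists each node address and port that is open to clients outside the cluster. The embedded JSON is a constructed sample built from this article's two Services, the function names are illustrative, and treating LoadBalancer Services as exposed goes beyond the two types discussed here.

```python
import json

# Constructed sample: trimmed `kubectl get service -o json` output holding the
# two Services from this article (names, ports and node port 32606 as shown).
SAMPLE = json.dumps({
    "items": [
        {"metadata": {"name": "nginx-service-clusterip"},
         "spec": {"selector": {"name": "nginx"},
                  "ports": [{"port": 8001, "targetPort": 80, "protocol": "TCP"}]}},
        {"metadata": {"name": "nginx-service-nodeport"},
         "spec": {"type": "NodePort", "selector": {"name": "nginx"},
                  "ports": [{"port": 8000, "targetPort": 80,
                             "protocol": "TCP", "nodePort": 32606}]}},
    ]
})


def externally_exposed(service_list_json):
    """Return (service, protocol, nodePort, targetPort) for every port that is
    opened on the nodes themselves and so reachable from outside the cluster."""
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        spec = svc.get("spec", {})
        # A missing type means the default, ClusterIP (cluster-internal only).
        # Assumption beyond the article: LoadBalancer also allocates node ports.
        if spec.get("type", "ClusterIP") not in ("NodePort", "LoadBalancer"):
            continue
        for port in spec.get("ports", []):
            node_port = port.get("nodePort")
            if node_port:  # absent or 0 means nothing is opened on the node
                findings.append((svc["metadata"]["name"],
                                 port.get("protocol", "TCP"),
                                 node_port, port.get("targetPort")))
    return sorted(findings)


def report(findings, node_ips):
    """One line per node address and exposed port, for firewall review."""
    return ["%s:%d/%s -> %s (targetPort %s)" % (ip, np, proto, name, tp)
            for name, proto, np, tp in findings for ip in node_ips]


if __name__ == "__main__":
    # Node addresses are the article's three agent nodes.
    for line in report(externally_exposed(SAMPLE),
                       ["192.168.0.201", "192.168.0.202", "192.168.0.203"]):
        print(line)
```

Each reported address and port pair is a candidate for a host or perimeter firewall rule if the service is not meant to be reachable from outside.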

Verifying that the service is reachable:

The output above tells us that this Service's node-level port is 32606. Next we verify that this Service works:

$ curl 192.168.0.201:32606
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="https://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="https://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Analysis of the iptables rules on the agent nodes

The figure below shows the tables and chains that traffic passes through in iptables.


As can be seen, Kubernetes inserts the following four chains into the nat table:

1.  KUBE-PORTALS-CONTAINER
