k8s proxy

最新推荐文章于 2025-05-01 10:19:06 发布
最新推荐文章于 2025-05-01 10:19:06 发布
阅读量1.3k 收藏
点赞数
CC 4.0 BY-SA版权
分类专栏: k8s
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/wasd12121212/article/details/82768206
K8S的proxy在每个node上运行,提供代理服务。它有两种模式:用户态iptable和内核态iptable。proxy通过reflector函数监控service和endpoint变化,更新iptable。服务或端点的增删会触发iptable同步。此外,系统每30秒会自动调用函数进行iptable同步。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

K8S 的proxy是运行在每一个node上面的,它主要起到代理作用,分为两种模式:

一种用户态:iptable

一种内核态iptable:

通过调用reflector函数,进行watch,watch service和endpoint资源,如发现有新建或者变动,则进行iptable的同步,proxier.syncProxyRules(),存储servic;endpoint也是如此,同步iptable和存储endpoint;

运行以后每隔30s,都会调用函数同步iptable

s.Proxier.SyncLoop();

// SyncLoop runs periodic work.  This is expected to run as a goroutine or as the main loop of the app.  It does not return.
func (proxier *Proxier) SyncLoop() {
   t := time.NewTicker(proxier.syncPeriod)
   defer t.Stop()
   for {
      <-t.C
      glog.V(6).Infof("Periodic sync")
      proxier.Sync()
   }
}
func (proxier *Proxier) Sync() {
   proxier.mu.Lock()
   defer proxier.mu.Unlock()
   proxier.syncProxyRules()
}

 

//execConntrackTool executes conntrack tool using given parameters
func (proxier *Proxier) execConntrackTool(parameters ...string) error {
   conntrackPath, err := proxier.exec.LookPath("conntrack")
   if err != nil {
      return fmt.Errorf("Error looking for path of conntrack: %v", err)
   }
   output, err := proxier.exec.Command(conntrackPath, parameters...).CombinedOutput()
   if err != nil {
      return fmt.Errorf("Conntrack command returned: %q, error message: %s", string(output), err)
   }
   return nil
}

// This is where all of the iptables-save/restore calls happen.
// The only other iptables rules are those that are setup in iptablesInit()
// assumes proxier.mu is held
func (proxier *Proxier) syncProxyRules() {
   start := time.Now()
   defer func() {
      glog.V(4).Infof("syncProxyRules took %v", time.Since(start))
   }()
   // don't sync rules till we've received services and endpoints
   if !proxier.haveReceivedEndpointsUpdate || !proxier.haveReceivedServiceUpdate {
      glog.V(2).Info("Not syncing iptables until Services and Endpoints have been received from master")
      return
   }
   glog.V(3).Infof("Syncing iptables rules")

   // Create and link the kube services chain.
   {
      tablesNeedServicesChain := []utiliptables.Table{utiliptables.TableFilter, utiliptables.TableNAT}
      for _, table := range tablesNeedServicesChain {
         if _, err := proxier.iptables.EnsureChain(table, kubeServicesChain); err != nil {
            glog.Errorf("Failed to ensure that %s chain %s exists: %v", table, kubeServicesChain, err)
            return
         }
      }

      tableChainsNeedJumpServices := []struct {
         table utiliptables.Table
         chain utiliptables.Chain
      }{
         {utiliptables.TableFilter, utiliptables.ChainOutput},
         {utiliptables.TableNAT, utiliptables.ChainOutput},
         {utiliptables.TableNAT, utiliptables.ChainPrerouting},
      }
      comment := "kubernetes service portals"
      args := []string{"-m", "comment", "--comment", comment, "-j", string(kubeServicesChain)}
      for _, tc := range tableChainsNeedJumpServices {
         if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, tc.table, tc.chain, args...); err != nil {
            glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", tc.table, tc.chain, kubeServicesChain, err)
            return
         }
      }
   }

   // Create and link the kube postrouting chain.
   {
      if _, err := proxier.iptables.EnsureChain(utiliptables.TableNAT, kubePostroutingChain); err != nil {
         glog.Errorf("Failed to ensure that %s chain %s exists: %v", utiliptables.TableNAT, kubePostroutingChain, err)
         return
      }

      comment := "kubernetes postrouting rules"
      args := []string{"-m", "comment", "--comment", comment, "-j", string(kubePostroutingChain)}
      if _, err := proxier.iptables.EnsureRule(utiliptables.Prepend, utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
         glog.Errorf("Failed to ensure that %s chain %s jumps to %s: %v", utiliptables.TableNAT, utiliptables.ChainPostrouting, kubePostroutingChain, err)
         return
      }
   }

   // Get iptables-save output so we can check for existing chains and rules.
   // This will be a map of chain name to chain with rules as stored in iptables-save/iptables-restore
   existingFilterChains := make(map[utiliptables.Chain]string)
   iptablesSaveRaw, err := proxier.iptables.Save(utiliptables.TableFilter)
   if err != nil { // if we failed to get any rules
      glog.Errorf("Failed to execute iptables-save, syncing all rules: %v", err)
   } else { // otherwise parse the output
      existingFilterChains = utiliptables.GetChainLines(utiliptables.TableFilter, iptablesSaveRaw)
   }

   existingNATChains := make(map[utiliptables.Chain]string)
   iptablesSaveRaw, err = proxier.iptables.Save(utiliptables.TableNAT)
   if err != nil { // if we failed to get any rules
      glog.Errorf("Failed to execute iptables-save, syncing all rules: %v", err)
   } else { // otherwise parse the output
      existingNATChains = utiliptables.GetChainLines(utiliptables.TableNAT, iptablesSaveRaw)
   }

   filterChains := bytes.NewBuffer(nil)
   filterRules := bytes.NewBuffer(nil)
   natChains := bytes.NewBuffer(nil)
   natRules := bytes.NewBuffer(nil)

   // Write table headers.
   writeLine(filterChains, "*filter")
   writeLine(natChains, "*nat")

   // Make sure we keep stats for the top-level chains, if they existed
   // (which most should have because we created them above).
   if chain, ok := existingFilterChains[kubeServicesChain]; ok {
      writeLine(filterChains, chain)
   } else {
      writeLine(filterChains, utiliptables.MakeChainLine(kubeServicesChain))
   }
   if chain, ok := existingNATChains[kubeServicesChain]; ok {
      writeLine(natChains, chain)
   } else {
      writeLine(natChains, utiliptables.MakeChainLine(kubeServicesChain))
   }
   if chain, ok := existingNATChains[kubeNodePortsChain]; ok {
      writeLine(natChains, chain)
   } else {
      writeLine(natChains, utiliptables.MakeChainLine(kubeNodePortsChain))
   }
   if chain, ok := existingNATChains[kubePostroutingChain]; ok {
      writeLine(natChains, chain)
   } else {
      writeLine(natChains, utiliptables.MakeChainLine(kubePostroutingChain))
   }
   if chain, ok := existingNATChains[KubeMarkMasqChain]; ok {
      writeLine(natChains, chain)
   } else {
      writeLine(natChains, utiliptables.MakeChainLine(KubeMarkMasqChain))
   }

   // Install the kubernetes-specific postrouting rules. We use a whole chain for
   // this so that it is easier to flush and change, for example if the mark
   // value should ever change.
   writeLine(natRules, []string{
      "-A", string(kubePostroutingChain),
      "-m", "comment", "--comment", `"kubernetes service traffic requiring SNAT"`,
      "-m", "mark", "--mark", proxier.masqueradeMark,
      "-j", "MASQUERADE",
   }...)

   // Install the kubernetes-specific masquerade mark rule. We use a whole chain for
   // this so that it is easier to flush and change, for example if the mark
   // value should ever change.
   writeLine(natRules, []string{
      "-A", string(KubeMarkMasqChain),
      "-j", "MARK", "--set-xmark", proxier.masqueradeMark,
   }...)

   // Accumulate NAT chains to keep.
   activeNATChains := map[utiliptables.Chain]bool{} // use a map as a set

   // Accumulate the set of local ports that we will be holding open once this update is complete
   replacementPortsMap := map[localPort]closeable{}

   // Build rules for each service.
   for svcName, svcInfo := range proxier.serviceMap {
      protocol := strings.ToLower(string(svcInfo.protocol))

      // Create the per-service chain, retaining counters if possible.
      svcChain := servicePortChainName(svcName, protocol)
      if chain, ok := existingNATChains[svcChain]; ok {
         writeLine(natChains, chain)
      } else {
         writeLine(natChains, utiliptables.MakeChainLine(svcChain))
      }
      activeNATChains[svcChain] = true

      // Capture the clusterIP.
      args := []string{
         "-A", string(kubeServicesChain),
         "-m", "comment", "--comment", fmt.Sprintf(`"%s cluster IP"`, svcName.String()),
         "-m", protocol, "-p", protocol,
         "-d", fmt.Sprintf("%s/32", svcInfo.clusterIP.String()),
         "--dport", fmt.Sprintf("%d", svcInfo.port),
      }
      if proxier.masqueradeAll {
         writeLine(natRules, append(args, "-j", string(KubeMarkMasqChain))...)
      }
      if len(proxier.clusterCIDR) > 0 {
         writeLine(natRules, append(args, "! -s", proxier.clusterCIDR, "-j", string(KubeMarkMasqChain))...)
      }
      writeLine(natRules, append(args, "-j", string(svcChain))...)

      // Capture externalIPs.
      for _, externalIP := range svcInfo.externalIPs {
         // If the "external" IP happens to be an IP that is local to this
         // machine, hold the local port open so no other process can open it
         // (because the socket might open but it would never work).
         if local, err := isLocalIP(externalIP); err != nil {
            glog.Errorf("can't determine if IP is local, assuming not: %v", err)
         } else if local {
            lp := localPort{
               desc:     "externalIP for " + svcName.String(),
               ip:       externalIP,
               port:     svcInfo.port,
               protocol: protocol,
            }
            if proxier.portsMap[lp] != nil {
               glog.V(4).Infof("Port %s was open before and is still needed", lp.String())
               replacementPortsMap[lp] = proxier.portsMap[lp]
            } else {
               socket, err := openLocalPort(&lp)
               if err != nil {
                  glog.Errorf("can't open %s, skipping this externalIP: %v", lp.String(), err)
                  continue
               }
               replacementPortsMap[lp] = socket
            }
         } // We're holding the port, so it's OK to install iptables rules.
         args := []string{
            "-A", string(kubeServicesChain),
            "-m", "comment", "--comment", fmt.Sprintf(`"%s external IP"`, svcName.String()),
            "-m", protocol, "-p", protocol,
            "-d", fmt.Sprintf("%s/32", externalIP),
            "--dport", fmt.Sprintf("%d", svcInfo.port),
         }
         // We have to SNAT packets to external IPs.
         writeLine(natRules, append(args, "-j", string(KubeMarkMasqChain))...)

         // Allow traffic for external IPs that does not come from a bridge (i.e. not from a container)
         // nor from a local process to be forwarded to the service.
         // This rule roughly translates to "all traffic from off-machine".
         // This is imperfect in the face of network plugins that might not use a bridge, but we can revisit that later.
         externalTrafficOnlyArgs := append(args,
            "-m", "physdev", "!", "--physdev-is-in",
            "-m", "addrtype", "!", "--src-type", "LOCAL")
         writeLine(natRules, append(externalTrafficOnlyArgs, "-j", string(svcChain))...)
         dstLocalOnlyArgs := append(args, "-m", "addrtype", "--dst-type", "LOCAL")
         // Allow traffic bound for external IPs that happen to be recognized as local IPs to stay local.
         // This covers cases like GCE load-balancers which get added to the local routing table.
         writeLine(natRules, append(dstLocalOnlyArgs, "-j", string(svcChain))...)
      }

      // Capture load-balancer ingress.
      for _, ingress := range svcInfo.loadBalancerStatus.Ingress {
         if ingress.IP != "" {
            // create service firewall chain
            fwChain := serviceFirewallChainName(svcName, protocol)
            if chain, ok := existingNATChains[fwChain]; ok {
               writeLine(natChains, chain)
            } else {
               writeLine(natChains, utiliptables.MakeChainLine(fwChain))
            }
            activeNATChains[fwChain] = true
            // The service firewall rules are created based on ServiceSpec.loadBalancerSourceRanges field.
            // This currently works for loadbalancers that preserves source ips.
            // For loadbalancers which direct traffic to service NodePort, the firewall rules will not apply.

            args := []string{
               "-A", string(kubeServicesChain),
               "-m", "comment", "--comment", fmt.Sprintf(`"%s loadbalancer IP"`, svcName.String()),
               "-m", protocol, "-p", protocol,
               "-d", fmt.Sprintf("%s/32", ingress.IP),
               "--dport", fmt.Sprintf("%d", svcInfo.port),
            }
            // jump to service firewall chain
            writeLine(natRules, append(args, "-j", string(fwChain))...)

            args = []string{
               "-A", string(fwChain),
               "-m", "comment", "--comment", fmt.Sprintf(`"%s loadbalancer IP"`, svcName.String()),
            }
            // We have to SNAT packets from external IPs.
            writeLine(natRules, append(args, "-j", string(KubeMarkMasqChain))...)

            if len(svcInfo.loadBalancerSourceRanges) == 0 {
               // allow all sources, so jump directly to KUBE-SVC chain
               writeLine(natRules, append(args, "-j", string(svcChain))...)
            } else {
               // firewall filter based on each source range
               allowFromNode := false
               for _, src := range svcInfo.loadBalancerSourceRanges {
                  writeLine(natRules, append(args, "-s", src, "-j", string(svcChain))...)
                  // ignore error because it has been validated
                  _, cidr, _ := net.ParseCIDR(src)
                  if cidr.Contains(proxier.nodeIP) {
                     allowFromNode = true
                  }
               }
               // generally, ip route rule was added to intercept request to loadbalancer vip from the
               // loadbalancer's backend hosts. In this case, request will not hit the loadbalancer but loop back directly.
               // Need to add the following rule to allow request on host.
               if allowFromNode {
                  writeLine(natRules, append(args, "-s", fmt.Sprintf("%s/32", ingress.IP), "-j", string(svcChain))...)
               }
            }

            // If the packet was able to reach the end of firewall chain, then it did not get DNATed.
            // It means the packet cannot go thru the firewall, then mark it for DROP
            writeLine(natRules, append(args, "-j", string(KubeMarkDropChain))...)
         }
      }

      // Capture nodeports.  If we had more than 2 rules it might be
      // worthwhile to make a new per-service chain for nodeport rules, but
      // with just 2 rules it ends up being a waste and a cognitive burden.
      if svcInfo.nodePort != 0 {
         // Hold the local port open so no other process can open it
         // (because the socket might open but it would never work).
         lp := localPort{
            desc:     "nodePort for " + svcName.String(),
            ip:       "",
            port:     svcInfo.nodePort,
            protocol: protocol,
         }
         if proxier.portsMap[lp] != nil {
            glog.V(4).Infof("Port %s was open before and is still needed", lp.String())
            replacementPortsMap[lp] = proxier.portsMap[lp]
         } else {
            socket, err := openLocalPort(&lp)
            if err != nil {
               glog.Errorf("can't open %s, skipping this nodePort: %v", lp.String(), err)
               continue
            }
            replacementPortsMap[lp] = socket
         } // We're holding the port, so it's OK to install iptables rules.

         args := []string{
            "-A", string(kubeNodePortsChain),
            "-m", "comment", "--comment", svcName.String(),
            "-m", protocol, "-p", protocol,
            "--dport", fmt.Sprintf("%d", svcInfo.nodePort),
         }
         // Nodeports need SNAT.
         writeLine(natRules, append(args, "-j", string(KubeMarkMasqChain))...)
         // Jump to the service chain.
         writeLine(natRules, append(args, "-j", string(svcChain))...)
      }

      // If the service has no endpoints then reject packets.
      if len(proxier.endpointsMap[svcName]) == 0 {
         writeLine(filterRules,
            "-A", string(kubeServicesChain),
            "-m", "comment", "--comment", fmt.Sprintf(`"%s has no endpoints"`, svcName.String()),
            "-m", protocol, "-p", protocol,
            "-d", fmt.Sprintf("%s/32", svcInfo.clusterIP.String()),
            "--dport", fmt.Sprintf("%d", svcInfo.port),
            "-j", "REJECT",
         )
         continue
      }

      // Generate the per-endpoint chains.  We do this in multiple passes so we
      // can group rules together.
      endpoints := make([]string, 0)
      endpointChains := make([]utiliptables.Chain, 0)
      for _, ep := range proxier.endpointsMap[svcName] {
         endpoints = append(endpoints, ep)
         endpointChain := servicePortEndpointChainName(svcName, protocol, ep)
         endpointChains = append(endpointChains, endpointChain)

         // Create the endpoint chain, retaining counters if possible.
         if chain, ok := existingNATChains[utiliptables.Chain(endpointChain)]; ok {
            writeLine(natChains, chain)
         } else {
            writeLine(natChains, utiliptables.MakeChainLine(endpointChain))
         }
         activeNATChains[endpointChain] = true
      }

      // First write session affinity rules, if applicable.
      if svcInfo.sessionAffinityType == api.ServiceAffinityClientIP {
         for _, endpointChain := range endpointChains {
            writeLine(natRules,
               "-A", string(svcChain),
               "-m", "comment", "--comment", svcName.String(),
               "-m", "recent", "--name", string(endpointChain),
               "--rcheck", "--seconds", fmt.Sprintf("%d", svcInfo.stickyMaxAgeSeconds), "--reap",
               "-j", string(endpointChain))
         }
      }

      // Now write loadbalancing & DNAT rules.
      n := len(endpointChains)
      for i, endpointChain := range endpointChains {
         // Balancing rules in the per-service chain.
         args := []string{
            "-A", string(svcChain),
            "-m", "comment", "--comment", svcName.String(),
         }
         if i < (n - 1) {
            // Each rule is a probabilistic match.
            args = append(args,
               "-m", "statistic",
               "--mode", "random",
               "--probability", fmt.Sprintf("%0.5f", 1.0/float64(n-i)))
         }
         // The final (or only if n == 1) rule is a guaranteed match.
         args = append(args, "-j", string(endpointChain))
         writeLine(natRules, args...)

         // Rules in the per-endpoint chain.
         args = []string{
            "-A", string(endpointChain),
            "-m", "comment", "--comment", svcName.String(),
         }
         // Handle traffic that loops back to the originator with SNAT.
         // Technically we only need to do this if the endpoint is on this
         // host, but we don't have that information, so we just do this for
         // all endpoints.
         // TODO: if we grow logic to get this node's pod CIDR, we can use it.
         writeLine(natRules, append(args,
            "-s", fmt.Sprintf("%s/32", strings.Split(endpoints[i], ":")[0]),
            "-j", string(KubeMarkMasqChain))...)

         // Update client-affinity lists.
         if svcInfo.sessionAffinityType == api.ServiceAffinityClientIP {
            args = append(args, "-m", "recent", "--name", string(endpointChain), "--set")
         }
         // DNAT to final destination.
         args = append(args, "-m", protocol, "-p", protocol, "-j", "DNAT", "--to-destination", endpoints[i])
         writeLine(natRules, args...)
      }
   }

   // Delete chains no longer in use.
   for chain := range existingNATChains {
      if !activeNATChains[chain] {
         chainString := string(chain)
         if !strings.HasPrefix(chainString, "KUBE-SVC-") && !strings.HasPrefix(chainString, "KUBE-SEP-") && !strings.HasPrefix(chainString, "KUBE-FW-") {
            // Ignore chains that aren't ours.
            continue
         }
         // We must (as per iptables) write a chain-line for it, which has
         // the nice effect of flushing the chain.  Then we can remove the
         // chain.
         writeLine(natChains, existingNATChains[chain])
         writeLine(natRules, "-X", chainString)
      }
   }

   // Finally, tail-call to the nodeports chain.  This needs to be after all
   // other service portal rules.
   writeLine(natRules,
      "-A", string(kubeServicesChain),
      "-m", "comment", "--comment", `"kubernetes service nodeports; NOTE: this must be the last rule in this chain"`,
      "-m", "addrtype", "--dst-type", "LOCAL",
      "-j", string(kubeNodePortsChain))

   // Write the end-of-table markers.
   writeLine(filterRules, "COMMIT")
   writeLine(natRules, "COMMIT")

   // Sync rules.
   // NOTE: NoFlushTables is used so we don't flush non-kubernetes chains in the table.
   filterLines := append(filterChains.Bytes(), filterRules.Bytes()...)
   natLines := append(natChains.Bytes(), natRules.Bytes()...)
   lines := append(filterLines, natLines...)

   glog.V(3).Infof("Restoring iptables rules: %s", lines)
   err = proxier.iptables.RestoreAll(lines, utiliptables.NoFlushTables, utiliptables.RestoreCounters)
   if err != nil {
      glog.Errorf("Failed to execute iptables-restore: %v", err)
      // Revert new local ports.
      revertPorts(replacementPortsMap, proxier.portsMap)
      return
   }

   // Close old local ports and save new ones.
   for k, v := range proxier.portsMap {
      if replacementPortsMap[k] == nil {
         v.Close()
      }
   }
   proxier.portsMap = replacementPortsMap

   // Clean up the older SNAT rule which was directly in POSTROUTING.
   // TODO(thockin): Remove this for v1.3 or v1.4.
   args := []string{
      "-m", "comment", "--comment", "kubernetes service traffic requiring SNAT",
      "-m", "mark", "--mark", oldIptablesMasqueradeMark,
      "-j", "MASQUERADE",
   }
   if err := proxier.iptables.DeleteRule(utiliptables.TableNAT, utiliptables.ChainPostrouting, args...); err != nil {
      if !utiliptables.IsNotFoundError(err) {
         glog.Errorf("Error removing old-style SNAT rule: %v", err)
      }
   }
}

 

k8s kube-proxy ipvs
fengcai_ke的博客
07-12 2095
k8s kube-proxy ipvs分析
【实战加详解】二进制部署k8s高可用集群教程系列十二 - 部署kube-proxy
JohnYang's 优快云 Home
10-13 899
实战加详解 - 完美解决二进制部署k8s高可用集群中ssl证书以及TLS Bootstrap机制的问题
深入理解k8s kube-proxy
fofcn的专栏
04-09 1728
k8s中的Pod是临时的,因为Pod中运行的是我们的应用,我们的应用可能随时会崩溃,崩溃了以后k8s会为我们重新创建,我们不能用Pod的IP通信,因为Pod每次崩溃重启IP会变更,而且Pod的数量也会改变。所以K8s就增加了Service来提供Pod统一的入口。Service提供了连接一个或者多个的Pod静态地址。我们可以这么理解:进入k8s集群的流量先到达Service,然后流量被重定向到Pod,同时Service保证流量不转发到不健康的Pod。
k8s kube-proxy详解
魏志标的博客
06-13 6061
kube-proxy是kubernetes中网络核心组件,实现了服务暴露和转发等网络功能。kube-proxy支持userspace,ipvs和iptables三种代理模式。userspace性能问题较严重,基本不再使用,应用最多的是iptables和ipvs模式。kube-proxy 以daemonset的方式运行在每个Node计算节点上,负责Pod网络代理, 它会定时通过apiserver从etcd服务获取到service和endpoint资源的变化,维护网络规则和四层负载均衡工作。
k8s kube-proxy源码分析
最新发布
fengcai_ke的博客
05-01 308
service是为了给一组pod提供负载均衡功能的服务。
k8s弹性伸缩】使用proxy的方式访问k8s中的服务
tangdaren2的博客
08-18 1674
访问k8s中应用的方式: 第一种:NodePort类型(该种方式必须在svc配置文件中声明是nodeport类型) type:NodePort ports: -port:80 targetPort:80 此时有两种访问方式: 1、woker1节点的ip+servcie映射的端口 http://192.168.1.6:32123/ 2、利用上一节dashboard的反向代理修改后的url访问 http:/...
k8s】kube-proxy 工作模式
热门推荐
言之。
09-16 1万+
除了Kubernetes提供的默认策略,也可以使用外部负载均衡器来替代或补充K8s内置的负载均衡策略。这样可以利用更丰富的负载均衡功能和灵活性。
k8sproxy原理
wasd12121212的博客
10-16 841
pod 访问service服务 这里涉及到k8s里面一个重要的概念service。它是一个服务的抽象,通过label(k8s会根据service和pod直接的关系创建endpoint,可以通过kubectl get ep查看)关联到后端的pod容器。 Service分配的ip叫cluster ip是一个虚拟ip(相对固定,除非删除service),这个ip只能在k8s集群内部使用,如果serv...
k8s资料下载;k8s资料下载
01-01
由于给定的信息非常有限,提供的内容对于生成详细知识点帮助不大,因此我将基于标题和标签“k8s”来撰写一篇关于Kubernetes(通常缩写为k8s)的详细介绍文章。 Kubernetes(简称k8s)是一个开源的,用于自动部署、...
websocket-proxy:java websocket代理k8s docker终端
05-26
java websocket proxy k8s docker terminal 之所以有这个项目是因为有多个区域部署k8s集群, 每个集群里的容器都需要有终端访问。 应用程序都是运行在k8s里的, 采用sa认证的方式, k8s集群的api server外面并不能...
k8s中的service、api-server、kube-proxy有什么区别
qq_33525062的博客
06-02 1134
它是集群的控制平面,接收和处理用户(开发人员、管理员)的请求,管理集群中的资源对象(如Pod、Service、Deployment等)和配置信息。综上所述,Service、API Server和kube-proxy是Kubernetes中的三个核心组件,它们分别负责将请求转发给后端的Pod、管理集群的资源和配置信息,以及处理流量的路由和代理。总结起来,Pod是K8s中的一个概念,它提供了一种组织和管理容器的方式,类似于一个旅行团中的小组,它们共享资源和网络环境,方便沟通和协作,提高整体的效率和可管理性。
k8s-kube-proxy运行机制分析
hahachenchen789的博客
06-09 4591
在每个Node上都会运行一个kube-proxy服务进程,这个进程可以看做service的透明代理和负载均衡器。其核心功能是将某个service的访问请求转发到后端的某个Pod上。对每一个TCP类型的service,kube-proxy都会在本地Node上建立一个socketserver来负责接收请求,然后均匀发送到后端某个Pod端口上。这个过程默认采用Round Robin负载均衡算法。此外,s...
Kubernetes(k8s)kube-proxy、Service详解
匠人精神,持之以恒!
09-25 3554
文章目录一、kube-proxy简介二、Service 简介三、Service 类型1)ClusterIp(集群内部使用)2)NodePort(对外暴露应用)3)LoadBalancer(对外暴露应用,适用于公有云)4)ExternalName四、Service 工作流程五、Service, Endpoints与Pod的关系六、kubernetes服务发现1)环境变量2) DNS五、Service代理模式1)userspace模式2)iptables模式(默认模式)3)ipvs模型4)kube-proxy
K8S安装(六) kube-proxy组件安装
05-28 2999
Kube-Proxy简述 参考文献:https://ywnz.com/linuxyffq/2530.html 运行在每个节点上,监听 API Server 中服务对象的变化,再通过管理 IPtables 来实现网络的转发 Kube-Proxy 目前支持三种模式: UserSpace k8s v1.2 后就已经淘汰 IPtables 目前默认方式 IPVS--推荐,支持7层 需要安装ipvsadm、ipset 工具包和加载 ip_vs 内核模块 kube-proxy部署在hdss7-
K8S中,kube-proxy作用是什么?
努力变的更强
10-13 283
在kubernetes中,kube-proxy是一个关键的网络组件,它运行在集群中的每个节点上,负责实现服务发现和负载均衡功能。
k8s概念入门之kube-proxy-针对早期(0.4)版本阅读
qq_33339479的博客
04-09 520
k8s的kube-proxy分析 Kube-proxy主要是伴随着kubtlet进程一起部署在每个node节点中,proxy的功能主要就是为了完成在k8s集群中实现集群内部的通信,也可完成集群外的数据到集群内部的通信。从功能上来说确实是完成了完成更高层次的网络封装,让用户能够忽略网络层的部分细节从而专注于业务层的功能。 在早期的k8s的实现中,使用了最简单快速的方式来实现流量的转发,即通过用户态的数据接受直接转发到后端的目标地址上去。 首先查看proxy的main函数: var ( etcdServerL
云原生技术 --- k8s节点组件之kube-proxy的学习与理解
编码爱好者
09-29 2531
k8s 网络代理(`kube-proxy`)在每个节点上运行。网络代理反映了每个节点上 Kubernetes API 中定义的服务,并且可以执行简单的 TCP、UDP 和 SCTP 流转发,或者在一组后端进行 循环 TCP、UDP 和 SCTP 转发。但是,必须要有一个插件,才可以实现相应的通信功能,它的作用是使发往 Service 的流量(通过ClusterIP和端口)负载均衡到正确的后端Pod。
k8s学习--kube-proxy的三种工作模式详细解释
lwxvgdv的博客
06-06 1509
kube-proxy 是 Kubernetes 中负责集群中网络规则的组件,它维护网络规则使得 Pod 间的网络通信和访问集群外部的服务成为可能。kube-proxy 支持三种工作模式:userspace 模式、iptables 模式和 ipvs 模式。实现简单,但性能较低,适用于早期的测试和开发环境。性能较好,适用于大多数生产环境,但在处理大量规则时可能复杂。性能最佳,支持更多的负载均衡算法和规则,适用于高性能和大规模集群,但需要内核支持。一般情况下,都默认使用ipvs模式。
Centos7部署kubernetes Proxy(七)
weixin_30593261的博客
06-11 222
1、配置kube-proxy使用LVS(三个节点都装上去) [root@linux-node1 ssl]# yum install -y ipvsadm ipset conntrack [root@linux-node2 ssl]# yum install -y ipvsadm ipset conntrack [root@linux-node3 ssl]# yum install -y ip...
k8s runtime proxy
04-29
Kubernetes (k8s) runtime proxy is a component of the Kubernetes architecture that provides a way for containers to communicate with the Kubernetes API server. It acts as a middleman between the container runtime (such as Docker) and the Kubernetes control plane. When a container is started, the runtime proxy creates a network socket that allows the container to communicate with the Kubernetes API server. This socket is then used to send requests to the API server, such as requests for information about the pod, or requests to update the pod's status. The runtime proxy can also handle certain events, such as when a container is deleted or when a pod is rescheduled. It ensures that the Kubernetes control plane is always aware of the status of the containers and pods, and can take appropriate action when necessary. Overall, the k8s runtime proxy plays an important role in ensuring the smooth and efficient operation of Kubernetes clusters, by providing a secure and reliable means of communication between the containers and the Kubernetes API server.
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值