Bringing external traffic in with hostPort has a drawback: you cannot predict which backend node the pod will be scheduled to. Another way to bring external traffic in is to let the container share the host's network namespace.

Shared network namespace example
1. Create the resource manifest

```
root@k8s-master01:~/yaml/chapter01
apiVersion: v1
kind: Pod
metadata:
  name: mypod-host-network
  labels:
    app: demoapp
    release: canary
spec:
  containers:
  - name: mypod-host-network
    image: ikubernetes/demoapp:v1.0
    env:
    - name: PORT
      value: "8080"
  hostNetwork: true
```
2. Create the pod

```
root@k8s-master01:~/yaml/chapter01
pod/mypod-host-network created
```
3. Verify

The pod takes the node's own address 172.16.11.81 rather than an address from the pod network, and the service answers on that node address:

```
root@k8s-master01:~/yaml/chapter01
NAME                 READY   STATUS    RESTARTS   AGE   IP             NODE         NOMINATED NODE   READINESS GATES
mypod-host-network   1/1     Running   0          21s   172.16.11.81   k8s-node01   <none>           <none>

root@k8s-master01:~/yaml/chapter01
iKubernetes demoapp v1.0 !! ClientIP: 172.16.11.71, ServerName: k8s-node01, ServerIP: 172.16.11.81!
```
4. Check the listening ports on node01

The pod's python3 process is listening on 0.0.0.0:8080 directly in the node's network namespace, next to kubelet, kube-proxy and sshd:

```
root@k8s-node01:~
State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:8080          0.0.0.0:*          users:(("python3",pid=3226710,fd=3))
LISTEN  0       20480   0.0.0.0:31156         0.0.0.0:*          users:(("kube-proxy",pid=15562,fd=10))
LISTEN  0       4096    127.0.0.53%lo:53      0.0.0.0:*          users:(("systemd-resolve",pid=685,fd=13))
LISTEN  0       128     0.0.0.0:22            0.0.0.0:*          users:(("sshd",pid=762,fd=3))
LISTEN  0       128     127.0.0.1:6010        0.0.0.0:*          users:(("sshd",pid=3247420,fd=10))
LISTEN  0       20480   127.0.0.1:11910       0.0.0.0:*          users:(("kubelet",pid=14915,fd=13))
LISTEN  0       20480   127.0.0.1:10248       0.0.0.0:*          users:(("kubelet",pid=14915,fd=30))
LISTEN  0       20480   127.0.0.1:10249       0.0.0.0:*          users:(("kube-proxy",pid=15562,fd=22))
LISTEN  0       20480   *:10250               *:*                users:(("kubelet",pid=14915,fd=38))
LISTEN  0       20480   *:10256               *:*                users:(("kube-proxy",pid=15562,fd=20))
LISTEN  0       128     [::]:22               [::]:*             users:(("sshd",pid=762,fd=4))
LISTEN  0       128     [::1]:6010            [::]:*             users:(("sshd",pid=3247420,fd=9))
```
5. Check the network inside the container

```
root@k8s-master01:~/yaml/chapter01
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:4f:07:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.81/24 brd 172.16.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe4f:7f6/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8e:85:75:5f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 7e:c5:0b:9e:6a:5c brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.0/32 brd 10.244.1.0 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::7cc5:bff:fe9e:6a5c/64 scope link
       valid_lft forever preferred_lft forever
5: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether ca:45:cb:f7:14:54 brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::c845:cbff:fef7:1454/64 scope link
       valid_lft forever preferred_lft forever
```
6. Check the host network

The output is identical to what the container sees: the pod has no network namespace of its own, it is looking at the node's interfaces (eth0, docker0, flannel.1, cni0).

```
root@k8s-node01:~
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 52:54:00:4f:07:f6 brd ff:ff:ff:ff:ff:ff
    inet 172.16.11.81/24 brd 172.16.11.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fe4f:7f6/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:8e:85:75:5f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
    link/ether 7e:c5:0b:9e:6a:5c brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.0/32 brd 10.244.1.0 scope global flannel.1
       valid_lft forever preferred_lft forever
    inet6 fe80::7cc5:bff:fe9e:6a5c/64 scope link
       valid_lft forever preferred_lft forever
5: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether ca:45:cb:f7:14:54 brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::c845:cbff:fef7:1454/64 scope link
       valid_lft forever preferred_lft forever
```
Notes

Sharing the network namespace with hostNetwork is not recommended. It is dangerous: with hostNetwork, processes inside the container can manipulate the host's network directly.
If the container has a vulnerability, all of the node's traffic can be controlled, and from there the whole k8s cluster can be hijacked.
For security reasons, sharing the host's network namespace should therefore be forbidden when containers are created. This has to be addressed in the container's security context.
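An added audit example (not from the original post) that implements the check the note above asks for from the defender's side: it scans `kubectl get pods -A -o json` output for pods that reach the node's network namespace, via `hostNetwork: true` or a container `hostPort`, and skips namespaces where such pods are expected (kube-proxy and CNI agents in kube-system). The pod list below is constructed for the example; the function names and the allow-list are assumptions.

```python
import json

# Constructed sample of `kubectl get pods -A -o json` output (not from the page):
# one pod sharing the host network namespace, one using hostPort, one normal.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"name": "mypod-host-network", "namespace": "default"},
         "spec": {"hostNetwork": True,
                  "containers": [{"name": "demo", "image": "ikubernetes/demoapp:v1.0"}]}},
        {"metadata": {"name": "web-hostport", "namespace": "default"},
         "spec": {"containers": [{"name": "web", "image": "nginx",
                                  "ports": [{"containerPort": 80, "hostPort": 8080}]}]}},
        {"metadata": {"name": "plain", "namespace": "kube-public"},
         "spec": {"containers": [{"name": "app", "image": "busybox",
                                  "ports": [{"containerPort": 8080}]}]}},
    ]
})


def audit_host_network(pod_list_json, allowed_namespaces=("kube-system",)):
    """Return (namespace, pod, reason) for pods that touch the node's network.

    hostNetwork: true puts every container of the pod on the node's own
    interfaces (the `ip addr` inside the pod equals the node's); a hostPort
    binds a node port to a single container. Both are reported, except in
    namespaces explicitly allowed (hypothetical allow-list, e.g. kube-system).
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        if ns in allowed_namespaces:
            continue
        if spec.get("hostNetwork") is True:
            findings.append((ns, name, "hostNetwork"))
        # initContainers may also declare hostPort, so check both lists
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for p in c.get("ports", []):
                if "hostPort" in p:
                    findings.append((ns, name, f"hostPort {c.get('name', '?')}:{p['hostPort']}"))
    return findings


if __name__ == "__main__":
    for ns, name, reason in audit_host_network(SAMPLE_POD_LIST):
        print(f"{ns}/{name}: {reason}")
```

To enforce rather than only audit, the Pod Security Admission "baseline" level already rejects pods that set hostNetwork or hostPort, so labelling a namespace with `pod-security.kubernetes.io/enforce: baseline` blocks this manifest at admission time.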