08.kubernetes笔记 Service(二) Endpoint Controller、修改iptable为ipvs模式

Endpoint Controller简介

  • 前面有提到 管理后端端点与svc的绑定,根据标签选择器,筛选适配的pod,监控就绪的pod 并完成svc与pod的绑定
  • 实际应用中可以自动创建一个Endpoint Controller把外部的节点管理起来 相当于所外部的服务引入到内部 然后绑定到svc 集群内部就可以以访问内部svc一样访问到外部的服务

资源规范

apiVersion: v1
kind: Endpoint
metadata: # 对象元数据
  name :
  namespace:
subsets:  #端点对象的列表
- addresses: #处于“就绪”状态的端点地址对象列表
  - hostname  #端点主机名 
    ip   #端点的IP地址,必选字段 hostname或IP给其中一个就行
    nodeName  # 节点主机名
    targetRef: #提供了该端点的对象引用
      apiVersion  # 被引用对象所属的API群组及版本
      kind  # 被引用对象的资源类型,多为Pod
      name  # 对象名称
      namespace  # 对象所属的名称究竟
      fieldPath   #被引用的对象的字段,在未引用整个对象时使用,常用于仅引用
      # 指定Pod对象中的单容器,例如spec . containers[1]
      uid  #对象的标识符;
  notReadyAddresses: #处于“未就绪”状态的端点地址对象列表,格式与address相同
  ports: # 端口对象列表
  - name  #端口名称;
    port  # 端口号,必选字段;
    protocol   #协议类型,仅支持UDP、TCP和SCTP,默认为TCP;
    appProtocol  # 应用层协议;
Endpoints详情
[root@k8s-master svc]# kubectl get endpoints
NAME                       ENDPOINTS                                                    AGE
demoapp-externalip-svc     10.244.1.102:80,10.244.1.103:80,10.244.2.97:80 + 1 more...   9m36s
demoapp-loadbalancer-svc   10.244.1.102:80,10.244.1.103:80,10.244.2.97:80 + 1 more...   3h15m
demoapp-nodeport-svc       10.244.1.102:80,10.244.1.103:80,10.244.2.97:80 + 1 more...   3h45m
demoapp-svc                10.244.1.102:80,10.244.1.103:80,10.244.2.97:80 + 1 more...   4h57m


[root@k8s-master svc]# kubectl describe ep demoapp-svc 
Name:         demoapp-svc
Namespace:    default
Labels:       
Annotations:  endpoints.kubernetes.io/last-change-trigger-time: 2021-07-28T19:22:06Z
Subsets:
  Addresses:          10.244.1.102,10.244.1.103,10.244.2.97,10.244.2.99  #绑定的后端Pod地址
  NotReadyAddresses:     #所有归类到未就绪后端端点都不会接受流量
  Ports:
    Name  Port  Protocol
    ----  ----  --------
    http  80    TCP

示例1: Endpoints引入外部服务

1.通过Endpoints把192.168.4.100、192.168.4.254 http引入到k8s集权内部并绑定svc
2.这里httpd服务为外部服务 无法通过API service来检测就绪状态,需要手动配置

[root@k8s-master svc]# cat http-endpoints-demo.yaml 
apiVersion: v1
kind: Endpoints
metadata:
  name: http-external
  namespace: default
subsets:
- addresses:   #外部服务地址
  - ip: 192.168.4.100
  - ip: 192.168.4.254
  ports:
  - name: http
    port: 80
    protocol: TCP
  notReadyAddresses:
---
apiVersion: v1
kind: Service
metadata: 
  name: http-external  #通过name匹配 不在需要用标签选择器  在同一名称空间下 name 一致就会相互匹配
  namespace: default
spec: 
  type: ClusterIP
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80

root@k8s-master svc]# kubectl apply -f http-endpoints-demo.yaml 
endpoints/http-external created
service/http-external created

[root@k8s-master svc]# kubectl describe svc http-external
Name:              http-external
Namespace:         default
Labels:            
Annotations:       
Selector:          
Type:              ClusterIP
IP:                10.103.125.128     #svc IP
Port:              http  80/TCP
TargetPort:        80/TCP
Endpoints:         192.168.4.100:80,192.168.4.254:80
Session Affinity:  None
Events:            

#访问测试
[root@k8s-master svc]# while true;do  curl 10.103.125.128;sleep 1;done
192.168.4.254
192.168.4.100
192.168.4.100
192.168.4.254
192.168.4.100
192.168.4.254
192.168.4.100

iptable、ipvs代理模式

  • iptable代理模式:

    1. iptables代理模式下的ClusterIP,每个Service在每个节点上(由kube-proxy负责生成))都会生成相应的iptables规则
    2. iptables 用户空间-->ptables(内核 完成数据调度)-->调度给用户空间 效率高 在iptables模型下kube-proxy的作用不在是数据调度转发,而是监听API server所有service中的定义转为本地的iptables规则 缺点:iptables模式,一个service会生成大量的规则; 如果一个service有50条规则 那如果有一万个容器,内核的性能就会受到影响
ipvs代理模式:
kube-ipvs0,将所有的ClusterlP绑定在该接口;而后将每个Service定义为虚拟服务器; nat转发 仅需要借助于极少量的iptables规则完成源地址转换等功能
ipvs代理模式: 在继承iptables优点的情况下,同时改进了iptables产生大量规则的缺点,在大规模集群中serice多的情况下优势更明显

示例2: 修改iptable为ipvs模式

[root@k8s-master ~]# kubectl get configmap -nkube-system
NAME                                 DATA   AGE
coredns                              1      31d
extension-apiserver-authentication   6      31d
kube-flannel-cfg                     2      31d
kube-proxy                           2      31d
kubeadm-config                       2      31d
kubelet-config-1.19                  1      31d
[root@k8s-master ~]# kubectl edit cm kube-proxy -n kube-system
...
      qps: 0
    clusterCIDR: 10.244.0.0/16
    configSyncPeriod: 0s
    conntrack:
      maxPerCore: null
      min: null
      tcpCloseWaitTimeout: null
      tcpEstablishedTimeout: null
    detectLocalMode: ""
    enableProfiling: false
    healthzBindAddress: ""
    hostnameOverride: ""
    iptables:
      masqueradeAll: false
      masqueradeBit: null
      minSyncPeriod: 0s
      syncPeriod: 0s
    ipvs:
      excludeCIDRs: null
      minSyncPeriod: 0s
      scheduler: ""   #调度算法 默认轮询算法
      strictARP: false
      syncPeriod: 0s
      tcpFinTimeout: 0s
      tcpTimeout: 0s
      udpTimeout: 0s
    kind: KubeProxyConfiguration
    metricsBindAddress: ""
    mode: "ipvs"       #默认为空 修改来ipvs
    nodePortAddresses: null
    oomScoreAdj: null
    portRange: ""
    showHiddenMetricsForVersion: ""

[root@k8s-master ~]# kubectl get pod -n kube-system -l k8s-app=kube-proxy
NAME               READY   STATUS    RESTARTS   AGE
kube-proxy-4shl5   1/1     Running   6          31d
kube-proxy-dw4tc   1/1     Running   7          31d
kube-proxy-xg2vf   1/1     Running   6          31d
[root@k8s-master ~]# kubectl delete  pod -n kube-system -l k8s-app=kube-proxy  #手动重启pod 生产环境最好是提前设定好
pod "kube-proxy-4shl5" deleted
pod "kube-proxy-dw4tc" deleted
pod "kube-proxy-xg2vf" deleted

[root@k8s-master ~]# ifconfig kube-ipvs   #修改成功好 会有一个kube-ipvs的虚拟接口
kube-ipvs0: flags=130  mtu 1500
        inet 10.97.56.1  netmask 255.255.255.255  broadcast 0.0.0.0
        ether b2:09:48:a5:8c:0a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@k8s-master ~]# kubectl get svc
NAME                       TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)        AGE
demoapp-externalip-svc     ClusterIP      10.110.30.133    192.168.100.100   80/TCP         42h
demoapp-loadbalancer-svc   LoadBalancer   10.110.155.70             80:31619/TCP   45h
demoapp-nodeport-svc       NodePort       10.97.56.1                   80:31399/TCP   45h
demoapp-svc                ClusterIP      10.97.72.1                   80/TCP         47h
http-external              ClusterIP      10.103.125.128               80/TCP         29h
kubernetes                 ClusterIP      10.96.0.1                    443/TCP        31d
my-grafana                 NodePort       10.96.4.185                  80:30379/TCP   29d
myapp                      NodePort       10.106.116.205               80:31532/TCP   31d

root@k8s-master ~]# ip addr show kube-ipvs0    #所有svc的IP地址都可以在kube-ipvs0接口中找到 也说明所有的svc都配置在kube-ipvs0接口上
14: kube-ipvs0:  mtu 1500 qdisc noop state DOWN group default 
    link/ether b2:09:48:a5:8c:0a brd ff:ff:ff:ff:ff:ff
    inet 10.97.56.1/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.110.30.133/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 192.168.100.100/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.97.72.1/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.103.125.128/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.96.4.185/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.96.0.10/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.110.155.70/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.106.116.205/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.108.171.56/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.106.239.211/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.103.145.83/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever
    inet 10.96.0.1/32 scope global kube-ipvs0
       valid_lft forever preferred_lft forever

[root@k8s-master ~]# ipvsadm -Ln  #查看IPVS规格
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  127.0.0.1:31619 rr
  -> 10.244.1.102:80              Masq    1      0          0         
  -> 10.244.1.103:80              Masq    1      0          0         
  -> 10.244.2.97:80               Masq    1      0          0         
  -> 10.244.2.99:80               Masq    1      0          0         
TCP  127.0.0.1:31994 rr
  -> 192.168.4.170:9100           Masq    1      0          0         
  -> 192.168.4.171:9100           Masq    1      0          0         
  -> 192.168.4.172:9100           Masq    1      0          0         
TCP  172.17.0.1:30169 rr
  -> 10.244.2.82:4443             Masq    1      0          0         
TCP  172.17.0.1:30379 rr
  -> 10.244.1.84:3000             Masq    1      0          0       

你可能感兴趣的