Why is a pod with a ClusterIP service reachable from the host/node in k8s?

Question

When the CLUSTER-IP is internal to the cluster network, why am I able to ping one of the cluster IP services from the host/node where k8s is installed? Have a look at IP 10.101.210.88, which is a cluster IP and, per its definition, must be reachable only from other pods, but I can still reach it from my Ubuntu host/node machine.

/root#kgs
NAMESPACE     NAME                                        TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                           AGE
default       kubernetes                                  ClusterIP   10.96.0.1        <none>        443/TCP                           16d
kube-system   kube-dns                                    ClusterIP   10.96.0.10       <none>        53/UDP,53/TCP,9153/TCP            16d
ricinfra      service-tiller-ricxapp                      ClusterIP   10.98.94.194     <none>        44134/TCP                         7d7h
ricplt        aux-entry                                   ClusterIP   10.105.149.143   <none>        80/TCP,443/TCP                    7d7h
ricplt        r4-influxdb-influxdb2                       ClusterIP   10.110.14.243    <none>        80/TCP                            7d7h
ricplt        r4-infrastructure-kong-proxy                NodePort    10.107.12.178    <none>        32080:32080/TCP,32443:32443/TCP   7d7h
ricplt        r4-infrastructure-prometheus-alertmanager   ClusterIP   10.104.86.76     <none>        80/TCP                            7d7h
ricplt        r4-infrastructure-prometheus-server         ClusterIP   10.102.224.176   <none>        80/TCP                            7d7h
ricplt        service-ricplt-a1mediator-http              ClusterIP   10.105.45.1      <none>        10000/TCP                         7d7h
ricplt        service-ricplt-a1mediator-rmr               ClusterIP   10.108.188.147   <none>        4561/TCP,4562/TCP                 7d7h
ricplt        service-ricplt-alarmmanager-http            ClusterIP   10.111.239.130   <none>        8080/TCP                          7d7h
ricplt        service-ricplt-alarmmanager-rmr             ClusterIP   10.106.30.195    <none>        4560/TCP,4561/TCP                 7d7h
ricplt        service-ricplt-appmgr-http                  ClusterIP   10.110.110.91    <none>        8080/TCP                          7d7h
ricplt        service-ricplt-appmgr-rmr                   ClusterIP   10.110.96.28     <none>        4561/TCP,4560/TCP                 7d7h
ricplt        service-ricplt-dbaas-tcp                    ClusterIP   None             <none>        6379/TCP                          7d7h
ricplt        service-ricplt-e2mgr-http                   ClusterIP   10.101.210.88    <none>        3800/TCP                          7d7h
ricplt        service-ricplt-e2mgr-rmr                    ClusterIP   10.101.245.34    <none>        4561/TCP,3801/TCP                 7d7h
ricplt        service-ricplt-e2term-prometheus-alpha      ClusterIP   10.97.95.213     <none>        8088/TCP                          7d7h
ricplt        service-ricplt-e2term-rmr-alpha             ClusterIP   10.100.36.142    <none>        4561/TCP,38000/TCP                7d7h
ricplt        service-ricplt-e2term-sctp-alpha            NodePort    10.108.215.136   <none>        36422:32222/SCTP                  7d7h
ricplt        service-ricplt-o1mediator-http              ClusterIP   10.96.196.67     <none>        9001/TCP,8080/TCP,3000/TCP        7d7h
ricplt        service-ricplt-o1mediator-tcp-netconf       NodePort    10.104.237.252   <none>        830:30830/TCP                     7d7h
ricplt        service-ricplt-rtmgr-http                   ClusterIP   10.105.27.42     <none>        3800/TCP                          7d7h
ricplt        service-ricplt-rtmgr-rmr                    ClusterIP   10.110.0.158     <none>        4561/TCP,4560/TCP                 7d7h
ricplt        service-ricplt-submgr-http                  ClusterIP   None             <none>        3800/TCP                          7d7h
ricplt        service-ricplt-submgr-rmr                   ClusterIP   None             <none>        4560/TCP,4561/TCP                 7d7h
ricplt        service-ricplt-vespamgr-http                ClusterIP   10.98.139.191    <none>        8080/TCP,9095/TCP                 7d7h
ricxapp       aux-entry                                   ClusterIP   10.99.152.66     <none>        80/TCP,443/TCP                    7d7h
ricxapp       service-ricxapp-bouncer-xapp-http           ClusterIP   10.99.222.68     <none>        8080/TCP                          25h
ricxapp       service-ricxapp-bouncer-xapp-rmr            ClusterIP   10.97.149.3      <none>        4560/TCP,4561/TCP                 25h
ricxapp       service-ricxapp-example-http                ClusterIP   10.101.14.166    <none>        8080/TCP                          2d11h
ricxapp       service-ricxapp-example-rmr                 ClusterIP   10.97.129.85     <none>        4560/TCP,4561/TCP                 2d11h
/root#
/root#
/root#ping 10.101.210.88    --------> this is a cluster ip and i am pinging it from my host/node machine 
PING 10.101.210.88 (10.101.210.88) 56(84) bytes of data.
64 bytes from 10.101.210.88: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.101.210.88: icmp_seq=2 ttl=64 time=0.032 ms
^C
--- 10.101.210.88 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1019ms
rtt min/avg/max/mdev = 0.032/0.046/0.061/0.014 ms
/root#

thanks

Answer 1

Score: 2

Yes, you will be able to access the ClusterIP from Kubernetes worker nodes.

When you create the SVC in Kubernetes with type ClusterIP, it assigns a Virtual IP to the SVC; the Virtual IP address is accessible only within the K8s cluster.

Kubernetes uses iptables rules to forward traffic from the Virtual IP to the PODs that the service is routing traffic to.

Kubernetes nodes are part of the Cluster, so they will be able to access the virtual IP. So the clusterIp will be accessible from within the cluster, from any worker node, but you won't be able to access it from outside the Cluster.

If you really want a deep understanding of the bridging, IP assignment and forwarding, you can refer to this nice article: https://dustinspecker.com/posts/iptables-how-kubernetes-services-direct-traffic-to-pods/
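The answer above says the node can reach the ClusterIP because kube-proxy's iptables rules DNAT it to pod IPs. The following added example (not part of the original question or answer, and not kube-proxy's own code) parses a constructed `iptables-save` excerpt in the shape kube-proxy writes in iptables mode, shows that KUBE-SERVICES is reached from both the PREROUTING hook (packets from pods and other hosts) and the OUTPUT hook (packets the node itself generates, which is exactly why a node-local client is redirected too), and resolves the service 10.101.210.88:3800/TCP from the question to its backend endpoints. The chain suffixes, pod IPs and the single-service ruleset are made up for the example; a practitioner would feed it the real `iptables-save -t nat` output from a node to audit which addresses a service actually forwards to.

```python
import shlex
from typing import Dict, List, Optional, Set

# Constructed iptables-save excerpt (nat table) in the layout kube-proxy uses in
# iptables mode for one ClusterIP service with two endpoints. The KUBE-SVC-/KUBE-SEP-
# suffixes and the 10.244.x.x pod IPs are invented for this example.
SAMPLE_IPTABLES_SAVE = """\
*nat
:KUBE-SERVICES - [0:0]
:KUBE-SVC-EXAMPLE1 - [0:0]
:KUBE-SEP-EXAMPLE1 - [0:0]
:KUBE-SEP-EXAMPLE2 - [0:0]
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -d 10.101.210.88/32 -p tcp -m comment --comment "ricplt/service-ricplt-e2mgr-http cluster IP" -m tcp --dport 3800 -j KUBE-SVC-EXAMPLE1
-A KUBE-SVC-EXAMPLE1 -m comment --comment "ricplt/service-ricplt-e2mgr-http" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-EXAMPLE1
-A KUBE-SVC-EXAMPLE1 -m comment --comment "ricplt/service-ricplt-e2mgr-http" -j KUBE-SEP-EXAMPLE2
-A KUBE-SEP-EXAMPLE1 -p tcp -m comment --comment "ricplt/service-ricplt-e2mgr-http" -m tcp -j DNAT --to-destination 10.244.0.17:3800
-A KUBE-SEP-EXAMPLE2 -p tcp -m comment --comment "ricplt/service-ricplt-e2mgr-http" -m tcp -j DNAT --to-destination 10.244.1.9:3800
COMMIT
"""


def parse_iptables_save(text: str) -> Dict[str, List[dict]]:
    """Parse '-A CHAIN ...' lines into {chain: [rule, ...]}, preserving rule order.

    Only the matches kube-proxy's service rules depend on are recorded:
    destination address, protocol, destination port, jump target, DNAT target.
    """
    chains: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # shlex keeps the quoted --comment text as one token
        chain = tokens[1]
        rule = {"dst": None, "proto": None, "dport": None, "target": None, "to": None}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-d":
                rule["dst"] = tokens[i + 1].split("/")[0]  # drop the /32 prefix length
                i += 2
            elif tok == "-p":
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tok == "--dport":
                rule["dport"] = int(tokens[i + 1])
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok == "--to-destination":
                rule["to"] = tokens[i + 1]
                i += 2
            else:
                i += 1  # other matches (-m comment, --probability, ...) are irrelevant here
        chains.setdefault(chain, []).append(rule)
    return chains


def service_entry_points(chains: Dict[str, List[dict]]) -> Set[str]:
    """Built-in nat chains that jump to KUBE-SERVICES.

    PREROUTING sees packets arriving on the node (from pods or other hosts);
    OUTPUT sees packets generated by the node itself. The OUTPUT hook is why a
    process on the node, not only a pod, gets its ClusterIP traffic redirected.
    """
    return {
        chain for chain, rules in chains.items()
        if chain in ("PREROUTING", "OUTPUT")
        and any(r["target"] == "KUBE-SERVICES" for r in rules)
    }


def _collect_dnat(chains: Dict[str, List[dict]], chain: str, seen: Set[str]) -> List[str]:
    """Walk KUBE-SVC-* -> KUBE-SEP-* chains and gather every DNAT destination."""
    found: List[str] = []
    if chain in seen:  # guard against malformed rulesets that loop
        return found
    seen.add(chain)
    for r in chains.get(chain, []):
        if r["target"] == "DNAT" and r["to"]:
            found.append(r["to"])
        elif r["target"] in chains:
            found.extend(_collect_dnat(chains, r["target"], seen))
    return found


def resolve_cluster_ip(chains: Dict[str, List[dict]], ip: str, proto: str,
                       port: Optional[int]) -> List[str]:
    """Return the pod endpoints a packet to ip/proto/port would be DNATed to.

    An empty list means no KUBE-SERVICES rule matches, so the packet is not
    redirected at all (e.g. ICMP, which the service rules never match).
    """
    endpoints: List[str] = []
    for r in chains.get("KUBE-SERVICES", []):
        if r["dst"] == ip and r["proto"] == proto and r["dport"] == port:
            endpoints.extend(_collect_dnat(chains, r["target"], set()))
    return endpoints


if __name__ == "__main__":
    table = parse_iptables_save(SAMPLE_IPTABLES_SAVE)
    print("KUBE-SERVICES is entered from:", sorted(service_entry_points(table)))
    print("10.101.210.88:3800/tcp ->", resolve_cluster_ip(table, "10.101.210.88", "tcp", 3800))
    print("10.101.210.88 icmp     ->", resolve_cluster_ip(table, "10.101.210.88", "icmp", None))
```

One caveat on the ping in the question: the service rules match only the service's protocol and port, so in iptables mode an ICMP echo to a ClusterIP is neither forwarded to a pod nor answered. A reply with TTL 64 and a few tens of microseconds of RTT is the node answering for itself, which is what happens in kube-proxy's IPVS mode, where every ClusterIP is assigned to the kube-ipvs0 dummy interface (`ip addr show kube-ipvs0` lists them); `ping` succeeding therefore says the address is bound locally, not that a pod is reachable.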

huangapple
  • Posted on 2023-02-24 03:07:22
  • Please keep this link when reposting: https://go.coder-hub.com/75549294.html