[k8s]k8s pod的4种网络模式最佳实战(externalIPs )
hostPort相当于docker run -p 8081:8080,不用创建svc,因此端口只在容器运行的vm上监听
缺点: 没法多pod负载
$ cat pod-hostport.yaml
apiVersion: v1
kind: Pod
metadata:
name: webapp
labels:
app: webapp
spec:
containers:
- name: webapp
image: tomcat
ports:
- containerPort: 8080
hostPort: 8081
$ kubectl get po --all-namespaces -o wide --show-labels
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE LABELS
default webapp 1/1 Running 0 5s 10.2.100.3 n2.ma.com app=webapp
[root@n2 ~]# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
59e72c92ba55 tomcat "catalina.sh run" 2 minutes ago Up 2 minutes k8s_webapp_webapp_default_932c613e-e2dc-11e7-8313-00505636c956_0
0fe8c2f08e03 gcr.io/google_containers/pause-amd64:3.0 "/pause" 2 minutes ago Up 2 minutes 0.0.0.0:8081->8080/tcp k8s_POD_webapp_default_932c613e-e2dc-11e7-8313-00505636c956_0
hostNetwork相当于 docker run --net=host ,不用创建svc,因此端口只在容器运行的vm上监听
缺点: 没法多pod负载
apiVersion: v1
kind: Pod
metadata:
name: webapp
labels:
app: webapp
spec:
hostNetwork: true
containers:
- name: webapp
image: tomcat
ports:
- containerPort: 8080
$ kubectl get po --all-namespaces -o wide --show-labels
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE LABELS
default webapp 1/1 Running 0 36s 192.168.x.x n2.ma.com app=webapp
查看该pod的网卡, 发现和宿主机一致
$ docker exec -it b8a1e1e35c3e ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:33:13:b6 brd ff:ff:ff:ff:ff:ff
inet 192.168.14.133/24 brd 192.168.14.255 scope global dynamic eth0
valid_lft 5356021sec preferred_lft 5356021sec
inet6 fe80::250:56ff:fe33:13b6/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 02:42:41:e8:f5:22 brd ff:ff:ff:ff:ff:ff
inet 10.2.100.1/24 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:41ff:fee8:f522/64 scope link
valid_lft forever preferred_lft forever
4: flannel.1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default
link/ether ae:4a:e1:f9:52:ea brd ff:ff:ff:ff:ff:ff
inet 10.2.100.0/32 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::ac4a:e1ff:fef9:52ea/64 scope link
valid_lft forever preferred_lft forever
244: veth007dbe6@if243: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master docker0 state UP group default
link/ether f2:02:e1:a2:9f:8a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::f002:e1ff:fea2:9f8a/64 scope link
valid_lft forever preferred_lft forever
NodePort-svc级别,由kube-proxy操控,所有节点规则统一,逻辑上市全局的
因此,svc上的nodeport会监听在所有的节点上(如果不指定,即是随机端口,由apiserver指定--service-node-port-range '30000-32767'),即使有1个pod,任意访问某台的nodeport都可以访问到这个服务
$ cat nginx-deployment.yaml
apiVersion: apps/v1beta1 # for versions before 1.8.0 use apps/v1beta1
kind: Deployment
metadata:
name: mynginx
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
$ cat nginx-svc.yaml
kind: Service
apiVersion: v1
metadata:
name: mynginx
spec:
type: NodePort
selector:
app: nginx
ports:
- protocol: TCP
port: 8080
targetPort: 80
$ kubect get pod --show-lables -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE LABELS
default mynginx-31893996-f8bn7 1/1 Running 0 12m 10.2.100.2 n2.ma.com app=nginx,pod-template-hash=31893996
$ kubectl get svc --show-lables -o wide
NAMESPACE NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
default mynginx 10.254.173.173 <nodes> 8080:31277/TCP 9m app=nginx
externalIPs 通过svc创建,在指定的node上监听端口
适用场景: 想通过svc来负载,但要求某台指定的node上监听,而非像nodeport所有节点监听.
[root@n1 external-ip]# cat nginx-deployment.yaml
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-deployment
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
ports:
- containerPort: 80
[root@n1 external-ip]# cat nginx-svc.yaml
apiVersion: v1
kind: Service
metadata:
name: svc-nginx
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
externalIPs:
- 192.168.2.12 #这是我的一台node的ip
- 这个端口是kube-proxy来启动的,所以只有运行kube-proxy的
[root@n2 ~]# netstat -ntulp
tcp 0 0 192.168.2.12:80 0.0.0.0:* LISTEN 11465/kube-proxy
