k8s: accessing Pods through a Service
admin
Written on 2022-01-22

How to create a Service

1. Create the Deployment

[machangwei@mcwk8s-master ~]$ cat mcwHttpd.yml
# Start three Pods running the httpd image. The label is run: mcw-httpd; the Service will select Pods by this label
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcw-httpd
spec:
  replicas: 3
  selector:
    matchLabels:
      run: mcw-httpd
  template:
    metadata:
      labels:
        run: mcw-httpd
    spec:
      containers:
      - name: mcw-httpd
        image: httpd
        ports:
        - containerPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpd.yml
deployment.apps/mcw-httpd created
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 0/1 ContainerCreating 0 2m52s mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 0/1 ImagePullBackOff 0 2m52s 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 0/1 ImagePullBackOff 0 2m52s 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide   # after a while, each Pod has been assigned its own IP; while the container is being created the IP is none
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 6m28s 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 0 6m28s 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 6m28s 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$   # these IPs can only be reached by containers and nodes inside the Kubernetes cluster

2. When the Pod IP is unreachable, is that how it should be? The answer is no.

[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 16m 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 0 16m 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 16m 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ curl 10.244.0.78   # from the master node, access the IP of the Pod on node2: connection timed out
curl: (7) Failed connect to 10.244.0.78:80; Connection timed out

On node2 itself, the IP of the Pod on node2 is reachable
[root@mcwk8s-node2 ~]$ curl 10.244.0.78

It works!

Suspected a problem with the flannel state on the nodes
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces|grep flannel
kube-system kube-flannel-ds-cn4m9 0/1 Error 233 (5m26s ago) 2d11h
kube-system kube-flannel-ds-hpgkz 1/1 Running 0 6d23h
kube-system kube-flannel-ds-nnjvj 0/1 CrashLoopBackOff 271 (15s ago) 6d23h

Suspected that -H had not been added on node2, so added it and restarted the docker daemon; all four containers restarted
[root@mcwk8s-node2 ~]$ vim /usr/lib/systemd/system/docker.service
[root@mcwk8s-node2 ~]$ grep -i execstart /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0 --containerd=/run/containerd/containerd.sock
(Note: -H tcp://0.0.0.0 exposes the Docker daemon API on every interface with no TLS and no authentication; that is a separate risk to review, and as the output below shows it did not fix the Pod network.)
[root@mcwk8s-node2 ~]$ systemctl daemon-reload
[root@mcwk8s-node2 ~]$ systemctl restart docker
[root@mcwk8s-node2 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
88de5020b420 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 1 second ago Up 1 second k8s_POD_kube-flannel-ds-cn4m9_kube-system_ef070440-6778-430f-92b9-a1c48b755d2b_1
adf80a28c0be b46c42588d51 "/usr/local/bin/kube…" 2 seconds ago Up 1 second k8s_kube-proxy_kube-proxy-92g5c_kube-system_a69acf11-f51a-46d6-9472-d54b5383efef_1
46bceff879bd registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 6 seconds ago Up 2 seconds k8s_POD_kube-proxy-92g5c_kube-system_a69acf11-f51a-46d6-9472-d54b5383efef_1
a5cdf7f6ef3b registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 6 seconds ago Up 2 seconds k8s_POD_mcw-httpd-6fbf67d7d5-bqq58_default_4ceffe1e-df14-47dd-82f0-83cb68555de7_1

Accessed the IP of the Pod on node2 from the master node again: still unreachable. Because the Pod on node2 restarted, it was assigned a new IP.
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 30m 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 1 (95s ago) 30m 10.244.0.79 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 30m 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ curl 10.244.0.79   # although a new IP was assigned, it is still unreachable
curl: (7) Failed connect to 10.244.0.79:80; Connection timed out

3. Create the Service

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.77.45 8080/TCP 14s
kubernetes ClusterIP 10.96.0.1 443/TCP 7d
[machangwei@mcwk8s-master ~]$ curl 10.99.77.45:8080
curl: (7) Failed connect to 10.99.77.45:8080; Connection refused

Accessing the Service via DNS

[machangwei@mcwk8s-master ~]$ kubectl get deployment --namespace=kube-system
NAME READY UP-TO-DATE AVAILABLE AGE
coredns 2/2 2 2 7d1h
[machangwei@mcwk8s-master ~]$ kubectl get service -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
httpd-svc ClusterIP 10.99.77.45 8080/TCP 61m run=httpd
kubernetes ClusterIP 10.96.0.1 443/TCP 7d1h
[machangwei@mcwk8s-master ~]$ kubectl run mcwbusybox --rm -ti --image=busybox /bin/bash
pod "mcwbusybox" deleted
error: timed out waiting for the condition
[machangwei@mcwk8s-master ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 124m
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 1 (95m ago) 124m
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 124m

Only Pods on the node itself are reachable; Pods in the same namespace cannot communicate with each other across hosts. Not sure where the problem is.
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos3 -it --image=centos /bin/bash
If you don't see a command prompt, try pressing enter.
[root@mcwcentos3 /]# curl 10.244.0.79
curl: (7) Failed to connect to 10.244.0.79 port 80: Connection timed out
[root@mcwcentos3 /]# curl 10.244.0.70

It works!


[root@mcwcentos3 /]# curl 10.244.0.71

It works!

route add -host 10.244.0.0 dev flannel.1
flannel.1 NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s
Error symptom: the system or the network is consuming too much CPU, causing a kernel soft lockup. Meaning of the name: a soft lockup is a bug that does not bring the whole system down, but a number of processes (or...

Flannel network problem

The network is indeed broken

The flannel status on two nodes is wrong
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces -o wide|grep flannel
kube-system kube-flannel-ds-cn4m9 0/1 CrashLoopBackOff 286 (3m50s ago) 3d10h 10.0.0.6 mcwk8s-node2
kube-system kube-flannel-ds-hpgkz 1/1 Running 1 (22h ago) 7d22h 10.0.0.4 mcwk8s-master
kube-system kube-flannel-ds-nnjvj 0/1 CrashLoopBackOff 325 (3m21s ago) 7d22h 10.0.0.5 mcwk8s-node1
[machangwei@mcwk8s-master ~]

On the node, look at the log of the corresponding container: the error is that the CIDR was not registered successfully
[root@mcwk8s-node2 ~]$ docker ps -a|grep flannel
2252229253e3 e6ea68648f0c "/opt/bin/flanneld -…" 10 seconds ago Exited (1) 2 seconds ago k8s_kube-flannel_kube-flannel-ds-cn4m9_kube-system_ef070440-6778-430f-92b9-a1c48b755d2b_284
[root@mcwk8s-node2 ~]$ docker logs 225
E0120 13:40:49.244765 1 main.go:325] Error registering network: failed to acquire lease: node "mcwk8s-node2" pod cidr not assigned
W0120 13:40:49.245111 1 reflector.go:424] github.com/flannel-io/flannel/subnet/kube/kube.go:379: watch of *v1.Node ended with: an error on the server ("unable to decode an event from the watch stream: context canceled") has prevented the request from succeeding

The CIDR written in when the master was initialized:
[root@mcwk8s-master ~]$ grep cidr /etc/kubernetes/manifests/kube-controller-manager.yaml
- --allocate-node-cidrs=true
- --cluster-cidr=10.244.0.0/24

The network used to deploy flannel:
[machangwei@mcwk8s-master ~]$ grep -C 3 '"Network"' mm.yml
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/16",
      "Backend": {
        "Type": "vxlan"
      }

Modify the network
[machangwei@mcwk8s-master ~]$ vim mm.yml
[machangwei@mcwk8s-master ~]$ grep -C 3 '"Network"' mm.yml
    }
  net-conf.json: |
    {
      "Network": "10.244.0.0/24",
      "Backend": {
        "Type": "vxlan"
      }
[machangwei@mcwk8s-master ~]

Redeployed k8s from scratch

Changing the network alone still did not work. Redeploying k8s from scratch, with both the flannel network and the master initialization set to the 10.244.0.0/16 network, fixed it. (The mismatch explains the flannel error above: with --cluster-cidr=10.244.0.0/24 and the default node CIDR mask of /24, the controller manager has exactly one /24 to allocate, so only one node can receive a podCIDR, and flannel on the other nodes fails with "pod cidr not assigned".)

[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6d8c4cb4d-vctxx 1/1 Running 1 (5m57s ago) 33m
kube-system coredns-6d8c4cb4d-xkv9h 1/1 Running 0 33m
kube-system etcd-mcwk8s-master 1/1 Running 0 33m
kube-system kube-apiserver-mcwk8s-master 1/1 Running 1 (4m42s ago) 33m
kube-system kube-controller-manager-mcwk8s-master 1/1 Running 1 33m
kube-system kube-flannel-ds-fvwgm 1/1 Running 0 22m
kube-system kube-flannel-ds-l5fdg 1/1 Running 0 25m
kube-system kube-flannel-ds-mzdcw 1/1 Running 0 21m
kube-system kube-proxy-796l7 1/1 Running 0 21m
kube-system kube-proxy-8wtxn 1/1 Running 0 22m
kube-system kube-proxy-qr6b8 1/1 Running 0 33m
kube-system kube-scheduler-mcwk8s-master 1/1 Running 1 33m
[machangwei@mcwk8s-master ~]$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
mcwk8s-master Ready control-plane,master 35m v1.23.1
mcwk8s-node1 Ready 23m v1.23.1
mcwk8s-node2 Ready 22m v1.23.1

With the network healthy, the interfaces and routes on the three nodes are as follows

Compared with before, the obvious difference is the additional routes. Previously the node network was not working, so the routing table was incomplete too.

Master node
[root@mcwk8s-master ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:a2:3a:b7 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.4/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::6b7a:2214:bef3:5850/64 scope link
valid_lft forever preferred_lft forever
3: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:a2:3a:c1 brd ff:ff:ff:ff:ff:ff
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:af:00:ac:08 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether ca:9d:fb:2c:b7:22 brd ff:ff:ff:ff:ff:ff
inet 10.244.0.0/32 brd 10.244.0.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::c89d:fbff:fe2c:b722/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether 3e:f7:13:d6:6b:5b brd ff:ff:ff:ff:ff:ff
inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::3cf7:13ff:fed6:6b5b/64 scope link
valid_lft forever preferred_lft forever
7: vethf9bacd46@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether f6:9d:2c:f7:ff:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::f49d:2cff:fef7:ff4e/64 scope link
valid_lft forever preferred_lft forever
8: veth59372586@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 56:da:7b:cb:75:49 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::54da:7bff:fecb:7549/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-master ~]$

node1
[root@mcwk8s-node1 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.253 0.0.0.0 UG 100 0 0 ens33
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
10.244.0.0 10.244.0.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
10.244.2.0 10.244.2.0 255.255.255.0 UG 0 0 0 flannel.1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
[root@mcwk8s-node1 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:0b:a3:15 brd ff:ff:ff:ff:ff:ff
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:0b:a3:0b brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::3516:c22b:d62:c43f/64 scope link
valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:5e:08:56:63 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether 4e:92:a2:b0:6b:5a brd ff:ff:ff:ff:ff:ff
inet 10.244.1.0/32 brd 10.244.1.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::4c92:a2ff:feb0:6b5a/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether e2:d3:b2:00:28:bf brd ff:ff:ff:ff:ff:ff
inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::e0d3:b2ff:fe00:28bf/64 scope link
valid_lft forever preferred_lft forever
7: vethafc53bc5@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 32:51:41:e9:e1:68 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::3051:41ff:fee9:e168/64 scope link
valid_lft forever preferred_lft forever
8: veth8246ed1c@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 12:67:28:44:fa:cd brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::1067:28ff:fe44:facd/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-node1 ~]$

node2
[root@mcwk8s-node2 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.253 0.0.0.0 UG 100 0 0 ens33
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
10.244.0.0 10.244.0.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.1.0 10.244.1.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.2.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
[root@mcwk8s-node2 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:eb:83:cd brd ff:ff:ff:ff:ff:ff
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:eb:83:c3 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.6/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::fd02:359f:93a4:95af/64 scope link
valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:ff:3f:37:b0 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether 56:16:44:85:ca:57 brd ff:ff:ff:ff:ff:ff
inet 10.244.2.0/32 brd 10.244.2.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::5416:44ff:fe85:ca57/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether 06:1f:10:ee:32:6f brd ff:ff:ff:ff:ff:ff
inet 10.244.2.1/24 brd 10.244.2.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::41f:10ff:feee:326f/64 scope link
valid_lft forever preferred_lft forever
7: vethdf3032e1@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 1e:50:bf:95:46:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::1c50:bfff:fe95:464d/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-node2 ~]$

After flannel is healthy, verify cross-host Pod access inside the cluster

[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 0/1 ContainerCreating 0 5m19s mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 0/1 ContainerCreating 0 5m19s mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 0/1 ContainerCreating 0 5m19s mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl describe pod mcw-httpd-6fbf67d7d5-5qfrl
Events:   # status timeline while the container is being created, including the image pull
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 4m49s default-scheduler Successfully assigned default/mcw-httpd-6fbf67d7d5-5qfrl to mcwk8s-node1
Normal Pulling 4m35s kubelet Pulling image "httpd"

mcwk8s-node1 stayed stuck, unable to pull the image. After running docker pull manually on node1, the Pod went to Running as soon as the image was pulled.
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21m 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21m 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21m 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$

Check the network: the IPs now assigned to the Pods can be reached from the other nodes in the cluster. In other words, each Pod has its own IP, and these IPs can only be reached by containers and nodes inside the Kubernetes cluster. The earlier statement is now verified.
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2

It works!


[machangwei@mcwk8s-master ~]$ curl 10.244.1.3

It works!


[machangwei@mcwk8s-master ~]$ hostname
mcwk8s-master
[machangwei@mcwk8s-master ~]$

Deploying the Service

Deploying the Service without backend Pods

The Endpoints are empty, so curl to the Service IP plus port certainly cannot get a response from the service
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml   # create the Service
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service   # list services: service name, cluster IP and port
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.102.232.38 8080/TCP 11s
kubernetes ClusterIP 10.96.0.1 443/TCP 140m
[machangwei@mcwk8s-master ~]$ curl 10.102.232.38:8080   # curl cluster IP:port fails, because there are no endpoints
curl: (7) Failed connect to 10.102.232.38:8080; Connection refused
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2   # accessing the Pod IP directly from the node reaches the Pod's port 80 service

It works!


[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ ping 10.244.1.2   # the Pod IP in the cluster can be pinged from the node
PING 10.244.1.2 (10.244.1.2) 56(84) bytes of data.
64 bytes from 10.244.1.2: icmp_seq=1 ttl=63 time=1.04 ms
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.102.232.38 8080/TCP 75s
kubernetes ClusterIP 10.96.0.1 443/TCP 141m
[machangwei@mcwk8s-master ~]$ curl 10.102.232.38:8080
curl: (7) Failed connect to 10.102.232.38:8080; Connection refused
[machangwei@mcwk8s-master ~]$ kubectl describe service httpd-svc   # describe the service: Endpoints is empty
Name: httpd-svc
Namespace: default
Labels:
Annotations:
Selector: run=httpd
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.102.232.38
IPs: 10.102.232.38
Port: 8080/TCP
TargetPort: 80/TCP
Endpoints:
Session Affinity: None
Events:
[machangwei@mcwk8s-master ~]$

Working: with backend Pods

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml   # the yml file before the change
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl get pod --show-labels   # check the labels of the Pods that should back the service: they are run=mcw-httpd
NAME READY STATUS RESTARTS AGE LABELS
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
[machangwei@mcwk8s-master ~]$ kubectl delete -f mcwHttpdService.yml
service "httpd-svc" deleted
[machangwei@mcwk8s-master ~]$ vim mcwHttpdService.yml
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml   # fix the selector, correcting the label: the Pods backing the Service carry run: mcw-httpd
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: mcw-httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml   # redeploy the service
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service   # list services: the cluster IP has changed
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 7s
kubernetes ClusterIP 10.96.0.1 443/TCP 146m
[machangwei@mcwk8s-master ~]$ curl 10.99.19.228:8080   # now curl cluster IP:port reaches the service

It works!


[machangwei@mcwk8s-master ~]$ kubectl describe service httpd-svc
Name: httpd-svc
Namespace: default
Labels:
Annotations:
Selector: run=mcw-httpd
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.99.19.228
IPs: 10.99.19.228
Port: 8080/TCP   # the service now has Endpoints values
TargetPort: 80/TCP   # the Endpoints are the IPs of the Pods carrying the selected label, with the Pod's target port
Endpoints: 10.244.1.2:80,10.244.1.3:80,10.244.2.2:80
Session Affinity: None   # so requests to cluster IP:port are load-balanced to the Pod IP and target port of the Pods matching the Service selector
Events:   # the cluster IP is allocated when the Service is created; which Pod label to select and the Pod port (targetPort) are set in the yml
[machangwei@mcwk8s-master ~]$
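The Endpoints list above is what the Service selector produces from the Pod labels, and the empty Endpoints in the previous section came from the selector run: httpd matching no Pod. The following Python script is an added example, not code from the page: it reproduces that derivation offline. The Pod names, IPs and labels are constructed to match the kubectl get pod --show-labels output above, and the ready flag stands in for the Pod's Ready condition, which is what decides whether a matching Pod appears in Endpoints.

```python
"""Offline reproduction of how a Service selector turns into Endpoints.

Added example; the Pods and the two Service specs are constructed from the
values shown on the page (the mistaken selector run: httpd and the fix).
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    ip: str
    node: str
    labels: dict
    ready: bool = True  # stands in for the Pod's Ready condition (assumption of this example)


@dataclass
class Service:
    name: str
    selector: dict
    port: int
    target_port: int


# Constructed to match the page's `kubectl get pod -o wide` / `--show-labels` output.
PODS = [
    Pod("mcw-httpd-6fbf67d7d5-5qfrl", "10.244.1.2", "mcwk8s-node1",
        {"pod-template-hash": "6fbf67d7d5", "run": "mcw-httpd"}),
    Pod("mcw-httpd-6fbf67d7d5-98x8d", "10.244.2.2", "mcwk8s-node2",
        {"pod-template-hash": "6fbf67d7d5", "run": "mcw-httpd"}),
    Pod("mcw-httpd-6fbf67d7d5-bpbq4", "10.244.1.3", "mcwk8s-node1",
        {"pod-template-hash": "6fbf67d7d5", "run": "mcw-httpd"}),
]

# The two mcwHttpdService.yml versions from the page.
SVC_WRONG = Service("httpd-svc", {"run": "httpd"}, 8080, 80)
SVC_FIXED = Service("httpd-svc", {"run": "mcw-httpd"}, 8080, 80)


def selector_matches(selector, labels):
    """Equality-based selector: every key/value in the selector must be present in the
    Pod's labels. Extra Pod labels (pod-template-hash here) do not matter."""
    return all(labels.get(key) == value for key, value in selector.items())


def endpoints_for(service, pods):
    """ip:targetPort for each ready Pod the selector matches, sorted by address string so
    the result is stable (this happens to be the order in the page's describe output)."""
    return sorted(f"{pod.ip}:{service.target_port}" for pod in pods
                  if pod.ready and selector_matches(service.selector, pod.labels))


def diagnose(service, pods):
    """One-line verdict. When the list is empty, say which selector value matches nothing
    and which values for that key actually exist: the check that would have caught
    run: httpd versus run: mcw-httpd before deploying."""
    endpoints = endpoints_for(service, pods)
    if endpoints:
        return f"{service.name}: {len(endpoints)} endpoint(s) -> {','.join(endpoints)}"
    hints = []
    for key, value in service.selector.items():
        seen = sorted({pod.labels.get(key, "<absent>") for pod in pods})
        if value not in seen:
            hints.append(f"selector {key}={value} matches no Pod; existing values for {key}: {seen}")
    if not hints:
        hints.append("labels match but no matching Pod is Ready")
    return f"{service.name}: no endpoints ({'; '.join(hints)})"


if __name__ == "__main__":
    print(diagnose(SVC_WRONG, PODS))
    print(diagnose(SVC_FIXED, PODS))
```

Running it prints the empty verdict for the original selector, naming the label value that does exist, and the three-address endpoint list for the corrected one.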

The Service file explained

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1   # apiVersion of the Service
kind: Service   # resource type
metadata:
  name: httpd-svc
spec:
  selector:   # select the Pods whose label is run: httpd as the backend of the Service
    run: httpd
  ports:
  - protocol: TCP
    port: 8080   # map the Service's port 8080 to the Pod's port 80, using TCP
    targetPort: 80

How the Cluster IP is implemented

Firewall rules related to the Service, involving the cluster IP and the Pod IPs
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 20h 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 20h 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 20h 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 18h
kubernetes ClusterIP 10.96.0.1 443/TCP 20h
[machangwei@mcwk8s-master ~]$

Check the firewall rules on the host
[root@mcwk8s-master ~]$ iptables-save |grep httpd-svc
-A KUBE-SEP-26GESA23ILIBJ6BG -s 10.244.1.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-26GESA23ILIBJ6BG -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-5MDWNIS6FGKOLKLF -s 10.244.1.3/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-5MDWNIS6FGKOLKLF -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MZ7D7IEY543CBPN3 -s 10.244.2.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZ7D7IEY543CBPN3 -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SERVICES -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-SVC-IYRDZZKXS5EOQ6Q6
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 ! -s 10.244.0.0/16 -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5MDWNIS6FGKOLKLF
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -j KUBE-SEP-MZ7D7IEY543CBPN3
[root@mcwk8s-master ~]$

One:
-A KUBE-SERVICES -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-SVC-IYRDZZKXS5EOQ6Q6
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 ! -s 10.244.0.0/16 -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
1. Other source addresses accessing httpd-svc are allowed.
2. If a Pod inside the cluster (source address from 10.244.0.0/16) accesses httpd-svc, jump to KUBE-SVC-IYRDZZKXS5EOQ6Q6. One of the KUBE-SVC-IYRDZZKXS5EOQ6Q6 rules is the following:
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG

Two:
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5MDWNIS6FGKOLKLF
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -j KUBE-SEP-MZ7D7IEY543CBPN3
1. With probability 1/3, jump to rule KUBE-SEP-26GESA23ILIBJ6BG
2. With probability 1/3 (half of the remaining 2/3), jump to rule KUBE-SEP-5MDWNIS6FGKOLKLF
3. With probability 1/3, jump to rule KUBE-SEP-MZ7D7IEY543CBPN3

Three:
-A KUBE-SEP-26GESA23ILIBJ6BG -s 10.244.1.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-26GESA23ILIBJ6BG -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-5MDWNIS6FGKOLKLF -s 10.244.1.3/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-5MDWNIS6FGKOLKLF -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MZ7D7IEY543CBPN3 -s 10.244.2.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZ7D7IEY543CBPN3 -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.2.2:80
These forward the requests to the three backend Pods. iptables forwards traffic destined for the Service to the backend Pods, using a round-robin-style load-balancing policy. Every node in the cluster is configured with the same iptables rules, which ensures the service can be reached through the Service's cluster IP from anywhere in the cluster.
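The walk through chains one, two and three above can be checked mechanically. The following Python script is an added example, not part of the original post: it embeds the iptables-save | grep httpd-svc output shown above as a constant and evaluates the rules for one packet in the order iptables does. The KUBE-SERVICES rule matches the cluster IP and --dport 8080 and jumps to the KUBE-SVC chain; there the ! -s 10.244.0.0/16 ... -j KUBE-MARK-MASQ rule marks traffic whose source is outside the Pod network for masquerade (MARK is non-terminating, so evaluation continues); the statistic rules then pick an endpoint, where a rule with --probability p matches with probability p and otherwise falls through to the next rule; the KUBE-SEP chain finally DNATs to the Pod. The parser keeps only the options this walk needs, and it assumes the grep output is complete for this Service (in a real cluster KUBE-SERVICES also holds the rules of every other Service).

```python
"""Walk kube-proxy's iptables chains for a packet to the cluster IP, offline.

Added example. RULES is the `iptables-save | grep httpd-svc` output from the page,
embedded as a constant so no cluster is needed.
"""
import ipaddress
import shlex
from collections import defaultdict

RULES = """\
-A KUBE-SEP-26GESA23ILIBJ6BG -s 10.244.1.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-26GESA23ILIBJ6BG -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-5MDWNIS6FGKOLKLF -s 10.244.1.3/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-5MDWNIS6FGKOLKLF -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MZ7D7IEY543CBPN3 -s 10.244.2.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZ7D7IEY543CBPN3 -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SERVICES -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-SVC-IYRDZZKXS5EOQ6Q6
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 ! -s 10.244.0.0/16 -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5MDWNIS6FGKOLKLF
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -j KUBE-SEP-MZ7D7IEY543CBPN3
"""

# The only options this walk needs; everything else (-p, -m comment, ...) is skipped.
OPTIONS = {"-s": "src", "-d": "dst", "--dport": "dport", "--probability": "prob",
           "--to-destination": "dnat", "-j": "target"}


def parse_rules(text):
    """{chain: [rule, ...]} in file order, which is the order iptables evaluates them.
    A '!' negates the option that follows it (only -s is negated in these rules)."""
    chains = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # keeps the quoted --comment value as one token
        rule = {"negated": set()}
        negate_next = False
        i = 2                       # tokens[0] == "-A", tokens[1] == chain name
        while i < len(tokens):
            if tokens[i] == "!":
                negate_next = True
                i += 1
                continue
            if tokens[i] in OPTIONS:
                key = OPTIONS[tokens[i]]
                rule[key] = tokens[i + 1]
                if negate_next:
                    rule["negated"].add(key)
                i += 2
            else:
                i += 1
            negate_next = False
        chains[tokens[1]].append(rule)
    return chains


def matches(rule, src, dst, dport):
    """The match part of a rule, i.e. everything except the statistic module."""
    for key, addr in (("src", src), ("dst", dst)):
        if key in rule:
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(rule[key], strict=False)
            if hit == (key in rule["negated"]):
                return False
    if "dport" in rule and int(rule["dport"]) != dport:
        return False
    return True


def trace(chains, src, dst, dport):
    """Follow one packet: KUBE-SERVICES -> KUBE-SVC-* -> KUBE-SEP-*. Returns the SVC chain,
    whether the packet is marked for masquerade, and each DNAT destination with the
    probability it is chosen (p for a --probability p rule, times the mass that fell
    through the earlier rules)."""
    svc_chain = next((r["target"] for r in chains["KUBE-SERVICES"]
                      if matches(r, src, dst, dport)), None)
    result = {"svc_chain": svc_chain, "masquerade": False, "endpoints": {}}
    if svc_chain is None:
        return result
    remaining = 1.0
    for rule in chains[svc_chain]:
        if not matches(rule, src, dst, dport):
            continue
        if rule["target"] == "KUBE-MARK-MASQ":
            result["masquerade"] = True  # MARK does not terminate evaluation
            continue
        p = float(rule.get("prob", 1.0))
        dnat = next(r["dnat"] for r in chains[rule["target"]] if r.get("target") == "DNAT")
        result["endpoints"][dnat] = remaining * p
        remaining *= 1.0 - p
    return result


CHAINS = parse_rules(RULES)

if __name__ == "__main__":
    for src in ("10.0.0.4", "10.244.2.3"):  # a node IP and a Pod IP, both from the page
        print(src, "->", trace(CHAINS, src, "10.99.19.228", 8080))
```

A request from the master node (10.0.0.4) is marked for masquerade and split evenly over the three Pods; a request from a Pod (10.244.2.3) is not marked. A packet to port 80 on the cluster IP matches no KUBE-SERVICES rule at all, which is the curl httpd-svc timeout seen later on the page.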

Accessing a Service via DNS

Accessing a Service in the Pod's own namespace

[machangwei@mcwk8s-master ~]$ kubectl get deployment --namespace=kube-system   # check the DNS component
NAME READY UP-TO-DATE AVAILABLE AGE
coredns 2/2 2 2 21h
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos --rm -ti --image=centos /bin/bash   # create a Pod and enter it
If you don't see a command prompt, try pressing enter.
[root@mcwcentos /]# wget httpd-svc.default:8080   # inside the Pod, access the Service as service-name.namespace
bash: wget: command not found
[root@mcwcentos /]# curl httpd-svc.default:8080

It works!


[root@mcwcentos /]#
[root@mcwcentos /]# curl httpd-svc:8080   # because the Pod and httpd-svc are both in the default namespace, the default namespace can be omitted and the service accessed directly

It works!


[root@mcwcentos /]# yum -y install bind-utils   # install tools so the nslookup command is available
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:02:36 ago on Fri Jan 21 12:45:19 2022.
Dependencies resolved.
[root@mcwcentos /]# ls /etc/yum.repos.d/   # look at the repo files in the centos image
CentOS-Linux-AppStream.repo CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Devel.repo CentOS-Linux-FastTrack.repo CentOS-Linux-Media.repo CentOS-Linux-PowerTools.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-Debuginfo.repo CentOS-Linux-Extras.repo CentOS-Linux-HighAvailability.repo CentOS-Linux-Plus.repo CentOS-Linux-Sources.repo
[root@mcwcentos /]# nslookup httpd-svc   # look up the DNS record for httpd-svc
Server:   10.96.0.10   # this is the DNS server (the DNS component)
Address:  10.96.0.10#53

Name:     httpd-svc.default.svc.cluster.local   # this is the full domain name of httpd-svc
Address:  10.99.19.228   # this is the Service's cluster IP
[root@mcwcentos /]#
[machangwei@mcwk8s-master ~]$ kubectl get service   # the cluster IP
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 19h
kubernetes ClusterIP 10.96.0.1 443/TCP 21h
[machangwei@mcwk8s-master ~]$

Look at the newly created Pod
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide|grep mcwcentos
mcwcentos 1/1 Running 0 8m8s 10.244.2.3 mcwk8s-node2

On the Pod's node, find the container
[root@mcwk8s-node2 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
0b11a9d9ac35 centos "/bin/bash" 8 minutes ago Up 8 minutes k8s_mcwcentos_mcwcentos_default_05aaed6d-57b0-4f6b-807d-1cd0e9c39ad9_0

Then look at the container's log: it records everything I did after entering the container, including the yum install
[root@mcwk8s-node2 ~]$ docker logs 0b1|tail
CentOS-Linux-AppStream.repo CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Devel.repo CentOS-Linux-FastTrack.repo CentOS-Linux-Media.repo CentOS-Linux-PowerTools.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-Debuginfo.repo CentOS-Linux-Extras.repo CentOS-Linux-HighAvailability.repo CentOS-Linux-Plus.repo CentOS-Linux-Sources.repo
[root@mcwcentos /]#
[root@mcwcentos /]# nslookup httpd-svc
Server:   10.96.0.10
Address:  10.96.0.10#53

Name:     httpd-svc.default.svc.cluster.local
Address:  10.99.19.228
[root@mcwk8s-node2 ~]$

In the Pod entered from the master node:
[root@mcwcentos /]# ping httpd-svc
PING httpd-svc.default.svc.cluster.local (10.99.19.228) 56(84) bytes of data.
^C
--- httpd-svc.default.svc.cluster.local ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms
[root@mcwcentos /]# curl httpd-svc
curl: (7) Failed to connect to httpd-svc port 80: Connection timed out
[root@mcwcentos /]# curl httpd-svc:8080

It works!


[root@mcwcentos /]# curl httpd-svc.default.svc.cluster.local:8080   # the full domain name also works with curl; without the port it fails, because the Service is shown to use port 8080

It works!


[root@mcwcentos /]#

Accessing a Service in another namespace

List the existing namespaces
[machangwei@mcwk8s-master ~]$ kubectl get namespace   # these namespaces were all created when the cluster was deployed
NAME STATUS AGE
default Active 21h
kube-node-lease Active 21h
kube-public Active 21h
kube-system Active 21h
[machangwei@mcwk8s-master ~]$

Look at the files deployed earlier
[machangwei@mcwk8s-master ~]$ cat mcwHttpd.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcw-httpd
spec:
  replicas: 3
  selector:
    matchLabels:
      run: mcw-httpd
  template:
    metadata:
      labels:
        run: mcw-httpd
    spec:
      containers:
      - name: mcw-httpd
        image: httpd
        ports:
        - containerPort: 80
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: mcw-httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ cat mcwhttpd2quanyml   # the two files above merged, with the names and labels changed and a namespace specified. Multiple resources are separated by ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcw-httpd2
  namespace: kube-public
spec:
  replicas: 3
  selector:
    matchLabels:
      run: mcw-httpd2
  template:
    metadata:
      labels:
        run: mcw-httpd2
    spec:
      containers:
      - name: mcw-httpd2
        image: httpd
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: httpd2-svc
  namespace: kube-public
spec:
  selector:
    run: mcw-httpd2
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$

Check the IP of mcwcentos
[root@mcwcentos /]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: eth0@if8: mtu 1450 qdisc noqueue state UP group default
link/ether c6:c1:ce:94:49:24 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.244.2.3/24 brd 10.244.2.255 scope global eth0
valid_lft forever preferred_lft forever
[root@mcwcentos /]# hostname -i
10.244.2.3
[root@mcwcentos /]#
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwhttpd2quanyml   # deploy the httpd2 service
deployment.apps/mcw-httpd2 created
service/httpd2-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service --namespace=kube-public   # list service 2; the namespace must be specified
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd2-svc ClusterIP 10.101.134.243 8080/TCP 39s
[machangwei@mcwk8s-master ~]$ kubectl get service   # without specifying the namespace, the service in kube-public is not shown
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 19h
kubernetes ClusterIP 10.96.0.1 443/TCP 21h
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos2 --rm -ti --image=centos /bin/bash   # run a second one, mcwcentos2
If you don't see a command prompt, try pressing enter.
[root@mcwcentos2 /]# curl httpd2-svc:8080   # this Pod is in the default namespace; accessing a service in another namespace by service name and port alone, without the namespace, fails
curl: (6) Could not resolve host: httpd2-svc
[root@mcwcentos2 /]# curl httpd2-svc.kube-public:8080   # with service-name.namespace:port, a Pod can reach the service across namespaces

It works!


[root@mcwcentos2 /]# ping -c 2 10.244.2.3   # a Pod can ping a Pod in the same namespace directly
PING 10.244.2.3 (10.244.2.3) 56(84) bytes of data.
64 bytes from 10.244.2.3: icmp_seq=1 ttl=64 time=0.252 ms
64 bytes from 10.244.2.3: icmp_seq=2 ttl=64 time=0.072 ms

--- 10.244.2.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.072/0.162/0.252/0.090 ms
[root@mcwcentos2 /]#
[root@mcwcentos2 /]# exit   # when exiting with ctrl+d, the Pod created by this command is deleted; get pod no longer shows it
Session ended, resume using 'kubectl attach mcwcentos2 -c mcwcentos2 -i -t' command when the pod is running
pod "mcwcentos2" deleted
[machangwei@mcwk8s-master ~]$

As shown below, by default only the Pods in default are visible
[machangwei@mcwk8s-master ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h
default mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h
default mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h
kube-public mcw-httpd2-6b98bfbbbf-69jb5 1/1 Running 0 21m
kube-public mcw-httpd2-6b98bfbbbf-qv7g9 1/1 Running 0 21m
kube-public mcw-httpd2-6b98bfbbbf-ztddf 1/1 Running 0 21m
kube-system coredns-6d8c4cb4d-vctxx 1/1 Running 1 (21h ago) 22h
kube-system coredns-6d8c4cb4d-xkv9h 1/1 Running 0 22h

How to access a Service from outside the cluster

1. Cluster IP plus port gives access to the service from inside the cluster.

Here <cluster IP>:<port> is curled from all three nodes and the service responds normally. Whether the same works from a pod in a different namespace has not been verified yet; it should work too.
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc NodePort 10.107.208.46 8080:30450/TCP 14m
kubernetes ClusterIP 10.96.0.1 443/TCP 22h
[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:8080

It works!

[root@mcwk8s-node1 ~]$ curl 10.107.208.46:8080

It works!

[root@mcwk8s-node2 ~]$ curl 10.107.208.46:8080

It works!


[root@mcwk8s-node2 ~]$

2. Here the NodePort type is used to expose the application's Service outside the cluster.

[machangwei@mcwk8s-master ~]$ ls # list the yml files present
mcwhttpd2quanyml mcwHttpdService.yml mcwHttpd.yml mm.yml
[machangwei@mcwk8s-master ~]$ kubectl get service # list the current services
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 19h
kubernetes ClusterIP 10.96.0.1 443/TCP 22h
[machangwei@mcwk8s-master ~]$ kubectl get pod # list the current pods
NAME READY STATUS RESTARTS AGE
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h
[machangwei@mcwk8s-master ~]$ kubectl delete -f mcwHttpdService.yml # delete the existing service; a new one is created next, still backed by the same pods
service "httpd-svc" deleted
[machangwei@mcwk8s-master ~]$ kubectl get service # list the services; the earlier one has been deleted
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 10.96.0.1 443/TCP 22h
[machangwei@mcwk8s-master ~]$ vim mcwHttpdService.yml # edit the service yml
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml # the service yml with the key/value pair type: NodePort added
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  type: NodePort
  selector:
    run: mcw-httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml # create the service; deleting first is probably unnecessary, re-applying should recreate it, to be verified
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service # the new service shows an extra port, 30450
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc NodePort 10.107.208.46 8080:30450/TCP 21s
kubernetes ClusterIP 10.96.0.1 443/TCP 22h
[machangwei@mcwk8s-master ~]$ netstat -an|grep 30450 # check the exposed port; it is listening on every node, so <node IP>:30450 can be reached from outside the cluster
tcp 0 0 0.0.0.0:30450 0.0.0.0:* LISTEN
[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:8080 # access the service via cluster IP and port

It works!


[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:30450 # the node port cannot be reached via the cluster IP
curl: (7) Failed connect to 10.107.208.46:30450; Connection timed out
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide # show the pod IPs
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2 # curling a pod IP directly from a node reaches the service

It works!


[machangwei@mcwk8s-master ~]$ curl 10.244.1.2:30450 # curling <pod IP>:<node port> from a node does not work
curl: (7) Failed connect to 10.244.1.2:30450; Connection refused
[machangwei@mcwk8s-master ~]$ hostname -i
10.0.0.4
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450 # the correct form is curl <node IP>:<node port>

It works!


[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450 # <node IP>:<node port> is also reachable from a browser outside the cluster

It works!

# Since the service is reachable from outside on any of the three node IPs at this port,
[machangwei@mcwk8s-master ~]$ curl 10.0.0.6:30450 # is the traffic load-balanced across the three backend pods?

It works!


On the master node, find the service's three pods:
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h 10.244.1.3 mcwk8s-node1
Using this pod list, locate each of the three containers on its node and edit the container's index page to append its own pod IP:
[root@mcwk8s-node1 ~]$ netstat -an|grep 30450
tcp 0 0 0.0.0.0:30450 0.0.0.0:* LISTEN
[root@mcwk8s-node1 ~]$ docker ps |grep mcw-httpd-6fbf67d7d5-bpbq4
c978d2770826 httpd "httpd-foreground" 22 hours ago Up 22 hours k8s_mcw-httpd_mcw-httpd-6fbf67d7d5-bpbq4_default_1380d70d-e2b1-4276-b80f-813bcd3bae10_0
eddd4b542888 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 22 hours ago Up 22 hours k8s_POD_mcw-httpd-6fbf67d7d5-bpbq4_default_1380d70d-e2b1-4276-b80f-813bcd3bae10_0
[root@mcwk8s-node1 ~]$ docker exec -it c978 bash
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2# ls
bin build cgi-bin conf error htdocs icons include logs modules
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2# cd htdocs/
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs# cat index.html

It works!


root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs# echo '

It works!

10.244.1.3'>index.html
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs#
From the master node, curl each pod IP directly to confirm that all of them were modified:
[machangwei@mcwk8s-master ~]$ curl 10.244.1.3

It works!

10.244.1.3
Then access the service through <node IP>:<node port>. Whichever node IP is used, the requests are spread across the three backend pods, so load balancing is in effect: hitting any node IP on the exposed port is the same as hitting the service, and the service balances across its three pods. The same can be seen from a browser.
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc NodePort 10.107.208.46 8080:30450/TCP 46m
kubernetes ClusterIP 10.96.0.1 443/TCP 23h
[machangwei@mcwk8s-master ~]$ hostname -i
10.0.0.4
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.1.3
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450

It works!

10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450

It works!

10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450

It works!

10.244.1.3
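
The load-balancing check above, as an added shell script that is not code from the original post: it sends repeated requests to <node IP>:<node port>, reads the pod IP that each backend appends to its page, and tallies which endpoints answered. The node IP, port and pod IPs in the comments are the ones from this cluster; the function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the original post): check how a NodePort service
# spreads requests across its backend pods. It assumes, as set up in the post,
# that each pod's index.html ends with that pod's own IP, so the last IPv4
# address in a response body identifies the pod that answered.

# Print the backend pod IP found in one HTTP response body (last IPv4 in it),
# or nothing if the body contains no IPv4 address (e.g. an empty body after a timeout).
backend_of() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | tail -n 1
}

# Read one backend IP per line on stdin; print "<count> <ip>" lines sorted by ip.
tally_backends() {
    sort | uniq -c | awk '{ print $1, $2 }'
}

# Send N requests to <node IP>:<node port> and print the per-pod tally.
# Usage: probe_nodeport 10.0.0.4 30450 30
probe_nodeport() {
    local node_ip=$1 node_port=$2 n=${3:-20} i body
    for i in $(seq "$n"); do
        # --max-time keeps one stalled backend from hanging the whole probe
        body=$(curl -s --max-time 2 "http://$node_ip:$node_port/") || body=''
        backend_of "$body"
    done | grep . | tally_backends
}

# Succeed (exit 0) only if every expected endpoint answered at least once.
# $1: tally text as produced by tally_backends; remaining args: expected pod IPs.
all_endpoints_hit() {
    local tally=$1 ip
    shift
    for ip in "$@"; do
        printf '%s\n' "$tally" | awk -v ip="$ip" '$2 == ip { found = 1 } END { exit !found }' || return 1
    done
    return 0
}

# Number of distinct backends that answered, taken from a tally.
distinct_backends() {
    printf '%s\n' "$1" | grep -c .
}

# Example run against the post's cluster; the expected pod IPs are the
# Endpoints shown by `kubectl describe service httpd-svc`.
# tally=$(probe_nodeport 10.0.0.4 30450 30)
# printf '%s\n' "$tally"
# all_endpoints_hit "$tally" 10.244.1.2 10.244.1.3 10.244.2.2 && echo "all 3 endpoints answered"
```

Because the NodePort is bound on 0.0.0.0 on every node (see the netstat output above), this same probe works from any host that can reach a node, which is why the node-port range should be restricted at the node firewall or security group when only internal clients need it.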

3. LoadBalancer

To be added later.

k8s通过Service访问Pod的

k8s通过Service访问Pod

如何创建服务

1、创建Deployment

#启动三个pod,运行httpd镜像,label是run:mcw-httpd,Seveice将会根据这个label挑选Pod
apiVersion: apps/v1

[machangwei@mcwk8s-master ~]$ cat mcwHttpd.yml
kind: Deployment
metadata:
name: mcw-httpd
spec:
replicas: 3
selector:
matchLabels:
run: mcw-httpd
template:
metadata:
labels:
run: mcw-httpd
spec:
containers:
- name: mcw-httpd
image: httpd
ports:
- containerPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpd.yml
deployment.apps/mcw-httpd created
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 0/1 ContainerCreating 0 2m52s mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 0/1 ImagePullBackOff 0 2m52s 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 0/1 ImagePullBackOff 0 2m52s 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide #过一会后,查看Pod分配了各自的IP,容器在创建的时候ip是none
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 6m28s 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 0 6m28s 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 6m28s 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ #这些ip只能被kubernates Cluster中的容器和节点访问

2、不通的情况,是不是就应该不通呢,答案是否。

[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 16m 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 0 16m 10.244.0.78 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 16m 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ curl 10.244.0.78 #主节点访问节点2上的pod的ip,连接超时
curl: (7) Failed connect to 10.244.0.78:80; Connection timed out 节点2上访问节点2上的pod ip是能访问的
[root@mcwk8s-node2 ~]$ curl 10.244.0.78

It works!

怀疑是节点上flannel状态问题
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces|grep flannel
kube-system kube-flannel-ds-cn4m9 0/1 Error 233 (5m26s ago) 2d11h
kube-system kube-flannel-ds-hpgkz 1/1 Running 0 6d23h
kube-system kube-flannel-ds-nnjvj 0/1 CrashLoopBackOff 271 (15s ago) 6d23h 怀疑节点2上没添加-H的问题,然后添加重启docker daemon ,四个容器都重启了
[root@mcwk8s-node2 ~]$ vim /usr/lib/systemd/system/docker.service
[root@mcwk8s-node2 ~]$ grep -i execstart /usr/lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0 --containerd=/run/containerd/containerd.sock
[root@mcwk8s-node2 ~]$ systemctl daemon-reload
[root@mcwk8s-node2 ~]$ systemctl restart docker
[root@mcwk8s-node2 ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
88de5020b420 registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 1 second ago Up 1 second k8s_POD_kube-flannel-ds-cn4m9_kube-system_ef070440-6778-430f-92b9-a1c48b755d2b_1
adf80a28c0be b46c42588d51 "/usr/local/bin/kube…" 2 seconds ago Up 1 second k8s_kube-proxy_kube-proxy-92g5c_kube-system_a69acf11-f51a-46d6-9472-d54b5383efef_1
46bceff879bd registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 6 seconds ago Up 2 seconds k8s_POD_kube-proxy-92g5c_kube-system_a69acf11-f51a-46d6-9472-d54b5383efef_1
a5cdf7f6ef3b registry.aliyuncs.com/google_containers/pause:3.6 "/pause" 6 seconds ago Up 2 seconds k8s_POD_mcw-httpd-6fbf67d7d5-bqq58_default_4ceffe1e-df14-47dd-82f0-83cb68555de7_1 再次在主节点访问节点2上的pod ip ,还是无法访问,由于节点2上pod重启了,所以ip被重新分配了一个
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 30m 10.244.0.71 mcwk8s-node1
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 1 (95s ago) 30m 10.244.0.79 mcwk8s-node2
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 30m 10.244.0.70 mcwk8s-node1
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ curl 10.244.0.79 #虽然重新分配了ip,但是还是无法访问
curl: (7) Failed connect to 10.244.0.79:80; Connection timed out

3、创建Service

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
name: httpd-svc
spec:
selector:
run: httpd
ports:
- protocol: TCP
port: 8080
targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.77.45 8080/TCP 14s
kubernetes ClusterIP 10.96.0.1 443/TCP 7d
[machangwei@mcwk8s-master ~]$ curl 10.99.77.45:8080
curl: (7) Failed connect to 10.99.77.45:8080; Connection refused

dns访问Service

[machangwei@mcwk8s-master ~]$ kubectl get deployment --namespace=kube-system
NAME READY UP-TO-DATE AVAILABLE AGE
coredns 2/2 2 2 7d1h
[machangwei@mcwk8s-master ~]$ kubectl get service -o wide
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
httpd-svc ClusterIP 10.99.77.45 8080/TCP 61m run=httpd
kubernetes ClusterIP 10.96.0.1 443/TCP 7d1h
[machangwei@mcwk8s-master ~]$ kubectl run mcwbusybox --rm -ti --image=busybox /bin/bash
pod "mcwbusybox" deleted
error: timed out waiting for the condition
[machangwei@mcwk8s-master ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mcw-httpd-6fbf67d7d5-5rrkh 1/1 Running 0 124m
mcw-httpd-6fbf67d7d5-bqq58 1/1 Running 1 (95m ago) 124m
mcw-httpd-6fbf67d7d5-j52ff 1/1 Running 0 124m 只可以访问自己节点上的pod,不能跨主机同命名空间内的pod互相通信。不知道哪里的问题
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos3 -it --image=centos /bin/bash
If you don't see a command prompt, try pressing enter.
[root@mcwcentos3 /]# curl 10.244.0.79
curl: (7) Failed to connect to 10.244.0.79 port 80: Connection timed out
[root@mcwcentos3 /]# curl 10.244.0.70

It works!


[root@mcwcentos3 /]# curl 10.244.0.71

It works!

route add -host 10.244.0.0 dev flannel.1
flannel.1 NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s
报错现象 系统或者网络占用过多CPU,造成内核软死锁(soft lockup)。Soft lockup名称解释:所谓,soft lockup就是说,这个bug没有让系统彻底死机,但是若干个进程(或...

fannel网络问题

网络是有问题的

两个节点上的fannel状态不对
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces -o wide|grep flannel
kube-system kube-flannel-ds-cn4m9 0/1 CrashLoopBackOff 286 (3m50s ago) 3d10h 10.0.0.6 mcwk8s-node2
kube-system kube-flannel-ds-hpgkz 1/1 Running 1 (22h ago) 7d22h 10.0.0.4 mcwk8s-master
kube-system kube-flannel-ds-nnjvj 0/1 CrashLoopBackOff 325 (3m21s ago) 7d22h 10.0.0.5 mcwk8s-node1
[machangwei@mcwk8s-master ~] 节点上查看对应容器的日志错误信,未成功注册cidr
[root@mcwk8s-node2 ~]$ docker ps -a|grep flannel
2252229253e3 e6ea68648f0c "/opt/bin/flanneld -…" 10 seconds ago Exited (1) 2 seconds ago k8s_kube-flannel_kube-flannel-ds-cn4m9_kube-system_ef070440-6778-430f-92b9-a1c48b755d2b_284
[root@mcwk8s-node2 ~]$ docker logs 225
E0120 13:40:49.244765 1 main.go:325] Error registering network: failed to acquire lease: node "mcwk8s-node2" pod cidr not assigned
W0120 13:40:49.245111 1 reflector.go:424] github.com/flannel-io/flannel/subnet/kube/kube.go:379: watch of *v1.Node ended with: an error on the server ("unable to decode an event from the watch stream: context canceled") has prevented the request from succeeding master初始化写进来的cidr
[root@mcwk8s-master ~]$ grep cidr /etc/kubernetes/manifests/kube-controller-manager.yaml
- --allocate-node-cidrs=true
- --cluster-cidr=10.244.0.0/24 部署fannel用的网络
[machangwei@mcwk8s-master ~]$ grep -C 3 '"Network"' mm.yml
}
net-conf.json: |
{
"Network": "10.244.0.0/16",
"Backend": {
"Type": "vxlan"
} 修改网络
[machangwei@mcwk8s-master ~]$ vim mm.yml
[machangwei@mcwk8s-master ~]$ grep -C 3 '"Network"' mm.yml
}
net-conf.json: |
{
"Network": "10.244.0.0/24",
"Backend": {
"Type": "vxlan"
}
[machangwei@mcwk8s-master ~]

从头部署了k8s

修改网络后还是不行。直接从头部署k8s就好了,把flannel网络和初始化master都设置为10.244.0.0/16 网络

[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
kube-system coredns-6d8c4cb4d-vctxx 1/1 Running 1 (5m57s ago) 33m
kube-system coredns-6d8c4cb4d-xkv9h 1/1 Running 0 33m
kube-system etcd-mcwk8s-master 1/1 Running 0 33m
kube-system kube-apiserver-mcwk8s-master 1/1 Running 1 (4m42s ago) 33m
kube-system kube-controller-manager-mcwk8s-master 1/1 Running 1 33m
kube-system kube-flannel-ds-fvwgm 1/1 Running 0 22m
kube-system kube-flannel-ds-l5fdg 1/1 Running 0 25m
kube-system kube-flannel-ds-mzdcw 1/1 Running 0 21m
kube-system kube-proxy-796l7 1/1 Running 0 21m
kube-system kube-proxy-8wtxn 1/1 Running 0 22m
kube-system kube-proxy-qr6b8 1/1 Running 0 33m
kube-system kube-scheduler-mcwk8s-master 1/1 Running 1 33m
[machangwei@mcwk8s-master ~]$ [machangwei@mcwk8s-master ~]$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
mcwk8s-master Ready control-plane,master 35m v1.23.1
mcwk8s-node1 Ready 23m v1.23.1
mcwk8s-node2 Ready 22m v1.23.1

网络正常的三个节点,网卡和路由如下

跟之前相比,很明显的是多了路由了。之前应该是节点网络没好,所以路由也不全

主节点
[root@mcwk8s-master ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:a2:3a:b7 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.4/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::6b7a:2214:bef3:5850/64 scope link
valid_lft forever preferred_lft forever
3: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:a2:3a:c1 brd ff:ff:ff:ff:ff:ff
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:af:00:ac:08 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether ca:9d:fb:2c:b7:22 brd ff:ff:ff:ff:ff:ff
inet 10.244.0.0/32 brd 10.244.0.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::c89d:fbff:fe2c:b722/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether 3e:f7:13:d6:6b:5b brd ff:ff:ff:ff:ff:ff
inet 10.244.0.1/24 brd 10.244.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::3cf7:13ff:fed6:6b5b/64 scope link
valid_lft forever preferred_lft forever
7: vethf9bacd46@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether f6:9d:2c:f7:ff:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::f49d:2cff:fef7:ff4e/64 scope link
valid_lft forever preferred_lft forever
8: veth59372586@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 56:da:7b:cb:75:49 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::54da:7bff:fecb:7549/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-master ~]$ node1
[root@mcwk8s-node1 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.253 0.0.0.0 UG 100 0 0 ens33
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
10.244.0.0 10.244.0.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.1.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
10.244.2.0 10.244.2.0 255.255.255.0 UG 0 0 0 flannel.1
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
[root@mcwk8s-node1 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:0b:a3:15 brd ff:ff:ff:ff:ff:ff
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:0b:a3:0b brd ff:ff:ff:ff:ff:ff
inet 10.0.0.5/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::3516:c22b:d62:c43f/64 scope link
valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:5e:08:56:63 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether 4e:92:a2:b0:6b:5a brd ff:ff:ff:ff:ff:ff
inet 10.244.1.0/32 brd 10.244.1.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::4c92:a2ff:feb0:6b5a/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether e2:d3:b2:00:28:bf brd ff:ff:ff:ff:ff:ff
inet 10.244.1.1/24 brd 10.244.1.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::e0d3:b2ff:fe00:28bf/64 scope link
valid_lft forever preferred_lft forever
7: vethafc53bc5@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 32:51:41:e9:e1:68 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::3051:41ff:fee9:e168/64 scope link
valid_lft forever preferred_lft forever
8: veth8246ed1c@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 12:67:28:44:fa:cd brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::1067:28ff:fe44:facd/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-node1 ~]$ node2
[root@mcwk8s-node2 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.253 0.0.0.0 UG 100 0 0 ens33
10.0.0.0 0.0.0.0 255.255.255.0 U 100 0 0 ens33
10.244.0.0 10.244.0.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.1.0 10.244.1.0 255.255.255.0 UG 0 0 0 flannel.1
10.244.2.0 0.0.0.0 255.255.255.0 U 0 0 0 cni0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
You have new mail in /var/spool/mail/root
[root@mcwk8s-node2 ~]$ ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens34: mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
link/ether 00:0c:29:eb:83:cd brd ff:ff:ff:ff:ff:ff
3: ens33: mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:eb:83:c3 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.6/24 brd 10.0.0.255 scope global ens33
valid_lft forever preferred_lft forever
inet6 fe80::fd02:359f:93a4:95af/64 scope link
valid_lft forever preferred_lft forever
4: docker0: mtu 1500 qdisc noqueue state DOWN
link/ether 02:42:ff:3f:37:b0 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
5: flannel.1: mtu 1450 qdisc noqueue state UNKNOWN
link/ether 56:16:44:85:ca:57 brd ff:ff:ff:ff:ff:ff
inet 10.244.2.0/32 brd 10.244.2.0 scope global flannel.1
valid_lft forever preferred_lft forever
inet6 fe80::5416:44ff:fe85:ca57/64 scope link
valid_lft forever preferred_lft forever
6: cni0: mtu 1450 qdisc noqueue state UP qlen 1000
link/ether 06:1f:10:ee:32:6f brd ff:ff:ff:ff:ff:ff
inet 10.244.2.1/24 brd 10.244.2.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::41f:10ff:feee:326f/64 scope link
valid_lft forever preferred_lft forever
7: vethdf3032e1@if3: mtu 1450 qdisc noqueue master cni0 state UP
link/ether 1e:50:bf:95:46:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::1c50:bfff:fe95:464d/64 scope link
valid_lft forever preferred_lft forever
[root@mcwk8s-node2 ~]$

flannel正常之后,验证集群内pod跨主机访问

[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 0/1 ContainerCreating 0 5m19s mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 0/1 ContainerCreating 0 5m19s mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 0/1 ContainerCreating 0 5m19s mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl describe pod mcw-httpd-6fbf67d7d5-5qfrl
Events: #容器创建中的状态时间段,包括拉取镜像的过程
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 4m49s default-scheduler Successfully assigned default/mcw-httpd-6fbf67d7d5-5qfrl to mcwk8s-node1
Normal Pulling 4m35s kubelet Pulling image "httpd" mcwk8s-node1一直卡在拉取不下镜像,然后手动到节点1上docker pull,拉取完镜像之后,pod马上就运行状态了
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21m 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21m 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21m 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ 查看网络,现在分配的pod上分配的ip,可以正常的在集群其它节点上进行访问了。也就是Pod分配了各自的ip,这些ip只能被Kuernetes Cluster 中的容器和节点访问。前面那句话已经得到验证
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21m 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21m 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21m 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2

It works!


[machangwei@mcwk8s-master ~]$ curl 10.244.1.3

It works!


[machangwei@mcwk8s-master ~]$ hostname
mcwk8s-master
[machangwei@mcwk8s-master ~]$

部署service

部署service,但是没有后端服务

endpoint是空的,肯定不能通过服务ip加端口,去curl访问服务的响应数据
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
name: httpd-svc
spec:
selector:
run: httpd
ports:
- protocol: TCP
port: 8080
targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml #创建Service
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service #查看service。有服务名,集群ip,以及端口,
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.102.232.38 8080/TCP 11s
kubernetes ClusterIP 10.96.0.1 443/TCP 140m
[machangwei@mcwk8s-master ~]$ curl 10.102.232.38:8080 #通过curl集群ip冒号端口,无法访问,因为没有endpoint
curl: (7) Failed connect to 10.102.232.38:8080; Connection refused
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2 #通过访问pod ip ,可以直接在节点上访问到集群中的pod的对应的80服务

It works!


[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ ping 10.244.1.2 #可以在节点上ping通集群中pod的ip。
PING 10.244.1.2 (10.244.1.2) 56(84) bytes of data.
64 bytes from 10.244.1.2: icmp_seq=1 ttl=63 time=1.04 ms
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.102.232.38 8080/TCP 75s
kubernetes ClusterIP 10.96.0.1 443/TCP 141m
[machangwei@mcwk8s-master ~]$ curl 10.102.232.38:8080
curl: (7) Failed connect to 10.102.232.38:8080; Connection refused
[machangwei@mcwk8s-master ~]$ kubectl describe service httpd-svc #查看服务,可以看到endponts为none
Name: httpd-svc
Namespace: default
Labels:
Annotations:
Selector: run=httpd
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.102.232.38
IPs: 10.102.232.38
Port: 8080/TCP
TargetPort: 80/TCP
Endpoints:
Session Affinity: None
Events:
[machangwei@mcwk8s-master ~]$

正常的有后端pod

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml   #修改前的yml文件,
apiVersion: v1
kind: Service
metadata:
name: httpd-svc
spec:
selector:
run: httpd
ports:
- protocol: TCP
port: 8080
targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl get pod --show-labels #查看服务对应的后端pod的标签,发现是run=mcw-httpd,
NAME READY STATUS RESTARTS AGE LABELS
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 107m pod-template-hash=6fbf67d7d5,run=mcw-httpd
[machangwei@mcwk8s-master ~]$ kubectl delete -f mcwHttpdService.yml
service "httpd-svc" deleted
[machangwei@mcwk8s-master ~]$ vim mcwHttpdService.yml
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml #修改选择器,纠正标签,指定service后端pod的标签是run: mcw-httpd
apiVersion: v1
kind: Service
metadata:
name: httpd-svc
spec:
selector:
run: mcw-httpd
ports:
- protocol: TCP
port: 8080
targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml #重新部署服务
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service #查看服务,集群已经换掉了
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 7s
kubernetes ClusterIP 10.96.0.1 443/TCP 146m
[machangwei@mcwk8s-master ~]$ curl 10.99.19.228:8080 #这下可以正常curl 集群IP:端口,来访问服务了。

It works!


[machangwei@mcwk8s-master ~]$ kubectl describe service httpd-svc
Name: httpd-svc
Namespace: default
Labels:
Annotations:
Selector: run=mcw-httpd
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 10.99.19.228
IPs: 10.99.19.228
Port: 8080/TCP #查看到现在的服务,后endpoint的值
TargetPort: 80/TCP # endpoint的值,是代表有可以访问带有指定标签pod ip,指定pod目标端口的服务。
Endpoints: 10.244.1.2:80,10.244.1.3:80,10.244.2.2:80
Session Affinity: None #也就是访问集群ip:端口,应该是负载均衡路由到这带有服务选择对应标签的pod ip和目标端口的
Events: #集群ip是创建服务时分配的,而选择带有什么样标签的pod,以及pod对应服务的端口,即目标端口,是在yml里面已经设置好了
[machangwei@mcwk8s-master ~]$

service文件介绍

[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1 #Service的apiVersion
kind: Service #资源类型
metadata:
name: httpd-svc
spec:
selector: #指明挑选那些label为run: httpd的pod作为Service的后端
run: httpd
ports:
- protocol: TCP
port: 8080 #将Servicede 8080端口映射到Pod的80端口,使用TCP协议
targetPort: 80

Cluster IP底层实现

跟service相关的防火墙规则,集群ip和pod ip相关
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 20h 10.244.1.2 mcwk8s-node1
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 20h 10.244.2.2 mcwk8s-node2
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 20h 10.244.1.3 mcwk8s-node1
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
httpd-svc ClusterIP 10.99.19.228 8080/TCP 18h
kubernetes ClusterIP 10.96.0.1 443/TCP 20h
[machangwei@mcwk8s-master ~]$ 查看当前主机防火墙
[root@mcwk8s-master ~]$ iptables-save |grep httpd-svc
-A KUBE-SEP-26GESA23ILIBJ6BG -s 10.244.1.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-26GESA23ILIBJ6BG -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-5MDWNIS6FGKOLKLF -s 10.244.1.3/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-5MDWNIS6FGKOLKLF -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MZ7D7IEY543CBPN3 -s 10.244.2.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZ7D7IEY543CBPN3 -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.2.2:80
-A KUBE-SERVICES -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-SVC-IYRDZZKXS5EOQ6Q6
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 ! -s 10.244.0.0/16 -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5MDWNIS6FGKOLKLF
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -j KUBE-SEP-MZ7D7IEY543CBPN3
[root@mcwk8s-master ~]$ 一:
-A KUBE-SERVICES -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-SVC-IYRDZZKXS5EOQ6Q6
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 ! -s 10.244.0.0/16 -d 10.99.19.228/32 -p tcp -m comment --comment "default/httpd-svc cluster IP" -m tcp --dport 8080 -j KUBE-MARK-MASQ
1、其它源地址访问httpd-svc,则允许
2、如果Cluster内的pod(源地址来自10.244.0.0/16)要访问httpd-svc,则跳转到KUBE-SVC-IYRDZZKXS5EOQ6Q6 KUBE-SVC-IYRDZZKXS5EOQ6Q6规则之一如下:
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG 二:
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.33333333349 -j KUBE-SEP-26GESA23ILIBJ6BG
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-5MDWNIS6FGKOLKLF
-A KUBE-SVC-IYRDZZKXS5EOQ6Q6 -m comment --comment "default/httpd-svc" -j KUBE-SEP-MZ7D7IEY543CBPN3 1、1/3概率跳转到规则KUBE-SEP-26GESA23ILIBJ6BG
2、1/3概率(剩下2/3的一半)跳转到规则KUBE-SEP-5MDWNIS6FGKOLKLF
3、1/3概率跳转到规则KUBE-SEP-MZ7D7IEY543CBPN3 三:
-A KUBE-SEP-26GESA23ILIBJ6BG -s 10.244.1.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-26GESA23ILIBJ6BG -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.2:80
-A KUBE-SEP-5MDWNIS6FGKOLKLF -s 10.244.1.3/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-5MDWNIS6FGKOLKLF -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.1.3:80
-A KUBE-SEP-MZ7D7IEY543CBPN3 -s 10.244.2.2/32 -m comment --comment "default/httpd-svc" -j KUBE-MARK-MASQ
-A KUBE-SEP-MZ7D7IEY543CBPN3 -p tcp -m comment --comment "default/httpd-svc" -m tcp -j DNAT --to-destination 10.244.2.2:80 将请求分别转发到后端的三个pod.iptables将访问Service的流量转发到后端pod,而且使用类型轮询的负载均衡策略。集群的每一个结点都配置了相同的iptables规则,这样就确保了整个集群都能通过Service的集群ip访问服务。

DNS访问Service

访问本身namespace中的

[machangwei@mcwk8s-master ~]$ kubectl get deployment --namespace=kube-system   # check the cluster DNS component
NAME      READY   UP-TO-DATE   AVAILABLE   AGE
coredns   2/2     2            2           21h
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos --rm -ti --image=centos /bin/bash   # create a throwaway pod and get a shell in it
If you don't see a command prompt, try pressing enter.
[root@mcwcentos /]# wget httpd-svc.default:8080   # inside the pod, reach the Service as <service>.<namespace>:<port>
bash: wget: command not found
[root@mcwcentos /]# curl httpd-svc.default:8080

It works!

[root@mcwcentos /]#
[root@mcwcentos /]# curl httpd-svc:8080   # the pod and httpd-svc are both in the default namespace, so the namespace can be omitted

It works!

[root@mcwcentos /]# yum -y install bind-utils   # install bind-utils for the nslookup command
Failed to set locale, defaulting to C.UTF-8
Last metadata expiration check: 0:02:36 ago on Fri Jan 21 12:45:19 2022.
Dependencies resolved.
[root@mcwcentos /]# ls /etc/yum.repos.d/   # the repo files shipped in the centos image
CentOS-Linux-AppStream.repo CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Devel.repo CentOS-Linux-FastTrack.repo CentOS-Linux-Media.repo CentOS-Linux-PowerTools.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-Debuginbug.repo CentOS-Linux-Extras.repo CentOS-Linux-HighAvailability.repo CentOS-Linux-Plus.repo CentOS-Linux-Sources.repo
[root@mcwcentos /]# nslookup httpd-svc   # look up the DNS record for httpd-svc
Server:         10.96.0.10         # the server answering: the cluster DNS (CoreDNS) Service IP
Address:        10.96.0.10#53

Name:   httpd-svc.default.svc.cluster.local   # the Service's fully qualified name
Address: 10.99.19.228                         # the Service's cluster IP
[root@mcwcentos /]#
[machangwei@mcwk8s-master ~]$ kubectl get service   # the same cluster IP as kubectl reports
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.99.19.228   <none>        8080/TCP   19h
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP    21h
[machangwei@mcwk8s-master ~]$
Look at the newly created pod:
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide|grep mcwcentos
mcwcentos   1/1     Running   0          8m8s   10.244.2.3   mcwk8s-node2   <none>           <none>
Find the container on the node the pod was scheduled to:
[root@mcwk8s-node2 ~]$ docker ps
CONTAINER ID   IMAGE    COMMAND       CREATED         STATUS         PORTS   NAMES
0b11a9d9ac35   centos   "/bin/bash"   8 minutes ago   Up 8 minutes           k8s_mcwcentos_mcwcentos_default_05aaed6d-57b0-4f6b-807d-1cd0e9c39ad9_0
Then read the container log. It records everything typed and printed in the interactive session, including the yum installation, because the shell's output is the container's stdout. Anyone with access to the node or to kubectl logs can read it, so do not type secrets into a pod started with -ti:
[root@mcwk8s-node2 ~]$ docker logs 0b1|tail
CentOS-Linux-AppStream.repo CentOS-Linux-ContinuousRelease.repo CentOS-Linux-Devel.repo CentOS-Linux-FastTrack.repo CentOS-Linux-Media.repo CentOS-Linux-PowerTools.repo
CentOS-Linux-BaseOS.repo CentOS-Linux-Debuginfo.repo CentOS-Linux-Extras.repo CentOS-Linux-HighAvailability.repo CentOS-Linux-Plus.repo CentOS-Linux-Sources.repo
[root@mcwcentos /]#
[root@mcwcentos /]# nslookup httpd-svc
Server:         10.96.0.10
Address:        10.96.0.10#53

Name:   httpd-svc.default.svc.cluster.local
Address: 10.99.19.228
[root@mcwk8s-node2 ~]$
Back in the pod opened from the master node:
[root@mcwcentos /]# ping httpd-svc   # the cluster IP is virtual: in iptables mode no interface holds it and only the Service's TCP/UDP ports are DNATed, so ICMP gets no reply
PING httpd-svc.default.svc.cluster.local (10.99.19.228) 56(84) bytes of data.
^C
--- httpd-svc.default.svc.cluster.local ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1001ms
[root@mcwcentos /]# curl httpd-svc   # port 80 is not a port of the Service, so this times out
curl: (7) Failed to connect to httpd-svc port 80: Connection timed out
[root@mcwcentos /]# curl httpd-svc:8080

It works!

[root@mcwcentos /]# curl httpd-svc.default.svc.cluster.local:8080   # the fully qualified name works too; :8080 is required because that is the port the Service exposes

It works!

[root@mcwcentos /]#

Accessing a Service in another namespace

List the existing namespaces:
[machangwei@mcwk8s-master ~]$ kubectl get namespace   # these four are created when the cluster is set up
NAME              STATUS   AGE
default           Active   21h
kube-node-lease   Active   21h
kube-public       Active   21h
kube-system       Active   21h
[machangwei@mcwk8s-master ~]$
Review the files deployed earlier:
[machangwei@mcwk8s-master ~]$ cat mcwHttpd.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcw-httpd
spec:
  replicas: 3
  selector:
    matchLabels:
      run: mcw-httpd
  template:
    metadata:
      labels:
        run: mcw-httpd
    spec:
      containers:
      - name: mcw-httpd
        image: httpd
        ports:
        - containerPort: 80
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  selector:
    run: mcw-httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ cat mcwhttpd2quanyml   # the two files above merged into one, with the names and labels changed and an explicit namespace added; multiple resources in one file are separated by ---. kube-public is used here only as a convenient second namespace; it is meant for cluster-readable data rather than workloads
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mcw-httpd2
  namespace: kube-public
spec:
  replicas: 3
  selector:
    matchLabels:
      run: mcw-httpd2
  template:
    metadata:
      labels:
        run: mcw-httpd2
    spec:
      containers:
      - name: mcw-httpd2
        image: httpd
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: httpd2-svc
  namespace: kube-public
spec:
  selector:
    run: mcw-httpd2
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$
Check the IP of mcwcentos:
[root@mcwcentos /]# ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth0@if8: mtu 1450 qdisc noqueue state UP group default
    link/ether c6:c1:ce:94:49:24 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.244.2.3/24 brd 10.244.2.255 scope global eth0
       valid_lft forever preferred_lft forever
[root@mcwcentos /]# hostname -i
10.244.2.3
[root@mcwcentos /]#
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwhttpd2quanyml   # deploy the httpd2 Deployment and Service
deployment.apps/mcw-httpd2 created
service/httpd2-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service --namespace=kube-public   # the namespace must be given to see httpd2-svc
NAME         TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
httpd2-svc   ClusterIP   10.101.134.243   <none>        8080/TCP   39s
[machangwei@mcwk8s-master ~]$ kubectl get service   # without a namespace only default is listed, so the Service in kube-public is not shown
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.99.19.228   <none>        8080/TCP   19h
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP    21h
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl run mcwcentos2 --rm -ti --image=centos /bin/bash   # start a second throwaway pod, mcwcentos2, in default
If you don't see a command prompt, try pressing enter.
[root@mcwcentos2 /]# curl httpd2-svc:8080   # this pod is in default; the bare name of a Service in another namespace does not resolve
curl: (6) Could not resolve host: httpd2-svc
[root@mcwcentos2 /]# curl httpd2-svc.kube-public:8080   # <service>.<namespace>:<port> reaches the Service across namespaces

It works!

[root@mcwcentos2 /]# ping -c 2 10.244.2.3   # a pod can ping another pod directly by IP. Both pods happen to be in default here, but the pod network is flat: a namespace boundary does not block pod-to-pod traffic, only a NetworkPolicy does
PING 10.244.2.3 (10.244.2.3) 56(84) bytes of data.
64 bytes from 10.244.2.3: icmp_seq=1 ttl=64 time=0.252 ms
64 bytes from 10.244.2.3: icmp_seq=2 ttl=64 time=0.072 ms

--- 10.244.2.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.072/0.162/0.252/0.090 ms
[root@mcwcentos2 /]#
[root@mcwcentos2 /]# exit   # on exit (or Ctrl+D) the pod created by kubectl run --rm is deleted, and get pod no longer lists it
Session ended, resume using 'kubectl attach mcwcentos2 -c mcwcentos2 -i -t' command when the pod is running
pod "mcwcentos2" deleted
[machangwei@mcwk8s-master ~]$
By default only the pods in the default namespace are listed:
[machangwei@mcwk8s-master ~]$ kubectl get pod
NAME READY STATUS RESTARTS AGE
mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h
mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$
[machangwei@mcwk8s-master ~]$ kubectl get pod --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default mcw-httpd-6fbf67d7d5-5qfrl 1/1 Running 0 21h
default mcw-httpd-6fbf67d7d5-98x8d 1/1 Running 0 21h
default mcw-httpd-6fbf67d7d5-bpbq4 1/1 Running 0 21h
kube-public mcw-httpd2-6b98bfbbbf-69jb5 1/1 Running 0 21m
kube-public mcw-httpd2-6b98bfbbbf-qv7g9 1/1 Running 0 21m
kube-public mcw-httpd2-6b98bfbbbf-ztddf 1/1 Running 0 21m
kube-system coredns-6d8c4cb4d-vctxx 1/1 Running 1 (21h ago) 22h
kube-system coredns-6d8c4cb4d-xkv9h 1/1 Running 0 22h
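Why `httpd-svc` and `httpd2-svc.kube-public` resolved from the pods above while `httpd2-svc` did not comes down to the search list kubelet writes into each pod's /etc/resolv.conf. The script below is an added example, not code from the original post: it reproduces the resolver's candidate-name expansion and walks it against a constructed stand-in for the cluster zone. The resolv.conf content is constructed to match the page's cluster (CoreDNS at 10.96.0.10, pod in namespace default), and the zone holds only the two Services the page creates.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce what the pod's resolver does
# with the short names used above, so it is clear why "httpd-svc" and
# "httpd2-svc.kube-public" resolve but "httpd2-svc" does not from a pod in default.
# kubelet writes /etc/resolv.conf into every pod with the cluster DNS address and a
# search list derived from the pod's namespace; the content below is constructed to
# match the page's cluster (CoreDNS at 10.96.0.10, pod in namespace default).
RESOLV_CONF='nameserver 10.96.0.10
search default.svc.cluster.local svc.cluster.local cluster.local
options ndots:5'

# Constructed stand-in for the answers CoreDNS would give: the two Services on the page.
ZONE='httpd-svc.default.svc.cluster.local. 10.99.19.228
httpd2-svc.kube-public.svc.cluster.local. 10.101.134.243'

# candidate_fqdns NAME RESOLV
# Print, in the order a glibc-style resolver tries them, the absolute names derived
# from NAME: names with fewer dots than ndots go through the search list first and
# are tried as-is last; names with at least ndots dots are tried as-is first.
candidate_fqdns() {
  name="$1"; resolv="$2"
  search=$(printf '%s\n' "$resolv" | awk '$1 == "search" { $1 = ""; print substr($0, 2) }')
  ndots=$(printf '%s\n' "$resolv" | awk '$1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^ndots:/) { sub("ndots:", "", $i); print $i } }')
  : "${ndots:=1}"
  case "$name" in
    *.) printf '%s\n' "$name"; return 0 ;;   # trailing dot: already absolute, search list skipped
  esac
  dots=$(printf '%s' "$name" | tr -cd '.' | wc -c | tr -d ' ')
  if [ "$dots" -ge "$ndots" ]; then printf '%s.\n' "$name"; fi
  for d in $search; do printf '%s.%s.\n' "$name" "$d"; done
  if [ "$dots" -lt "$ndots" ]; then printf '%s.\n' "$name"; fi
}

# resolve NAME RESOLV ZONE
# Walk the candidates and print "fqdn ip" for the first one present in ZONE; return 1
# (the resolver's NXDOMAIN, curl's "Could not resolve host") if none matches.
resolve() {
  for fqdn in $(candidate_fqdns "$1" "$2"); do
    ip=$(printf '%s\n' "$3" | awk -v n="$fqdn" '$1 == n { print $2 }')
    if [ -n "$ip" ]; then
      printf '%s %s\n' "$fqdn" "$ip"
      return 0
    fi
  done
  return 1
}

# Usage: the three lookups performed from the pods above.
for n in httpd-svc httpd2-svc httpd2-svc.kube-public; do
  resolve "$n" "$RESOLV_CONF" "$ZONE" || echo "$n: could not resolve"
done
```

Two things follow from the expansion. `httpd2-svc.kube-public` only works because its second candidate, `httpd2-svc.kube-public.svc.cluster.local.`, exists; the first try, `httpd2-svc.kube-public.default.svc.cluster.local.`, is an NXDOMAIN. And with ndots:5 any external name with fewer than five dots is first looked up inside the cluster zone, so code that must reach a specific external host should use the fully qualified name with a trailing dot.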

How clients outside the cluster reach a Service

1. Cluster IP and port: access from inside the cluster.

Here all three nodes curl the cluster IP and port and get a normal answer. (The Service shown is the NodePort one created in the next step; a NodePort Service keeps its cluster IP and port, so this part behaves the same.) Access from a pod in a different namespace was not tested here; it should work as well, since the cluster IP is reachable from any pod.
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
httpd-svc    NodePort    10.107.208.46   <none>        8080:30450/TCP   14m
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          22h
[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:8080

It works!

[root@mcwk8s-node1 ~]$ curl 10.107.208.46:8080

It works!

[root@mcwk8s-node2 ~]$ curl 10.107.208.46:8080

It works!

[root@mcwk8s-node2 ~]$

2. Exposing the Service outside the cluster with NodePort.

[machangwei@mcwk8s-master ~]$ ls   # the yml files on hand
mcwhttpd2quanyml  mcwHttpdService.yml  mcwHttpd.yml  mm.yml
[machangwei@mcwk8s-master ~]$ kubectl get service   # current Services
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
httpd-svc    ClusterIP   10.99.19.228   <none>        8080/TCP   19h
kubernetes   ClusterIP   10.96.0.1      <none>        443/TCP    22h
[machangwei@mcwk8s-master ~]$ kubectl get pod   # current pods
NAME                         READY   STATUS    RESTARTS   AGE
mcw-httpd-6fbf67d7d5-5qfrl   1/1     Running   0          21h
mcw-httpd-6fbf67d7d5-98x8d   1/1     Running   0          21h
mcw-httpd-6fbf67d7d5-bpbq4   1/1     Running   0          21h
[machangwei@mcwk8s-master ~]$ kubectl delete -f mcwHttpdService.yml   # delete the existing Service; the new one will reuse the same pods
service "httpd-svc" deleted
[machangwei@mcwk8s-master ~]$ kubectl get service   # confirm the old Service is gone
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.96.0.1    <none>        443/TCP   22h
[machangwei@mcwk8s-master ~]$ vim mcwHttpdService.yml   # edit the Service manifest
[machangwei@mcwk8s-master ~]$ cat mcwHttpdService.yml   # one key added under spec: type: NodePort
apiVersion: v1
kind: Service
metadata:
  name: httpd-svc
spec:
  type: NodePort
  selector:
    run: mcw-httpd
  ports:
  - protocol: TCP
    port: 8080
    targetPort: 80
[machangwei@mcwk8s-master ~]$ kubectl apply -f mcwHttpdService.yml   # create the Service. Deleting it first was not actually required: kubectl apply on the edited manifest updates the existing Service in place, changing its type and keeping its cluster IP
service/httpd-svc created
[machangwei@mcwk8s-master ~]$ kubectl get service   # PORT(S) now shows a second port, 30450, the NodePort
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
httpd-svc    NodePort    10.107.208.46   <none>        8080:30450/TCP   21s
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          22h
[machangwei@mcwk8s-master ~]$ netstat -an|grep 30450   # kube-proxy opens the NodePort on every node, bound to 0.0.0.0, so <node IP>:30450 answers on every interface of every node, including any that face outside the cluster. If only some interfaces should serve it, restrict it with a host firewall or kube-proxy's --nodeport-addresses
tcp        0      0 0.0.0.0:30450           0.0.0.0:*               LISTEN
[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:8080   # cluster IP and Service port still work

It works!

[machangwei@mcwk8s-master ~]$ curl 10.107.208.46:30450   # the NodePort is not served on the cluster IP
curl: (7) Failed connect to 10.107.208.46:30450; Connection timed out
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide   # pod IPs
NAME                         READY   STATUS    RESTARTS   AGE   IP           NODE           NOMINATED NODE   READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl   1/1     Running   0          21h   10.244.1.2   mcwk8s-node1   <none>           <none>
mcw-httpd-6fbf67d7d5-98x8d   1/1     Running   0          21h   10.244.2.2   mcwk8s-node2   <none>           <none>
mcw-httpd-6fbf67d7d5-bpbq4   1/1     Running   0          21h   10.244.1.3   mcwk8s-node1   <none>           <none>
[machangwei@mcwk8s-master ~]$ curl 10.244.1.2   # a pod IP on port 80 answers directly from a node

It works!

[machangwei@mcwk8s-master ~]$ curl 10.244.1.2:30450   # the pod itself does not listen on the NodePort, hence connection refused
curl: (7) Failed connect to 10.244.1.2:30450; Connection refused
[machangwei@mcwk8s-master ~]$ hostname -i
10.0.0.4
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450   # the right form is <node IP>:<NodePort>

It works!

[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450   # any node IP with this port also works from a browser outside the cluster

It works!

[machangwei@mcwk8s-master ~]$ curl 10.0.0.6:30450   # all three node IPs serve the Service on this port; the next step checks whether requests are really spread across the three backend pods

It works!

[machangwei@mcwk8s-master ~]$
On the master, list the Service's three pods:
[machangwei@mcwk8s-master ~]$ kubectl get pod -o wide
NAME                         READY   STATUS    RESTARTS   AGE   IP           NODE           NOMINATED NODE   READINESS GATES
mcw-httpd-6fbf67d7d5-5qfrl   1/1     Running   0          21h   10.244.1.2   mcwk8s-node1   <none>           <none>
mcw-httpd-6fbf67d7d5-98x8d   1/1     Running   0          21h   10.244.2.2   mcwk8s-node2   <none>           <none>
mcw-httpd-6fbf67d7d5-bpbq4   1/1     Running   0          21h   10.244.1.3   mcwk8s-node1   <none>           <none>
Using the pod list, find each of the three containers on its node and edit its index.html to include the pod's own IP, so that every response reveals which backend served it. (This edit lives in the container's writable layer and is lost when the pod is recreated; it is only a debugging aid.)
[root@mcwk8s-node1 ~]$ netstat -an|grep 30450
tcp        0      0 0.0.0.0:30450           0.0.0.0:*               LISTEN
[root@mcwk8s-node1 ~]$ docker ps |grep mcw-httpd-6fbf67d7d5-bpbq4
c978d2770826   httpd                                               "httpd-foreground"   22 hours ago   Up 22 hours   k8s_mcw-httpd_mcw-httpd-6fbf67d7d5-bpbq4_default_1380d70d-e2b1-4276-b80f-813bcd3bae10_0
eddd4b542888   registry.aliyuncs.com/google_containers/pause:3.6   "/pause"             22 hours ago   Up 22 hours   k8s_POD_mcw-httpd-6fbf67d7d5-bpbq4_default_1380d70d-e2b1-4276-b80f-813bcd3bae10_0
[root@mcwk8s-node1 ~]$ docker exec -it c978 bash
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2# ls
bin  build  cgi-bin  conf  error  htdocs  icons  include  logs  modules
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2# cd htdocs/
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs# cat index.html

It works!

root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs# echo '
It works!
10.244.1.3' > index.html
root@mcw-httpd-6fbf67d7d5-bpbq4:/usr/local/apache2/htdocs#
From the master, curl each pod IP directly to confirm the edits took effect (the other two containers were changed the same way):
[machangwei@mcwk8s-master ~]$ curl 10.244.1.3

It works!

10.244.1.3
[machangwei@mcwk8s-master ~]$
Now access <node IP>:<NodePort>. Whichever node IP is used, responses come back from all three backend pods, so the NodePort is load-balanced: hitting any node's IP on the exposed port is the same as hitting the Service, and the Service spreads requests over its three pods. The same can be seen from a browser.
[machangwei@mcwk8s-master ~]$ kubectl get service
NAME         TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
httpd-svc    NodePort    10.107.208.46   <none>        8080:30450/TCP   46m
kubernetes   ClusterIP   10.96.0.1       <none>        443/TCP          23h
[machangwei@mcwk8s-master ~]$ hostname -i
10.0.0.4
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.1.3
[machangwei@mcwk8s-master ~]$ curl 10.0.0.4:30450
It works!
10.244.2.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450
It works!
10.244.1.2
[machangwei@mcwk8s-master ~]$ curl 10.0.0.5:30450
It works!
10.244.1.3

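The netstat check above confirms one NodePort on one node by hand. The script below is an added example, not code from the original post: it does the same cross-check systematically, comparing the NodePorts declared in the API against the sockets a node has open, reporting which address each NodePort is bound to and flagging any listener in the NodePort range that no Service accounts for. Both inputs are constructed samples shaped like the page's cluster; the 31000 listener is invented to show what an unexplained port looks like.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the NodePorts the API server
# declares against the ports a node actually has open, the way the netstat check above
# does by hand for 30450. Live, the two inputs would come from
#   kubectl get svc -A --no-headers -o custom-columns='NS:.metadata.namespace,NAME:.metadata.name,TYPE:.spec.type,NODEPORTS:.spec.ports[*].nodePort'
#   ss -Hltn        (netstat -ltn on the page)
# Here both are constructed samples shaped like the page's cluster; the 31000 listener
# is invented to show what an unexplained port in the NodePort range looks like.
SVC_LIST='default       httpd-svc    NodePort    30450
default       kubernetes   ClusterIP   <none>
kube-public   httpd2-svc   ClusterIP   <none>'

SS_LIST='LISTEN 0 4096 0.0.0.0:30450 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10250 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:31000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:10248 0.0.0.0:*'

# declared_nodeports SVC_LIST
# One NodePort per line from every Service of type NodePort (multi-port Services list
# their ports comma-separated in the last column).
declared_nodeports() {
  printf '%s\n' "$1" | awk '$3 == "NodePort" {
    n = split($4, p, ",")
    for (i = 1; i <= n; i++) if (p[i] ~ /^[0-9]+$/) print p[i]
  }' | sort -n
}

# listening_ports SS_LIST
# "address port" for every LISTEN socket; handles both 0.0.0.0:port and [::]:port.
listening_ports() {
  printf '%s\n' "$1" | awk '$1 == "LISTEN" {
    addr = $4; sub(/:[0-9]+$/, "", addr)
    port = $4; sub(/^.*:/, "", port)
    print addr, port
  }'
}

# nodeport_exposure SVC_LIST SS_LIST
# For each declared NodePort print the address it is bound to on this node.
# 0.0.0.0 (or [::]) means every interface, which is why all three node IPs on the page
# serve the Service; NOT-LISTENING means kube-proxy has not programmed it here.
nodeport_exposure() {
  listen=$(listening_ports "$2")
  for p in $(declared_nodeports "$1"); do
    addr=$(printf '%s\n' "$listen" | awk -v p="$p" '$2 == p { print $1; exit }')
    printf '%s %s\n' "$p" "${addr:-NOT-LISTENING}"
  done
}

# unexplained_nodeport_listeners SVC_LIST SS_LIST
# Listeners inside the default NodePort range (30000-32767) that no Service declares:
# either a leftover from a deleted Service or a process that is not kube-proxy at all.
unexplained_nodeport_listeners() {
  declared=" $(declared_nodeports "$1" | tr '\n' ' ')"
  listening_ports "$2" | while read -r addr port; do
    if [ "$port" -ge 30000 ] && [ "$port" -le 32767 ]; then
      case "$declared" in
        *" $port "*) ;;
        *) printf '%s:%s\n' "$addr" "$port" ;;
      esac
    fi
  done
}

# Usage: report for the sample node.
nodeport_exposure "$SVC_LIST" "$SS_LIST"
rogue=$(unexplained_nodeport_listeners "$SVC_LIST" "$SS_LIST")
[ -z "$rogue" ] || echo "listeners in the NodePort range with no Service: $rogue"
```

Run per node, this turns the page's observation that 30450 is bound to 0.0.0.0 into a check: every NodePort should show up on every node with the binding you expect, and nothing else should be listening in the range. If a NodePort should not be reachable on a node's public interface, kube-proxy's `--nodeport-addresses` limits the addresses it binds, and a host firewall in front of the node range does the rest.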
3. LoadBalancer

To be added later.
