When the CLUSTER-IP is internal to the cluster network, why am I able to ping one of the ClusterIP services from the host/node where k8s is installed? Please look at IP 10.101.210.88: it is a cluster-ip and, by definition, it should only be reachable from any other pod, yet I can still reach it from the Ubuntu host/node machine.
/root#kgs
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 16d
kube-system kube-dns ClusterIP 10.96.0.10 <none> 53/UDP,53/TCP,9153/TCP 16d
ricinfra service-tiller-ricxapp ClusterIP 10.98.94.194 <none> 44134/TCP 7d7h
ricplt aux-entry ClusterIP 10.105.149.143 <none> 80/TCP,443/TCP 7d7h
ricplt r4-influxdb-influxdb2 ClusterIP 10.110.14.243 <none> 80/TCP 7d7h
ricplt r4-infrastructure-kong-proxy NodePort 10.107.12.178 <none> 32080:32080/TCP,32443:32443/TCP 7d7h
ricplt r4-infrastructure-prometheus-alertmanager ClusterIP 10.104.86.76 <none> 80/TCP 7d7h
ricplt r4-infrastructure-prometheus-server ClusterIP 10.102.224.176 <none> 80/TCP 7d7h
ricplt service-ricplt-a1mediator-http ClusterIP 10.105.45.1 <none> 10000/TCP 7d7h
ricplt service-ricplt-a1mediator-rmr ClusterIP 10.108.188.147 <none> 4561/TCP,4562/TCP 7d7h
ricplt service-ricplt-alarmmanager-http ClusterIP 10.111.239.130 <none> 8080/TCP 7d7h
ricplt service-ricplt-alarmmanager-rmr ClusterIP 10.106.30.195 <none> 4560/TCP,4561/TCP 7d7h
ricplt service-ricplt-appmgr-http ClusterIP 10.110.110.91 <none> 8080/TCP 7d7h
ricplt service-ricplt-appmgr-rmr ClusterIP 10.110.96.28 <none> 4561/TCP,4560/TCP 7d7h
ricplt service-ricplt-dbaas-tcp ClusterIP None <none> 6379/TCP 7d7h
ricplt service-ricplt-e2mgr-http ClusterIP 10.101.210.88 <none> 3800/TCP 7d7h
ricplt service-ricplt-e2mgr-rmr ClusterIP 10.101.245.34 <none> 4561/TCP,3801/TCP 7d7h
ricplt service-ricplt-e2term-prometheus-alpha ClusterIP 10.97.95.213 <none> 8088/TCP 7d7h
ricplt service-ricplt-e2term-rmr-alpha ClusterIP 10.100.36.142 <none> 4561/TCP,38000/TCP 7d7h
ricplt service-ricplt-e2term-sctp-alpha NodePort 10.108.215.136 <none> 36422:32222/SCTP 7d7h
ricplt service-ricplt-o1mediator-http ClusterIP 10.96.196.67 <none> 9001/TCP,8080/TCP,3000/TCP 7d7h
ricplt service-ricplt-o1mediator-tcp-netconf NodePort 10.104.237.252 <none> 830:30830/TCP 7d7h
ricplt service-ricplt-rtmgr-http ClusterIP 10.105.27.42 <none> 3800/TCP 7d7h
ricplt service-ricplt-rtmgr-rmr ClusterIP 10.110.0.158 <none> 4561/TCP,4560/TCP 7d7h
ricplt service-ricplt-submgr-http ClusterIP None <none> 3800/TCP 7d7h
ricplt service-ricplt-submgr-rmr ClusterIP None <none> 4560/TCP,4561/TCP 7d7h
ricplt service-ricplt-vespamgr-http ClusterIP 10.98.139.191 <none> 8080/TCP,9095/TCP 7d7h
ricxapp aux-entry ClusterIP 10.99.152.66 <none> 80/TCP,443/TCP 7d7h
ricxapp service-ricxapp-bouncer-xapp-http ClusterIP 10.99.222.68 <none> 8080/TCP 25h
ricxapp service-ricxapp-bouncer-xapp-rmr ClusterIP 10.97.149.3 <none> 4560/TCP,4561/TCP 25h
ricxapp service-ricxapp-example-http ClusterIP 10.101.14.166 <none> 8080/TCP 2d11h
ricxapp service-ricxapp-example-rmr ClusterIP 10.97.129.85 <none> 4560/TCP,4561/TCP 2d11h
/root#
/root#
/root#ping 10.101.210.88 --------> this is a cluster ip and i am pinging it from my host/node machine
PING 10.101.210.88 (10.101.210.88) 56(84) bytes of data.
64 bytes from 10.101.210.88: icmp_seq=1 ttl=64 time=0.061 ms
64 bytes from 10.101.210.88: icmp_seq=2 ttl=64 time=0.032 ms
^C
--- 10.101.210.88 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1019ms
rtt min/avg/max/mdev = 0.032/0.046/0.061/0.014 ms
/root#
Thanks

1 Answer
Yes, you will be able to reach the ClusterIP from a Kubernetes worker node.
When you create a SVC of type ClusterIP in Kubernetes, it assigns a virtual IP to the SVC, and that virtual IP address is only reachable within the K8s cluster.
Kubernetes uses IPTables rules to forward traffic from the VirtualIP to the PODs that the service routes traffic to.
Kubernetes nodes are part of the cluster, so they will be able to reach the virtual IP. Therefore the clusterIP is reachable from any worker node inside the cluster, but not from outside the cluster.
If you really want to dig into the bridging, IP allocation and forwarding, you can refer to this nice article: https://dustinspecker.com/posts/iptables-how-kubernetes-services-direct-traffic-to-pods/
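One check worth running on the node itself, as an added example that is not part of the original question or answer: find out how kube-proxy makes the ClusterIP reachable. In IPVS mode kube-proxy binds every ClusterIP to the dummy interface kube-ipvs0, so the node answers ICMP for the address locally (a reply with ttl=64 and a sub-0.1 ms round trip, as in the ping above, is consistent with that). In iptables mode the address is bound nowhere; the KUBE-SERVICES rules in the nat table only DNAT the service protocol and port, so TCP to 3800 works but a plain ping of the VIP is typically not answered. The script below classifies a VIP from the output of `ip -4 -o addr show` and `iptables -t nat -S KUBE-SERVICES`; the sample outputs embedded in it are constructed for the example (the KUBE-SVC chain name in them is made up, real ones are hashed), and it assumes a Linux node with iproute2 and iptables and the default kube-proxy device and chain names.

```shell
#!/bin/sh
# Added example (not code from the original post): where does a ClusterIP
# "live" on this node?  IPVS mode  -> bound to dummy interface kube-ipvs0
#                       iptables   -> only DNAT rules in KUBE-SERVICES
# Assumes Linux + iproute2 + iptables and kube-proxy's default names.

# classify_vip VIP "<ip -4 -o addr output>" "<iptables -t nat -S KUBE-SERVICES output>"
# prints one of: ipvs-bound | iptables-dnat | not-found
classify_vip() {
  vip=$1
  addrs=$2
  nat=$3
  if printf '%s\n' "$addrs" | grep 'kube-ipvs0' | grep -qF "inet $vip/32"; then
    echo ipvs-bound            # the node owns the address: ping is answered locally
  elif printf '%s\n' "$nat" | grep -qF -- "-d $vip/32 "; then
    echo iptables-dnat         # only matching proto/port traffic is rewritten to a pod
  else
    echo not-found             # no service programming for this address on this node
  fi
}

# Constructed sample outputs (not captured from the cluster in the question).
SAMPLE_ADDRS_IPVS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens3    inet 192.0.2.10/24 brd 192.0.2.255 scope global ens3\       valid_lft forever preferred_lft forever
5: kube-ipvs0    inet 10.96.0.1/32 scope global kube-ipvs0\       valid_lft forever preferred_lft forever
5: kube-ipvs0    inet 10.101.210.88/32 scope global kube-ipvs0\       valid_lft forever preferred_lft forever'

SAMPLE_NAT_IPTABLES='-N KUBE-SERVICES
-A KUBE-SERVICES -d 10.101.210.88/32 -p tcp -m comment --comment "ricplt/service-ricplt-e2mgr-http cluster IP" -m tcp --dport 3800 -j KUBE-SVC-E2MGRHTTP
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS'

# Classification of the constructed samples for the VIP from the question.
demo_ipvs()     { classify_vip 10.101.210.88 "$SAMPLE_ADDRS_IPVS" ""; }
demo_iptables() { classify_vip 10.101.210.88 "" "$SAMPLE_NAT_IPTABLES"; }
demo_missing()  { classify_vip 10.101.210.88 "" ""; }

# live_check VIP: same classification from the real node state
# (iptables needs root; without it the nat output is empty and only the
# kube-ipvs0 binding can be detected).
live_check() {
  vip=$1
  addrs=$(ip -4 -o addr show 2>/dev/null || true)
  nat=$(iptables -t nat -S KUBE-SERVICES 2>/dev/null || true)
  classify_vip "$vip" "$addrs" "$nat"
}

echo "sample (IPVS node):     $(demo_ipvs)"
echo "sample (iptables node): $(demo_iptables)"
if command -v ip >/dev/null 2>&1; then
  echo "this host, ${1:-10.101.210.88}: $(live_check "${1:-10.101.210.88}")"
fi
```

Run it on the node as root with the VIP as the first argument (`sh check_vip.sh 10.101.210.88`). If it reports `ipvs-bound`, the ping reply came from the node itself, not from a pod; an `iptables-dnat` result means only TCP to port 3800 is forwarded and a successful ping would have to be explained by something else on the host.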