

쿠버네티스 Service Networking

미니대왕님 2023. 6. 11. 09:40

node 정보

webnsdp.yaml

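# Deployment "webns": three replicas of nginx:1.14, selected by the label app=webns.
# spec.selector.matchLabels must match spec.template.metadata.labels (both app=webns).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: webns
spec:
  replicas: 3
  selector:
    matchLabels:
      app: webns
  template:
    metadata:
      # Pod names are generated from the ReplicaSet (e.g. webns-<hash>-<suffix>, as in
      # the describe output further down), so this template name is not what the pods
      # are called; it is kept only to stay compatible with the original file.
      # (The original had "name : nginx-pod" with a space before the colon.)
      name: nginx-pod
      labels:
        app: webns
    spec:
      containers:
      - name: nginx-container
        # NOTE(review): a floating minor tag; pin the full version (or the image digest,
        # as shown in the describe output's "Image ID") for a reproducible rollout.
        # No ports are declared here; the matching Service uses a numeric targetPort.
        image: nginx:1.14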
[root@m-k8s podtest]# k apply -f deploymenet.yaml
deployment.apps/webns created

생성된 IP 확인 Worknode1 [172.16.221.165]

생성된 IP 확인 Worknode2 [172.16.103.145,146]

webns-svc.yaml 생성해보기 (Service)

# Service "webns-svc": a fixed ClusterIP in front of the pods labelled app=webns.
apiVersion: v1
kind: Service
metadata:
  name: webns-svc
spec:
  # A hand-picked clusterIP must lie inside the cluster's service CIDR and be unused;
  # otherwise the apply is rejected by the API server.
  clusterIP: 10.96.100.100
  selector:
    app: webns
  ports:
  - protocol: TCP
    # NOTE(review): the curl test later on this page hits 10.96.100.100 with no port
    # (i.e. TCP 80) and gets the nginx welcome page, which this spec (port 8081 ->
    # targetPort 8080) cannot serve; the nginx image listens on 80 (see the describe
    # output "Port: 80/TCP" and the dry-run examples using 80 -> 80). Confirm which
    # ports were actually applied when the test was run.
    port: 8081
    targetPort: 8080

 

 

#기타

k8s 가 리눅스 iptables 와 연동체크! [기억하세요]

worknode1 접속하여 curl  10.96.100.100 접속 테스트

[root@m-k8s vagrant]# k get node
NAME     STATUS   ROLES           AGE   VERSION
m-k8s    Ready    control-plane   8d    v1.26.1
w1-k8s   Ready    <none>          8d    v1.26.1
w2-k8s   Ready    <none>          8d    v1.26.1


[root@m-k8s vagrant]# ssh w1-k8s
The authenticity of host 'w1-k8s (192.168.29.11)' can't be established.
ECDSA key fingerprint is SHA256:l6XikZFgOibzSygqZ6+UYHUnEmjFEFhx7PpZw0I3WaM.
ECDSA key fingerprint is MD5:09:74:43:ef:38:3e:36:a1:7e:51:76:1a:ac:2d:7e:0c.
Are you sure you want to continue connecting (yes/no)? yes


[root@w1-k8s ~]# curl 10.96.100.100
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
[root@w1-k8s ~]#

 

 

# 참고사항 : dry run

kubectl create deploy web --image=nginx --port=80 --replicas=2 --dry-run=client -o yaml
# Client-side dry run of the command above: kubectl only renders the manifest and
# sends nothing to the API server. Save it to a file and edit it before applying.
apiVersion: apps/v1
kind: Deployment
metadata:
  # Empty values emitted by the generator; they can be dropped from a hand-edited file.
  creationTimestamp: null
  labels:
    app: web
  name: web
spec:
  replicas: 2
  selector:
    matchLabels:
      app: web
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: web
    spec:
      containers:
      - image: nginx
        name: nginx
        ports:
        - containerPort: 80
        # NOTE(review): no requests/limits, so the pod ends up BestEffort QoS (compare
        # "QoS Class: BestEffort" in the describe output below); set them before using
        # this in a shared cluster.
        resources: {}
status: {}

$ kubectl expose deploy webns --type=ClusterIP --port=80 --target-port=80 --dry-run=client -o yaml

kubectl expose deploy webns --type=ClusterIP --port=80 --target-port=80 --dry-run=client -o yaml
# Rendered by `kubectl expose deploy webns ... --dry-run=client -o yaml` above:
# the selector (app=webns) is taken from the Deployment's selector and the
# Service name defaults to the Deployment name. Nothing is created.
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  name: webns
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: webns
  type: ClusterIP
status:
  loadBalancer: {}

CKA 문제한번 풀어보고 넘어갑시다!~

[root@m-k8s vagrant]# k describe po --namespace cymtest webapp-7d66bc6c7f-7m692
Name:             webapp-7d66bc6c7f-7m692
Namespace:        cymtest
Priority:         0
Service Account:  default
Node:             w1-k8s/192.168.29.11
Start Time:       Sat, 10 Jun 2023 08:26:52 +0900
Labels:           app=webapp
                  pod-template-hash=7d66bc6c7f
Annotations:      cni.projectcalico.org/containerID: 0a02f9ccf5226f47818d96391bbd998088eb946fd7b6d3c299b6f7f90de1d744
                  cni.projectcalico.org/podIP: 172.16.221.153/32
                  cni.projectcalico.org/podIPs: 172.16.221.153/32
Status:           Running
IP:               172.16.221.153
IPs:
  IP:           172.16.221.153
Controlled By:  ReplicaSet/webapp-7d66bc6c7f
Containers:
  nginx:
    Container ID:   containerd://b250072ca0cb825bc311b2bb14bab43651e1afa82b54e6f626b6763fdebc6075
    Image:          nginx:1.14.2
    Image ID:       docker.io/library/nginx@sha256:f7988fb6c02e0ce69257d9bd9cf37ae20a60f1df7563c3a2a6abe24160306b8d
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
      Started:      Sat, 10 Jun 2023 08:26:53 +0900
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-kvq7c (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  kube-api-access-kvq7c:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
QoS Class:                   BestEffort
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:                      <none>
[root@m-k8s vagrant]# k describe po --namespace cymtest webapp-7d66bc6c7f-7m692
[root@m-k8s vagrant]# k get deployments.apps -n cymtest -o wide
NAME   READY   UP-TO-DATE   AVAILABLE   AGE     CONTAINERS      IMAGES     SELECTOR
webns  3/3     3            3           3h47m   nginx-container nginx:1.14 app=webns

 

$ k expose deployment -n cymtest webapp --type=ClusterIP --port=80 --target-port=80 --dry-run=client -o yaml

webappsvc.yaml

[root@m-k8s vagrant]# k expose deployment -n cymtest webapp --type=ClusterIP --port=80 --target-port=80 --name=webappsvc --dry-run=client -o yaml
# Same expose command with --name=webappsvc and -n cymtest: both land in metadata
# (name, namespace). The app=webapp label and selector come from the webapp
# Deployment (the describe output above shows "Labels: app=webapp").
apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  labels:
    app: webapp
  name: webappsvc
  namespace: cymtest
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 80
  selector:
    app: webapp
  type: ClusterIP
status:
  loadBalancer: {}

 

#vi front-end.yaml

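# Deployment "front-end": two nginx replicas selected by the label run=nginx.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: front-end
spec:
  replicas: 2
  selector:
    matchLabels:
      run: nginx
  template:
    metadata:
      labels:
        run: nginx
    spec:
      containers:
      # NOTE(review): an untagged image resolves to "latest" — pin a tag for reproducibility.
      - image: nginx
        name: http
        # front-end-svc (the kubectl edit output below) uses `targetPort: http`, which
        # is a *port name*, not the container name. Without a container port named
        # "http" the Service has no endpoint for that port and the curl check fails,
        # so the named port is declared here on nginx's listening port 80.
        ports:
        - name: http
          containerPort: 80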

#k edit svc front-end-svc 에서 아래 type 를 NodePort 로 변경해줍니다. 

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
# Review notes: this is the live front-end-svc object as shown by `kubectl edit`
# after spec.type was changed to NodePort. The server-managed fields (clusterIP(s),
# resourceVersion, uid, ipFamilies, nodePort) were filled in by the API server.
apiVersion: v1
kind: Service
metadata:
  annotations:
    # NOTE(review): this annotation still describes the original ClusterIP object
    # (no "type" key) — kubectl edit does not appear to refresh last-applied-configuration,
    # so a later `kubectl apply` from the original file would diff against it.
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"front-end-svc","namespace":"cymtest"},"spec":{"ports":[{"name":"name-of-service-port","port":80,"protocol":"TCP","targetPort":"http"}],"selector":{"run":"nginx"}}}
  creationTimestamp: "2023-06-11T07:26:26Z"
  name: front-end-svc
  namespace: cymtest
  resourceVersion: "485869"
  uid: cb6a84dd-3510-4e70-a899-fbebcd52ef50
spec:
  clusterIP: 10.106.170.55
  clusterIPs:
  - 10.106.170.55
  # Cluster: traffic arriving at any node may be forwarded to a pod on another node.
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: name-of-service-port
    # Allocated from the NodePort range when the type became NodePort. It is opened
    # on every node's addresses, not only the worker curl'd below — restrict it at the
    # node firewall if the nodes are reachable from outside the lab network.
    nodePort: 30457
    port: 80
    protocol: TCP
    # A named targetPort is resolved against a container port named "http" in the
    # selected pods; the front-end Deployment shown on this page declares no ports
    # (its *container* is named http), so endpoints for this port would be missing.
    targetPort: http
  selector:
    run: nginx
  sessionAffinity: None
  type: NodePort
status:

그럼 아래와 같이 port 에 80:30457 port가 보이게 될것이며, curl 로 확인해봅니다. 

접속 worknode1 : 30457 확인

iptables와 Netfilter 개념
[iptables란?]
기본적으로 Iptables에는 세가지 chain이 있음.
모든 패킷은 INPUT, OUTPUT, FORWARD 이 세가지 chain중 하나를 통과하게 됨. 
컴퓨터로 들어가는 모든 패킷은 INPUT chain을 통과하고,
컴퓨터에서 나가는 모든 패킷은 OUTPUT chain을 통과함.
그리고 하나의 네트워크에서 다른 곳으로 보내는 모든 패킷은 FORWARD chain을 통과함.
iptables가 작동하는 방식은 이들 각각의 INPUT, OUTPUT, FORWARD chain에 당신이 어떠한 rule을
세우는 지에 따라 달라진다.


[netfilter란?]
kernel space에 위치하여 모든 오고 가는 패킷의 생명주기를 관찰하는 tool.
netfilter에 설정된 규칙에 매칭되는 패킷을 발견하면 미리 정의된 action을 수행함.
즉 iptables이 패킷을 필터링 하는것이 아님,
패킷필터링은 커널에 탑재된 netfilter기능으로 하며 
iptables은 단지 netfilter의 룰을 세워줄 뿐.
다시 말하자면 iptables은 룰셋구축 툴임.

[netfilter, iptables와 tcpdump 우선순위]
Wire -> NIC -> tcpdump -> netfilter/iptables
iptables -> tcpdump -> NIC -> Wire
 

[Chain 종류]
PREROUTING (DNAT) = 패킷의 도착지(destination) 주소를 변경한다. D(estination)NAT
POSTROUTING (SNAT 또는 masquerade) = 패킷의 출발지(source) 주소를 변경한다. S(ource)NAT
OUTPUT : 호스트에서 밖으로 흐르는 패킷의 도착지(destination) 주소를 변경한다. 
INPUT : 밖에서 호스트로 흐르는 패킷의 출발지(source) 주소를 변경한다. 


Netfilter Chain 조회 명령어
[모든 Chain 조회]
iptables -t nat -L -nv


[특정 Chain만 조회]
iptables -t nat -L [Chain 이름] -n  | column -t
예) iptables -t nat -L KUBE-SERVICES -n  | column -t


[모든 Chain을 조회하면서 line number 표시함]
iptables -t nat -L -nv --line-numbers

꿀팁!
pod 안의 apt sources.list 변경하기

  sed -i s/deb.debian.org/archive.debian.org/g /etc/apt/sources.list
  sed -i 's|security.debian.org|archive.debian.org/debian-security/|g' /etc/apt/sources.list
  sed -i '/stretch-updates/d' /etc/apt/sources.list
  apt-get update

이렇게 하거나 아래와 같이 하든가..
