简体繁体 English

'systemctl stop kube-proxy'将不清理iptables

[英]’systemctl stop kube-proxy‘ will not clean the iptables

原文 2016-07-05 06:29:48 7 1 kubernetes

kube version:1.22 kube版本：1.22

There is a svc running in k8s cluster which use nodeport 30003 在k8s集群中运行的svc使用nodeport 30003
systemctl stop kube-proxy in minion A, ss -antpl | systemctl stop kube-proxy在minion A，ss -antpl中systemctl stop kube-proxy | grep 30003 you will found the port 30003 is free grep 30003您会发现端口30003是免费的
In minion B， telnet $A_IP 30003 success( or nc $A_IP 30003 ) 在奴才B中， telnet $A_IP 30003成功（或nc $A_IP 30003 ）
iptable -F -t nat in minion A iptable -F -t nat在小兵A中
Repeat step 3, telnet $A_IP 30003 failed 重复步骤3， telnet $A_IP 30003失败

So I think should clean the iptables when kube-proxy abnormal exit? 所以我认为当kube-proxy异常退出时应该清理iptables吗？

1 个解决方案

If you are running a cluster that uses kube-proxy for service IP to endpoint mapping, then it is expected that kube-proxy will be restarted shortly after it exits by a monitoring process (eg systemd, monit, supervisord, etc). 如果您正在运行一个使用kube-proxy进行服务IP到端点映射的群集，那么预期kube-proxy将在监视进程（例如systemd，monit，supervisor等）退出后不久重新启动。 In fact, in later versions of Kubernetes, kube-proxy runs as a privileged container and the kubelet ensures that it stays running. 实际上，在更高版本的Kubernetes中，kube-proxy作为特权容器运行，并且kubelet确保其保持运行状态。 Since it is expected to be restarted quickly, cleaning up iptables would just cause them to be modified unnecessarily each time kube-proxy was restarted. 由于希望快速重启，清理iptables只会在每次重启kube-proxy时不必要地对其进行修改。

If you don't want kube-proxy to manage iptables for you, then you can decide not to run it in your cluster at all, or to manually clean up the iptables rules after you stop it. 如果您不希望kube-proxy为您管理iptables，则可以决定完全不在集群中运行它，或者在停止它之后手动清理iptables规则。