如何为 AKS 中的出口流量保留 pod IP 地址?
[英]How to preserve pod IP address for egress traffic in AKS?
问题描述
In Azure Kubernetes (AKS) if pod sending the traffic outside the cluster it get Natted to the Node IP address.
在 Azure Kubernetes (AKS) 中,如果 pod 在集群外发送流量,它会被 Natted 到节点 IP 地址。 For example, if pod nettools ( from node aks-agentpool-35359625-1 ) sending the traffic to Azure destinations that is outside of the cluster it get natted to 10.240.0.35.例如,如果 pod nettools(来自节点 aks-agentpool-35359625-1)将流量发送到集群外部的 Azure 目的地,它会被 nat 到 10.240.0.35。 Is there a way to preserve the original source ( 10.240.0.48 )?有没有办法保留原始来源( 10.240.0.48 )?
Cluster running with networking plugin azure and transparent networking mode使用联网插件 azure 和透明联网模式运行的集群
/AKS/cluster1 $ kubectl get nodes -o wide
kubectl get pods -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
aks-agentpool-35359625-0 Ready agent 6h13m v1.15.10 10.240.0.66 <none> Ubuntu 16.04.6 LTS 4.15.0-1071-azure docker://3.0.10+azure
aks-agentpool-35359625-1 Ready agent 6h13m v1.15.10 10.240.0.35 <none> Ubuntu 16.04.6 LTS 4.15.0-1071-azure docker://3.0.10+azure
aks-agentpool-35359625-2 Ready agent 6h13m v1.15.10 10.240.0.4 <none> Ubuntu 16.04.6 LTS 4.15.0-1071-azure docker://3.0.10+azure
/AKS/cluster1 $ kubectl get pods -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
nettools 1/1 Running 0 21m 10.240.0.48 aks-agentpool-35359625-1 <none> <none>
/AKS/cluster1 $ az aks show -g $rg --name $cluster --query "networkProfile"
{
"dnsServiceIp": "10.0.0.10",
"dockerBridgeCidr": "172.17.0.1/16",
"loadBalancerProfile": null,
"loadBalancerSku": "Basic",
"networkMode": "transparent",
"networkPlugin": "azure",
"networkPolicy": null,
"outboundType": "UDR",
"podCidr": null,
"serviceCidr": "10.0.0.0/16"
}
2 个解决方案
解决方案1
0 2020-04-19 13:29:48
You actually can't do that, every time a Pod is destroyed and a new Pod is created, a new IP will be assigned to it.你实际上不能这样做,每次销毁一个 Pod 并创建一个新 Pod 时,都会为其分配一个新的 IP。 Pods are ephemeral and their IPs as well. Pod 是短暂的,它们的 IP 也是如此。
I believe that to achieve what you are looking for you need to use Services.我相信要实现您正在寻找的东西,您需要使用服务。
Services in Kubernetes are an "abstract way to expose an application running on a set of Pods as a network service." Kubernetes 中的服务是“将在一组 Pod 上运行的应用程序公开为网络服务的抽象方式”。 ( k8s documentation ) ( k8s 文档)
Again, you can access your pod by its IP and port that Kubernetes have given to it, but that's not a good practice as the Pods can die and another one will be created (if controlled by a Deployment/ReplicaSet) with a new IP, and everything on your app will start to fail.同样,您可以通过其ZA12A3079E14CED46E6BA52B8A90B21AZ访问POD和Z30136395F0187979792198317C11831EA4Z的端口和端口。你的应用程序上的一切都将开始失败。
If you expose your Deployment or Pod, the Service created will have an IP as well, and doesn't matter how many times your Pod is destroyed, because you will still be able to access it through the Service IP (o course when the new Pod is up and running, but I think you got the idea).如果您公开您的 Deployment 或 Pod,则创建的 Service 也将具有 IP,并且无论您的 Pod 被销毁多少次,因为您仍然可以通过 Service IP 访问它(当然,当新的Pod 已启动并正在运行,但我认为您明白了)。
解决方案2
0 已采纳 2021-02-15 05:34:23
You can edit the azure-ip-masq-agent configmap to add the target private IP CIDR that you don't want it to be Masqueraded.您可以编辑 azure-ip-masq-agent configmap 以添加您不希望它被伪装的目标私有 IP CIDR。
kubectl get pods --namespace kube-system -l "k8s-app=azure-ip-masq-agent" -o wide
kubectl describe configmap azure-ip-masq-agent-config --namespace kube-system
# Add x.x.x.x/x to the nonMasq CIDRs
kubectl edit configmap azure-ip-masq-agent-config --namespace kube-system
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.