Understanding access to NodePort from outside environment
I am reading the k8s docs at https://kubernetes.io/docs/concepts/services-networking/service/.
NodePort: Exposes the Service on each Node's IP at a static port (the NodePort). A ClusterIP Service, to which the NodePort Service routes, is automatically created. You'll be able to contact the NodePort Service, from outside the cluster, by requesting <NodeIP>:<NodePort>.
So I tried to actually check it. In this LoadBalancer service, port 31724 is a NodePort and 80 is the container port. According to the docs, the NodePort should be open to the outside and the container port should not be. But with nmap I find exactly the opposite.
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
gen LoadBalancer 10.200.32.132 10.44.9.162,10.44.9.163 80:31724/TCP,443:30039 20d
$ nmap -p 80 10.44.9.162
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-08 12:33 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.44.9.162
Host is up (0.00061s latency).
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 0.02 seconds
$ nmap -p 31724 10.44.9.162
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-08 12:33 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.44.9.162
Host is up (0.00044s latency).
PORT STATE SERVICE
31724/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
I must be missing something. Please help me understand this. Thanks!
Follow-up:
I know a follow-up should be a separate question, but this seems like the right place for it.
I created a NodePort service and tried the same thing again. It is as described.
object-controller-np NodePort 10.200.32.240 <none> 7203:31206/TCP 5s
Node IP
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.46.104.20 ...
$ nmap -p 7203 10.46.104.20
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-09 07:01 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.46.104.20
Host is up (0.00052s latency).
PORT STATE SERVICE
7203/tcp closed unknown
Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds
$ nmap -p 31206 10.46.104.20
Starting Nmap 6.40 ( http://nmap.org ) at 2021-04-09 07:01 UTC
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.46.104.20
Host is up (0.00050s latency).
PORT STATE SERVICE
31206/tcp open unknown
Earlier I tried using LoadBalancer because I thought it was a superset of NodePort.
Question: so why does the NodePort behave in exactly the opposite way in a NodePort-type service and in a LoadBalancer-type service?
From:
NodePort
If you access this service on a nodePort from the node's external IP, it will route the request to spec.clusterIp:spec.ports[*].port, which will in turn route it to your spec.ports[*].targetPort, if set. This service can also be accessed in the same way as ClusterIP.
...
LoadBalancer
You can access this service from your load balancer's IP address, which routes your request to a nodePort, which in turn routes the request to the clusterIP port.
So for NodePort, the request goes like this:
NodeIP:NodePort -> ClusterIP:Port -> ClusterIP:TargetPort
Above, Port is the port specified as port in the yaml; it exposes the Kubernetes service on that port inside the cluster. TargetPort is the port specified as targetPort in the yaml, to which the service sends requests and on which your pod listens.
For LoadBalancer, the behaviour I expected was:
ExternalLBIP:NodePort --(load-balanced across nodes)--> NodeIP:NodePort -> ClusterIP:Port -> ClusterIP:TargetPort
What I see is:
ExternalLBIP:NodePort -> (doesn't work)
Instead, what works is:
ExternalLBIP:Port --(load-balanced across nodes)--> NodeIP:Port -> ClusterIP:Port -> ClusterIP:TargetPort
What you are seeing is correct, because the IP you are reaching with nmap is the IP of the LoadBalancer created by the service of type LoadBalancer, which means port 80 (and/or 443) is open there. A NodePort, on the other hand, is accessible on the IP of the worker node where the pod and the service are running.
The service you deployed here is of type LoadBalancer, not NodePort.
For further reading, check this.
Answer to the follow-up question:
Both what you listed as your expectation and what you found to work are incorrect.
ExternalLBIP:NodePort: if you look at the post you shared, <NodePort> is reachable via <NodeIP>, not via the LB's external IP.
ExternalLBIP:Port --(load-balanced across nodes)--> NodeIP:Port ->: the LB routes the request to the NodePort, so it would be NodeIP:NodePort.
Regarding your question, NodePort does not behave the opposite way in NodePort-type services and LoadBalancer-type services. You just have to remember that a NodePort is only accessible on a NodeIP.
Service type NodePort:
NodeIP:NodePort -> ClusterIP:Port -> Pod:TargetPort
Service type LoadBalancer:
ExternalIPofLB:Port -> NodeIP:NodePort -> ClusterIP:Port -> Pod:TargetPort
For example, from a running service of type LoadBalancer:
kubectl get svc -n <namespace> <service-name>
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
<service-name>-********** LoadBalancer 172.20.96.130 a4b63c833c2***************d4-1996967498.<region>.elb.amazonaws.com 8443:31010/TCP 8m49s
As you can see in the snippet below, the request is forwarded from the LB Port to the NodePort.
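To make the rule in the answer checkable rather than guessed at, here is an added example (not code from the original thread): a small Python script that parses the PORT(S) column of `kubectl get svc`, computes which address:port pairs the chain above predicts to be reachable for each Service type, and classifies a probe such as `nmap -p 31724 10.44.9.162` against that prediction. The sample rows and the node IP are constructed from the values shown in the thread; the classification follows the simple model the answer describes and deliberately ignores cluster-specific extras such as externalIPs, hostNetwork pods or node firewall rules.

```python
"""Added example (not from the original post): predict which address:port pairs a
Kubernetes Service exposes, following the chain the answer describes:
LB-IP:Port -> NodeIP:NodePort -> ClusterIP:Port -> Pod:TargetPort.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# One PORT(S) entry: "<port>[:<nodePort>][/<PROTO>]"; the thread's row shows that
# the protocol suffix can be absent (e.g. "443:30039").
PORTS_RE = re.compile(r"^(?P<port>\d+)(?::(?P<nodeport>\d+))?(?:/(?P<proto>[A-Z]+))?$")


@dataclass
class PortMapping:
    port: int                 # spec.ports[*].port, served on the ClusterIP (and the LB IP)
    node_port: Optional[int]  # spec.ports[*].nodePort, served on every node IP
    protocol: str = "TCP"


@dataclass
class Service:
    name: str
    svc_type: str             # ClusterIP | NodePort | LoadBalancer
    cluster_ip: str
    external_ips: list[str]
    ports: list[PortMapping]


def parse_ports(column: str) -> list[PortMapping]:
    """Parse e.g. '80:31724/TCP,443:30039' into PortMapping objects."""
    mappings = []
    for item in column.split(","):
        m = PORTS_RE.match(item.strip())
        if not m:
            raise ValueError(f"unrecognised PORT(S) entry: {item!r}")
        mappings.append(PortMapping(
            port=int(m["port"]),
            node_port=int(m["nodeport"]) if m["nodeport"] else None,
            protocol=m["proto"] or "TCP",
        ))
    return mappings


def parse_svc_line(line: str) -> Service:
    """Parse one data row of `kubectl get svc` (whitespace-separated columns)."""
    name, svc_type, cluster_ip, external_ip, ports, _age = line.split()
    external_ips = [] if external_ip == "<none>" else external_ip.split(",")
    return Service(name, svc_type, cluster_ip, external_ips, parse_ports(ports))


def expected_exposure(svc: Service, node_ips: list[str]) -> set[tuple[str, int]]:
    """(address, port) pairs that should answer under the answer's model: the Service
    port on the ClusterIP (and on the LB address for type LoadBalancer), the NodePort
    on every node IP. A NodePort is never served on the LB address, and the Service
    port is never served on a node IP."""
    reachable: set[tuple[str, int]] = set()
    for pm in svc.ports:
        reachable.add((svc.cluster_ip, pm.port))
        if svc.svc_type in ("NodePort", "LoadBalancer") and pm.node_port is not None:
            for ip in node_ips:
                reachable.add((ip, pm.node_port))
        if svc.svc_type == "LoadBalancer":
            for ip in svc.external_ips:
                reachable.add((ip, pm.port))
    return reachable


def explain_probe(svc: Service, node_ips: list[str], addr: str, port: int) -> str:
    """Classify a probe such as `nmap -p 31724 10.44.9.162` against the expected set."""
    if (addr, port) in expected_exposure(svc, node_ips):
        return "expected open"
    if port in {pm.node_port for pm in svc.ports} and addr in svc.external_ips:
        return "expected closed: NodePort is served on node IPs, not on the LB address"
    if port in {pm.port for pm in svc.ports} and addr in node_ips:
        return "expected closed: Service port is served on the ClusterIP/LB, not on node IPs"
    return "not served by this Service"


# Constructed sample rows and node IP, using the values shown in the thread.
LB_ROW = "gen LoadBalancer 10.200.32.132 10.44.9.162,10.44.9.163 80:31724/TCP,443:30039 20d"
NP_ROW = "object-controller-np NodePort 10.200.32.240 <none> 7203:31206/TCP 5s"
NODE_IPS = ["10.46.104.20"]

if __name__ == "__main__":
    for row in (LB_ROW, NP_ROW):
        svc = parse_svc_line(row)
        print(svc.name, svc.svc_type, sorted(expected_exposure(svc, NODE_IPS)))
    lb = parse_svc_line(LB_ROW)
    print("10.44.9.162:31724 ->", explain_probe(lb, NODE_IPS, "10.44.9.162", 31724))
    np = parse_svc_line(NP_ROW)
    print("10.46.104.20:7203 ->", explain_probe(np, NODE_IPS, "10.46.104.20", 7203))
```

Run it against the real `kubectl get svc` output of a cluster and compare with the port scan: a pair that is open but not in the expected set (a NodePort answering on an address that is not a node, or a Service port answering on a node IP) is the thing worth investigating, since it means something outside this model, such as externalIPs or a hostNetwork pod, is exposing the port.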