Specifying the egress IP for a centralized subnet gateway in NAT mode
oilbeater edited this page Jun 27, 2022
The Chinese documentation in this Wiki is no longer maintained. Please visit our latest Chinese documentation site for the most recent updates.
In real deployments a node often has more than one NIC that can reach the outside, and a given subnet may need to leave the cluster through one specific NIC. Starting with Kube-OVN v1.8.0, this is supported: a gateway node listed for a centralized subnet can be given the exact address that egress traffic is SNATed to.
Only centralized subnets carry gateway node information, so the subnet must be created with a centralized gateway:
```yaml
apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: central
spec:
  cidrBlock: 100.168.10.0/24
  disableInterConnection: true
  natOutgoing: true
  vpc: ovn-cluster
  namespaces:
  - test
  gatewayType: centralized
  gatewayNode: kube-ovn-control-plane,kube-ovn-worker:172.17.0.3
```
Three fields matter here: `natOutgoing` must be `true`, `gatewayType` must be `centralized`, and to pin the egress IP of a gateway node, write that node in `gatewayNode` as `NodeName:NodeIP`, with a colon separating the node name from the address. A node listed without an address, like `kube-ovn-control-plane` above, keeps the default egress behaviour; only `kube-ovn-worker` is pinned to `172.17.0.3`.
```yaml
natOutgoing: true
gatewayType: centralized
gatewayNode: kube-ovn-control-plane,kube-ovn-worker:172.17.0.3
```
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test
  name: test
  namespace: test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: test
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: test
            topologyKey: kubernetes.io/hostname
      containers:
      - image: nginx:latest
        imagePullPolicy: IfNotPresent
        name: nginx
      tolerations:
      - operator: Exists
```
If the subnet is not the default subnet, the Namespace the Pods live in must be listed in the subnet's `namespaces` field; that is what makes Pods in that Namespace get their addresses from this subnet. The Deployment above therefore runs in the `test` namespace, and its pod anti-affinity on `kubernetes.io/hostname` spreads the two replicas across both nodes.
Verify external access from inside one of the Pod containers:
```console
mac@macdeMacBook-Pro kube-ovn % kubectl get pod -n test -o wide
NAME                   READY   STATUS    RESTARTS   AGE   IP             NODE                    NOMINATED NODE   READINESS GATES
test-d67747b6b-ltzbd   1/1     Running   0          20h   100.168.10.2   kube-ovn-worker         <none>           <none>
test-d67747b6b-qgwxf   1/1     Running   0          20h   100.168.10.3   kube-ovn-control-plane  <none>           <none>
mac@macdeMacBook-Pro kube-ovn %
mac@macdeMacBook-Pro kube-ovn % kubectl exec -it -n test test-d67747b6b-ltzbd -- bash
bash-5.0# ping -c1 -W1 www.baidu.com
PING www.baidu.com (103.235.46.39): 56 data bytes
64 bytes from 103.235.46.39: seq=0 ttl=35 time=294.876 ms
--- www.baidu.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 294.876/294.876/294.876 ms
```
In the `kube-ovn-cni` container on the same node as that Pod (`kube-ovn-worker`, which is also the gateway node pinned to `172.17.0.3`), inspect the iptables nat table. Traffic sourced from the subnet's CIDR and destined anywhere outside the cluster subnets (the `! match-set ovn40subnets dst` condition) is SNATed to the specified address; traffic to other cluster subnets is left untouched.
```console
mac@macdeMacBook-Pro kube-ovn % kubectl get pod -n kube-system -o wide
NAME                READY   STATUS    RESTARTS   AGE   IP           NODE                    NOMINATED NODE   READINESS GATES
kube-ovn-cni-gtxx7  1/1     Running   0          21h   172.18.0.3   kube-ovn-worker         <none>           <none>
kube-ovn-cni-qfmq7  1/1     Running   0          21h   172.18.0.2   kube-ovn-control-plane  <none>           <none>
mac@macdeMacBook-Pro kube-ovn % kubectl exec -it kube-ovn-cni-gtxx7 -n kube-system -- bash
root@kube-ovn-worker:/kube-ovn#
root@kube-ovn-worker:/kube-ovn# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source            destination
SNAT       all  --  100.168.10.0/24   anywhere    ! match-set ovn40subnets dst to:172.17.0.3
```
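The two checks a practitioner wants around this setup are (a) that the `gatewayNode` string is well formed before it is applied, since a typo in the `NodeName:NodeIP` entry silently changes which NIC egress uses, and (b) that the SNAT rule on the gateway node really points at the intended address. The POSIX shell functions below are an added example and not Kube-OVN project code; they assume the `iptables -t nat -S POSTROUTING` form of the rule shown above via `-L`, and the rule text they run against is a constructed sample, not captured from a live cluster.

```shell
#!/bin/sh
# Added example (not Kube-OVN project code): sanity checks for the
# centralized-gateway egress IP setup described on this page.
#
#  - parse_gateway_nodes: splits a Subnet .spec.gatewayNode string such as
#    "kube-ovn-control-plane,kube-ovn-worker:172.17.0.3" into "node ip" lines
#    and rejects malformed entries before they reach the API server.
#  - check_snat_rule: reads `iptables -t nat -S POSTROUTING` output (captured
#    from the kube-ovn-cni pod on the gateway node) and confirms the subnet
#    CIDR is SNATed to the expected address and to nothing else.

# is_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address with octets 0..255.
is_ipv4() {
  _ifs=$IFS; IFS='.'
  set -- $1            # split on dots into the function's positional parameters
  IFS=$_ifs
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_o" -le 255 ] || return 1
  done
  return 0
}

# parse_gateway_nodes SPEC
# Prints one "node ip" line per comma-separated entry; ip is "-" when no
# address is pinned (the node keeps its default egress behaviour).
# Returns 1 if any entry is empty or not of the form NodeName:NodeIP.
parse_gateway_nodes() {
  _rest=$1
  _rc=0
  while [ -n "$_rest" ]; do
    _entry=${_rest%%,*}
    if [ "$_entry" = "$_rest" ]; then _rest=''; else _rest=${_rest#*,}; fi
    case $_entry in
      '')
        echo "empty gatewayNode entry" >&2; _rc=1 ;;
      *:*)
        _node=${_entry%%:*}; _ip=${_entry#*:}
        if [ -n "$_node" ] && is_ipv4 "$_ip"; then
          echo "$_node $_ip"
        else
          echo "malformed entry (want NodeName:NodeIP): $_entry" >&2; _rc=1
        fi ;;
      *)
        echo "$_entry -" ;;
    esac
  done
  return $_rc
}

# check_snat_rule CIDR EXPECTED_IP RULES
# 0: SNAT rule for CIDR present and translating to EXPECTED_IP
# 1: no SNAT rule for CIDR (natOutgoing off, or wrong node inspected)
# 2: rule present but translating to another address (wrong NIC picked)
check_snat_rule() {
  _cidr=$1; _want=$2; _rules=$3
  _got=$(printf '%s\n' "$_rules" \
        | grep -F -e "-A POSTROUTING -s $_cidr " \
        | grep -F -e '-j SNAT --to-source ' \
        | sed 's/.*--to-source //')
  if [ -z "$_got" ]; then
    echo "no SNAT rule for $_cidr" >&2; return 1
  fi
  if [ "$_got" = "$_want" ]; then
    return 0
  fi
  echo "$_cidr is SNATed to $_got, expected $_want" >&2
  return 2
}

# Constructed sample of `iptables -t nat -S POSTROUTING` on kube-ovn-worker,
# written in the -S form of the rule the page shows with -L. The second
# subnet rule is a distractor to show the CIDR filter matters.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 100.168.10.0/24 -m set ! --match-set ovn40subnets dst -j SNAT --to-source 172.17.0.3
-A POSTROUTING -s 10.16.0.0/16 -m set ! --match-set ovn40subnets dst -j MASQUERADE'

if parse_gateway_nodes 'kube-ovn-control-plane,kube-ovn-worker:172.17.0.3' \
   && check_snat_rule 100.168.10.0/24 172.17.0.3 "$SAMPLE_RULES"; then
  echo "gatewayNode spec is well formed and 100.168.10.0/24 egresses via 172.17.0.3"
fi
```

On a live cluster, replace `SAMPLE_RULES` with `kubectl exec -n kube-system <kube-ovn-cni pod on the gateway node> -- iptables -t nat -S POSTROUTING`; a return code of 2 means the subnet is leaving through a different NIC than the one pinned in `gatewayNode`, which is exactly the failure this feature exists to prevent.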