Why are pods still running after microk8s stop?



I'm in learning mode here, so forgive me if this is a dumb question...

I just installed microk8s on ubuntu following the instructions at https://ubuntu.com/tutorials/install-a-local-kubernetes-with-microk8s

Everything works. The "microbot" application gets deployed and exposed, and creates a simple web server. But to my surprise, after I stop microk8s (using "microk8s stop"), the web server is apparently still running. It keeps responding to curl with its simple page content.

Is this expected behavior? Do pods keep running after the controller has been stopped?

Also, I'm trying to figure out what microk8s is doing on the network. It started the dashboard at 10.152.183.203, but when I look at the interfaces and routing table on the host, I can't see how traffic gets routed to that destination. If I run tcpdump, I can't seem to capture any traffic going to that address.

Any explanation of what's going on here would be greatly appreciated!

  • Duncan

But to my surprise, after I stop microk8s (using "microk8s stop"), the web server is apparently still running. It keeps responding to curl with its simple page content.

Is this expected behavior? Do pods keep running after the controller has been stopped?

That is not expected behavior, and I can't reproduce it. What I see is that after running microk8s stop, the services stay available for a few seconds, but eventually everything shuts down.

Also, I'm trying to figure out what microk8s is doing on the network. It started the dashboard at 10.152.183.203, but when I look at the interfaces and routing table on the host, I can't see how traffic gets routed to that destination.

I've deployed MicroK8s locally, and the dashboard service looks like this:

root@ubuntu:~# kubectl -n kube-system get service kubernetes-dashboard
NAME                   TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)   AGE
kubernetes-dashboard   ClusterIP   10.152.183.151   <none>        443/TCP   14m

As you noted in your question, I can access it at http://10.152.183.151, but there is no local interface on that network:

root@ubuntu:~# ip addr |grep 10.152
<no results>

And there is no meaningful route to that network. For example, this shows that reaching that ip would go via the default gateway, which makes no sense:

root@ubuntu:~# ip route get 10.152.183.151
10.152.183.151 via 192.168.122.1 dev enp1s0 src 192.168.122.72 uid 0
cache

What's going on? It turns out that microk8s sets up a collection of NAT rules in your local firewall configuration. If we look for the dashboard address in the NAT table, we find:

root@ubuntu:~# iptables-legacy -t nat -S | grep 10.152.183.151
-A KUBE-SERVICES -d 10.152.183.151/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard cluster IP" -m tcp --dport 443 -j KUBE-SVC-4HQ2X6RJ753IMQ2F
-A KUBE-SVC-4HQ2X6RJ753IMQ2F ! -s 10.1.0.0/16 -d 10.152.183.151/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ

If we follow this chain, we find:

  1. Packets destined for 10.152.183.151 enter the NAT PREROUTING chain, which sends them to the KUBE-SERVICES chain.

  2. In the KUBE-SERVICES chain, packets to the dashboard (for tcp port 443) are sent to the KUBE-SVC-4HQ2X6RJ753IMQ2F chain.

  3. In KUBE-SVC-4HQ2X6RJ753IMQ2F, packets are first sent to the KUBE-MARK-MASQ chain, which sets a mark on the packet (used elsewhere in the configuration), and are then sent to the KUBE-SEP-SZAWMA3BPGJYVHOD chain:

    root@ubuntu:~# iptables-legacy -t nat -S KUBE-SVC-4HQ2X6RJ753IMQ2F
    -A KUBE-SVC-4HQ2X6RJ753IMQ2F ! -s 10.1.0.0/16 -d 10.152.183.151/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
    -A KUBE-SVC-4HQ2X6RJ753IMQ2F -m comment --comment "kube-system/kubernetes-dashboard -> 10.1.243.198:8443" -j KUBE-SEP-SZAWMA3BPGJYVHOD
    
  4. In the KUBE-SEP-SZAWMA3BPGJYVHOD chain, the packet finally matches a DNAT rule, which maps the connection to the pod's IP:

    root@ubuntu:~# iptables-legacy -t nat -S KUBE-SEP-SZAWMA3BPGJYVHOD
    -N KUBE-SEP-SZAWMA3BPGJYVHOD
    -A KUBE-SEP-SZAWMA3BPGJYVHOD -s 10.1.243.198/32 -m comment --comment "kube-system/kubernetes-dashboard" -j KUBE-MARK-MASQ
    -A KUBE-SEP-SZAWMA3BPGJYVHOD -p tcp -m comment --comment "kube-system/kubernetes-dashboard" -m tcp -j DNAT --to-destination 10.1.243.198:8443
    

    We know that 10.1.243.198 is the Pod IP because we can see it like this:

    kubectl -n kube-system get pod kubernetes-dashboard-74b66d7f9c-plj8f -o jsonpath='{.status.podIP}'
    

So we can reach the dashboard at 10.152.183.151 because the PREROUTING chain eventually hits a DNAT rule that maps the "ClusterIP" service to the pod ip.

If I run tcpdump, I can't seem to capture any traffic going to that address.

Based on the discussion above, if we use the pod ip we will see the traffic we expect. The following shows what I see while running curl -k https://10.152.183.151 in another window:

root@ubuntu:~# tcpdump -n -i any -c10 host 10.1.243.198
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
19:20:33.441481 cali7ef1137a66d Out IP 192.168.122.72.33034 > 10.1.243.198.8443: Flags [S], seq 228813760, win 64240, options [mss 1460,sackOK,TS val 3747829344 ecr 0,nop,wscale 7], length 0
19:20:33.441494 cali7ef1137a66d In  IP 10.1.243.198.8443 > 192.168.122.72.33034: Flags [S.], seq 3905988324, ack 228813761, win 65160, options [mss 1460,sackOK,TS val 1344719721 ecr 3747829344,nop,wscale 7], length 0
19:20:33.441506 cali7ef1137a66d Out IP 192.168.122.72.33034 > 10.1.243.198.8443: Flags [.], ack 1, win 502, options [nop,nop,TS val 3747829344 ecr 1344719721], length 0
19:20:33.442754 cali7ef1137a66d Out IP 192.168.122.72.33034 > 10.1.243.198.8443: Flags [P.], seq 1:518, ack 1, win 502, options [nop,nop,TS val 3747829345 ecr 1344719721], length 517
19:20:33.442763 cali7ef1137a66d In  IP 10.1.243.198.8443 > 192.168.122.72.33034: Flags [.], ack 518, win 506, options [nop,nop,TS val 1344719722 ecr 3747829345], length 0
19:20:33.443004 cali7ef1137a66d In  IP 10.1.243.198.8443 > 192.168.122.72.33034: Flags [P.], seq 1:772, ack 518, win 506, options [nop,nop,TS val 1344719722 ecr 3747829345], length 771
19:20:33.443017 cali7ef1137a66d Out IP 192.168.122.72.33034 > 10.1.243.198.8443: Flags [.], ack 772, win 501, options [nop,nop,TS val 3747829345 ecr 1344719722], length 0
19:20:33.443677 cali7ef1137a66d Out IP 192.168.122.72.33034 > 10.1.243.198.8443: Flags [P.], seq 518:582, ack 772, win 501, options [nop,nop,TS val 3747829346 ecr 1344719722], length 64
19:20:33.443680 cali7ef1137a66d In  IP 10.1.243.198.8443 > 192.168.122.72.33034: Flags [.], ack 582, win 506, options [nop,nop,TS val 1344719723 ecr 3747829346], length 0
19:20:33.443749 cali7ef1137a66d In  IP 10.1.243.198.8443 > 192.168.122.72.33034: Flags [P.], seq 772:827, ack 582, win 506, options [nop,nop,TS val 1344719723 ecr 3747829346], length 55
10 packets captured
38 packets received by filter
0 packets dropped by kernel
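The answer above walks the kube-proxy NAT chains by hand. The following is an added example, not code from the answer or from MicroK8s: it parses the `iptables -t nat -S` dump format and follows the jumps for a single packet the way the kernel would, so you can see which DNAT rule a ClusterIP ends up at (and whether it will be masqueraded) on any node without reading every chain. The embedded rule set is constructed from the rules printed in the answer; the PREROUTING/OUTPUT jumps and the MARK rule in KUBE-MARK-MASQ are the standard kube-proxy ones and were not printed on the page, so treat them as assumptions. Only `-s`, `-d`, `-p` and `--dport` matches are evaluated, and `-m statistic --probability` rules are treated as matching, so for a multi-endpoint service the first endpoint is reported. Note that for traffic the host itself generates (the `curl` in the answer) the nat OUTPUT chain is traversed rather than PREROUTING; both jump to KUBE-SERVICES.

```python
"""Trace a ClusterIP through kube-proxy's iptables NAT chains (added example)."""
import ipaddress
import shlex
import sys

# Constructed sample modelled on the rules shown in the answer above.
# The PREROUTING/OUTPUT jumps and the MARK rule are assumed (standard kube-proxy).
SAMPLE_RULES = r'''
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N KUBE-SERVICES
-N KUBE-MARK-MASQ
-N KUBE-SVC-4HQ2X6RJ753IMQ2F
-N KUBE-SEP-SZAWMA3BPGJYVHOD
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SERVICES -d 10.152.183.151/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard cluster IP" -m tcp --dport 443 -j KUBE-SVC-4HQ2X6RJ753IMQ2F
-A KUBE-SVC-4HQ2X6RJ753IMQ2F ! -s 10.1.0.0/16 -d 10.152.183.151/32 -p tcp -m comment --comment "kube-system/kubernetes-dashboard cluster IP" -m tcp --dport 443 -j KUBE-MARK-MASQ
-A KUBE-SVC-4HQ2X6RJ753IMQ2F -m comment --comment "kube-system/kubernetes-dashboard -> 10.1.243.198:8443" -j KUBE-SEP-SZAWMA3BPGJYVHOD
-A KUBE-SEP-SZAWMA3BPGJYVHOD -s 10.1.243.198/32 -m comment --comment "kube-system/kubernetes-dashboard" -j KUBE-MARK-MASQ
-A KUBE-SEP-SZAWMA3BPGJYVHOD -p tcp -m comment --comment "kube-system/kubernetes-dashboard" -m tcp -j DNAT --to-destination 10.1.243.198:8443
'''

# Targets that end traversal of the current chain (MARK is deliberately absent: it is non-terminating).
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "SNAT", "MASQUERADE", "REDIRECT"}


def parse_rules(text):
    """Turn `iptables -S` output into {chain: [rule, ...]}; each rule keeps its options and negated options."""
    chains = {}
    for raw in text.splitlines():
        toks = shlex.split(raw)          # shlex keeps the quoted --comment as one token
        if not toks:
            continue
        if toks[0] in ("-N", "-P"):      # chain definition / builtin policy
            chains.setdefault(toks[1], [])
            continue
        if toks[0] != "-A":
            continue
        rule = {"opts": {}, "neg": set()}
        i, negate = 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":                 # '! -s 10.1.0.0/16' negates the option that follows
                negate, i = True, i + 1
                continue
            if t.startswith("-"):
                val = True
                if i + 1 < len(toks) and toks[i + 1] != "!" and not toks[i + 1].startswith("-"):
                    val, i = toks[i + 1], i + 1
                rule["opts"][t] = val
                if negate:
                    rule["neg"].add(t)
                negate = False
            i += 1
        chains.setdefault(toks[1], []).append(rule)
    return chains


def _match_opt(rule, opt, pred):
    if opt not in rule["opts"]:
        return True                      # option absent: no constraint
    hit = pred(rule["opts"][opt])
    return (not hit) if opt in rule["neg"] else hit


def matches(rule, pkt):
    in_net = lambda cidr, ip: ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    return (_match_opt(rule, "-d", lambda c: in_net(c, pkt["dst"]))
            and _match_opt(rule, "-s", lambda c: in_net(c, pkt["src"]))
            and _match_opt(rule, "-p", lambda p: p == pkt["proto"])
            and _match_opt(rule, "--dport", lambda d: int(d) == pkt["dport"]))


def _walk(chains, chain, pkt, hops, depth=0):
    """Return ('DNAT', target) or ('verdict', name), or None if the chain falls through."""
    if depth > 32:
        raise RuntimeError("chain nesting too deep; rule loop?")
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule["opts"].get("-j")
        if target is None:
            continue
        hops.append((chain, target))
        if target == "DNAT":
            return ("DNAT", rule["opts"]["--to-destination"])
        if target in TERMINAL:
            return ("verdict", target)
        if target in chains:             # user-defined chain: descend, then continue if it returned
            res = _walk(chains, target, pkt, hops, depth + 1)
            if res is None or res == ("verdict", "RETURN"):
                continue
            return res
        # MARK and other non-terminating targets: keep evaluating this chain
    return None


def trace_cluster_ip(rules_text, dst, dport, src, proto="tcp", entry="PREROUTING"):
    hops = []
    res = _walk(parse_rules(rules_text), entry, {"dst": dst, "src": src, "dport": dport, "proto": proto}, hops)
    return {
        "endpoint": res[1] if res and res[0] == "DNAT" else None,
        "hops": hops,
        "masquerade": any(t == "KUBE-MARK-MASQ" for _, t in hops),
    }


if __name__ == "__main__":
    # Usage on a live node:  sudo iptables-legacy -t nat -S | python3 trace.py 10.152.183.151 443 192.168.122.72 OUTPUT
    if len(sys.argv) >= 4:
        rules, dst, port, src = sys.stdin.read(), sys.argv[1], int(sys.argv[2]), sys.argv[3]
        entry = sys.argv[4] if len(sys.argv) > 4 else "PREROUTING"
    else:
        rules, dst, port, src, entry = SAMPLE_RULES, "10.152.183.151", 443, "192.168.122.72", "PREROUTING"
    out = trace_cluster_ip(rules, dst, port, src, entry=entry)
    for chain, target in out["hops"]:
        print(f"{chain:30s} -> {target}")
    print("endpoint:", out["endpoint"], "masquerade:", out["masquerade"])
```

Run against the sample, the hop list reproduces the four steps of the answer (PREROUTING to KUBE-SERVICES, to KUBE-SVC-..., into KUBE-MARK-MASQ and back, then KUBE-SEP-... ending in DNAT to 10.1.243.198:8443). Tracing the same packet with a source inside 10.1.0.0/16 skips the masquerade hop, which is why pod-to-service traffic keeps its real source address while traffic from the host or outside is SNATed on the way in.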

After stopping microk8s, the processes belonging to the pods appear to keep running.

I assume they are never killed by issuing the "microk8s stop" command.

Not sure whether this should be the expected behavior, but generally I would think that all pod-related processes should be killed as well..

However, after starting microK8s again, new processes are created for the pods.

I am using MicroK8s v1.26.8 revision 5884.

nicolae@nicolae-VirtualBox:~$ PROMPT_COMMAND="date"
Tue 12 Sep 2023 11:57:52 AM EDT
nicolae@nicolae-VirtualBox:~$ microk8s status
microk8s is running
high-availability: no
datastore master nodes: 127.0.0.1:19001
datastore standby nodes: none
addons:
enabled:
dashboard            # (core) The Kubernetes dashboard
dns                  # (core) CoreDNS
ha-cluster           # (core) Configure high availability on the current node
helm                 # (core) Helm - the package manager for Kubernetes
helm3                # (core) Helm 3 - the package manager for Kubernetes
hostpath-storage     # (core) Storage class; allocates storage from host directory
ingress              # (core) Ingress controller for external access
metrics-server       # (core) K8s Metrics Server for API access to service metrics
registry             # (core) Private image registry exposed on localhost:32000
storage              # (core) Alias to hostpath-storage add-on, deprecated
disabled:
cert-manager         # (core) Cloud native certificate management
community            # (core) The community addons repository
gpu                  # (core) Automatic enablement of Nvidia CUDA
host-access          # (core) Allow Pods connecting to Host services smoothly
kube-ovn             # (core) An advanced network fabric for Kubernetes
mayastor             # (core) OpenEBS MayaStor
metallb              # (core) Loadbalancer for your Kubernetes cluster
minio                # (core) MinIO object storage
observability        # (core) A lightweight observability stack for logs, traces and metrics
prometheus           # (core) Prometheus operator for monitoring and logging
rbac                 # (core) Role-Based Access Control for authorisation
Tue 12 Sep 2023 11:58:17 AM EDT
nicolae@nicolae-VirtualBox:~$ microk8s kubectl get pods | grep mysql
mysql-5c5556886-zvbg6                        1/1     Running                  92 (34m ago)     118d
haproxy-mysql-admin                          1/1     Running                  124 (33m ago)    104d
Tue 12 Sep 2023 11:59:21 AM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 11:59:22 AM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 11:59:22 AM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+   65010  0.0  2.3 1614608 240640 ?      Ssl  11:25   0:01 mysqld
nicolae   106187  0.0  0.0   9040   716 pts/0    S+   12:00   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:00:07 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:00:24 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:00:24 PM EDT
nicolae@nicolae-VirtualBox:~$ sudo nsenter -t 65010 -u hostname
mysql-5c5556886-zvbg6
Tue 12 Sep 2023 12:00:37 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:00:59 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:00:59 PM EDT
nicolae@nicolae-VirtualBox:~$ microk8s stop
Stopped.
Tue 12 Sep 2023 12:02:10 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:02:36 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:02:36 PM EDT
nicolae@nicolae-VirtualBox:~$ microk8s kubectl get pods
microk8s is not running, try microk8s start
Tue 12 Sep 2023 12:02:49 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:03:10 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:03:11 PM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+   65010  0.0  2.3 1614608 240640 ?      Ssl  11:25   0:01 mysqld
nicolae   110162  0.0  0.0   9040   720 pts/0    S+   12:03   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:03:18 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:03:19 PM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+   65010  0.0  2.3 1614608 240640 ?      Ssl  11:25   0:02 mysqld
nicolae   117868  0.0  0.0   8908   720 pts/0    R+   12:07   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:07:22 PM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+   65010  0.0  2.3 1614608 240640 ?      Ssl  11:25   0:02 mysqld
nicolae   117930  0.0  0.0   9040   704 pts/0    S+   12:07   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:07:24 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:07:24 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:08:08 PM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+   65010  0.0  2.3 1614608 240640 ?      Ssl  11:25   0:02 mysqld
nicolae   119226  0.0  0.0   9040   712 pts/0    S+   12:08   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:08:09 PM EDT
nicolae@nicolae-VirtualBox:~$ 
Tue 12 Sep 2023 12:08:47 PM EDT
nicolae@nicolae-VirtualBox:~$ microk8s start
Tue 12 Sep 2023 12:09:16 PM EDT
nicolae@nicolae-VirtualBox:~$ ps aux | grep mysql
systemd+  124297  0.5  1.8 1147668 186324 ?      Ssl  12:09   0:00 mysqld
nicolae   128970  0.0  0.0   9040   720 pts/0    S+   12:09   0:00 grep --color=auto mysql
Tue 12 Sep 2023 12:09:53 PM EDT
nicolae@nicolae-VirtualBox:~$ microk8s version
MicroK8s v1.26.8 revision 5884
Tue 12 Sep 2023 12:10:58 PM EDT
nicolae@nicolae-VirtualBox:~$ 
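The answer above proves that the surviving mysqld (PID 65010) is a pod container by entering its UTS namespace with `nsenter -t 65010 -u hostname`. The following is an added example, not code from the answer or from MicroK8s, that does the same check for every process on the host using the kernel's cgroup path in `/proc/<pid>/cgroup`, which stays attached to a process after the kubelet and containerd have been stopped. It is the quick way to list what `microk8s stop` left behind, and which pod each leftover belongs to, since those processes keep their listening sockets but are no longer supervised. It assumes the kubelet uses either the cgroupfs driver (`/kubepods/<qos>/pod<uid>/<container-id>`) or the systemd driver (`kubepods-<qos>-pod<uid>.slice/cri-containerd-<container-id>.scope`); any other layout is reported as not a pod. The sample cgroup lines in the block are constructed.

```python
"""Map host PIDs to the pod they belong to via /proc/<pid>/cgroup (added example)."""
import os
import re

# cgroupfs driver: /kubepods/besteffort/pod<uid>/<64-hex container id>
# (Guaranteed-QoS pods have no <qos> component: /kubepods/pod<uid>/<cid>)
CGROUPFS_RE = re.compile(
    r"/kubepods(?:/(besteffort|burstable))?/pod([0-9a-f-]{36})/([0-9a-f]{64})")
# systemd driver: .../kubepods-burstable-pod<uid with _>.slice/cri-containerd-<cid>.scope
SYSTEMD_RE = re.compile(
    r"kubepods-(?:(besteffort|burstable)-)?pod([0-9a-f_]{36})\.slice/"
    r"(?:cri-containerd|docker|crio)-([0-9a-f]{64})\.scope")

# Constructed samples (these UIDs and container ids are made up for the test).
SAMPLE_CGROUPFS = ["0::/kubepods/besteffort/pod0e6f5c1a-3b2d-4a8e-9f10-112233445566/" + "ab" * 32]
SAMPLE_SYSTEMD = ["12:pids:/kubepods.slice/kubepods-burstable.slice/"
                  "kubepods-burstable-pod0e6f5c1a_3b2d_4a8e_9f10_112233445566.slice/"
                  "cri-containerd-" + "cd" * 32 + ".scope"]
SAMPLE_HOST = ["0::/user.slice/user-1000.slice/session-2.scope"]


def parse_cgroup_path(path):
    """Return {'qos', 'pod_uid', 'container_id'} for a kubelet-managed cgroup path, else None."""
    for rx in (CGROUPFS_RE, SYSTEMD_RE):
        m = rx.search(path)
        if m:
            return {
                "qos": m.group(1) or "guaranteed",
                "pod_uid": m.group(2).replace("_", "-"),   # systemd slices use '_' in the UID
                "container_id": m.group(3),
            }
    return None


def pod_from_cgroup_lines(lines):
    """Each /proc/<pid>/cgroup line is 'hierarchy-id:controllers:path'; v2 has a single '0::' line."""
    for line in lines:
        parts = line.strip().split(":", 2)
        if len(parts) != 3:
            continue
        info = parse_cgroup_path(parts[2])
        if info:
            return info
    return None


def scan_procs(proc_root="/proc"):
    """Return {pid: {...pod info..., 'comm': name}} for every process inside a pod cgroup."""
    found = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(f"{proc_root}/{name}/cgroup") as f:
                info = pod_from_cgroup_lines(f)
            with open(f"{proc_root}/{name}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue        # process exited between listdir and open, or not readable
        if info:
            found[int(name)] = {**info, "comm": comm}
    return found


if __name__ == "__main__":
    # Run after `microk8s stop`: anything printed is a container process that outlived the cluster.
    for pid, info in sorted(scan_procs().items()):
        print(f"{pid:>7} {info['comm']:<16} pod={info['pod_uid']} qos={info['qos']} "
              f"container={info['container_id'][:12]}")
```

On the box in the answer, running this as root right after `microk8s stop` would list PID 65010 (`mysqld`) with the UID of the `mysql-5c5556886-zvbg6` pod if the leftover is indeed the pod's container; an empty listing means everything was torn down. The pod UID can be cross-checked with `kubectl get pod <name> -o jsonpath='{.metadata.uid}'` once the cluster is started again.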
