(Draft) Debugging k8s networking
nicolaka/netshoot
$ kubectl run -ti --rm awakening-fong -n cattle-system --image nicolaka/netshoot:v0.8 -- /bin/bash
Running ip route add inside the pod fails; how do I make the pod privileged?
Fix: set this in the container spec:
securityContext:
  privileged: true
Does not work: --overrides='{"securityContext": {"privileged": true}}' (the override JSON must follow the Pod object layout, so privileged belongs under spec.containers[].securityContext, not at the top level)
Alternatively, use nsenter from the host to run commands inside the container's network namespace.
Use netstat -s to check whether there are any drop statistics:
$ netstat -s | grep -E 'overflow|drop'
123 times the listen queue of a socket overflowed
456 SYNs to LISTEN sockets dropped
Question: if the drops are caused by iptables rules, does netstat count them?
In the tcp_conn_request function in net/ipv4/tcp_input.c:
    if (sk_acceptq_is_full(sk)) {
        NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
        goto drop;
    }
and the tcp_listendrop helper it calls on the drop path:
    static inline void tcp_listendrop(const struct sock *sk)
    {
        atomic_inc(&((struct sock *)sk)->sk_drops);
        __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENDROPS);
    }
The drop statistics shown by netstat -s correspond to these two counters, ListenOverflows and ListenDrops.
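An added shell example (not from the original post) that reads the same two counters directly from /proc/net/netstat, the kernel file behind the netstat -s lines above; the column index is taken from the header line, so it keeps working when a kernel adds or reorders fields. The sample input is constructed.

```shell
# Constructed sample of /proc/net/netstat: each protocol block is a header
# line followed by a value line, both prefixed with the block name.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops TCPAbortOnData
TcpExt: 0 0 123 456 7
IpExt: InNoRoutes InTruncatedPkts InMcastPkts
IpExt: 0 0 0'

# tcpext_counter CONTENT NAME -> prints the TcpExt counter NAME, or nothing
# if the kernel does not export a counter of that name.
tcpext_counter() {
  printf '%s\n' "$1" | awk -v key="$2" '
    $1 == "TcpExt:" && !seen { for (i = 2; i <= NF; i++) col[$i] = i; seen = 1; next }
    $1 == "TcpExt:" && seen  { if (key in col) print $(col[key]); exit }
  '
}

# listen_drop_summary CONTENT -> "overflows=N drops=M"; a missing counter is
# reported as 0 so two snapshots can be diffed without special cases.
listen_drop_summary() {
  ov=$(tcpext_counter "$1" ListenOverflows)
  dr=$(tcpext_counter "$1" ListenDrops)
  printf 'overflows=%s drops=%s\n' "${ov:-0}" "${dr:-0}"
}

# On a node, take two snapshots a few seconds apart: a rising count means the
# listen/accept queue is overflowing. A netfilter DROP happens before TCP sees
# the packet, so it never moves these counters; per-rule packet counters
# (iptables -L -v -n -x) are where iptables drops show up.
if [ -r /proc/net/netstat ]; then
  listen_drop_summary "$(cat /proc/net/netstat)"
else
  listen_drop_summary "$SAMPLE_NETSTAT"
fi
```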
ipvsadm
How to enable ipvs
kube-proxy listens on port 10249; you can query the kube-proxy mode by fetching:
$ curl http://localhost:10249/proxyMode
iptables
$ ip a show kube-ipvs0
kube-ipvs0 is a dummy interface: it never actually receives packets, and its link state shows as DOWN. Its job is to hold the VIPs used by the ipvs rules. IPVS hooks mainly into netfilter's INPUT chain; after a packet passes the PREROUTING chain, the kernel has to decide whether it goes to INPUT or FORWARD: if the destination is a local IP it goes to INPUT, otherwise it goes to FORWARD and is routed on to another machine. So k8s binds the Service VIPs to kube-ipvs0 so that packets for them enter INPUT and can then be forwarded by ipvs.
Route type local, as ip-route(8) defines it: the destinations are assigned to this host. The packets are looped back and delivered locally.
$ ip route show table local type local
local 10.42.0.0 dev flannel.1 proto kernel scope host src 10.42.0.0
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
local 192.168.4.167 dev eth0 proto kernel scope host src 192.168.4.167
$ ip route show table local
local 10.42.0.0 dev flannel.1 proto kernel scope host src 10.42.0.0
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
broadcast 172.17.0.0 dev docker0 proto kernel scope link src 172.17.0.1
local 172.17.0.1 dev docker0 proto kernel scope host src 172.17.0.1
broadcast 172.17.255.255 dev docker0 proto kernel scope link src 172.17.0.1
broadcast 192.168.4.0 dev eth0 proto kernel scope link src 192.168.4.167
local 192.168.4.167 dev eth0 proto kernel scope host src 192.168.4.167
broadcast 192.168.4.255 dev eth0 proto kernel scope link src 192.168.4.167
iptables -t nat -A POSTROUTING -s 10.42.0.0/16 -d 192.168.4.167 -o eth0 -j MASQUERADE
Permalink: https://awakening-fong.github.io/posts/network/debug_k8s_network
Reprints must credit the source: https://awakening-fong.github.io