Binary deployment of a K8S cluster (21): addons, optimizing the flanneld SNAT rules


    0. Add iptables rules

    • Optimize the SNAT rules so that traffic between Pods on different compute nodes is no longer masqueraded to the host address on its way out.
    • Make the Nginx access log show the Pod IP, rather than the host IP, for Pod-to-Pod requests.

    1. Before optimization

    Run on hdss7-21 and hdss7-22.
    The iptables rules differ slightly from host to host; adjust them accordingly when running the commands on other compute nodes.

    [root@hdss7-21 ~]# kubectl get pod -o wide
    NAME                          READY   STATUS    RESTARTS   AGE     IP           NODE                NOMINATED NODE   READINESS GATES
    nginx-test-558df79dc9-ftkmn   1/1     Running   0          7m22s   172.7.22.2   hdss7-22.host.com   <none>           <none>
    nginx-test-558df79dc9-vrtgk   1/1     Running   0          7m22s   172.7.21.2   hdss7-21.host.com   <none>           <none>
    
    [root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash
    root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
    
    [root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
    10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
    

    For Pod-to-Pod communication the log shows the host IP (10.4.7.22), not the Pod IP.

    2. Apply the optimization

    yum -y install iptables-services
    systemctl enable iptables
    iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
    iptables-save > /etc/sysconfig/iptables
    iptables -t nat -nvL POSTROUTING
    

    Note: the lines that differ from the default Docker rule

    iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
    iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
    

    Meaning: SNAT (masquerade) is applied only to packets whose source is a Docker IP in this host's 172.7.21.0/24 range, whose destination is not in the 172.7.0.0/16 range, and which are not leaving through the docker0 bridge. The added `! -d 172.7.0.0/16` match is what keeps Pod-to-Pod traffic unmasqueraded.

    3. After optimization
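    An added check (not from the original article) for confirming that a node's rule set is in the "after" state: it parses an `iptables-save -t nat` style dump and reports whether the POSTROUTING MASQUERADE rule for the node's Pod subnet carries the `! -d <cluster CIDR>` exclusion. The function names `snat_rule_ok` and `snat_report` and the three dumps are constructed for this example; on a real node you would pass the output of `iptables-save -t nat` instead.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Checks whether the Pod-subnet MASQUERADE rule already excludes the
# cluster-wide Pod CIDR (i.e. whether the optimization has been applied).
# All three dumps below are constructed samples in `iptables-save -t nat` format.

# Constructed: rule set after the change (Docker default rule replaced).
OPTIMIZED_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
COMMIT'

# Constructed: rule set before the change (Docker default rule).
DEFAULT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
COMMIT'

# Constructed: no MASQUERADE rule for the subnet at all.
EMPTY_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# snat_rule_ok DUMP POD_SUBNET CLUSTER_CIDR   (hypothetical helper)
#   exit 0  a MASQUERADE rule for POD_SUBNET exists and excludes CLUSTER_CIDR
#   exit 1  a MASQUERADE rule for POD_SUBNET exists but still masquerades
#           Pod-to-Pod traffic (the "before" state)
#   exit 2  no MASQUERADE rule for POD_SUBNET was found
snat_rule_ok() {
  dump=$1
  subnet=$2
  cidr=$3
  # Keep only POSTROUTING MASQUERADE rules whose source is the Pod subnet.
  # The trailing space in the pattern stops 172.7.2.0/24 from matching 172.7.21.0/24.
  rules=$(printf '%s\n' "$dump" \
    | grep -F -- "-A POSTROUTING -s $subnet " \
    | grep -F -- "-j MASQUERADE")
  [ -n "$rules" ] || return 2
  # The exclusion must be present as a negated destination match.
  printf '%s\n' "$rules" | grep -qF -- "! -d $cidr" && return 0
  return 1
}

# Human-readable wrapper (hypothetical). On a real node run:
#   snat_report "$(iptables-save -t nat)" 172.7.21.0/24 172.7.0.0/16
snat_report() {
  rc=0
  snat_rule_ok "$1" "$2" "$3" || rc=$?
  case $rc in
    0) echo "OK: $2 is masqueraded only for destinations outside $3" ;;
    1) echo "NOT OPTIMIZED: $2 is still masqueraded for Pod-to-Pod traffic" ;;
    *) echo "MISSING: no MASQUERADE rule for $2 in POSTROUTING" ;;
  esac
  return $rc
}

snat_report "$OPTIMIZED_DUMP" 172.7.21.0/24 172.7.0.0/16
snat_report "$DEFAULT_DUMP" 172.7.21.0/24 172.7.0.0/16 || true
snat_report "$EMPTY_DUMP" 172.7.21.0/24 172.7.0.0/16 || true
```

    Because the subnet argument is per node (172.7.21.0/24 on hdss7-21, another /24 elsewhere), the same check can be run on every compute node after `iptables-save > /etc/sysconfig/iptables` to confirm the persisted rule set is the optimized one rather than the Docker default.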

    [root@hdss7-22 ~]# kubectl exec -it nginx-test-558df79dc9-ftkmn -- /bin/bash 
    root@nginx-test-558df79dc9-ftkmn:/# curl 172.7.21.2
    [root@hdss7-21 ~]# kubectl logs -f nginx-test-558df79dc9-vrtgk
    /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
    /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
    10-listen-on-ipv6-by-default.sh: Getting the checksum of /etc/nginx/conf.d/default.conf
    10-listen-on-ipv6-by-default.sh: Enabled listen on IPv6 in /etc/nginx/conf.d/default.conf
    /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
    /docker-entrypoint.sh: Configuration complete; ready for start up
    10.4.7.22 - - [04/Oct/2020:22:31:50 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
    172.7.22.2 - - [04/Oct/2020:23:14:08 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.64.0" "-"
    

    The new log line now shows the Pod IP (172.7.22.2) instead of the host IP.

    Original article: https://www.cnblogs.com/even160941/p/15049509.html