我的书签
添加书签
移除书签ip-masq-agent
ip-masq-agent 是一个用来管理 IP 伪装的扩展,即管理节点中 IP 网段的 SNAT 规则。
ip-masq-agent 配置 iptables 规则,以便将流量发送到集群节点之外的目标时处理 IP 伪装。默认情况下,RFC 1918 定一个的三个私有 IP 范围是非伪装网段,即 10.0.0.0/8、172.16.0.0/12 和 192.168.0.0/16。另外,链接本地地址(169.254.0.0/16)也被视为非伪装网段。
部署方法
首先,标记要运行 ip-masq-agent 的 Node
kubectl label nodes my-node beta.kubernetes.io/masq-agent-ds-ready=true
然后部署 ip-masq-agent:
kubectl create -f https://raw.githubusercontent.com/kubernetes-incubator/ip-masq-agent/master/ip-masq-agent.yaml
部署好,查看 iptables 规则,可以发现
iptables -t nat -L IP-MASQ-AGENTRETURN all -- anywhere 169.254.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCALRETURN all -- anywhere 10.0.0.0/8 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCALRETURN all -- anywhere 172.16.0.0/12 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCALRETURN all -- anywhere 192.168.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCALMASQUERADE all -- anywhere anywhere /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
使用方法
自定义 SNAT 网段的方法:
cat >config <<EOFnonMasqueradeCIDRs:- 10.0.0.0/8resyncInterval: 60sEOFkubectl create configmap ip-masq-agent --from-file=config --namespace=kube-system
这样,查看 iptables 规则可以发现
$ iptables -t nat -L IP-MASQ-AGENTChain IP-MASQ-AGENT (1 references)target prot opt source destinationRETURN all -- anywhere 169.254.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCALRETURN all -- anywhere 10.0.0.0/8 /* ip-masq-agent: cluster-localMASQUERADE all -- anywhere anywhere /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
