Traffic forwarding and bridging
- Kubernetes relies on the kernel's Netfilter (iptables/nftables) machinery, driven by kube-proxy and the CNI plug-in, to implement low-level cluster IP load balancing and pod networking. Two kernel settings are prerequisites on every node: IP forwarding and bridge netfilter. If either is off, Services and cross-node pod traffic fail silently.
IP forwarding (net.ipv4.ip_forward)
- ip_forward is a kernel setting that allows the kernel to forward packets received on one interface out of another interface, i.e. to act as a router. A node must route traffic from its pods (on the bridge or veth side) to other nodes and to the outside world, so this must be enabled; without it packets arriving from a pod are dropped instead of forwarded.
View
sysctl net.ipv4.ip_forward
# 0 means forwarding is disabled
Set up
sysctl -w net.ipv4.ip_forward=1                                   # takes effect immediately, lost on reboot
echo net.ipv4.ip_forward=1 >> /etc/sysctl.d/99-kubernetes.conf    # persist in /etc/sysctl.d, not in the packaged /usr/lib/sysctl.d files
sysctl --system                                                   # reload all sysctl.d files; a bare `sysctl -p` reads only /etc/sysctl.conf
bridging
bridge-netfilter (the br_netfilter kernel module) makes traffic that crosses a Linux bridge visible to iptables, so the rules that Docker and kube-proxy install actually apply to it. This is how the Docker and Kubernetes bridge setups are meant to work.
Without it, packets between containers on the same bridge, and between the host and its containers, are switched at layer 2 and bypass iptables entirely, which breaks kube-proxy's Service NAT for same-node pods and any iptables-based policy on that traffic.
View
[root@t91 home]# sysctl net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-iptables = 1
# 0 means bridged traffic bypasses iptables
Set up
modprobe br_netfilter                                   # the net.bridge.* keys only exist while this module is loaded
sysctl -w net.bridge.bridge-nf-call-iptables=1
echo net.bridge.bridge-nf-call-iptables=1 >> /etc/sysctl.d/10-bridge-nf-call-iptables.conf
sysctl --system
Make br_netfilter load at boot as well (an entry in /etc/modules-load.d/), otherwise the key does not exist after a reboot and the sysctl.d file fails to apply.
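The two checks above, combined into one preflight script that a node provisioner can gate on. This is an added example, not code from the original page or from Kubernetes; the file names /etc/sysctl.d/99-kubernetes.conf and /etc/modules-load.d/br_netfilter.conf are my choice, and it assumes a Linux host with /proc/sys, modprobe and procps `sysctl --system`. It also checks the IPv6 counterpart (bridge-nf-call-ip6tables), which dual-stack clusters need.

```shell
#!/bin/sh
# Preflight for the kernel settings kube-proxy and overlay networks need.
# Added example, not code from the original page. Assumes Linux with /proc/sys,
# `modprobe` and procps `sysctl --system`; the file names below are assumptions.

CONF=/etc/sysctl.d/99-kubernetes.conf
MODCONF=/etc/modules-load.d/br_netfilter.conf

# Map a sysctl key to its /proc/sys file: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward
sysctl_path() {
    printf '/proc/sys/%s\n' "$(printf '%s' "$1" | tr . /)"
}

# Read a key straight from /proc/sys. Prints "missing" when the file does not
# exist, which for net.bridge.* means br_netfilter is not loaded at all.
read_sysctl() {
    p=$(sysctl_path "$1")
    if [ -r "$p" ]; then cat "$p"; else echo missing; fi
}

# Exit 0 when the observed value ($1) equals the required one ($2).
sysctl_ok() {
    [ "$1" = "$2" ]
}

# One line in sysctl.d syntax.
persist_line() {
    printf '%s = %s\n' "$1" "$2"
}

# Keys every node needs (the ip6tables variant is the same control for IPv6 traffic).
REQUIRED='net.ipv4.ip_forward=1
net.bridge.bridge-nf-call-iptables=1
net.bridge.bridge-nf-call-ip6tables=1'

# Report each key; return 1 if anything is wrong so a provisioner can stop here.
preflight() {
    rc=0
    for kv in $REQUIRED; do
        key=${kv%%=*}; want=${kv#*=}
        have=$(read_sysctl "$key")
        if sysctl_ok "$have" "$want"; then
            echo "OK   $key = $have"
        else
            echo "FAIL $key = $have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# Apply now and persist: load the module, make it load at boot (otherwise the
# net.bridge.* keys are absent after reboot and sysctl --system errors on them),
# write the sysctl.d file and reload every sysctl.d file (plain `sysctl -p`
# reads only /etc/sysctl.conf).
apply() {
    modprobe br_netfilter
    echo br_netfilter > "$MODCONF"
    for kv in $REQUIRED; do
        persist_line "${kv%%=*}" "${kv#*=}"
    done > "$CONF"
    sysctl --system >/dev/null
}

# Usage: sh k8s-netfilter-preflight.sh check | apply
# With no argument nothing runs, so the functions can be sourced by other scripts.
case "${1:-}" in
    check) preflight ;;
    apply) apply && preflight ;;
esac
```

Reading /proc/sys directly rather than parsing `sysctl` output keeps the check free of output-format differences between procps versions, and "missing" is reported separately from "0" because the fix is different (load the module versus flip the value).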
Firewall rules
Kubernetes supports a variety of network plug-ins (CNI) to provide cluster networking, but the result still looks like ordinary IP traffic on ordinary ports, so it is subject to the same host and perimeter firewalls as any other application.
The most common setup is a VXLAN overlay network (for example flannel's vxlan backend), in which each pod-to-pod IP packet is encapsulated in UDP and sent between nodes on UDP port 8472 (flannel's default, inherited from the Linux kernel; the IANA-assigned VXLAN port is 4789). If a firewall between the nodes drops that UDP port, cross-node pod traffic fails even though the nodes themselves can reach each other.
- In that case pinging a pod on another node shows 100% packet loss:
$ ping 10.244.1.4
PING 10.244.1.4 (10.244.1.4): 56 data bytes
^C--- 10.244.1.4 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss
- Test with the same protocol and port the overlay actually uses. Firewall rules are usually written per protocol, so ICMP or TCP between the nodes may be allowed while UDP 8472 is blocked (or the reverse), and a successful ping between node addresses proves nothing about VXLAN. The same applies to other backends: for instance Calico's IP-in-IP uses IP protocol 4 and BGP uses TCP 179, so check what your CNI uses.
- iperf (iperf2, the `iperf` binary) is a good validation tool. The port must be free on the server node, so run this before the CNI is deployed or while flanneld is stopped, since the vxlan device owns UDP 8472 once it is up:
# Run on the server node (the destination)
iperf -s -p 8472 -u
# Run on the client node; -u sends UDP, -b 1K keeps the rate tiny (a few datagrams are enough to tell)
iperf -c 172.28.128.103 -u -p 8472 -b 1K
If UDP 8472 is open, the server prints the incoming connection and the client prints a "Server Report" with the loss percentage; if it is blocked, the server sees nothing and the client only warns that it never received an acknowledgement.