How Kubernetes works (a): exposing services externally with iptables

Foreword

Kubernetes uses iptables to achieve two objectives:

1) Exposing pods and services externally

2) Simple load balancing

On a Kubernetes worker node, the PREROUTING and OUTPUT chains of the iptables NAT table contain the following rules, which are the entry points for every packet Kubernetes handles:

-A PREROUTING -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-CONTAINER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-CONTAINER
-A OUTPUT -m comment --comment "kube hostport portals" -m addrtype --dst-type LOCAL -j KUBE-HOSTPORTS
-A OUTPUT -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -m comment --comment "handle ClusterIPs; NOTE: this must be before the NodePort rules" -j KUBE-PORTALS-HOST
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT -m addrtype --dst-type LOCAL -m comment --comment "handle service NodePorts; NOTE: this must be the last rule in the chain" -j KUBE-NODEPORT-HOST

The PREROUTING chain processes packets arriving from outside the host:

Rule 1 forwards packets to pods that use a hostPort (iptables mode)

Rule 2 forwards packets to Kubernetes services (iptables mode)

Rule 3 handles requests from containers inside the cluster to service virtual IPs (kube-proxy mode)

Rule 4 handles requests sent to a container's NodePort (kube-proxy mode)

 

The OUTPUT chain processes packets generated by the host itself (outbound traffic):

Rule 1 handles requests from the host to a hostPort (iptables mode)

Rule 2 handles requests from the host to a Kubernetes service (iptables mode)

Rule 3 handles requests from the host to a cluster service virtual IP (kube-proxy mode)

Rule 4 handles requests from the host to a NodePort (kube-proxy mode)

 

The order in which Kubernetes evaluates the externally exposed service types is: hostPort, cluster service (ClusterIP), node external IP, LoadBalancer service, and finally NodePort service. The KUBE-SERVICES chain reflects that order:

-A KUBE-SERVICES -d cluster_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name cluster IP" -m tcp --dport 80 -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -m physdev ! --physdev-is-in -m addrtype ! --src-type LOCAL -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d node_external_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name external IP" -m tcp --dport 80 -m addrtype --dst-type LOCAL -j KUBE-SVC-SSSSSS
-A KUBE-SERVICES -d loadbalancer_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -m tcp --dport 80 -j KUBE-FW-SSSSSS
 
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

 

Working principle

1) The entry point for cluster services is the rule "-A [PREROUTING | OUTPUT] -m comment --comment 'kubernetes service portals' -j KUBE-SERVICES", which jumps to the KUBE-SERVICES chain.

2) The KUBE-SERVICES chain is made up of a series of rules of the form shown above: a request whose destination matches a cluster VIP and port is passed on to the corresponding KUBE-SVC-XXXXXX chain.

 

3) KUBE-SVC-XXXXXX is composed as follows:

-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA

-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB

-A KUBE-SVC-XXXXXX -m comment --comment "namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC

The packet is forwarded to one of the backend pods according to these probabilities: the first rule takes 1/3 of the traffic, the second takes 1/2 of what remains, and the last rule takes the rest, so each of the three backends receives an equal share (the displayed values are 1/3 and 1/2 after iptables' internal rounding).

 

4) KUBE-SEP-CCCCCC is composed as follows:

-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ

-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT

The first rule marks packets whose source is the pod itself (traffic hairpinning back to its own service) for masquerading; the second performs the DNAT that rewrites the destination to the selected pod. The packet is then routed either to a pod on a remote node or to a local pod.
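As an added example (not code from the original post), the arithmetic behind the `-m statistic --mode random --probability` values in KUBE-SVC-XXXXXX above, which the KUBE-XLB-KKKKKK chains in the following sections use in the same way. It assumes N endpoints behind one chain, rule i getting probability 1/(N-i) and the last rule being unconditional, exactly as in the three-rule chain shown; the packet counts are constructed for the simulation.

```python
import random
from fractions import Fraction


def rule_probabilities(n):
    """--probability values for a chain with n endpoints (assumption: the
    kube-proxy pattern shown above): rule i (0-based) gets 1/(n-i); the
    last rule has no statistic match and is represented by None."""
    if n < 1:
        raise ValueError("a chain needs at least one endpoint")
    return [Fraction(1, n - i) for i in range(n - 1)] + [None]


def endpoint_shares(n):
    """Overall share of new connections each KUBE-SEP-* target receives.
    A packet only reaches rule i if every earlier rule declined it, so the
    share of rule i is (probability mass still left) * (its own probability)."""
    shares, remaining = [], Fraction(1)
    for p in rule_probabilities(n):
        hit = remaining if p is None else remaining * p
        shares.append(hit)
        remaining -= hit
    return shares


def shares_are_uniform(n):
    """True when every endpoint gets exactly 1/n, which is what the chain intends."""
    return all(s == Fraction(1, n) for s in endpoint_shares(n))


def walk_chain(probs, rng):
    """Walk one packet down the chain; return the index of the rule that fired,
    i.e. which KUBE-SEP-* target the packet jumps to."""
    for i, p in enumerate(probs):
        if p is None or rng.random() < float(p):
            return i
    raise RuntimeError("unreachable: the last rule always matches")


def simulate(n, packets=30000, seed=0):
    """Send `packets` constructed connections through the chain and count how
    many land on each endpoint (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    probs = rule_probabilities(n)
    counts = [0] * n
    for _ in range(packets):
        counts[walk_chain(probs, rng)] += 1
    return counts
```

`simulate(3)` spreads the constructed connections roughly 10000/10000/10000, while `endpoint_shares(3)` gives the exact 1/3 each that the rule order guarantees.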

How a LoadBalancer service uses iptables to expose a pod service externally

1. An external request forwarded through the external load balancer arrives with the load balancer's IP as its destination and matches the following rule:

-A KUBE-SERVICES -d loadbalancer_IP/32 -p tcp -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -m tcp --dport 80 -j KUBE-FW-SSSSSS

 

2. KUBE-FW-SSSSSS is composed as follows:

-A KUBE-FW-SSSSSS -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -j KUBE-XLB-KKKKKK

-A KUBE-FW-SSSSSS -m comment --comment "namespace/pod_name:port_name loadbalancer IP" -j KUBE-MARK-DROP

 

3. KUBE-XLB-KKKKKK consists of a series of probabilistic selection rules:

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 0 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 1 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 2 for namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC

These rules lead the packet to the iptables rules for one specific pod.

4. KUBE-SEP-CCCCCC is composed as follows:

-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ

-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT

The DNAT rewrites the packet's destination to the selected pod, and the packet is then routed either to a pod on a remote node or to a local pod.

 

How a NodePort service uses iptables to expose a pod service externally

1. The last rule of the KUBE-SERVICES chain sends NodePort service traffic to the KUBE-NODEPORTS chain:

-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

2. KUBE-NODEPORTS contains a set of rules, one per NodePort service, e.g.:

-A KUBE-NODEPORTS -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp --dport 80 -j KUBE-XLB-KKKKKK

which in turn jump to the load-balancing rules generated for external access.

 

3. KUBE-XLB-KKKKKK consists of a series of probabilistic selection rules:

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 0 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.33332999982 -j KUBE-SEP-AAAAAA

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 1 for namespace/pod_name:port_name" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-BBBBBB

-A KUBE-XLB-KKKKKK -m comment --comment "Balancing rule 2 for namespace/pod_name:port_name" -j KUBE-SEP-CCCCCC

These rules lead the packet to the iptables rules for one specific pod.

4. KUBE-SEP-CCCCCC is composed as follows:

-A KUBE-SEP-CCCCCC -s POD_IP/32 -m comment --comment "namespace/pod_name:port_name" -j KUBE-MARK-MASQ

-A KUBE-SEP-CCCCCC -p tcp -m comment --comment "namespace/pod_name:port_name" -m tcp -j DNAT --to-destination POD_IP:PORT

The DNAT rewrites the packet's destination to the selected pod, and the packet is then routed either to a pod on a remote node or to a local pod.

Origin blog.csdn.net/CodeAsWind/article/details/104755996