Making container-to-container access between two hosts transparent. Without this tuning, traffic between containers on different hosts is masqueraded (SNAT) as it leaves the source host, so the destination side logs the host's IP address instead of the container's own address.

1. Install the iptables-services package

[root@test-nodes1 ~]# yum -y install iptables-services
[root@test-nodes1 ~]# systemctl start iptables
[root@test-nodes1 ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
-----------------------------------------------------------------------------------------------
2. Identify the masquerade rule recorded in iptables that needs to be removed

[root@test-nodes1 ~]# iptables-save |grep -i postrouting
:POSTROUTING ACCEPT [68:4098]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE    # delete this rule
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-----------------------------------------------------------------------------------------------
3. Delete that rule

[root@test-nodes1 ~]# iptables -t nat -D POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
-----------------------------------------------------------------------------------------------
4. Insert a new rule (masquerade everything except traffic destined for the 172.7.0.0/16 network)

[root@test-nodes1 ~]# iptables -t nat -I POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
-----------------------------------------------------------------------------------------------
5. Check that it took effect

[root@test-nodes1 ~]# iptables-save |grep -i postrouting
:POSTROUTING ACCEPT [13:814]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -s 172.7.21.0/24 ! -d 172.7.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
-----------------------------------------------------------------------------------------------
6. Delete all REJECT rules from iptables

[root@test-nodes1 ~]# iptables-save | grep -i reject
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@test-nodes1 ~]# iptables -t filter -D INPUT -j REJECT --reject-with icmp-host-prohibited
[root@test-nodes1 ~]# iptables -t filter -D FORWARD -j REJECT --reject-with icmp-host-prohibited
[root@test-nodes1 ~]# iptables-save | grep -i reject
-----------------------------------------------------------------------------------------------
7. Save the iptables rules

[root@test-nodes1 ~]# iptables-save > /etc/sysconfig/iptables
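The steps above are typed by hand against a live node. The following script is an added example, not part of the original post, that audits an `iptables-save` dump offline and derives the exact delete/insert commands from steps 3 and 4, so the change can be reviewed before anything is applied and re-checked afterwards (step 5). It assumes the same values as the post: local pod subnet 172.7.21.0/24, cluster pod network 172.7.0.0/16, bridge docker0; the sample ruleset embedded in it is constructed to match the output shown in step 2. It does not touch the REJECT rules from step 6, it only lists them, because dropping the default REJECT in INPUT and FORWARD opens the host to all traffic and deserves a deliberate decision rather than a blanket delete.

```shell
#!/bin/sh
# Added example (not the original post's code): audit a saved iptables ruleset
# for the per-host MASQUERADE rule that hides pod source addresses, and emit the
# commands that replace it with one that spares the cluster pod network.
# Assumed values (taken from the post, adjust per node):
POD_NET_LOCAL="172.7.21.0/24"   # this node's pod subnet
POD_NET_CLUSTER="172.7.0.0/16"  # whole cluster pod network, must not be masqueraded
BRIDGE="docker0"

# Constructed sample of what `iptables-save` printed before the change.
SAMPLE_RULES='*nat
:POSTROUTING ACCEPT [68:4098]
:KUBE-POSTROUTING - [0:0]
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
-A POSTROUTING -s 172.7.21.0/24 ! -o docker0 -j MASQUERADE
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -m mark --mark 0x4000/0x4000 -j MASQUERADE
COMMIT
*filter
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every POSTROUTING MASQUERADE rule for the local pod subnet that does not
# exclude the cluster pod network. Exit status 0 means a fix is needed.
find_bad_masq() {
    printf '%s\n' "$1" \
      | grep -F -- "-A POSTROUTING -s $POD_NET_LOCAL " \
      | grep -F -- "-j MASQUERADE" \
      | grep -F -v -- "! -d $POD_NET_CLUSTER "
}

# Exit status 0 when no offending rule remains (the check from step 5).
verify_masq() {
    if find_bad_masq "$1" >/dev/null; then return 1; fi
    return 0
}

# Emit the commands of steps 3 and 4: delete each offending rule exactly as
# saved (-A becomes -D), then insert the replacement with the ! -d exclusion.
# Returns 1 and prints nothing when there is nothing to fix.
fix_commands() {
    bad=$(find_bad_masq "$1") || return 1
    printf '%s\n' "$bad" | sed 's/^-A POSTROUTING /iptables -t nat -D POSTROUTING /'
    printf 'iptables -t nat -I POSTROUTING -s %s ! -d %s ! -o %s -j MASQUERADE\n' \
      "$POD_NET_LOCAL" "$POD_NET_CLUSTER" "$BRIDGE"
}

# Offline simulation of the fix on the saved text, so the result can be checked
# without a node. (Real -I puts the rule first; rule order is irrelevant here.)
simulate_fix() {
    printf '%s\n' "$1" | sed \
      "s|^-A POSTROUTING -s $POD_NET_LOCAL ! -o $BRIDGE -j MASQUERADE\$|-A POSTROUTING -s $POD_NET_LOCAL ! -d $POD_NET_CLUSTER ! -o $BRIDGE -j MASQUERADE|"
}

# Lines that step 6 would delete; listed for review, never removed automatically.
list_reject_rules() {
    printf '%s\n' "$1" | grep -F -- "-j REJECT"
}

echo "== masquerade rules that hide pod addresses =="
find_bad_masq "$SAMPLE_RULES" || echo "(none)"
echo "== commands to run on the node =="
fix_commands "$SAMPLE_RULES" || echo "(nothing to do)"
echo "== REJECT rules step 6 removes (review before deleting) =="
list_reject_rules "$SAMPLE_RULES" || echo "(none)"
if verify_masq "$(simulate_fix "$SAMPLE_RULES")"; then
    echo "ruleset after the fix passes the step 5 check"
fi
```

To use it on a real node, replace `SAMPLE_RULES` with `$(iptables-save)` (or the contents of /etc/sysconfig/iptables), review the printed commands, run them, then re-run the check against a fresh `iptables-save` before saving as in step 7.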