
Specifying the egress IP for a centralized subnet gateway in NAT mode

oilbeater edited this page Jun 27, 2022 · 3 revisions

The Chinese documentation in this wiki is no longer maintained. Please visit our latest Chinese documentation site for the most recent updates.

Background

In real network environments, a single node may have several NICs with external connectivity, and there are cases where a specific NIC must be used as the egress NIC for a given subnet. Support for this scenario was added in kube-ovn v1.8.0.

Creating the subnet

Only a centralized subnet can specify its egress gateway node information, so the subnet must be created with the centralized gateway type.

apiVersion: kubeovn.io/v1
kind: Subnet
metadata:
  name: central
spec:
  cidrBlock: 100.168.10.0/24
  disableInterConnection: true
  natOutgoing: true
  vpc: ovn-cluster
  namespaces:
  - test
  gatewayType: centralized
  gatewayNode: kube-ovn-control-plane,kube-ovn-worker:172.17.0.3

Three parameters need attention: natOutgoing is set to true, and the gateway type is centralized. To specify the egress IP for a node, use the NodeName:NodeIP format, separating the node name from the designated IP address with a colon.

  natOutgoing: true
  gatewayType: centralized
  gatewayNode: kube-ovn-control-plane,kube-ovn-worker:172.17.0.3

Creating the Pod

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  labels:
    app: test
  name: test
  namespace: test
spec:
  replicas: 2
  selector:
    matchLabels:
      app: test
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: test
    spec:
      affinity:
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app: test
            topologyKey: kubernetes.io/hostname
      containers:
      - image: nginx:latest
        imagePullPolicy: IfNotPresent
        name: nginx
      tolerations:
      - operator: Exists

If the subnet created is not the default subnet, the Namespace of the Pod must be listed in the subnet's namespaces field so that the Pod is allocated an IP address from that subnet.

Verification

Inside the Pod container, verify that the external network is reachable:

mac@macdeMacBook-Pro kube-ovn % kubectl get pod -n test -o wide
NAME                   READY   STATUS    RESTARTS   AGE   IP             NODE                     NOMINATED NODE   READINESS GATES
test-d67747b6b-ltzbd   1/1     Running   0          20h   100.168.10.2   kube-ovn-worker          <none>           <none>
test-d67747b6b-qgwxf   1/1     Running   0          20h   100.168.10.3   kube-ovn-control-plane   <none>           <none>
mac@macdeMacBook-Pro kube-ovn %
mac@macdeMacBook-Pro kube-ovn % kubectl exec -it -n test test-d67747b6b-ltzbd -- bash
bash-5.0# ping -c1 -W1 www.baidu.com
PING www.baidu.com (103.235.46.39): 56 data bytes
64 bytes from 103.235.46.39: seq=0 ttl=35 time=294.876 ms
--- www.baidu.com ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 294.876/294.876/294.876 ms

In the kube-ovn-cni container on the same node as the Pod, inspect the iptables rules: traffic from this subnet's CIDR is SNATed to the designated egress IP on the gateway node, while traffic whose destination is another cluster subnet (the ovn40subnets ipset) is excluded from the SNAT.

mac@macdeMacBook-Pro kube-ovn % kubectl get pod -n kube-system -o wide
NAME                                             READY   STATUS             RESTARTS   AGE   IP           NODE                     NOMINATED NODE   READINESS GATES
kube-ovn-cni-gtxx7                               1/1     Running            0          21h   172.18.0.3   kube-ovn-worker          <none>           <none>
kube-ovn-cni-qfmq7                               1/1     Running            0          21h   172.18.0.2   kube-ovn-control-plane   <none>           <none>
mac@macdeMacBook-Pro kube-ovn % kubectl exec -it kube-ovn-cni-gtxx7 -n kube-system -- bash
root@kube-ovn-worker:/kube-ovn#
root@kube-ovn-worker:/kube-ovn# iptables -t nat -L POSTROUTING
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  100.168.10.0/24      anywhere             ! match-set ovn40subnets dst to:172.17.0.3
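The two pieces above that an operator ends up checking by hand are the gatewayNode format (NodeName or NodeName:NodeIP, comma-separated) and the resulting POSTROUTING rule. The following Go program is an added example, not kube-ovn's own code: it parses the gatewayNode value, rejects an entry whose egress IP does not parse, and scans captured iptables -t nat -L POSTROUTING output for a SNAT rule that maps the subnet CIDR to the expected egress IP and still excludes the ovn40subnets set. ParseGatewayNodes, HasSNATRule and SampleIptables are hypothetical names; SampleIptables embeds the listing shown on this page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// GatewayNode is one gatewayNode entry, written as "NodeName" or "NodeName:NodeIP".
type GatewayNode struct {
	Name string
	IP   string // empty: the node's default egress address is used
}

// ParseGatewayNodes splits the comma-separated gatewayNode value and rejects
// entries with an unparsable egress IP (hypothetical helper, not kube-ovn code).
func ParseGatewayNodes(field string) ([]GatewayNode, error) {
	var nodes []GatewayNode
	for _, item := range strings.Split(field, ",") {
		parts := strings.SplitN(strings.TrimSpace(item), ":", 2)
		node := GatewayNode{Name: parts[0]}
		if len(parts) == 2 {
			if net.ParseIP(parts[1]) == nil {
				return nil, fmt.Errorf("gateway node %q: invalid egress IP %q", parts[0], parts[1])
			}
			node.IP = parts[1]
		}
		nodes = append(nodes, node)
	}
	return nodes, nil
}

// SampleIptables is the POSTROUTING listing from the page, embedded so the check runs offline.
const SampleIptables = `Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  100.168.10.0/24      anywhere             ! match-set ovn40subnets dst to:172.17.0.3`

// HasSNATRule reports whether captured "iptables -t nat -L POSTROUTING" output has a SNAT
// rule for cidr that maps to egressIP and still excludes the ovn40subnets set (east-west
// traffic to other cluster subnets must not be NATed).
func HasSNATRule(output, cidr, egressIP string) bool {
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) < 10 || f[0] != "SNAT" || f[3] != cidr {
			continue
		}
		if f[5] == "!" && f[6] == "match-set" && f[7] == "ovn40subnets" && f[8] == "dst" && f[9] == "to:"+egressIP {
			return true
		}
	}
	return false
}
```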