1. k8s pod 和 service 网络暴露
- 借助 iptables 的转发（FORWARD）与 NAT 功能，把 k8s 集群内的 Pod 网络和 Service 网络与外部局域网打通。注意：这样做等于把 ClusterIP Service 直接暴露给整个局域网，绕过了 Ingress 层的 TLS 和认证，只应在受信任的内网中使用，并尽量把 FORWARD/NAT 规则限制到具体的源网段和目标网段，而不是全局放开。
# Print the kubeadm ClusterConfiguration; the "networking" section gives the
# pod and service CIDRs that every iptables/route rule below must agree with.
kubectl describe configmap kubeadm-config --namespace kube-system
# Excerpt of the kubeadm ClusterConfiguration output; only the CIDRs matter here.
networking:
  dnsDomain: cluster.local
  # Pod CIDR; the forwarding/NAT rules and the LAN routes must use this exact value.
  podSubnet: 10.244.0.0/16
  # Service (ClusterIP) CIDR; likewise referenced by the LAN route commands.
  serviceSubnet: 10.96.0.0/12
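# ---- On the cluster node that acts as the LAN gateway (192.168.1.79 in the
# ---- route commands below; inferred from the page, confirm for your setup) ----

# 1. Enable IPv4 forwarding and make it persistent. Only append the key when it
#    is not already in sysctl.conf so re-running this does not pile up duplicates.
sysctl -n net.ipv4.ip_forward
grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
sysctl -p

# 2. Permit forwarding only for LAN -> cluster traffic and its replies.
#    The original "iptables -P FORWARD ACCEPT" opens the FORWARD chain for every
#    interface and destination, turning the node into an unrestricted router;
#    explicit rules give the same result for the intended flows only.
#    kube-proxy has already DNAT'ed ClusterIP destinations (10.96.0.0/12) to a
#    pod IP by the time FORWARD is evaluated, so matching the pod CIDR covers
#    service traffic as well (assumes pods really live in 10.244.0.0/16 — see
#    the kubeadm-config output above).
iptables -I FORWARD -s 192.168.0.0/16 -d 10.244.0.0/16 -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# 3. Hide LAN source addresses behind the node so pods can answer without a
#    route back to 192.168.0.0/16.
#    "SNAT --to-source 10.244.0.0/16" from the original is not valid syntax
#    (--to-source takes an address or address range, never a CIDR) and those
#    two rules did nothing useful; a single MASQUERADE restricted to the
#    cluster destination replaces all three original nat rules. The original
#    unrestricted "-s 192.168.0.0/16 -j MASQUERADE" would also have NAT'ed any
#    unrelated LAN traffic that happened to transit this node.
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -d 10.244.0.0/16 -j MASQUERADE

# ---- On each LAN host that needs cluster access (NOT on the node) ----
# 4. Route the pod and service CIDRs via the node. iproute2 form of the
#    original "route add -net ... gw ..."; the original listed the pod route
#    twice, once is enough. "eth0" is the interface name used on the page —
#    substitute the host's real LAN interface.
ip route add 10.244.0.0/16 via 192.168.1.79 dev eth0
ip route add 10.96.0.0/12 via 192.168.1.79 dev eth0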
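apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-aa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aa
  template:
    metadata:
      labels:
        app: aa
    spec:
      containers:
        - name: nginx-aa
          # NOTE(review): an untagged image resolves to ":latest", so every new
          # pod may run a different build than the one that was tested. Pin a
          # tag, or better a digest, before using this outside a lab.
          image: nginx
          ports:
            - containerPort: 80
              protocol: TCP
          securityContext:
            # no_new_privs only blocks *gaining* privilege; an nginx master that
            # starts as root and drops to an unprivileged worker user is still
            # fine (confirm against the image actually in use).
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: nginx-aa
              mountPath: /etc/nginx/conf.d/
              # ConfigMap volumes are read-only regardless; stating it makes the
              # intent visible in the manifest.
              readOnly: true
      volumes:
        - name: nginx-aa
          configMap:
            # Must be the ConfigMap that carries default.conf for this backend.
            name: nginx-aa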
---
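apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-bb
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bb
  template:
    metadata:
      labels:
        app: bb
    spec:
      containers:
        - name: nginx-bb
          # NOTE(review): an untagged image resolves to ":latest", so every new
          # pod may run a different build than the one that was tested. Pin a
          # tag, or better a digest, before using this outside a lab.
          image: nginx
          ports:
            - containerPort: 80
              protocol: TCP
          securityContext:
            # no_new_privs only blocks *gaining* privilege; an nginx master that
            # starts as root and drops to an unprivileged worker user is still
            # fine (confirm against the image actually in use).
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: nginx-bb
              mountPath: /etc/nginx/conf.d/
              # ConfigMap volumes are read-only regardless; stating it makes the
              # intent visible in the manifest.
              readOnly: true
      volumes:
        - name: nginx-bb
          configMap:
            # Must be the ConfigMap that carries default.conf for this backend.
            name: nginx-bb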
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-aa
spec:
  # Cluster-internal only. From the LAN it is reachable either through the
  # Ingress below or, once the iptables/route setup above is in place, directly
  # by ClusterIP — the latter bypasses the Ingress TLS termination.
  type: ClusterIP
  selector:
    app: aa
  ports:
    - protocol: TCP
      port: 80
      # Explicit form of the default (targetPort falls back to port).
      targetPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-bb
spec:
  # Cluster-internal only. From the LAN it is reachable either through the
  # Ingress below or, once the iptables/route setup above is in place, directly
  # by ClusterIP — the latter bypasses the Ingress TLS termination.
  type: ClusterIP
  selector:
    app: bb
  ports:
    - protocol: TCP
      port: 80
      # Explicit form of the default (targetPort falls back to port).
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-demo
  annotations:
    # Legacy way of selecting the controller. With networking.k8s.io/v1 the
    # supported field is spec.ingressClassName (kept commented below as in the
    # original); keep the annotation only while the installed controller still
    # needs it.
    kubernetes.io/ingress.class: nginx
spec:
  #ingressClassName: nginx
  tls:
    # Host here must match the rule host below, otherwise the certificate is
    # not served for it.
    - secretName: yeemiao.net.cn
      hosts:
        - jin.yeemiao.net.cn
  rules:
    - host: jin.yeemiao.net.cn
      http:
        paths:
          # No rewrite: the backend receives the full "/aa/..." path, which
          # the nginx-aa ConfigMap's "location /aa/" expects.
          - path: /aa/
            pathType: Prefix
            backend:
              service:
                name: nginx-aa
                port:
                  number: 80
          # Same layout for the second backend ("location /bb/").
          - path: /bb/
            pathType: Prefix
            backend:
              service:
                name: nginx-bb
                port:
                  number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-aa
data:
  # Mounted over /etc/nginx/conf.d/ in the nginx-aa Deployment.
  # The trailing "/" on proxy_pass makes nginx strip the "/aa/" prefix before
  # forwarding. Note the hop to 192.168.1.181:8888 is plain HTTP across the LAN,
  # so TLS terminated at the Ingress does not protect this leg; a request for
  # "/aa" without the trailing slash does not match this location.
  default.conf: |
    server{
        listen 80;
        server_name localhost;
        location /aa/ {
            proxy_pass http://192.168.1.181:8888/;
        }
    }
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-bb
data:
  # Mounted over /etc/nginx/conf.d/ in the nginx-bb Deployment.
  # The trailing "/" on proxy_pass makes nginx strip the "/bb/" prefix before
  # forwarding. Note the hop to 192.168.1.181:8889 is plain HTTP across the LAN,
  # so TLS terminated at the Ingress does not protect this leg; a request for
  # "/bb" without the trailing slash does not match this location.
  default.conf: |
    server{
        listen 80;
        server_name localhost;
        location /bb/ {
            proxy_pass http://192.168.1.181:8889/;
        }
    }