kube-proxy防火墙

2025-05-29 17:09:05   0  举报





kube-proxy防火墙流转图

k8s

网络

防火墙

运维技术栈

模板推荐

作者其他创作

大纲/内容

KUBE-SERVICES

-A KUBE-SEP-HGTJ4YGXMCUHHKV7 -p tcp -m comment --comment "default/demoapp-service:http" -m tcp -j DNAT --to-destination 10.244.235.166:80

KUBE-EXT-XXX

-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000

raw

mangle

nat(DNAT)

filter

-A KUBE-SVC-G6UTZMDV6UZKQNCF ! -s 10.244.0.0/16 -d 10.100.148.235/32 -p tcp -m comment --comment "default/demoapp-service:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ

路由判断

-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING

nat(SNAT)

数据进入流向

-A KUBE-SERVICES -d 10.100.148.235/32 -p tcp -m comment --comment "default/demoapp-service:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-G6UTZMDV6UZKQNCF

KUBE-SEP-XXX

FPRWARD

数据包出口

KUBE-NODEPORTS

INPUT

数据发出流向

-A KUBE-SEP-HGTJ4YGXMCUHHKV7 -s 10.244.235.166/32 -m comment --comment "default/demoapp-service:http" -j KUBE-MARK-MASQ

-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE

数据包入口

-A KUBE-EXT-G6UTZMDV6UZKQNCF -m comment --comment "masquerade traffic for default/demoapp-service:http external destinations" -j KUBE-MARK-MASQ

OUTPUT

-A KUBE-NODEPORTS -p tcp -m comment --comment "default/demoapp-service:http" -m tcp --dport 31049 -j KUBE-EXT-G6UTZMDV6UZKQNCF

KUBE-SVC-XXX

KUBE-POSTROUTING

-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN

上层协议栈

POSTROUTING

-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES

-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0

-A KUBE-EXT-G6UTZMDV6UZKQNCF -j KUBE-SVC-G6UTZMDV6UZKQNCF

-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS

-A KUBE-SVC-G6UTZMDV6UZKQNCF -m comment --comment "default/demoapp-service:http -> 10.244.235.166:80" -j KUBE-SEP-HGTJ4YGXMCUHHKV7

PREROUTING