kube-proxy firewall
2025-05-29 17:09:05
kube-proxy firewall flow diagram
Outline/Content
KUBE-SERVICES
-A KUBE-SEP-HGTJ4YGXMCUHHKV7 -p tcp -m comment --comment "default/demoapp-service:http" -m tcp -j DNAT --to-destination 10.244.235.166:80
KUBE-EXT-XXX
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
raw
mangle
nat(DNAT)
filter
-A KUBE-SVC-G6UTZMDV6UZKQNCF ! -s 10.244.0.0/16 -d 10.100.148.235/32 -p tcp -m comment --comment "default/demoapp-service:http cluster IP" -m tcp --dport 80 -j KUBE-MARK-MASQ
Routing decision
-A POSTROUTING -m comment --comment "kubernetes postrouting rules" -j KUBE-POSTROUTING
nat(SNAT)
Inbound data flow
-A KUBE-SERVICES -d 10.100.148.235/32 -p tcp -m comment --comment "default/demoapp-service:http cluster IP" -m tcp --dport 80 -j KUBE-SVC-G6UTZMDV6UZKQNCF
KUBE-SEP-XXX
FORWARD
Packet egress
KUBE-NODEPORTS
INPUT
Outbound data flow
-A KUBE-SEP-HGTJ4YGXMCUHHKV7 -s 10.244.235.166/32 -m comment --comment "default/demoapp-service:http" -j KUBE-MARK-MASQ
-A KUBE-POSTROUTING -m comment --comment "kubernetes service traffic requiring SNAT" -j MASQUERADE
Packet ingress
-A KUBE-EXT-G6UTZMDV6UZKQNCF -m comment --comment "masquerade traffic for default/demoapp-service:http external destinations" -j KUBE-MARK-MASQ
OUTPUT
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/demoapp-service:http" -m tcp --dport 31049 -j KUBE-EXT-G6UTZMDV6UZKQNCF
KUBE-SVC-XXX
KUBE-POSTROUTING
-A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
Upper-layer protocol stack
POSTROUTING
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-POSTROUTING -j MARK --set-xmark 0x4000/0x0
-A KUBE-EXT-G6UTZMDV6UZKQNCF -j KUBE-SVC-G6UTZMDV6UZKQNCF
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-SVC-G6UTZMDV6UZKQNCF -m comment --comment "default/demoapp-service:http -> 10.244.235.166:80" -j KUBE-SEP-HGTJ4YGXMCUHHKV7
PREROUTING
