Kubernetes Guide

Last updated 1 year ago

ip-masq-agent

ip-masq-agent is an extension for managing IP masquerading, that is, for managing the SNAT (Source Network Address Translation) rules that apply to IP ranges on nodes.

ip-masq-agent configures iptables rules so that traffic sent to destinations outside the Kubernetes cluster nodes is masqueraded (its source address is rewritten to the node's address). By default, the three private IP ranges defined by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) are not masqueraded. The link-local range 169.254.0.0/16 is also treated as a non-masquerade range.

How to Deploy

First, label the nodes on which you want to run ip-masq-agent:

kubectl label nodes my-node beta.kubernetes.io/masq-agent-ds-ready=true

Then deploy the ip-masq-agent:

kubectl create -f https://raw.githubusercontent.com/kubernetes-incubator/ip-masq-agent/master/ip-masq-agent.yaml

After deployment, check the iptables nat table on a labelled node; you will find the chain below, with one RETURN rule per non-masquerade range followed by a catch-all MASQUERADE rule:

iptables -t nat -L IP-MASQ-AGENT
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             172.16.0.0/12        /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             192.168.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL

How to Use

To customize the non-masquerade ranges, create a ConfigMap named ip-masq-agent in the kube-system namespace containing the agent's config file (the list replaces the defaults rather than extending them):

cat >config <<EOF
nonMasqueradeCIDRs:
  - 10.0.0.0/8
resyncInterval: 60s
EOF

kubectl create configmap ip-masq-agent --from-file=config --namespace=kube-system

Once the agent has re-read the config (it resyncs every resyncInterval), checking the iptables rules again shows only the configured range, plus the link-local range that the agent keeps:

$ iptables -t nat -L IP-MASQ-AGENT
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
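The two listings above are what a node-side check works from. The following Python is an added example written for this page (it is not code from the ip-masq-agent project): it parses the text output of iptables -t nat -L IP-MASQ-AGENT, replays the chain's first-match logic for a destination address to show which traffic is SNAT'ed and why the catch-all MASQUERADE rule has to come last, and compares the chain's RETURN rules with a nonMasqueradeCIDRs list so you can confirm that a node has actually picked up the ConfigMap. The function names and the embedded sample chain (constructed from the listing for the 10.0.0.0/8-only config) are this example's own.

```python
"""Check a node's IP-MASQ-AGENT chain against the intended config.

Added example for this page; not code from the ip-masq-agent project.
It parses the text output of `iptables -t nat -L IP-MASQ-AGENT`, replays
the chain's first-match semantics for a destination address, and compares
the RETURN rules with a nonMasqueradeCIDRs list. SAMPLE_CHAIN is a
constructed copy of the listing for the custom (10.0.0.0/8-only) config.
"""
import ipaddress
import re

# Exempt by default when no ConfigMap is deployed (the RFC 1918 ranges).
DEFAULT_NON_MASQ = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Kept exempt by the agent even with a custom config, as the listing shows.
LINK_LOCAL = "169.254.0.0/16"

SAMPLE_CHAIN = """\
Chain IP-MASQ-AGENT (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             169.254.0.0/16       /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN     all  --  anywhere             10.0.0.0/8           /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE  all  --  anywhere             anywhere             /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
"""

# Columns: target, prot, opt, source, destination; comment and ADDRTYPE follow.
RULE_RE = re.compile(r"^(RETURN|MASQUERADE)\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def parse_chain(text):
    """Return [(target, destination_network)] in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # "Chain ..." and column header lines
        target, _source, dst = m.groups()
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "anywhere" else dst)
        rules.append((target, net))
    return rules


def is_masqueraded(rules, dst_ip):
    """Replay the chain for a non-local destination: the first match wins.

    RETURN leaves the chain without SNAT; MASQUERADE rewrites the source to
    the node's address. Every rule also carries `ADDRTYPE match dst-type
    !LOCAL`, so addresses owned by the node itself never hit either target.
    """
    ip = ipaddress.ip_address(dst_ip)
    for target, net in rules:
        if ip in net:
            return target == "MASQUERADE"
    return False  # no rule matched: the packet leaves the chain unchanged


def dropped_defaults(non_masq_cidrs):
    """Default exemptions that a custom nonMasqueradeCIDRs list no longer covers.

    Traffic to these ranges is SNAT'ed once the ConfigMap is applied, which is
    the usual surprise when a cluster uses more than one private range.
    """
    custom = [ipaddress.ip_network(c) for c in non_masq_cidrs]
    return [d for d in DEFAULT_NON_MASQ
            if not any(ipaddress.ip_network(d).subnet_of(c) for c in custom)]


def chain_matches_config(rules, non_masq_cidrs):
    """True when the node's chain reflects the intended config.

    The RETURN rules must be exactly the configured CIDRs plus link-local, and
    the catch-all MASQUERADE rule must be last. A stale chain (before the next
    resyncInterval) or a hand-edited node fails this check.
    """
    expected = {ipaddress.ip_network(c) for c in non_masq_cidrs}
    expected.add(ipaddress.ip_network(LINK_LOCAL))
    actual = {net for target, net in rules if target == "RETURN"}
    return actual == expected and bool(rules) and rules[-1][0] == "MASQUERADE"


if __name__ == "__main__":
    rules = parse_chain(SAMPLE_CHAIN)
    for dst in ("10.1.2.3", "172.16.5.5", "169.254.169.254", "8.8.8.8"):
        print(dst, "MASQUERADE" if is_masqueraded(rules, dst) else "no SNAT")
    print("dropped defaults:", dropped_defaults(["10.0.0.0/8"]))
    print("chain matches config:", chain_matches_config(rules, ["10.0.0.0/8"]))
```

Note what dropped_defaults reports for the page's config: setting nonMasqueradeCIDRs to 10.0.0.0/8 alone replaces the defaults rather than adding to them, so pod traffic to 172.16.0.0/12 and 192.168.0.0/16 now leaves with the node's address. Anything on those ranges that relied on seeing pod IPs, such as a firewall allow-list or a peer's own network policy, will see node IPs instead, which is worth confirming before the ConfigMap is rolled out.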

Windows IP Masquerading

ip-masq-agent only runs on Linux. On Windows nodes, similar functionality is achieved through the CNI configuration: add the ranges that should not be SNAT'ed to the ExceptionList of the OutBoundNAT EndpointPolicy, as in this win-bridge example:

{
  "name": "cbr0",
  "type": "win-bridge",
  "dns": {
    "nameservers": [
      "11.0.0.10"
    ],
    "search": [
      "svc.cluster.local"
    ]
  },
  "policies": [
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "OutBoundNAT",
        "ExceptionList": [
          "192.168.0.0/16",
          "11.0.0.0/8",
          "10.137.196.0/23"
        ]
      }
    },
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "ROUTE",
        "DestinationPrefix": "11.0.0.0/8",
        "NeedEncap": true
      }
    },
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "ROUTE",
        "DestinationPrefix": "10.137.198.27/32",
        "NeedEncap": true
      }
    }
  ],
  "loopbackDSR": true
}
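An added check for the Windows side (example code written for this page, not from any CNI plugin): it reads a win-bridge CNI config, collects the OutBoundNAT ExceptionList, reports the cluster ranges that no entry covers, i.e. that would still be SNAT'ed on the way out of the pod, and shows how to append missing ranges. The JSON is a constructed sample trimmed from the listing above; the function names are this example's own.

```python
"""Inspect a Windows CNI config's OutBoundNAT exceptions.

Added example for this page (not code from a CNI plugin). SAMPLE_CNI is a
constructed sample trimmed from the win-bridge config shown above.
"""
import ipaddress
import json

SAMPLE_CNI = json.dumps({
    "name": "cbr0",
    "type": "win-bridge",
    "policies": [
        {"name": "EndpointPolicy",
         "value": {"Type": "OutBoundNAT",
                   "ExceptionList": ["192.168.0.0/16", "11.0.0.0/8", "10.137.196.0/23"]}},
        {"name": "EndpointPolicy",
         "value": {"Type": "ROUTE", "DestinationPrefix": "11.0.0.0/8", "NeedEncap": True}},
    ],
})


def _outbound_nat_policies(conf):
    """Yield the value dicts of every OutBoundNAT EndpointPolicy."""
    for policy in conf.get("policies", []):
        value = policy.get("value", {})
        if policy.get("name") == "EndpointPolicy" and value.get("Type") == "OutBoundNAT":
            yield value


def outbound_nat_exceptions(cni_json):
    """All ExceptionList entries, in config order."""
    ranges = []
    for value in _outbound_nat_policies(json.loads(cni_json)):
        ranges.extend(value.get("ExceptionList", []))
    return ranges


def uncovered_ranges(cni_json, wanted):
    """Entries of `wanted` that no exception fully contains (so they are SNAT'ed)."""
    exceptions = [ipaddress.ip_network(r) for r in outbound_nat_exceptions(cni_json)]
    return [w for w in wanted
            if not any(ipaddress.ip_network(w).subnet_of(e) for e in exceptions)]


def add_exceptions(cni_json, extra):
    """Return a new config with `extra` appended to the first OutBoundNAT policy."""
    conf = json.loads(cni_json)
    for value in _outbound_nat_policies(conf):
        entries = value.setdefault("ExceptionList", [])
        entries.extend(r for r in extra if r not in entries)
        break
    return json.dumps(conf, indent=2)


if __name__ == "__main__":
    wanted = ["11.0.0.10/32", "10.137.196.5/32", "10.137.198.27/32"]
    print("exempt from SNAT:", outbound_nat_exceptions(SAMPLE_CNI))
    print("still SNAT'ed:", uncovered_ranges(SAMPLE_CNI, wanted))
    fixed = add_exceptions(SAMPLE_CNI, ["10.137.198.0/24"])
    print("after fix:", uncovered_ranges(fixed, wanted))
```

Applied to the listing above, 10.137.198.27/32 (the destination of the second ROUTE policy) lies outside 10.137.196.0/23, so the check reports it: traffic to that host leaves the pod with the node's address unless a covering range is added to the ExceptionList. Whether that is intended depends on what that address is in your cluster; the point is that the check makes it visible instead of discovering it from a far-end firewall log.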
