ip-masq-agent

ip-masq-agent is an add-on that manages IP masquerading, i.e. the SNAT rules for IP ranges on a node.

ip-masq-agent configures iptables rules so that IP masquerading is applied to traffic sent to destinations outside the cluster node. By default, the three private IP ranges defined in RFC 1918 are non-masquerade ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The link-local range (169.254.0.0/16) is also treated as a non-masquerade range.

Deployment

First, label the Node that should run ip-masq-agent:

```bash
kubectl label nodes my-node beta.kubernetes.io/masq-agent-ds-ready=true
```

Then deploy ip-masq-agent:

```bash
kubectl create -f https://raw.githubusercontent.com/kubernetes-incubator/ip-masq-agent/master/ip-masq-agent.yaml
```

Once it is deployed, inspecting the iptables rules shows the following:

```text
iptables -t nat -L IP-MASQ-AGENT
RETURN all -- anywhere 169.254.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN all -- anywhere 10.0.0.0/8 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN all -- anywhere 172.16.0.0/12 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN all -- anywhere 192.168.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
MASQUERADE all -- anywhere anywhere /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
```

Usage

To customize the SNAT ranges, write a config file with the non-masquerade CIDRs and create it as a ConfigMap:

```bash
cat >config <<EOF
nonMasqueradeCIDRs:
- 10.0.0.0/8
resyncInterval: 60s
EOF

kubectl create configmap ip-masq-agent --from-file=config --namespace=kube-system
```

After this, the iptables rules look like this (only the configured range plus link-local are excluded; 172.16.0.0/12 and 192.168.0.0/16 are now masqueraded):

```text
$ iptables -t nat -L IP-MASQ-AGENT
Chain IP-MASQ-AGENT (1 references)
target prot opt source destination
RETURN all -- anywhere 169.254.0.0/16 /* ip-masq-agent: cluster-local traffic should not be subject to MASQUERADE */ ADDRTYPE match dst-type !LOCAL
RETURN all -- anywhere 10.0.0.0/8 /* ip-masq-agent: cluster-local
MASQUERADE all -- anywhere anywhere /* ip-masq-agent: outbound traffic should be subject to MASQUERADE (this match must come after cluster-local CIDR matches) */ ADDRTYPE match dst-type !LOCAL
```
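The following is an added example, not code from ip-masq-agent itself. It models the IP-MASQ-AGENT chain shown above in Python: it parses the two-key ConfigMap format, builds the rules in the order the agent installs them (link-local RETURN first, then one RETURN per configured CIDR, then the catch-all MASQUERADE), checks the ordering invariant stated in the agent's own rule comment, and walks the chain for a destination address to tell whether that packet would be SNATed. The sample config and the `SNAT`/`no SNAT` decision function are constructed for this example; the model deliberately ignores the `ADDRTYPE ! --dst-type LOCAL` match and any agent options not shown on this page.

```python
"""Model of the nat-table chain that ip-masq-agent installs on a node.

Constructed example: parses the minimal ConfigMap shown above, renders the
IP-MASQ-AGENT rules in the order the agent installs them, and decides whether a
given destination would be SNATed. It never calls iptables itself.
"""
import ipaddress

# Defaults the agent uses when no ConfigMap is present: the RFC 1918 ranges.
DEFAULT_NON_MASQ_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Link-local range, always installed as the first RETURN rule.
LINK_LOCAL = "169.254.0.0/16"

# Constructed sample config, identical in content to the heredoc above.
SAMPLE_CONFIG = """\
nonMasqueradeCIDRs:
- 10.0.0.0/8
resyncInterval: 60s
"""


def parse_config(text):
    """Parse the two-key YAML subset used by the ConfigMap (no PyYAML needed).

    Every CIDR is validated with ipaddress.ip_network(), so a typo such as
    10.0.0.1/8 (host bits set) is rejected instead of silently changing the
    non-masquerade set.
    """
    cidrs, interval = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("nonMasqueradeCIDRs:"):
            continue
        if line.startswith("resyncInterval:"):
            interval = line.split(":", 1)[1].strip()
        elif line.lstrip().startswith("- "):
            cidr = line.lstrip()[2:].strip()
            ipaddress.ip_network(cidr)  # raises ValueError on malformed input
            cidrs.append(cidr)
        else:
            raise ValueError("unsupported config line: %r" % raw)
    return {"nonMasqueradeCIDRs": cidrs, "resyncInterval": interval}


def build_chain(non_masq_cidrs=None):
    """Return the IP-MASQ-AGENT chain as (target, destination) pairs, in install order."""
    cidrs = DEFAULT_NON_MASQ_CIDRS if non_masq_cidrs is None else list(non_masq_cidrs)
    rules = [("RETURN", LINK_LOCAL)]
    rules += [("RETURN", c) for c in cidrs]
    # The catch-all MASQUERADE must be last; any rule after it is unreachable.
    rules.append(("MASQUERADE", "0.0.0.0/0"))
    return rules


def masquerade_is_last(rules):
    """Check the ordering invariant stated in the agent's own rule comment."""
    targets = [t for t, _ in rules]
    return targets.count("MASQUERADE") == 1 and targets[-1] == "MASQUERADE"


def is_masqueraded(dst_ip, rules):
    """Walk the chain the way netfilter does: the first matching rule decides."""
    ip = ipaddress.ip_address(dst_ip)
    for target, dest in rules:
        if ip in ipaddress.ip_network(dest):
            return target == "MASQUERADE"
    return False  # chain exhausted: back to POSTROUTING, no SNAT


def render_iptables_commands(rules):
    """Equivalent `iptables -t nat -A` commands, handy for diffing against a live node."""
    out = []
    for target, dest in rules:
        if target == "RETURN":
            out.append("iptables -t nat -A IP-MASQ-AGENT -d %s "
                       "-m addrtype ! --dst-type LOCAL -j RETURN" % dest)
        else:
            out.append("iptables -t nat -A IP-MASQ-AGENT "
                       "-m addrtype ! --dst-type LOCAL -j MASQUERADE")
    return out


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    chain = build_chain(cfg["nonMasqueradeCIDRs"])
    print("\n".join(render_iptables_commands(chain)))
    for dst in ("10.1.2.3", "172.16.5.5", "8.8.8.8"):
        print(dst, "SNAT" if is_masqueraded(dst, chain) else "no SNAT")
```

With the custom config, a destination in 172.16.0.0/12 is now masqueraded because its RETURN rule is gone; with the default chain it is not. The `render_iptables_commands` output can be compared against `iptables-save -t nat` on a node to spot a chain that drifted from the ConfigMap.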

IP masquerading on Windows

ip-masq-agent only supports Linux. On Windows nodes, similar behaviour can be achieved through the CNI configuration by adding the ranges that must not be SNATed to the ExceptionList of the OutBoundNAT policy:
```json
{
  "name": "cbr0",
  "type": "win-bridge",
  "dns": {
    "nameservers": [
      "11.0.0.10"
    ],
    "search": [
      "svc.cluster.local"
    ]
  },
  "policies": [
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "OutBoundNAT",
        "ExceptionList": [
          "192.168.0.0/16",
          "11.0.0.0/8",
          "10.137.196.0/23"
        ]
      }
    },
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "ROUTE",
        "DestinationPrefix": "11.0.0.0/8",
        "NeedEncap": true
      }
    },
    {
      "name": "EndpointPolicy",
      "value": {
        "Type": "ROUTE",
        "DestinationPrefix": "10.137.198.27/32",
        "NeedEncap": true
      }
    }
  ],
  "loopbackDSR": true
}
```