You should see that kube-proxy is listening on NodePort 6600. You can verify this on the above kubernetes node: $ sudo lsof -i:30000
Under normal circumstances kube-proxy binds and listens on all NodePorts to ensure these ports stay reserved and no other processes can use them. Then verify kube-proxy is listening on NodePort. You should see that output show that targets are for packets destined to your NodePort 30000. $ sudo iptables -t nat -L KUBE-NODEPORTS -n | column -t Since the service we created is of type NodePort, let’s list the rules in KUBE-NODEPORTS chain. KUBE-NODEPORTS all - 0.0.0.0/0 0.0.0.0/0 /* kubernetes service nodeports NOTE: this must be the last rule in this chain */ ADDRTYPE match dst-type LOCALĪs you can see one target in the KUBE-SERVICES chain is the KUBE-NODEPORTS chain. List the rules in that chain, see example below: $ sudo iptables -t nat -L KUBE-SERVICES -n | column -t There’s a KUBE-SERVICES chain in the target that’s created by kube-proxy. So you don't have to manually configure iptables rules if you have service NodePort.
Kube-proxy binds and listens (on all k8s nodes) to all ports allocated as NodePorts to ensure these ports stay reserved and no other processes can use themĮven if a process starts using NodePort, iptables rules (because they are in PRESOUTING chain) ensure that the traffic sent to the NodePort gets routed to the pods. When kube-proxy is used in iptables mode (as it is by dafault in kubernetes), routing requests to services continues to work for existing services even when the kube-proxy process dies on the node
0 kommentar(er)
