K8s Networking

Category: architecture

Network model

The Kubernetes network model is flat: every Pod gets its own IP address and must be able to reach every other Pod, across nodes, without NAT. Services put a stable virtual IP and DNS name in front of a changing set of Pods, which is how service discovery and load balancing work. Note what the model does not give you: by default nothing restricts Pod-to-Pod traffic, so any isolation has to come from NetworkPolicy objects, and those are only enforced if the CNI plugin implements them.

┌────────────────────────────────────────────────────────────────────┐
│                      Kubernetes network model                      │
├──────────────────────┬──────────────────────┬──────────────────────┤
│  Pod network (CNI)   │  Service (ClusterIP) │  Ingress (L7 routing)│
├──────────────────────┼──────────────────────┼──────────────────────┤
│  Pod-to-Pod          │  Pod-to-Service      │  External-to-Service │
└──────────────────────┴──────────────────────┴──────────────────────┘

Service types

# ClusterIP (the default) - virtual IP reachable only from inside the cluster
apiVersion: v1
kind: Service
metadata:
  name: backend
spec:
  type: ClusterIP
  selector:
    app: backend
  ports:
  - port: 80          # port clients connect to on the Service IP
    targetPort: 8080  # port the backend Pods actually listen on
---
# NodePort - opens the port on EVERY node's IP (default range 30000-32767).
# Anything that can reach a node can reach the Service, so restrict it with
# host firewall / cloud security-group rules; prefer Ingress or LoadBalancer
# for anything that faces the outside.
apiVersion: v1
kind: Service
metadata:
  name: backend-nodeport
spec:
  type: NodePort
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 8080
    nodePort: 30080   # omit to let the API server allocate a free port
---
# LoadBalancer - asks the cloud provider for an external load balancer
# (a NodePort is still allocated underneath it). Where the provider honours
# it, set spec.loadBalancerSourceRanges to limit client CIDRs.
apiVersion: v1
kind: Service
metadata:
  name: backend-lb
spec:
  type: LoadBalancer
  selector:
    app: backend
  ports:
  - port: 80
    targetPort: 8080

Ingress routing

# Ingress - L7 (host + path) routing in front of ClusterIP Services.
# Assumes the ingress-nginx controller and a cert-manager ClusterIssuer
# named letsencrypt-prod. The original manifest also carried
# nginx.ingress.kubernetes.io/rewrite-target: / ; a bare "/" target applies
# to every path in the Ingress and rewrites every matched URI (/api/users,
# /static/app.js, ...) to "/", which breaks both backends, so it is dropped
# here. If you really need rewriting, use the capture-group form
# (path: /api(/|$)(.*) with rewrite-target: /$2 and use-regex: "true").
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx   # assumes the ingress-nginx controller
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls     # cert-manager stores the issued certificate here
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /api          # longest matching prefix wins, so /api/* goes to api-service
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 80
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80
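The rewrite-target annotation is the easiest thing on this page to get wrong, so here is an added example (written for this page, not ingress-nginx code) that models the nginx directive `rewrite "(?i)<path>" <target> break;` which the controller emits for a location carrying the annotation (exact generated directives vary by controller version). It compares the page's original bare `/` target with the documented capture-group form, and audits a constructed copy of the page's Ingress manifest. All function names and the manifest dict are this example's own.

```python
"""Simulate ingress-nginx `rewrite-target` handling for request URIs.

Added example written for this page, not ingress-nginx code. It models the
nginx directive `rewrite "(?i)<path>" <target> break;` that the controller
emits for a location carrying the annotation (exact directives vary by
controller version). Manifest and function names below are this example's own.
"""
import re
from typing import Optional


def nginx_rewrite(path: str, target: str, request_uri: str) -> Optional[str]:
    """nginx `rewrite` semantics: if the regex matches ANYWHERE in the URI the
    whole URI is replaced by `target` with $1, $2, ... expanded; else untouched."""
    m = re.search("(?i)" + path, request_uri)
    if m is None:
        return None

    def expand(ref):
        idx = int(ref.group(1))
        return (m.group(idx) or "") if idx <= len(m.groups()) else ""

    return re.sub(r"\$(\d+)", expand, target)


# The page's original annotation versus the documented capture-group form
BARE = ("/api", "/")
CAPTURE = ("/api(/|$)(.*)", "/$2")


def compare(request_uri: str) -> dict:
    return {"bare": nginx_rewrite(*BARE, request_uri),
            "capture": nginx_rewrite(*CAPTURE, request_uri)}


# Constructed copy of the page's Ingress before the fix (annotation still present)
PAGE_INGRESS = {
    "metadata": {"name": "web-ingress",
                 "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/"}},
    "spec": {"rules": [{"host": "app.example.com", "http": {"paths": [
        {"path": "/api", "pathType": "Prefix", "backend": {"service": {"name": "api-service"}}},
        {"path": "/", "pathType": "Prefix", "backend": {"service": {"name": "web-service"}}},
    ]}}]},
}


def audit_rewrite_target(ingress: dict) -> list:
    """Flag a rewrite-target with no $N reference: the annotation applies to every
    path in the Ingress, so every matched URI collapses to the literal target."""
    ann = ingress.get("metadata", {}).get("annotations", {})
    target = ann.get("nginx.ingress.kubernetes.io/rewrite-target")
    if target is None or "$" in target:
        return []
    return [f"{p['path']} -> {p['backend']['service']['name']}: "
            f"every URI under this path is rewritten to {target!r}"
            for rule in ingress["spec"]["rules"] for p in rule["http"]["paths"]]


if __name__ == "__main__":
    for uri in ("/api/users", "/api", "/API/users", "/static/app.js"):
        print(uri, compare(uri), "| web path '/':", nginx_rewrite("/", "/", uri))
    print(*audit_rewrite_target(PAGE_INGRESS), sep="\n")
```

Two things the run makes visible: the bare target sends `/api/users` to the backend as `/` while the capture-group form forwards `/users`, and because the `(?i)` flag makes the match case-insensitive, `/API/users` is routed and rewritten exactly like `/api/users`, which matters if a backend applies path-based authorization case-sensitively.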

CNI plugins

The CNI plugin allocates Pod IPs and wires each Pod's interface into the cluster network; common choices are Calico, Flannel and Cilium. The choice matters for security: NetworkPolicy is only enforced by a plugin that implements it. Calico and Cilium do (Calico also offers its own richer projectcalico.org/v3 policy API with ordering and explicit Deny rules); Flannel on its own does not, so a NetworkPolicy applied on a plain Flannel cluster is accepted by the API server but silently has no effect.

# Calico NetworkPolicy (projectcalico.org/v3): isolate every Pod in the
# namespace. A policy that lists a type but has no rules for it matches
# nothing, so all ingress and egress is dropped until another policy allows it.
# Caveat: this also blocks DNS; pair it with an egress allow to kube-dns
# (UDP/TCP 53 in kube-system) or Pods can no longer resolve Service names.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: production
spec:
  selector: all()
  types:
  - Ingress
  - Egress
---
# Allow frontend -> backend on TCP/8080. Calico v3 rules use
# action/protocol/source/destination (the original used the Kubernetes-style
# from/ports fields, which the Calico API rejects). metadata.namespace is
# required: without it the policy lands in the current kubectl namespace
# (usually `default`) and never applies to production. Because deny-all
# isolates egress too, frontend Pods additionally need an egress rule to
# backend:8080 before the connection succeeds.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-frontend
  namespace: production
spec:
  selector: app == 'backend'
  types:
  - Ingress
  ingress:
  - action: Allow
    protocol: TCP
    source:
      selector: app == 'frontend'   # same namespace only, unless namespaceSelector is set
    destination:
      ports:
      - 8080
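To make the policy semantics concrete (the flat-by-default model described under "Network model" and the namespace, port and DNS pitfalls of the Calico policies above), here is an added example written for this page: a small evaluator of Calico-style namespaced NetworkPolicy decisions, not Calico's own code. It assumes a reduced selector grammar (`all()`, `k == 'v'`, `k != 'v'` joined by `&&`), integer or `lo:hi` ports, and no GlobalNetworkPolicy, Pass action or profiles. The pods, namespaces and policies are constructed sample data; the `allow-frontend` variant without a namespace reproduces the page's original manifest.

```python
"""Model how Calico namespaced NetworkPolicies decide pod-to-pod traffic.

Added example written for this page, not Calico's own code. Assumptions: the
selector grammar is limited to all(), k == 'v' and k != 'v' joined by &&; ports
are ints or "lo:hi" ranges; no GlobalNetworkPolicy, Pass action or profiles.
All pods, namespaces and policies below are constructed sample data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    namespace: str
    labels: dict


def match_selector(selector: str, labels: dict) -> bool:
    """Evaluate a Calico selector string against a label dict."""
    if selector.strip() == "all()":
        return True
    for term in selector.split("&&"):
        m = re.fullmatch(r"\s*([\w./-]+)\s*(==|!=)\s*'([^']*)'\s*", term)
        if not m:
            raise ValueError(f"unsupported selector term: {term!r}")
        key, op, value = m.groups()
        if (labels.get(key) == value) != (op == "=="):
            return False
    return True


def entity_matches(ent: dict, peer: Pod, policy_ns: str, namespaces: dict) -> bool:
    """Match a rule's source/destination block against the peer pod.
    Without namespaceSelector, a bare selector only sees the policy's own namespace."""
    if "namespaceSelector" in ent:
        if not match_selector(ent["namespaceSelector"], namespaces.get(peer.namespace, {})):
            return False
    elif "selector" in ent and peer.namespace != policy_ns:
        return False
    return "selector" not in ent or match_selector(ent["selector"], peer.labels)


def port_matches(ent: dict, port: int) -> bool:
    """No `ports` means any port; entries are ints or "lo:hi" ranges."""
    ports = ent.get("ports")
    if not ports:
        return True
    for p in ports:
        lo, hi = (p, p) if isinstance(p, int) else map(int, p.split(":"))
        if lo <= port <= hi:
            return True
    return False


def verdict(policies, namespaces, pod, peer, port, protocol, direction):
    """Decision for one direction: "Ingress" into pod or "Egress" out of pod."""
    applicable = [p for p in policies
                  # a manifest without metadata.namespace lands in `default`
                  if p["metadata"].get("namespace", "default") == pod.namespace
                  and direction in p["spec"]["types"]
                  and match_selector(p["spec"]["selector"], pod.labels)]
    if not applicable:
        return "NoPolicy"  # pod not isolated in this direction: default allow
    applicable.sort(key=lambda p: p["spec"].get("order", float("inf")))
    for pol in applicable:
        for rule in pol["spec"][direction.lower()]:
            if rule.get("protocol", protocol) != protocol:
                continue
            peer_ent = rule.get("source" if direction == "Ingress" else "destination", {})
            if (entity_matches(peer_ent, peer, pod.namespace, namespaces)
                    and port_matches(rule.get("destination", {}), port)):
                return rule.get("action", "Allow")
    return "Deny"  # selected by at least one policy, but no rule matched the flow


def decide(policies, namespaces, src, dst, port, protocol="TCP"):
    """A flow needs an egress verdict at src AND an ingress verdict at dst."""
    egress = verdict(policies, namespaces, src, dst, port, protocol, "Egress")
    ingress = verdict(policies, namespaces, dst, src, port, protocol, "Ingress")
    return {"egress": egress, "ingress": ingress, "allowed": "Deny" not in (egress, ingress)}


def policy(name, selector, types, namespace=None, ingress=(), egress=()):
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"metadata": meta, "spec": {"selector": selector, "types": list(types),
                                       "ingress": list(ingress), "egress": list(egress)}}


# --- constructed sample cluster ---------------------------------------------
NAMESPACES = {ns: {"kubernetes.io/metadata.name": ns} for ns in ("production", "default", "kube-system")}
FRONTEND = Pod("frontend-0", "production", {"app": "frontend"})
BACKEND = Pod("backend-0", "production", {"app": "backend"})
COREDNS = Pod("coredns-0", "kube-system", {"k8s-app": "kube-dns"})

DENY_ALL = policy("deny-all", "all()", ["Ingress", "Egress"], namespace="production")
FRONTEND_RULE = {"action": "Allow", "protocol": "TCP",
                 "source": {"selector": "app == 'frontend'"}, "destination": {"ports": [8080]}}
# The page's original allow-frontend manifest had no namespace, so it lands in `default`
ALLOW_FRONTEND_WRONG_NS = policy("allow-frontend", "app == 'backend'", ["Ingress"], ingress=[FRONTEND_RULE])
ALLOW_FRONTEND = policy("allow-frontend", "app == 'backend'", ["Ingress"], "production", ingress=[FRONTEND_RULE])
ALLOW_FRONTEND_EGRESS = policy("allow-frontend-egress", "app == 'frontend'", ["Egress"], "production",
    egress=[{"action": "Allow", "protocol": "TCP",
             "destination": {"selector": "app == 'backend'", "ports": [8080]}}])
ALLOW_DNS = policy("allow-dns", "all()", ["Egress"], "production",
    egress=[{"action": "Allow", "protocol": "UDP",
             "destination": {"namespaceSelector": "kubernetes.io/metadata.name == 'kube-system'",
                             "selector": "k8s-app == 'kube-dns'", "ports": [53]}}])
FULL = [DENY_ALL, ALLOW_FRONTEND, ALLOW_FRONTEND_EGRESS, ALLOW_DNS]

if __name__ == "__main__":
    print(decide([DENY_ALL, ALLOW_FRONTEND_WRONG_NS], NAMESPACES, FRONTEND, BACKEND, 8080))
    print(decide(FULL, NAMESPACES, FRONTEND, BACKEND, 8080))
    print(decide(FULL, NAMESPACES, BACKEND, COREDNS, 53, "UDP"))
```

Running it shows the sequence a practitioner hits in practice: with no policies the flow is allowed (flat network); `deny-all` alone drops it in both directions; the namespace-less `allow-frontend` changes nothing because it applies to `default`; the corrected ingress policy still leaves the frontend's egress denied; only the full set allows frontend to backend on 8080 (and still denies 9090), and DNS to kube-dns works only because of the explicit cross-namespace egress rule.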

Headless Service

# Headless Service for a StatefulSet: clusterIP: None means no virtual IP and
# no load balancing. DNS returns the Pod IPs directly, and each Pod gets a
# stable record <pod>.<service>.<namespace>.svc.cluster.local, for example
# mysql-0.mysql-headless.default.svc.cluster.local
apiVersion: v1
kind: Service
metadata:
  name: mysql-headless
spec:
  clusterIP: None
  selector:
    app: mysql
  ports:
  - port: 3306
---
# StatefulSet using the headless Service for stable per-Pod network identity
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: mysql
spec:
  serviceName: mysql-headless   # must name the headless Service above
  replicas: 3
  selector:
    matchLabels:
      app: mysql
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - name: mysql
        image: mysql:8.0
        ports:
        - containerPort: 3306
        # mysql:8.0 refuses to start without a root-password setting; read it
        # from a Secret (name and key assumed here) rather than a literal value
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: mysql-credentials
              key: root-password