Istio from the ground up
Kubernetes SVC
lsns -l
ip a
sudo iptables -L | grep yelb-appserver
target prot opt source destination
NFLOG all -- anywhere anywhere /* rule to log dropped traffic POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT all -- anywhere anywhere /* rule to REJECT traffic destined for POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- anywhere 10.42.0.110 /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- anywhere 10.42.0.110 PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- 10.42.0.110 anywhere /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- 10.42.0.110 anywhere PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- 10.42.0.110 anywhere /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- anywhere 10.42.0.110 /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D all -- 10.42.0.110 anywhere /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
Inside a pod
apt update
apt install iproute2 -y
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if155: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether c6:f7:37:ab:b4:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.42.0.209/24 brd 10.42.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::c4f7:37ff:feab:b44d/64 scope link
valid_lft forever preferred_lft forever
10.42.0.209/24 is within the range of cni0 on the host machine:
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
link/ether 4a:2f:b7:2b:28:07 brd ff:ff:ff:ff:ff:ff
inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
valid_lft forever preferred_lft forever
inet6 fe80::482f:b7ff:fe2b:2807/64 scope link
valid_lft forever preferred_lft forever
So the pods get an IP from the CNI, but where do the SVC IPs come from? They do not exist on any interface; they exist only as iptables matches:
sudo iptables-save | grep 10.43.137.145
-A KUBE-SERVICES -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-SVC-NZUSKVP5QZOUDOLX
-A KUBE-SVC-NZUSKVP5QZOUDOLX ! -s 10.42.0.0/16 -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-MARK-MASQ
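As an added example (not part of the original notes), here is a small Python model of how the kube-proxy rules above get evaluated. It parses the two iptables-save lines captured on this page plus one hypothetical endpoint rule (the KUBE-SEP-PLACEHOLDER chain name is an assumption standing in for the real DNAT chain), then traces a TCP packet to the cluster IP through KUBE-SERVICES and the KUBE-SVC chain. The point it makes concrete: 10.43.137.145 is only a match target in netfilter, and the "! -s 10.42.0.0/16" rule means traffic from outside the pod CIDR is marked for masquerade (the pod sees the node as source), while a pod-sourced connection keeps its pod IP. The cni0 subnet check from the earlier passage is included as pod_ip_on_cni_bridge.

```python
from __future__ import annotations

import ipaddress
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed input: the two iptables-save lines captured on this page, plus one
# hypothetical endpoint rule. "KUBE-SEP-PLACEHOLDER" is an assumed name, not a
# real chain from the cluster; kube-proxy appends such a rule after the MASQ rule.
IPTABLES_SAVE = """\
-A KUBE-SERVICES -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-SVC-NZUSKVP5QZOUDOLX
-A KUBE-SVC-NZUSKVP5QZOUDOLX ! -s 10.42.0.0/16 -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-MARK-MASQ
-A KUBE-SVC-NZUSKVP5QZOUDOLX -m comment --comment "yelb/yelb-appserver" -j KUBE-SEP-PLACEHOLDER
"""


@dataclass
class Rule:
    chain: str
    src: Optional[ipaddress.IPv4Network] = None
    src_negated: bool = False  # "! -s": rule matches when the source is NOT in src
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: Optional[str] = None
    target: Optional[str] = None


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; shlex keeps the quoted --comment intact."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = Rule(chain=toks[1])
    negate = False
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok == "-s":
            rule.src = ipaddress.ip_network(toks[i + 1])
            rule.src_negated = negate
        elif tok == "-d":
            rule.dst = ipaddress.ip_network(toks[i + 1])
        elif tok == "-p":
            rule.proto = toks[i + 1]
        elif tok == "--dport":
            rule.dport = int(toks[i + 1])
        elif tok == "--comment":
            rule.comment = toks[i + 1]
        elif tok == "-j":
            rule.target = toks[i + 1]
        # "-m tcp" / "-m comment" name a match module; every option in this
        # sample takes exactly one argument, so advance by two.
        i += 2
        negate = False
    return rule


def load_rules(dump: str) -> dict[str, list[Rule]]:
    """Group parsed rules by chain, preserving rule order within each chain."""
    chains: dict[str, list[Rule]] = defaultdict(list)
    for line in dump.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            chains[rule.chain].append(rule)
    return chains


def matches(rule: Rule, src, dst, proto: str, dport: int) -> bool:
    """Evaluate the -s/-d/-p/--dport matches of one rule against a packet."""
    if rule.src is not None and (src in rule.src) == rule.src_negated:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def trace(chains, chain: str, src, dst, proto: str, dport: int, path=None) -> list[str]:
    """Walk the chains in rule order, recording every target the packet hits.

    Simplified netfilter semantics: a user-defined chain is entered and, when it
    returns, evaluation continues with the next rule (KUBE-MARK-MASQ only sets a
    mark and returns); a KUBE-SEP-* target is treated as terminating because it
    ends in a DNAT to the pod.
    """
    path = [] if path is None else path
    for rule in chains.get(chain, []):
        if not matches(rule, src, dst, proto, dport):
            continue
        path.append(rule.target)
        if rule.target in chains:
            trace(chains, rule.target, src, dst, proto, dport, path)
        if rule.target.startswith("KUBE-SEP-"):
            break
    return path


def classify_service_access(src_ip: str, dst_ip: str = "10.43.137.145",
                            dport: int = 4567, dump: str = IPTABLES_SAVE) -> dict:
    """Report which chains a TCP packet from src_ip to the cluster IP traverses."""
    chains = load_rules(dump)
    path = trace(chains, "KUBE-SERVICES", ipaddress.ip_address(src_ip),
                 ipaddress.ip_address(dst_ip), "tcp", dport)
    return {
        "path": path,
        "masqueraded": "KUBE-MARK-MASQ" in path,
        "reaches_endpoint": any(t.startswith("KUBE-SEP-") for t in path),
    }


def pod_ip_on_cni_bridge(pod_ip: str, cni0_addr: str) -> bool:
    """True when the pod address lies in the bridge subnet (10.42.0.209 vs cni0 10.42.0.1/24)."""
    return ipaddress.ip_address(pod_ip) in ipaddress.ip_interface(cni0_addr).network


if __name__ == "__main__":
    print("pod on cni0:", pod_ip_on_cni_bridge("10.42.0.209", "10.42.0.1/24"))
    print("from pod:   ", classify_service_access("10.42.0.209"))
    print("from node:  ", classify_service_access("192.168.1.10"))  # constructed node IP
```

Running it shows the pod-sourced packet hitting KUBE-SVC then KUBE-SEP only, while the node-sourced packet additionally passes through KUBE-MARK-MASQ; a packet to a port the service does not expose hits nothing in KUBE-SERVICES at all.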