Istio from the ground up

Kubernetes SVC

lsns -l
ip a
sudo iptables -L | grep yelb-appserver
target     prot opt source               destination
NFLOG      all  --  anywhere             anywhere             /* rule to log dropped traffic POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 limit: avg 10/min burst 10 nflog-group 100
REJECT     all  --  anywhere             anywhere             /* rule to REJECT traffic destined for POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb */ mark match ! 0x10000/0x10000 reject-with icmp-port-unreachable
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  anywhere             10.42.0.110          /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  anywhere             10.42.0.110          PHYSDEV match --physdev-is-bridged /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  10.42.0.110          anywhere             /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  10.42.0.110          anywhere             PHYSDEV match --physdev-is-bridged /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  10.42.0.110          anywhere             /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  anywhere             10.42.0.110          /* rule to jump traffic destined to POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */
KUBE-POD-FW-ROSJ4HABCONUDK7D  all  --  10.42.0.110          anywhere             /* rule to jump traffic from POD name:yelb-appserver-5d89946ffd-lqs9q namespace: yelb to chain KUBE-POD-FW-ROSJ4HABCONUDK7D */

Inside a pod

apt update
apt install iproute2 -y
ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0@if155: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether c6:f7:37:ab:b4:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.42.0.209/24 brd 10.42.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::c4f7:37ff:feab:b44d/64 scope link
       valid_lft forever preferred_lft forever

10.42.0.209/24 is within the range of the cni0 bridge (10.42.0.1/24 on the host)

On the host machine:

6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    link/ether 4a:2f:b7:2b:28:07 brd ff:ff:ff:ff:ff:ff
    inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
       valid_lft forever preferred_lft forever
    inet6 fe80::482f:b7ff:fe2b:2807/64 scope link
       valid_lft forever preferred_lft forever
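The `@if155` suffix on the pod's eth0 is the ifindex of the other end of its veth pair, which sits in the host network namespace and is enslaved to cni0; that is what puts the pod on the bridge's 10.42.0.0/24 subnet. The Python below is an added example, not from the page: it parses two `ip a` listings, follows the peer index from the pod side to the host side, and checks that the pod address lies in the bridge's network. The pod and cni0 lines are taken from the page; the host-side veth line (index 155, `master cni0`, name `vethPLACEHOLDER`) is constructed because the page does not print it.

```python
import ipaddress
import re

# Constructed `ip a` extracts. The pod side and the cni0 lines follow the listings on
# the page; the host-side veth line (ifindex 155, enslaved to cni0) is made up here
# to show the other end of the pair, since the page does not print it.
POD_IP_A = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
2: eth0@if155: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
    link/ether c6:f7:37:ab:b4:4d brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.42.0.209/24 brd 10.42.0.255 scope global eth0
"""
HOST_IP_A = """\
6: cni0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default qlen 1000
    inet 10.42.0.1/24 brd 10.42.0.255 scope global cni0
155: vethPLACEHOLDER@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master cni0 state UP group default
    link/ether 0a:0b:0c:0d:0e:0f brd ff:ff:ff:ff:ff:ff link-netnsid 3
"""

# "2: eth0@if155: <...>" -> index 2, name eth0, peer index 155, rest of the line
LINK_RE = re.compile(r"^(\d+):\s+([^:@\s]+)(?:@if(\d+))?:(.*)$")


def parse_ip_a(text):
    """Return {ifname: {"index", "peer", "master", "addrs"}} from `ip a` output.
    `peer` is the ifindex on the other end of a veth (the @ifNN suffix)."""
    links, current = {}, None
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if m:
            idx, name, peer, rest = m.groups()
            master = re.search(r"\bmaster (\S+)", rest)
            current = links[name] = {
                "index": int(idx),
                "peer": int(peer) if peer else None,
                "master": master.group(1) if master else None,
                "addrs": [],
            }
            continue
        a = re.match(r"^\s+inet\s+(\S+)", line)
        if a and current is not None:
            current["addrs"].append(ipaddress.ip_interface(a.group(1)))
    return links


def locate_pod(pod_ip_a, host_ip_a, pod_if="eth0"):
    """Map a pod interface to its host-side veth and bridge, and check that the pod's
    address lies in the bridge's subnet. Returns a dict, or None if no peer is found."""
    pod_links, host_links = parse_ip_a(pod_ip_a), parse_ip_a(host_ip_a)
    pod_eth = pod_links[pod_if]
    host_veth = next((n for n, l in host_links.items() if l["index"] == pod_eth["peer"]), None)
    if host_veth is None:
        return None
    bridge = host_links[host_veth]["master"]
    bridge_net = host_links[bridge]["addrs"][0].network if bridge in host_links else None
    pod_ip = pod_eth["addrs"][0].ip
    return {
        "pod_ip": str(pod_ip),
        "host_veth": host_veth,
        "bridge": bridge,
        "bridge_network": str(bridge_net) if bridge_net else None,
        "on_bridge_subnet": bridge_net is not None and pod_ip in bridge_net,
    }


if __name__ == "__main__":
    print(locate_pod(POD_IP_A, HOST_IP_A))
```

On a live node the same mapping can be done by reading the pod's `/sys/class/net/eth0/iflink` and looking that index up in the host's `ip link` output; the parser above just works on captured text so it runs without a cluster.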

So the pods get an IP from the CNI, but where do the SVC IPs come from?

sudo iptables-save | grep 10.43.137.145
-A KUBE-SERVICES -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-SVC-NZUSKVP5QZOUDOLX
-A KUBE-SVC-NZUSKVP5QZOUDOLX ! -s 10.42.0.0/16 -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-MARK-MASQ
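The ClusterIP 10.43.137.145 is not assigned to any interface on the node; kube-proxy answers for it with nat-table rules, and the two lines above are the first hops: KUBE-SERVICES matches the ClusterIP and port and jumps to the per-service KUBE-SVC chain, which marks traffic from outside the pod CIDR for masquerading and then (in rules not shown on the page) jumps to a KUBE-SEP chain that DNATs to a backend pod. The Python below is an added example, not from the page: it parses iptables-save text and walks the chains for a given packet the way netfilter would, so you can see which path a pod-sourced and an off-cluster-sourced packet take. The extract contains the page's two rules plus a constructed KUBE-SEP rule (DNAT to the page's yelb-appserver pod, 10.42.0.110) and a constructed KUBE-MARK-MASQ body; `KUBE-SEP-PLACEHOLDER` stands in for the real hashed chain name.

```python
import ipaddress

# Constructed iptables-save extract: the two rules quoted on the page plus a
# KUBE-SEP endpoint rule and the KUBE-MARK-MASQ body of the kind kube-proxy
# writes. KUBE-SEP-PLACEHOLDER stands in for the real hashed chain name.
IPTABLES_SAVE = """\
-A KUBE-SERVICES -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-SVC-NZUSKVP5QZOUDOLX
-A KUBE-SVC-NZUSKVP5QZOUDOLX ! -s 10.42.0.0/16 -d 10.43.137.145/32 -p tcp -m comment --comment "yelb/yelb-appserver cluster IP" -m tcp --dport 4567 -j KUBE-MARK-MASQ
-A KUBE-SVC-NZUSKVP5QZOUDOLX -m comment --comment "yelb/yelb-appserver" -j KUBE-SEP-PLACEHOLDER
-A KUBE-SEP-PLACEHOLDER -p tcp -m comment --comment "yelb/yelb-appserver" -m tcp -j DNAT --to-destination 10.42.0.110:4567
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
"""

# Targets that decide a packet's fate; anything else (MARK, a user chain that
# returns) lets the walk continue with the next rule of the calling chain.
TERMINAL = {"DNAT", "SNAT", "MASQUERADE", "ACCEPT", "DROP", "REJECT"}


def parse_rules(iptables_save):
    """Parse `-A CHAIN ...` lines into per-chain rule dicts.
    Only -s / ! -s, -d / ! -d, --dport, -j and --to-destination are kept;
    comments and other match modules are skipped."""
    chains = {}
    for line in iptables_save.splitlines():
        if not line.startswith("-A "):
            continue
        toks = line.split()
        rule = {"src": None, "dst": None, "src_neg": False, "dst_neg": False,
                "dport": None, "target": None, "to": None}
        neg, i = False, 2
        while i < len(toks):
            t = toks[i]
            if t == "!":                      # negation applies to the next match
                neg, i = True, i + 1
                continue
            if t in ("-s", "-d"):
                key = "src" if t == "-s" else "dst"
                rule[key] = ipaddress.ip_network(toks[i + 1], strict=False)
                rule[key + "_neg"] = neg
                i += 2
            elif t == "--dport":
                rule["dport"], i = int(toks[i + 1]), i + 2
            elif t == "-j":
                rule["target"], i = toks[i + 1], i + 2
            elif t == "--to-destination":
                rule["to"], i = toks[i + 1], i + 2
            else:
                i += 1
            neg = False
        chains.setdefault(toks[1], []).append(rule)
    return chains


def matches(rule, src, dst, dport):
    """Evaluate one rule's address and port matches against a packet."""
    if rule["src"] is not None and (src in rule["src"]) == rule["src_neg"]:
        return False
    if rule["dst"] is not None and (dst in rule["dst"]) == rule["dst_neg"]:
        return False
    return rule["dport"] is None or rule["dport"] == dport


def walk(chains, chain, src, dst, dport, path):
    """Follow jumps the way netfilter does; returns (verdict, DNAT target) or None."""
    for rule in chains.get(chain, []):
        target = rule["target"]
        if target is None or not matches(rule, src, dst, dport):
            continue
        path.append(f"{chain} -> {target}")
        if target in TERMINAL:
            return target, rule["to"]
        if target == "RETURN":
            return None
        if target in chains:                  # user-defined chain: enter it
            verdict = walk(chains, target, src, dst, dport, path)
            if verdict is not None:
                return verdict
    return None


def trace(iptables_save, src, dst, dport, start="KUBE-SERVICES"):
    """Trace a src -> dst:dport packet from `start`; returns (jump path, verdict)."""
    path = []
    verdict = walk(parse_rules(iptables_save), start,
                   ipaddress.ip_address(src), ipaddress.ip_address(dst), dport, path)
    return path, verdict


if __name__ == "__main__":
    # A pod on the 10.42.0.0/16 overlay and an off-cluster client hitting the ClusterIP.
    for src in ("10.42.0.209", "10.43.137.145", "192.168.1.5"):
        path, verdict = trace(IPTABLES_SAVE, src, "10.43.137.145", 4567)
        print(src, "|", " ; ".join(path), "|", verdict)
```

The walk shows why the `! -s 10.42.0.0/16` rule matters: a pod-sourced packet goes straight to the KUBE-SEP DNAT and keeps its source address, so the backend sees the real client pod IP, while anything from outside the pod CIDR is marked for masquerading first and reaches the backend with the node's address. When auditing who can reach a service, check the nat table on the node rather than looking for the ClusterIP on an interface.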
