tjtjtj's memo

Notes for myself.

Kubernetes study: hostNetwork, continued

This time I looked at what state a pod with hostNetwork: true actually ends up in.

Pod manifests

hello-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
spec:
  hostNetwork: false
  containers:
  - name: hello
    image: dockercloud/hello-world
    ports:
    - containerPort: 80

hello-hostnetwork-pod.yaml

apiVersion: v1
kind: Pod
metadata:
  name: hello-hostnetwork-pod
spec:
  hostNetwork: true
  containers:
  - name: hello
    image: dockercloud/hello-world
    ports:
    - containerPort: 80

After apply, get. The IP of the hostNetwork: true pod has become the node's IP.

$ kubectl get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE   NOMINATED NODE   READINESS GATES
hello-hostnetwork-pod   1/1     Running   0          31m   192.168.0.103   kb3    <none>           <none>
hello-pod               1/1     Running   0          31m   10.244.1.7      kb2    <none>           <none>

hello-pod

Check ip a and /etc/hosts

$ kubectl exec -it hello-pod sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1440 qdisc noqueue state UP
    link/ether 1a:4c:fe:1b:a9:9c brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.7/32 scope global eth0
       valid_lft forever preferred_lft forever
/ # cat /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.244.1.7      hello-pod

Naturally, curl from the node doesn't get through.

$ curl --connect-timeout 3 10.244.1.7
curl: (28) Connection timed out after 3001 milliseconds

hello-hostnetwork-pod

Check ip a and /etc/hosts for hostNetwork: true as well

$ kubectl exec -it hello-hostnetwork-pod sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 9c:a3:ba:31:75:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.103/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9ea3:baff:fe31:7580/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:96:40:f8:e7 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.2.1/32 brd 10.244.2.1 scope global tunl0
       valid_lft forever preferred_lft forever
/ # cat /etc/hosts
# Kubernetes-managed hosts file (host network).
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# The format of lines in this file is:
#
# IP_ADDRESS    canonical_hostname      [aliases...]
#
#The fields can be separated by any number of spaces or tabs.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#

# IPv4 and IPv6 localhost aliases
127.0.0.1       localhost
::1             localhost

#
# Imaginary network.
#10.0.0.2               myname
#10.0.0.3               myfriend
#
# According to RFC 1918, you can use the following IP networks for private
# nets which will never be connected to the Internet:
#
#       10.0.0.0        -   10.255.255.255
#       172.16.0.0      -   172.31.255.255
#       192.168.0.0     -   192.168.255.255
#
# In case you want to be able to connect directly to the Internet (i.e. not
# behind a NAT, ADSL router, etc...), you need real official assigned
# numbers.  Do not try to invent your own network numbers but instead get one
# from your network provider (if any) or from your regional registry (ARIN,
# APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#

curl from the node works too.

$ curl 192.168.0.103
<html>
<head>
        <title>Hello world!</title>
:

With hostNetwork: true the pod can access the node's network, but conversely it is exposed on it. The network isolation I tried in the calico tutorial probably can't be applied here, can it? Using hostNetwork makes a pod reachable from outside the cluster, but unless you pin which node the pod runs on, its IP address changes every time, so it's not well suited for that.
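The "get pod -o wide" output above and this closing paragraph together make the practical point: a hostNetwork pod takes the node's IP, so every containerPort it declares is a listener sitting directly on the node interface. As an added example (not part of the original memo), here is a small audit in Python over the JSON that `kubectl get pods -A -o json` produces; it flags every hostNetwork pod, checks whether podIP equals hostIP, and lists the ports now exposed on the node. The pod list embedded below is a constructed sample modelled on the two pods from the memo; the hostIP for kb2 (192.168.0.102) is a made-up placeholder, since the memo does not show it.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get pods -A -o json`, modelled on the
# two pods in the memo (hello-pod on kb2, hello-hostnetwork-pod on kb3).
# The hostIP of kb2 is a placeholder value; it does not appear in the memo.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "hello-pod", "namespace": "default"},
            "spec": {
                "hostNetwork": False,
                "nodeName": "kb2",
                "containers": [{"name": "hello", "ports": [{"containerPort": 80}]}],
            },
            "status": {"podIP": "10.244.1.7", "hostIP": "192.168.0.102"},
        },
        {
            "metadata": {"name": "hello-hostnetwork-pod", "namespace": "default"},
            "spec": {
                "hostNetwork": True,
                "nodeName": "kb3",
                "containers": [{"name": "hello", "ports": [{"containerPort": 80}]}],
            },
            # With hostNetwork: true the pod IP is the node IP, as seen in the memo.
            "status": {"podIP": "192.168.0.103", "hostIP": "192.168.0.103"},
        },
    ],
})


def find_host_network_pods(pod_list_json: str, ignore_namespaces=()) -> list:
    """Return one finding per pod that runs inside the node's network namespace.

    ignore_namespaces lets you skip namespaces whose hostNetwork pods are expected
    (CNI and kube-proxy daemonsets usually live in kube-system).
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        status = pod.get("status", {})
        if meta.get("namespace") in ignore_namespaces:
            continue
        if not spec.get("hostNetwork", False):
            continue
        # Every declared containerPort of a hostNetwork pod is a real listener on
        # the node interface; containers may omit "ports", so default to [].
        node_ports = sorted(
            p["containerPort"]
            for c in spec.get("containers", [])
            for p in c.get("ports", [])
        )
        findings.append({
            "namespace": meta.get("namespace"),
            "name": meta.get("name"),
            "node": spec.get("nodeName"),
            "pod_ip": status.get("podIP"),
            # True when the pod has taken the node's IP (the memo's 192.168.0.103 case).
            "shares_node_ip": status.get("podIP") is not None
            and status.get("podIP") == status.get("hostIP"),
            "node_ports": node_ports,
        })
    return findings


def format_report(findings) -> str:
    """Render findings as one line per pod, or a clean message when there are none."""
    if not findings:
        return "no hostNetwork pods found"
    lines = []
    for f in findings:
        ports = ",".join(str(p) for p in f["node_ports"]) or "-"
        lines.append(
            f"{f['namespace']}/{f['name']} on node {f['node']} "
            f"ip={f['pod_ip']} shares_node_ip={f['shares_node_ip']} node_ports={ports}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe real data in with:  kubectl get pods -A -o json | python3 audit_hostnetwork.py
    # With no stdin, fall back to the constructed sample above.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    print(format_report(find_host_network_pods(data or SAMPLE_POD_LIST)))
```

On the memo's cluster this reports only hello-hostnetwork-pod, on kb3, with port 80 now open on 192.168.0.103; hello-pod stays on its 10.244.1.7 pod-network address and is not listed. Passing ignore_namespaces=("kube-system",) hides the expected CNI and kube-proxy pods so that only application workloads show up.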