Kubernetes study: hostNetwork, continued
This time I looked into what state a pod with hostNetwork: true actually ends up in.
Pod manifests

hello-pod.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-pod
spec:
  hostNetwork: false
  containers:
  - name: hello
    image: dockercloud/hello-world
    ports:
    - containerPort: 80
```

hello-hostnetwork-pod.yaml

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: hello-hostnetwork-pod
spec:
  hostNetwork: true
  containers:
  - name: hello
    image: dockercloud/hello-world
    ports:
    - containerPort: 80
```
After applying both, run get. The IP of the hostNetwork: true pod is the node's own address.

```
$ kubectl get pod -o wide
NAME                    READY   STATUS    RESTARTS   AGE   IP              NODE   NOMINATED NODE   READINESS GATES
hello-hostnetwork-pod   1/1     Running   0          31m   192.168.0.103   kb3    <none>           <none>
hello-pod               1/1     Running   0          31m   10.244.1.7      kb2    <none>           <none>
```
hello-pod

Check ip a and /etc/hosts inside the pod.

```
$ kubectl exec -it hello-pod sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
4: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1440 qdisc noqueue state UP
    link/ether 1a:4c:fe:1b:a9:9c brd ff:ff:ff:ff:ff:ff
    inet 10.244.1.7/32 scope global eth0
       valid_lft forever preferred_lft forever
```

```
/ # cat /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
fe00::0	ip6-mcastprefix
fe00::1	ip6-allnodes
fe00::2	ip6-allrouters
10.244.1.7	hello-pod
```
Naturally, curl from the node does not get through to this pod IP.

```
$ curl --connect-timeout 3 10.244.1.7
curl: (28) Connection timed out after 3001 milliseconds
```
hello-hostnetwork-pod

Check ip a and /etc/hosts for the hostNetwork: true pod as well.

```
$ kubectl exec -it hello-hostnetwork-pod sh
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 9c:a3:ba:31:75:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.103/24 brd 192.168.0.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::9ea3:baff:fe31:7580/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN
    link/ether 02:42:96:40:f8:e7 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
4: tunl0@NONE: <NOARP,UP,LOWER_UP> mtu 1440 qdisc noqueue state UNKNOWN qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
    inet 10.244.2.1/32 brd 10.244.2.1 scope global tunl0
       valid_lft forever preferred_lft forever
```

The pod sees every interface of the node (eth0, docker0, tunl0), and /etc/hosts is the node's own file rather than the Kubernetes-generated one:

```
/ # cat /etc/hosts
# Kubernetes-managed hosts file (host network).
# /etc/hosts: Local Host Database
#
# This file describes a number of aliases-to-address mappings for the for
# local hosts that share this file.
#
# The format of lines in this file is:
#
# IP_ADDRESS	canonical_hostname	[aliases...]
#
#The fields can be separated by any number of spaces or tabs.
#
# In the presence of the domain name service or NIS, this file may not be
# consulted at all; see /etc/host.conf for the resolution order.
#
# IPv4 and IPv6 localhost aliases
127.0.0.1	localhost
::1	localhost
#
# Imaginary network.
#10.0.0.2	myname
#10.0.0.3	myfriend
#
# According to RFC 1918, you can use the following IP networks for private
# nets which will never be connected to the Internet:
#
#	10.0.0.0	-   10.255.255.255
#	172.16.0.0	-   172.31.255.255
#	192.168.0.0	-   192.168.255.255
#
# In case you want to be able to connect directly to the Internet (i.e. not
# behind a NAT, ADSL router, etc...), you need real official assigned
# numbers.  Do not try to invent your own network numbers but instead get one
# from your network provider (if any) or from your regional registry (ARIN,
# APNIC, LACNIC, RIPE NCC, or AfriNIC.)
#
```
curl from the node works too.

```
$ curl 192.168.0.103
<html>
<head>
<title>Hello world!</title>
:
```

With hostNetwork: true the pod can reach the node's network, but conversely the pod is exposed on the node's address. The network isolation I tried in the Calico tutorial probably can't be applied to such a pod, can it? Using hostNetwork does make a pod reachable from outside the cluster, but unless you pin the pod to a particular node, its IP address changes each time it is scheduled, so it is not a good way to expose a pod.
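Because a hostNetwork pod shows up on the node's own address, it is worth auditing a cluster for such pods. The following is an added example, not code from the original post: it reads the JSON shape produced by `kubectl get pods -A -o json` (assumed here to carry the standard v1 PodList fields `spec.hostNetwork`, `spec.nodeName`, `status.podIP` and `status.hostIP`) and reports every pod that either declares `hostNetwork: true` or whose pod IP equals its node IP, the symptom seen in the `kubectl get pod -o wide` output above. The embedded sample list is constructed; the node address for kb2 and the kube-system pod are made-up values.

```python
"""Audit a PodList for pods that share the node's network namespace.

Added example, not from the original post. Reads the JSON that
`kubectl get pods -A -o json` prints (assumed standard v1 PodList fields)
and flags pods by two independent signals:
  1. spec.hostNetwork is true, and
  2. status.podIP == status.hostIP (what the post observed with -o wide).
"""
import json
import sys
from typing import Dict, List

# Constructed sample shaped like `kubectl get pods -A -o json`. The pod names
# and the kb3 address come from the post; the kb2/kb1 host addresses and the
# kube-system pod are made up for illustration.
SAMPLE_PODLIST = json.dumps({
    "apiVersion": "v1",
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "hello-pod", "namespace": "default"},
            "spec": {"hostNetwork": False, "nodeName": "kb2"},
            "status": {"podIP": "10.244.1.7", "hostIP": "192.168.0.102"},
        },
        {
            "metadata": {"name": "hello-hostnetwork-pod", "namespace": "default"},
            "spec": {"hostNetwork": True, "nodeName": "kb3"},
            "status": {"podIP": "192.168.0.103", "hostIP": "192.168.0.103"},
        },
        {
            # hostNetwork omitted entirely: the API default is false.
            "metadata": {"name": "coredns-sample", "namespace": "kube-system"},
            "spec": {"nodeName": "kb1"},
            "status": {"podIP": "10.244.0.3", "hostIP": "192.168.0.101"},
        },
    ],
})


def host_network_pods(podlist_json: str) -> List[Dict[str, str]]:
    """Return one finding per pod that is on the node network."""
    items = json.loads(podlist_json).get("items", [])
    findings: List[Dict[str, str]] = []
    for pod in items:
        spec = pod.get("spec", {})
        status = pod.get("status", {})
        declared = bool(spec.get("hostNetwork", False))
        pod_ip = status.get("podIP")
        host_ip = status.get("hostIP")
        # A Pending pod has no podIP yet; only compare when both are present.
        same_ip = pod_ip is not None and host_ip is not None and pod_ip == host_ip
        if declared or same_ip:
            meta = pod.get("metadata", {})
            findings.append({
                "namespace": meta.get("namespace", "default"),
                "name": meta.get("name", ""),
                "node": spec.get("nodeName", ""),
                "podIP": pod_ip or "",
                "reason": "spec.hostNetwork=true" if declared else "podIP == hostIP",
            })
    return findings


def main(argv: List[str]) -> int:
    # `python audit.py -` reads a real listing from stdin; with no argument the
    # constructed sample is audited instead.
    data = sys.stdin.read() if len(argv) > 1 and argv[1] == "-" else SAMPLE_PODLIST
    findings = host_network_pods(data)
    for f in findings:
        print(f"{f['namespace']}/{f['name']} on {f['node']} ({f['podIP']}): {f['reason']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `kubectl get pods -A -o json | python audit.py -`; a non-zero exit means at least one pod is on the node network, which makes it easy to wire into a CI or periodic check. The second signal matters because it catches the condition from observed state rather than from the manifest alone.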