I explained Kubernetes’ resource controllers and demonstrated how they control Pod behavior in action. We know that if a Pod created through the controller encounters an exception and dies, the controller will automatically create a new Pod to replace it, to maintain a stable number of Pod copies.

Let’s imagine another scenario:

For example, we have a service cluster with three Pod load balancing directly through Nginx reverse proxy. All three Pod are managed by Deployment. If one Pod fails unexpectedly one day, We know that Deployment will start a new Pod to meet the expected number of pods of 3. The IP address of the Pod (s) in the upstream will be different from that in the real environment. Then Nginx will have an error.

Do you need to write another monitor script to listen for Pod IP address changes and then synchronize them to Nginx?

If so, the administrative costs will be huge, and the K8s is not as good as we thought

Does K8s have a mechanism to solve this problem?

K8s provides a Service that detects the status of matched pods and records the IP address of the Pod to the load queue. In Nginx, you only need to configure the address to the Service. Subsequent Pod status changes will be automatically synchronized to the Service, the Service to complete the load balancing, Nginx does not need to do any modification.

Once a Service is introduced, there will be no impact on Nginx’s reverse proxy (or upper-layer Service) from the expansion or update of the BACK-END Pod.

The concept of Service

A Service is a mechanism to access a Service externally by matching a set of pods with a Label Selector. Each Service can be thought of as a microservice.

Services provide load balancing capabilities, but they have the following limitations:

  • The system provides layer 4 load balancing but does not provide layer 7 load balancing. That is, the host name or domain name scheme cannot be used for load balancing.

By default, the Service does not have 7 layers of load. You can add an Ingress to add 7 layers of load.

Type of Service

There are four types of services in K8S:

  • **ClusterIP: ** Default type that automatically assigns a virtual IP that is accessible only within the Cluster
  • **NodePort: ** Binds a port on each machine to the Service based on ClusterIP, so that the Service can be accessed via: (used briefly in the first introductory article)
  • **LoadBalancer: ** create an external LoadBalancer with the Cloud Provider based on the NodePort and forward the request to:
  • ExternalName: * * * * the cluster internal to external service is introduced into the cluster, use directly within the cluster. No proxy of any type was created. K8s ExternalName = ExternalName = K8s ExternalName = ExternalName = ExternalName Other PODS need not be modified)

Iii. VIP and Service agents

In a K8s cluster, each Node runs a Kube-proxy process, which implements a VIP (virtual IP) form for the Service instead of ExternalName. In Kubernetes V1.0, userspace was used as the proxy. In V1.1, iptables agents were added, but not the default operating mode. Since V1.2, iptables agents have been used by default. Ipvs proxy is used by default starting with version 1.14.

In V1.0, Service was a “layer 4” (TCP/UDP over IP) concept. In V1.1, the Ingress API was added to represent a “layer 7” (HTTP) Service.

Think: Why not use round-robin DNS for load balancing?

One of the biggest reasons is that DNS domain names are cached on clients after being resolved.

I am not clear about these proxy modes, so I won’t expand them here. Note, however, that the IPVS mode assumes that the IPVS kernel module is installed on all nodes before kube-Proxy is run. When kube-proxy starts in ipvS proxy mode, kube-Proxy verifies that the IPVS module is installed on the node. If not, kube-Proxy reverts to iptables proxy mode.

Four, ClusterIP

ClusterIP uses iptables (or IPVS) on each node to forward the data sent to the ClusterIP port to Kube-Proxy. Then Kube-Proxy implements load balancing internally. In addition, the address and port of the corresponding Pod under the Service can be queried, and the data can be forwarded to the corresponding Pod address and port.

Take the three PODS of Nginx reverse proxy as an example. In order to achieve this function, the following three components are mainly needed to work together:

  1. Api-server: The user sends the command to create server to api-server through kubectl command. Api-server receives the request and stores the data in etCD
  2. Kube-proxy: Kubernetes Each node has a process called kube-proxy that senses service and POD changes and writes the changes to the local iptables rules
  3. Iptables: Uses technologies such as NAT to forward traffic from the virtual IP address to the endpoint

Here’s a demonstration:

svc-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp-deploy
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: myapp
      release: stabel
  template:
    metadata:
      labels:
        app: myapp
        release: stabel
        env: test
    spec:
      containers:
      - name: myapp
        image: heqingbao/k8s_myapp:v2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
          containerPort: 80
Copy the code

The above Deployment deploys three Pod copies

Deploy it below:

[root@master01 ~]# kubectl apply -f svc-deployment.yaml [root@master01 ~]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NODE READINESS GATES myapp-deploy-DFDB77DFd-l8mt8 1/1 Running 0 2m48s 172.16.196.180 Node01 <none> <none> myapp-deploy- dfDB77DFd - LHDQS 1/1 Running 0 2M48s 172.16.140.117 node02 <none> <none> Myapp -deploy-dfdb77dfd- x9vSQ 1/1 Running 0 2m48s 172.16.196.181 node01 <none> <none>
#Access the Pod through Pod IP/ root @ master01 ~ # curl 172.16.196.180 Hello MyApp | Version: v2 | < a href = "hostname. HTML" > Pod Name < / a >Copy the code

As above, we can access each Pod directly using the Pod’s IP.

** Create Service **

svc.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: myapp
    release: stabel
  ports:
  - name: http
    port: 80
    targetPort: 80
Copy the code

Note the selector selector inside, which matches the three pods created earlier. In addition, targetPort represents the port of the back-end real service, which is the port defined by Pod above.

Deployment of the Service:

[root@master01 ~]# kubectl apply -f svc.yaml service/myapp created [root@master01 ~]# kubectl get svc NAME TYPE Cluster-ip external-ip PORT(S) AGE kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 13d MyApp ClusterIP 10.100.8.189 <none> 80 / TCP/root @ master01 ~ # 5 s curl 10.100.8.189 Hello MyApp | Version: v2 | < a href = "hostname. HTML" > Pod Name < / a >
#Viewing Pod Information/ root @ master01 ~ # curl 10.100.8.189 / hostname. HTML myapp - deploy - dfdb77dfd - l8mt8 root @ master01 ~ # curl 10.100.8.189 / hostname. HTML myapp - deploy - dfdb77dfd - x9vsq/root @ master01 ~ # curl 10.100.8.189 / hostname. HTML myapp-deploy-dfdb77dfd-lhdqsCopy the code

You can see that the Service implements load balancing

Five, the Headless Service

Sometimes load balancing and a separate Service IP are not needed or desired. In this case, you can create a Headless Service by specifying the Cluster IP (spec.clusterIP) value to None. Such services do not assign Cluster IP, kube-Proxy does not process them, and the platform does not load balance them.

Headless Service is also the basis for StatefulSet later.

demonstrate

svc-none.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp-headless
  namespace: default
spec:
  selector:
    app: myapp
  clusterIP: "None"
  ports:
  - port: 80
    targetPort: 80

Copy the code

ClusterIP specified: “None”

[root@master01 ~]# kubectl apply -f svc-none.yaml service/myapp-headless created [root@master01 ~]# kubectl get svc NAME TYPE cluster-ip external-ip PORT(S) AGE kubernetes ClusterIP 10.96.0.1 < None > 443/TCP 13d MyApp ClusterIP 10.96.16.55 <none> 80/TCP 96s myapp-headless ClusterIP None <none> 80/TCP 4sCopy the code

You can see that the IP address of myapp-headless is None. So how do you access this service?

If a Service is created successfully, it will be written to CoreDNS:

[root@master01 ~]# kubectl get pod -n kube-system NAME READY STATUS RESTARTS AGE calico-kube-controllers-6b9d4c8765-t2rw8 1/1 Running 11 13d calico-node-4f5sr 1/1 Running 11 13d calico-node-pzcv7 1/1 Running 4 9d calico-node-wm6ch 1/1 Running 6 9d coredns-6955765f44-jr5mk 1/1 Running 11 13d coredns-6955765f44-tw67g 1/1  Running 11 13d etcd-master01 1/1 Running 11 13d kube-apiserver-master01 1/1 Running 12 13d kube-controller-manager-master01 1/1 Running 11 13d kube-proxy-9k8tk 1/1 Running 11 13d kube-proxy-lh9bm 1/1 Running 5 9d kube-proxy-lmwfv 1/1 Running 4 9d kube-scheduler-master01 1/1 Running 11 13dCopy the code

Coredns-6955765f44-jr5mk and CoreDNS-6955765F44-TW67G

Kubectl get pod -o wide -n kube-system kubectl get pod -o wide -n kube-system kubectl get pod -o wide -n kube-system kubectl get pod -o wide -n kube-system kubectl get pod -o wide -n kube-system

Coredns – 6955765 f44 – jr5mk: 172.16.241.98

Coredns – 6955765 f44 – tw67g: 172.16.241.99

We use the first DNS to resolve myapp-headless:

/ root @ master01 ~ # dig - t A myapp - headless. Default. SVC. Cluster. The local. @ 172.16.241.98; < < > > DiG 9.11.4 - P2 - RedHat - 9.11.4-9. P2. El7 < < > > - t A myapp - headless. Default. SVC. Cluster. The local. @ 172.16.241.98;; global options: +cmd ;; Got answer: ;; WARNING: .local is reserved for Multicast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19378 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; myapp-headless.default.svc.cluster.local. IN A ;; ANSWER SECTION: Myapp - headless. Default. SVC. Cluster. The local. 30 IN A 172.16.196.182 myapp - headless. Default. SVC. Cluster. The local. 30 IN A 172.16.140.119 myapp - headless. Default. SVC. Cluster. The local. 30 IN A 172.16.140.118;; Query time: 125 msec ;; SERVER: 172.16.241.98 # 53 (172.16.241.98);; WHEN: Sat 3月 07 17:01:41 CST 2020; MSG SIZE rcvd: 237Copy the code

We can see that IP addresses 172.16.196.182, 172.16.140.119, 172.16.140.118 are the IP addresses of the three pods created above:

[root@master01 ~]# kubectl get pod -o wide NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES Myapp - deploy-dfDB77DDFd-5tq9p 1/1 Running 0 17M 172.16.140.118node02 <none> <none> myapp- deploy-dfDB77DDFd-cp2r4 1/1 Running 0 17m 172.16.140.119node02 <none> <none> myapp- deploy-dfdb77DFd-dpcjn 1/1 Running 0 17m 172.16.196.182node01 <none> <none>Copy the code

That is, in the Headless Service, it does not have its own IP, but it can still access the Pod ** by accessing the domain name

Six, NodePort

NodePort works by opening a port on node and importing traffic to the port to Kube-proxy, which then feeds traffic to the corresponding Pod.

demonstrate

nodeport.yaml

apiVersion: v1
kind: Service
metadata:
  name: myapp
  namespace: default
spec:
  type: NodePort
  selector:
    app: myapp
    release: stabel
  ports:
  - name: http
    port: 80
    targetPort: 80
Copy the code

The only thing to note is type: NodePort

To deploy the Service:

[root@master01 ~]# kubectl apply -f nodeport.yaml service/myapp configured [root@master01 ~]# kubectl get pod NAME READY  STATUS RESTARTS AGE myapp-deploy-dfdb77dfd-5tq9p 1/1 Running 0 22m myapp-deploy-dfdb77dfd-cp2r4 1/1 Running 0 22m myapp-deploy-dfdb77dfd-dpcjn 1/1 Running 0 22m [root@master01 ~]# kubectl get svc NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE Kubernetes ClusterIP 10.96.0.1 < None > 443/TCP 13d Myapp NodePort 10.96.16.55 < None > 80:30459/TCP 21m myapp-headless ClusterIP None <none> 80/TCP 20mCopy the code

Note that a set of PODS can be associated with multiple services, as long as the label of the Service matches the label of the Pod.

Can access on the external browser: http://192.168.0.114:30459, should be can access. Port 30459 is enabled on each node.

Seven, LoadBalancer

LoadBalancer and NodePort are the same method, but LoadBalancer has one more step than NodePort, that is, the Cloud Provider can be called to create the LB to direct the node.

It’s a service that costs money, and it’s untested, and I’ll talk about it later.

Eight, ExternalName

This type of Service maps the Service to the contents of the externalName field (for example, xxx.com) by returning CNAME and its value. ExternalName is a special case of a Service. It does not have a selector, nor does it define any port or Endpoint. Instead, for a Service running outside the cluster, it provides the Service by returning the alias of the external Service.

demonstrate

externalname.yaml

apiVersion: v1
kind: Service
metadata:
  name: my-service-1
  namespace: default
spec:
  type: ExternalName
  externalName: baidu.com
Copy the code

When the query host my – service – 1. The default. SVC. Cluster. The local (SVC_NAME. NAMESPACE. SVC. Cluster. The local), The DNS service of the cluster will return a CNAME record with the value of baidu.com. Accessing this service works in the same way as the others, except that the redirection takes place at the DNS layer and no proxy or forwarding is performed.

Validation:

[root@master01 ~]# kubectl apply -f externalname.yaml service/my-service-1 created [root@master01 ~]# kubectl get svc NAME TYPE cluster-ip external-ip PORT(S) AGE kubernetes ClusterIP 10.96.0.1 < None > 443/TCP 13d my-service-1 ExternalName  <none> baidu.com <none> 5sCopy the code

Parse the Service:

[root@master01 ~]# t A dig - my - service - 1. The default. The SVC. Cluster. The local. @ 172.16.241.98; < < > > DiG 9.11.4 - P2 - RedHat - 9.11.4-9. P2. El7 < < > > t A my - service - 1. The default. The SVC. Cluster. The local. @ 172.16.241.98;; global options: +cmd ;; Got answer: ;; WARNING: .local is reservedforMulticast DNS ;; You are currently testing what happens when an mDNS query is leaked to DNS ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48206 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; my-service-1.default.svc.cluster.local. IN A ;; ANSWER SECTION: My - service - 1. The default. SVC. Cluster. The local. 30 IN CNAME baidu.com baidu.com 30 IN A 220.181.38.148 baidu.com 30 IN A 39.156.69.79;; Query time: 49 msec ;; SERVER: 172.16.241.98# 53 (172.16.241.98)
;; WHEN: 六 3月 07 17:30:26 CST 2020
;; MSG SIZE  rcvd: 178
Copy the code

You can see a CNAME configuration: my – service – 1. The default. The SVC. Cluster. The local. 30 IN CNAME baidu.com.

We can go to any Pod and ping the domain name:

[root@node01 ~]# docker exec -it fc57079ad9dd sh / # ping my-service-1.default.svc.cluster.local PING My - service - 1. The default. SVC. Cluster. The local (39.156.69.79) : 56 data bytes to 64 bytes from 39.156.69.79: Seq =0 TTL =47 time=44.341 ms 64 bytes from 39.156.69.79: seq=1 TTL =47 time=54.839 msCopy the code

It can be seen that it has been resolved to 39.156.69.79, which is the IP of Baidu.com.


Welcome to pay attention to the public account: non-famous developers, subscribe to more exciting content.