SNAT Planning Optimization of Flannel of K8S 09/19 Update SLTechnology News&Howtos

SNAT Planning Optimization of Flannel of K8S

2025-09-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

1. The SNAT planning optimization function of Flannel solves the transparent access between two host containers. If not optimized, the access between containers is recorded as the IP address of the host. 1. Host accesses nginx container of 172.7.22.2

2. 172.7.22.2 View nginx access log

3. Enter the container of 172.7.21.2 and access the nginx container of 172.7.22.2 to view the log.

4. Check the nginx access log of 172.7.22.2 again.

5. Solve the problem: when container 172.7.21.2 accesses the nginx container of 172.7.22.2 The log displayed should be 172.7.22.2, solution 1, Install iptables-services component [root@test-nodes1 ~] # yum-y install iptables-services [root@test-nodes1 ~] # systemctl start iptables [root@test-nodes1 ~] # systemctl enable iptablesCreated symlink from / etc/systemd/system/basic.target.wants/iptables.service to / usr/lib/systemd/system/iptables.service.-- -2. Change the camouflage of the following iptable records to delete [root@test-nodes1 ~] # iptables-save | grep-I postrouting:POSTROUTING ACCEPT [68grep 4098]: KUBE-POSTROUTING- [0:0]-A POSTROUTING- m comment-- comment "kubernetes postrouting rules"-j KUBE-POSTROUTING-A POSTROUTING- s 172.7.21.0 KUBE-POSTROUTING-A POSTROUTING- 24!-o docker0-j MASQUERADE # Delete this entry-A KUBE-POSTROUTING- m comment-- comment "kubernetes service traffic requiring SNAT"-m mark -- mark 0x4000/0x4000-j MASQUERADE-3 Delete the record [root@test-nodes1 ~] # iptables-t nat-D POSTROUTING-s 172.7.21.0 MASQUERADE----!-o docker0-j MASQUERADE -4. Insert a new record (excluding the camouflage of network access to 172.7.0.0 nat 16) [root@test-nodes1] # iptables-t nat-I POSTROUTING-s 172.7.21.0 MASQUERADE--- 24!-d 172.7.0.0 docker0 16!-o docker0-j MASQUERADE -5. Check whether it works [root@test-nodes1 ~] # iptables-save | grep-I postrouting:POSTROUTING ACCEPT [13 KUBE-POSTROUTING-A KUBE-POSTROUTING- 814]: KUBE-POSTROUTING- [0:0]-A POSTROUTING- s 172.7.21.0 MASQUERADE-A POSTROUTING- 24!-d 172.7.0.0 MASQUERADE-A POSTROUTING- m comment-- comment "kubernetes postrouting rules"-j KUBE-POSTROUTING-A KUBE-POSTROUTING- m comment-- comment "kubernetes service traffic requiring SNAT"-mm ark-- Mark 0x4000/0x4000-j MASQUERADE-6, Delete all reject rejection rules on iptables [root@test-nodes1 ~] # iptables-save | grep-I reject-An INPUT-j REJECT-- reject-with icmp-host-prohibited-A FORWARD-j REJECT-- reject-with icmp-host-prohibited [root@test-nodes1 ~] # iptables- t filter-D INPUT-j REJECT-- reject-with icmp-host-prohibited [root@test-nodes1 ~] # iptables- t filter-D FORWARD-j REJECT-reject-with icmp-host-prohibited [root @ test-nodes1 ~] # iptables-save | grep-I reject-7, Save iptables rule [root@test-nodes1 ~] # iptables-save > / etc/sysconfig/iptables III, verify result 1, access 172.7.22.2 through container 172.7.21.2

2. View the container log of 172.7.22.2

Note: test-nodes needs to have the same operation.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.