Kubernetes and iptables: forward external traffic to specific nodePort

Solution 1:

When kube-proxy is used in iptables mode (as it is by default in Kubernetes), routing requests to services continues to work for existing services even when the kube-proxy process dies on the node. Kube-proxy binds and listens (on all k8s nodes) to all ports allocated as NodePorts to ensure these ports stay reserved and no other processes can use them. Even if a process starts using a NodePort, iptables rules (because they are in the PREROUTING chain) ensure that the traffic sent to the NodePort gets routed to the pods.

Under normal circumstances kube-proxy binds and listens on all NodePorts to ensure these ports stay reserved and no other processes can use them. So you don't have to manually configure iptables rules if you have service NodePort.

There’s a KUBE-SERVICES chain in the target that’s created by kube-proxy. List the rules in that chain, see example below:

$ sudo iptables -t nat -L KUBE-SERVICES -n | column -t
...
KUBE-NODEPORTS             all            --   0.0.0.0/0       0.0.0.0/0     /*  kubernetes                                   service  nodeports;  NOTE:  this  must       be  the  last  rule  in  this  chain  */  ADDRTYPE  match  dst-type  LOCAL

As you can see one target in the KUBE-SERVICES chain is the KUBE-NODEPORTS chain. Since the service we created is of type NodePort, let’s list the rules in KUBE-NODEPORTS chain.

$ sudo iptables -t nat -L KUBE-NODEPORTS -n | column -t

You should see that the output shows that the targets are for packets destined to your NodePort 30000.

Then verify kube-proxy is listening on NodePort.

Under normal circumstances kube-proxy binds and listens on all NodePorts to ensure these ports stay reserved and no other processes can use them. You can verify this on the above kubernetes node:

$ sudo lsof -i:30000
$ ps -aef | grep -v grep | grep PID

You should see that kube-proxy is listening on NodePort 6600. In iptables mode, kube-proxy creates iptables rules for Kubernetes services which ensure that the request to the service gets routed (and load balanced) to the appropriate pods.

As long as these iptables rules exist, requests to services will get routed to the appropriate pods even if the kube-proxy process dies on the node. Endpoints for new services won’t work from this node, however, since the kube-proxy process won’t create the iptables rules for them.

Take a look: iptables-kubernetes.
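The verification steps in the answer above (the KUBE-SERVICES to KUBE-NODEPORTS hook, the per-port rules, and the kube-proxy listener) can be scripted so they run against a captured snapshot instead of the live node. This is an added example, not part of the original answer; the rule and socket dumps are constructed samples in the shape kube-proxy writes them, and the KUBE-SVC-XXXX chain name is a placeholder.

```shell
# Constructed sample of `iptables -t nat -S` output (not captured from a real cluster).
SAMPLE_RULES='-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A KUBE-SERVICES -m comment --comment "kubernetes service nodeports; NOTE: this must be the last rule in this chain" -m addrtype --dst-type LOCAL -j KUBE-NODEPORTS
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web:http" -m tcp --dport 30000 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/web:http" -m tcp --dport 30000 -j KUBE-SVC-XXXX'

# Constructed sample of `ss -ltnp` output.
SAMPLE_SS='LISTEN 0 4096 *:30000 *:* users:(("kube-proxy",pid=1234,fd=15))
LISTEN 0 4096 *:22 *:* users:(("sshd",pid=800,fd=3))'

# nodeport_rule_state RULES PORT
# Prints "routed" when the port has a service rule reachable from KUBE-SERVICES,
# "unreachable" when the KUBE-SERVICES -> KUBE-NODEPORTS hook for local addresses
# is missing, and "missing" when no service rule exists for the port.
nodeport_rule_state() {
  rules=$1; port=$2
  # The hook must exist and be restricted to addresses local to the node.
  if ! printf '%s\n' "$rules" | grep -q -- '-A KUBE-SERVICES .*--dst-type LOCAL -j KUBE-NODEPORTS'; then
    echo unreachable; return 1
  fi
  # A rule for the port must jump to a KUBE-SVC-* (or newer KUBE-EXT-*) chain,
  # not just the masquerade-marking rule.
  if printf '%s\n' "$rules" | grep -- "-A KUBE-NODEPORTS .*--dport $port " | grep -Eq -- '-j KUBE-(SVC|EXT)-'; then
    echo routed; return 0
  fi
  echo missing; return 1
}

# nodeport_listener SS PORT
# Prints the process name holding the listening socket on PORT, or "none".
nodeport_listener() {
  ss=$1; port=$2
  proc=$(printf '%s\n' "$ss" | grep -- ":$port " | sed -n 's/.*users:(("\([^"]*\)".*/\1/p' | head -n 1)
  echo "${proc:-none}"
}

# Run against the constructed snapshot; on a node replace the samples with
# "$(sudo iptables -t nat -S)" and "$(sudo ss -ltnp)".
nodeport_rule_state "$SAMPLE_RULES" 30000
nodeport_listener "$SAMPLE_SS" 30000
```

A port that reports "routed" but whose listener is "none" is the situation the answer describes: traffic still reaches the pods through PREROUTING, but the port is no longer reserved on the node.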